Object permissions granted to PUBLIC should be restricted.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-2589	DO3689-ORACLE10	SV-24572r2_rule	DCFA-1	Medium

Description
Permissions on objects may be granted to the user group PUBLIC. Because every database user is a member of the PUBLIC group, granting object permissions to PUBLIC gives all users in the database access to that object. In a secure environment, granting object permissions to PUBLIC should be restricted to those objects that all users are allowed to access. The policy does not require object permissions assigned to PUBLIC by the installation of Oracle Database server components be revoked (with exception of the packages listed in DO3475).

Description

Permissions on objects may be granted to the user group PUBLIC. Because every database user is a member of the PUBLIC group, granting object permissions to PUBLIC gives all users in the database access to that object. In a secure environment, granting object permissions to PUBLIC should be restricted to those objects that all users are allowed to access. The policy does not require object permissions assigned to PUBLIC by the installation of Oracle Database server components be revoked (with exception of the packages listed in DO3475).

STIG	Date
Oracle Database 10g Instance STIG	2014-04-02

Details

Check Text ( C-29484r2_chk )
From SQL*Plus (NOTE: The owner list below is a short list of all possible default Oracle accounts): select owner \|\|'.'\|\| table_name \|\|':'\|\| privilege from dba_tab_privs where grantee = 'PUBLIC' and owner not in ('SYS', 'CTXSYS', 'MDSYS', 'ODM', 'OLAPSYS', 'MTSSYS', 'ORDPLUGINS', 'ORDSYS', 'SYSTEM', 'WKSYS', 'WMSYS', 'XDB', 'LBACSYS', 'PERFSTAT', 'SYSMAN', 'DMSYS', 'EXFSYS'); If any records that are not Oracle product accounts are returned, are not documented and authorized, this is a Finding. NOTE: This check may return false positives where other Oracle product accounts are not included in the exclusion list.

Check Text ( C-29484r2_chk )

From SQL*Plus (NOTE: The owner list below is a short list of all possible default Oracle accounts): select owner ||'.'|| table_name ||':'|| privilege from dba_tab_privs where grantee = 'PUBLIC' and owner not in ('SYS', 'CTXSYS', 'MDSYS', 'ODM', 'OLAPSYS', 'MTSSYS', 'ORDPLUGINS', 'ORDSYS', 'SYSTEM', 'WKSYS', 'WMSYS', 'XDB', 'LBACSYS', 'PERFSTAT', 'SYSMAN', 'DMSYS', 'EXFSYS'); If any records that are not Oracle product accounts are returned, are not documented and authorized, this is a Finding. NOTE: This check may return false positives where other Oracle product accounts are not included in the exclusion list.

Fix Text (F-26550r1_fix)
Revoke any privileges granted to PUBLIC for objects that are not owned by Oracle product accounts. From SQLPlus: revoke [privilege name] from [user name] on [object name]; Assign permissions to custom application user roles based on job functions: From SQLPlus: grant [privilege name] to [user role] on [object name];