Unused database components, DBMS software, and database objects must be removed.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-52233	O112-C2-011600	SV-66449r2_rule		Medium

Description
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. Examples include, but are not limited to, installing advertising software, demonstrations, or browser plug-ins not related to requirements or providing a wide array of functionality not required for the mission. Applications must adhere to the principles of least functionality by providing only essential capabilities. Demonstration and sample database objects and applications present publicly known attack points for malicious users. These demonstration and sample objects are meant to provide simple examples of coding specific functions and are not developed to prevent vulnerabilities from being introduced to the DBMS and host system. Unused and unnecessary DBMS components increase the attack vector for the DBMS by introducing additional targets for attack. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced.

Description

Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. Examples include, but are not limited to, installing advertising software, demonstrations, or browser plug-ins not related to requirements or providing a wide array of functionality not required for the mission. Applications must adhere to the principles of least functionality by providing only essential capabilities. Demonstration and sample database objects and applications present publicly known attack points for malicious users. These demonstration and sample objects are meant to provide simple examples of coding specific functions and are not developed to prevent vulnerabilities from being introduced to the DBMS and host system. Unused and unnecessary DBMS components increase the attack vector for the DBMS by introducing additional targets for attack. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced.

STIG	Date
Oracle Database 11.2g Security Technical Implementation Guide	2015-06-23

Details

Check Text ( C-54289r3_chk )
Review the list of components and features installed with the database. If unused components are installed and are not documented and authorized, this is a finding. SQLPlus can also be used to check to see what is installed in the database: sqlplus connect as sysdba set linesize 121 col parameter format a35 col value format a35 select from v$option; This returns database components and their status. TRUE means that the component is installed. If the component is not installed, it will be set to FALSE or will not be returned by the query. Starting with releases 11.1.0.7.x and above all products are installed by default and the option to customize the product/component selection is no longer possible with the exception of those listed here: Oracle JVM, Oracle Text, Oracle Multimedia, Oracle OLAP, Oracle Spatial, Oracle Label Security, Oracle Application Express, Oracle Database Vault

Check Text ( C-54289r3_chk )

Review the list of components and features installed with the database. If unused components are installed and are not documented and authorized, this is a finding.

SQL*Plus can also be used to check to see what is installed in the database:

sqlplus connect as sysdba
set linesize 121
col parameter format a35
col value format a35
select * from v$option;

This returns database components and their status. TRUE means that the component is installed. If the component is not installed, it will be set to FALSE or will not be returned by the query.

Starting with releases 11.1.0.7.x and above all products are installed by default and the option to customize the product/component selection is no longer possible with the exception of those listed here:

Oracle JVM,
Oracle Text,
Oracle Multimedia,
Oracle OLAP,
Oracle Spatial,
Oracle Label Security,
Oracle Application Express,
Oracle Database Vault

Fix Text (F-57049r3_fix)
If any components are required for operation of applications that will be accessing the DBMS, include them in the system documentation. You cannot remove components, either via Database Configuration Assistant (DBCA) or manually once the database has been created. You can, however, use DBCA to create a database and remove components during the creation process, before you create the database. When using DBCA to create a custom database, select Database Template = Custom/Database Components. Components that can be selected or de-selected are: Oracle Text, Oracle OLAP, Oracle Spatial, Oracle Label Security, Sample Schemas, Enterprise Manager Repository, Oracle Warehouse Builder, Oracle Database Vault

Fix Text (F-57049r3_fix)

If any components are required for operation of applications that will be accessing the DBMS, include them in the system documentation.

You cannot remove components, either via Database Configuration Assistant (DBCA) or manually once the database has been created.

You can, however, use DBCA to create a database and remove components during the creation process, before you create the database.

When using DBCA to create a custom database, select Database Template = Custom/Database Components.
Components that can be selected or de-selected are:

Oracle Text,
Oracle OLAP,
Oracle Spatial,
Oracle Label Security,
Sample Schemas,
Enterprise Manager Repository,
Oracle Warehouse Builder,
Oracle Database Vault