
Oracle application administration roles must be disabled if not required and authorized.


Overview

Finding ID: V-53995
Version: O112-BP-022900
Rule ID: SV-68235r2_rule
IA Controls: (none listed)
Severity: Medium
Description
Application administration roles, which are assigned system or elevated application object privileges, should be protected from default activation. Application administration roles are determined by system privilege assignment (create / alter / drop user) and application user role ADMIN OPTION privileges.
STIG: Oracle Database 11.2g Security Technical Implementation Guide
Date: 2015-12-21

Details

Check Text ( C-54785r4_chk )
From SQL*Plus (NOTE: the list of excluded grantees in the query below covers only some of the possible default Oracle accounts):

select grantee, granted_role from dba_role_privs
where default_role='YES'
and granted_role in
(select grantee from dba_sys_privs where upper(privilege) like '%USER%')
and grantee not in
('DBA', 'SYS', 'SYSTEM', 'CTXSYS', 'IMP_FULL_DATABASE', 'MDSYS', 'SYS', 'WKSYS')
and grantee not in (select distinct owner from dba_tables)
and grantee not in
(select distinct username from dba_users where upper(account_status) like '%LOCKED%');

Review the list of accounts reported for this check and ensure that they are authorized application administration roles.

If any are not authorized application administration roles, this is a Finding.
Fix Text (F-58927r1_fix)
For each role assignment returned, issue:

From SQL*Plus:

alter user [username] default role all except [role];

If the user has more than one application administration role assigned, remove each of those roles from the user's default role set and explicitly assign as default only the roles that are appropriate for routine use.
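The following is an added worked example of the fix procedure, not part of the STIG text. It uses constructed names (the user APP_ADMIN_USER and the roles APP_ADMIN_ROLE, SCHEMA_ADMIN_ROLE and REPORTING_ROLE are assumptions) and shows the ALTER USER ... DEFAULT ROLE forms Oracle accepts, plus a query to confirm the result.

```sql
-- Step 1: inspect which roles are currently enabled by default for the user.
-- (APP_ADMIN_USER is a constructed name used for this example.)
SELECT granted_role, default_role, admin_option
  FROM dba_role_privs
 WHERE grantee = 'APP_ADMIN_USER'
 ORDER BY granted_role;

-- Step 2a: user holds a single application administration role.
-- Keep every other granted role as default, but exclude the admin role.
ALTER USER app_admin_user DEFAULT ROLE ALL EXCEPT app_admin_role;

-- Step 2b: user holds more than one application administration role.
-- EXCEPT takes a comma-separated list, so both roles can be removed
-- from the default set in one statement.
ALTER USER app_admin_user DEFAULT ROLE ALL EXCEPT app_admin_role, schema_admin_role;

-- Step 2c: equivalent positive form. Name only the roles that should be
-- enabled at logon; every other granted role (including the admin roles)
-- becomes non-default.
ALTER USER app_admin_user DEFAULT ROLE reporting_role;

-- Step 3: re-run the STIG check restricted to this grantee. No rows
-- means no privileged role is still enabled by default for the user.
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE grantee = 'APP_ADMIN_USER'
   AND default_role = 'YES'
   AND granted_role IN
       (SELECT grantee FROM dba_sys_privs WHERE UPPER(privilege) LIKE '%USER%');
```

The roles remain granted after this change; an administrator enables one for a specific session with SET ROLE (for a password-protected role, supplying the password), so routine sessions run without the elevated privileges while authorized administration remains possible.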