Database job/batch queues must be reviewed regularly to detect unauthorized database job submissions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-53999	O112-BP-023100	SV-68239r4_rule		Medium

Description
Unauthorized users may bypass security mechanisms by submitting jobs to job queues managed by the database to be run under a more privileged security context of the database or host system. These queues should be monitored regularly to detect any such unauthorized job submissions.

STIG	Date
Oracle Database 11.2g Security Technical Implementation Guide	2018-06-25

Details

Check Text ( C-54789r3_chk )
The DBMS_JOB PL/SQL package has been replaced by DBMS_SCHEDULER in Oracle versions 10.1 and higher, though it continues to be supported for backward compatibility. Run this query: select value from v$parameter where name = 'job_queue_processes'; Run this query: select value from all_scheduler_global_attribute where ATTRIBUTE_NAME = 'MAX_JOB_SLAVE_PROCESSES'; To understand the relationship between these settings, review: https://docs.oracle.com/cd/E11882_01/server.112/e25494/appendix_a.htm#ADMIN11002 Review documented and implemented procedures for monitoring the Oracle DBMS job/batch queues for unauthorized submissions. If procedures for job queue review are not defined, documented or evidence of implementation does not exist, this is a Finding. Job queue information is available from the DBA_JOBS view. The following command lists jobs submitted to the queue. DBMS_JOB does not generate a 'history' of previous job executions. Run this query: select job, next_date, next_sec, failures, broken from dba_jobs; Scheduler queue information is available from the DBA_SCHEDULER_JOBS view. The following command lists jobs submitted to the queue. Run this query: select owner, job_name, state, job_class, job_type, job_action from dba_scheduler_jobs;

Check Text ( C-54789r3_chk )

The DBMS_JOB PL/SQL package has been replaced by DBMS_SCHEDULER in Oracle versions 10.1 and higher, though it continues to be supported for backward compatibility.

Run this query:
select value from v$parameter where name = 'job_queue_processes';

Run this query:
select value from all_scheduler_global_attribute
where ATTRIBUTE_NAME = 'MAX_JOB_SLAVE_PROCESSES';

To understand the relationship between these settings, review:
https://docs.oracle.com/cd/E11882_01/server.112/e25494/appendix_a.htm#ADMIN11002

Review documented and implemented procedures for monitoring the Oracle DBMS job/batch queues for unauthorized submissions. If procedures for job queue review are not defined, documented or evidence of implementation does not exist, this is a Finding.

Job queue information is available from the DBA_JOBS view. The following command lists jobs submitted to the queue. DBMS_JOB does not generate a 'history' of previous job executions.

Run this query:
select job, next_date, next_sec, failures, broken from dba_jobs;

Scheduler queue information is available from the DBA_SCHEDULER_JOBS view. The following command lists jobs submitted to the queue.

Run this query:
select owner, job_name, state, job_class, job_type, job_action
from dba_scheduler_jobs;

Fix Text (F-58837r3_fix)
Develop, document and implement procedures to monitor the database job queues for unauthorized job submissions. Develop, document and implement a formal migration plan to convert jobs using DBMS_JOB to use DBMS_SCHEDULER instead for Oracle versions 10.1 and higher. (This does not apply to DBMS_JOB jobs generated by Oracle itself, such as those for refreshing materialized views.) Set the value of the job_queue_processes parameter to a low value to restrict concurrent DBMS_JOB executions. Use auditing to capture use of the DBMS_JOB package in the audit trail. Review the audit trail for unauthorized use of the DBMS_JOB package.

Fix Text (F-58837r3_fix)

Develop, document and implement procedures to monitor the database job queues for unauthorized job submissions.

Develop, document and implement a formal migration plan to convert jobs using DBMS_JOB to use DBMS_SCHEDULER instead for Oracle versions 10.1 and higher. (This does not apply to DBMS_JOB jobs generated by Oracle itself, such as those for refreshing materialized views.)

Set the value of the job_queue_processes parameter to a low value to restrict concurrent DBMS_JOB executions.

Use auditing to capture use of the DBMS_JOB package in the audit trail. Review the audit trail for unauthorized use of the DBMS_JOB package.