Unused database components, database application software, and database objects should be removed from the DBMS system.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-3728	DG0016-ORACLE11	SV-24359r2_rule		Low

Description
Unused, unnecessary DBMS components increase the attack surface for the DBMS by introducing additional targets for attack. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced. However, dependencies exist among Oracle components that could result in the removal of an apparently unnecessary component interfering with the operation of a required component. Therefore, thorough testing is required before removing components from a production server.

Description

Unused, unnecessary DBMS components increase the attack surface for the DBMS by introducing additional targets for attack. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced. However, dependencies exist among Oracle components that could result in the removal of an apparently unnecessary component interfering with the operation of a required component. Therefore, thorough testing is required before removing components from a production server.

STIG	Date
Oracle Database 11g Installation STIG	2017-06-29

Details

Check Text ( C-26063r2_chk )
Use the Oracle Universal Installer or OPATCH utility to display the list of installed products. Review the list of installed products with the DBA and verify any installed products listed below are required and licensed. If any are installed and are not required or not licensed, this is a Finding. From Command Prompt: $ORACLE_HOME/OPatch/opatch lsinventory –detail \| more (UNIX) %ORACLE_HOME%/OPatch/opatch lsinventory –detail \| more (Windows) Requires additional License on Enterprise Edition: Oracle Active Data Guard Oracle Total Recall Oracle Real Application Clusters Oracle In-Memory Database Cache Oracle Advanced Security Oracle Label Security Oracle Database Vault Oracle Change Management Pack Oracle Configuration Management Pack Oracle Diagnostic Pack Oracle Tuning Pack Oracle Provisioning and Patch Automation Pack Oracle Real Application Testing Oracle Partitioning Oracle OLAP Oracle Data Mining Oracle Data Quality and Profiling Oracle Data Watch and Repair Connector Oracle Advanced Compression Oracle Spatial Oracle Content Database Suite Requires additional License: Oracle Database Gateways Confirm requirements for these products: Database Workspace Manager Enterprise Manager Agent iSQL*Plus LDAP Oracle Data Guard Oracle Fail Safe (Windows only) Oracle HTTP Server Oracle interMedia Oracle Internet Directory Oracle Advanced Replication Oracle Starter Database Oracle Text Oracle Virtual Private Database Oracle Wallet Manager (Requires Advanced Security when using PKI and transparent encryption) Oracle XML Development Sample Schema NOTE: This list does not take into account product dependencies that, when selected for de-install, remove required database software. A custom installation without selection of unnecessary components is required to ensure a clean install of only required and licensed products. The list of product dependencies may be subject to change by Oracle and is not addressed here.

Check Text ( C-26063r2_chk )

Use the Oracle Universal Installer or OPATCH utility to display the list of installed products. Review the list of installed products with the DBA and verify any installed products listed below are required and licensed. If any are installed and are not required or not licensed, this is a Finding.

From Command Prompt:
$ORACLE_HOME/OPatch/opatch lsinventory –detail | more (UNIX)
%ORACLE_HOME%/OPatch/opatch lsinventory –detail | more (Windows)

Requires additional License on Enterprise Edition:
Oracle Active Data Guard
Oracle Total Recall
Oracle Real Application Clusters
Oracle In-Memory Database Cache
Oracle Advanced Security
Oracle Label Security
Oracle Database Vault
Oracle Change Management Pack
Oracle Configuration Management Pack
Oracle Diagnostic Pack
Oracle Tuning Pack
Oracle Provisioning and Patch Automation Pack
Oracle Real Application Testing
Oracle Partitioning
Oracle OLAP
Oracle Data Mining
Oracle Data Quality and Profiling
Oracle Data Watch and Repair Connector
Oracle Advanced Compression
Oracle Spatial
Oracle Content Database Suite

Requires additional License:
Oracle Database Gateways

Confirm requirements for these products:
Database Workspace Manager
Enterprise Manager Agent
iSQL*Plus
LDAP
Oracle Data Guard
Oracle Fail Safe (Windows only)
Oracle HTTP Server
Oracle interMedia
Oracle Internet Directory
Oracle Advanced Replication
Oracle Starter Database
Oracle Text
Oracle Virtual Private Database
Oracle Wallet Manager (Requires Advanced Security when using PKI and transparent encryption)
Oracle XML Development
Sample Schema

NOTE: This list does not take into account product dependencies that, when selected for de-install, remove required database software. A custom installation without selection of unnecessary components is required to ensure a clean install of only required and licensed products. The list of product dependencies may be subject to change by Oracle and is not addressed here.

Fix Text (F-23717r3_fix)
Review the list of installed products available for the DBMS install. If any are required and licensed for operation of applications that will be accessing the DBMS, include them in the application design specification and list them in the System Security Plan. If any are not, but have been installed, uninstall them and remove any database schemas, objects, applications and security principals that exclusively support them. Verify correct operation of the required Oracle components in a test environment before aplying these changes to a production system.

Fix Text (F-23717r3_fix)

Review the list of installed products available for the DBMS install. If any are required and licensed for operation of applications that will be accessing the DBMS, include them in the application design specification and list them in the System Security Plan. If any are not, but have been installed, uninstall them and remove any database schemas, objects, applications and security principals that exclusively support them.

Verify correct operation of the required Oracle components in a test environment before aplying these changes to a production system.