UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

System privileges granted using the WITH ADMIN OPTION should not be granted to unauthorized user accounts.


Overview

Finding ID Version Rule ID IA Controls Severity
V-2561 DO3609-ORACLE11 SV-24925r2_rule ECLP-1 Medium
Description
The WITH ADMIN OPTION allows the grantee to grant a privilege to another database account. Best security practice restricts the privilege of assigning privileges to authorized personnel. Authorized personnel include DBA's, object owners, and, where designed and included in the application's functions, application administrators. Restricting privilege-granting functions to authorized accounts can help decrease mismanagement of privileges and wrongful assignments to unauthorized accounts.
STIG Date
Oracle Database 11g Instance STIG 2015-03-26

Details

Check Text ( C-29475r2_chk )
From SQL*Plus:

select grantee, privilege from dba_sys_privs
where grantee not in
('SYS', 'SYSTEM', 'AQ_ADMINISTRATOR_ROLE', 'DBA',
'MDSYS', 'LBACSYS', 'SCHEDULER_ADMIN',
'WMSYS')
and admin_option = 'YES'
and grantee not in
(select grantee from dba_role_privs where granted_role = 'DBA');

If any accounts are listed, this is a Finding.
Fix Text (F-26540r1_fix)
Revoke assignment of privileges with the WITH ADMIN OPTION from unauthorized users and re-grant them without the option.

From SQL*Plus:

revoke [privilege name] from user [username];

Replace [privilege name] with the named privilege and [username] with the named user.

Restrict use of the WITH ADMIN OPTION to authorized administrators.

Document authorized privilege assignments with the WITH ADMIN OPTION in the System Security Plan.