Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-3438 | DO0340-ORACLE11 | SV-24531r2_rule | Medium |
Description |
---|
Application administration roles, which are assigned system or elevated application object privileges, should be protected from default activation. Application administration roles are determined by system privilege assignment (create / alter / drop user) and application user role ADMIN OPTION privileges. |
STIG | Date |
---|---|
Oracle Database 11g Instance STIG | 2017-06-29 |
Check Text ( C-29449r2_chk ) |
---|
From SQL*Plus (NOTE: The owner list below is a short list of all possible default Oracle accounts): select grantee, granted_role from dba_role_privs where default_role='YES' and granted_role in (select grantee from dba_sys_privs where upper(privilege) like '%USER%') and grantee not in ('DBA', 'SYS', 'SYSTEM', 'CTXSYS', 'DBA', 'IMP_FULL_DATABASE', 'MDSYS', 'SYS', 'WKSYS') and grantee not in (select distinct owner from dba_tables) and grantee not in (select distinct username from dba_users where upper(account_status) like '%LOCKED%'); Review the list of accounts reported for this check and ensures that they are authorized application administration roles. If any are not authorized application administration roles, this is a Finding. |
Fix Text (F-26513r1_fix) |
---|
For each role assignment returned, issue: From SQL*Plus: alter user [username] default role all except [role]; If the user has more than one application administration role assigned, then you will have to remove assigned roles from default assignment and assign individually the appropriate default roles. |