Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-61439 | O121-BP-022600 | SV-75929r1_rule | Medium |
Description |
---|
Permissions on objects may be granted to the user group PUBLIC. Because every database user is a member of the PUBLIC group, granting object permissions to PUBLIC gives all users in the database access to that object. In a secure environment, granting object permissions to PUBLIC must be restricted to those objects that all users are allowed to access. The policy does not require object permissions assigned to PUBLIC by the installation of Oracle Database server components be revoked (with exception of the packages listed in O121-BP-021800). |
STIG | Date |
---|---|
Oracle Database 12c Security Technical Implementation Guide | 2015-12-21 |
Check Text ( C-62329r1_chk ) |
---|
A default Oracle Database installation provides a set of predefined administrative accounts and non-administrative accounts. These are accounts that have special privileges required to administer areas of the database, such as the CREATE ANY TABLE or ALTER SESSION privilege, or EXECUTE privileges on packages owned by the SYS schema. The default tablespace for administrative accounts is either SYSTEM or SYSAUX. Non-administrative user accounts only have the minimum privileges needed to perform their jobs. Their default tablespace is USERS. To protect these accounts from unauthorized access, the installation process expires and locks most of these accounts, except where noted below. The database administrator is responsible for unlocking and resetting these accounts, as required. Non-Administrative Accounts - Expired and locked: APEX_PUBLIC_USER, DIP, FLOWS_040100*, FLOWS_FILES, MDDATA, ORACLE_OCM, SPATIAL_CSW_ADMIN_USR, SPATIAL_WFS_ADMIN_USR, XS$NULL Administrative Accounts - Expired and Locked: ANONYMOUS, CTXSTS, EXFSYS, LBACSYS, MDSYS, OLAPSYS, OEDDATA, OWBSYS, ORDPLUGINS, ORDSYS, OUTLN, SI_INFORMTN_SCHEMA, WK_TEST, WK_SYS, WKPROXY, WMSYS, XDB Administrative Accounts - Open: DBSNMP, MGMT_VIEW, SYS, SYSMAN, SYSTEM * Subject to change based on version installed From SQL*Plus (Note: The owner list below is a short list of all possible default Oracle accounts): select owner ||'.'|| table_name ||':'|| privilege from dba_tab_privs where grantee = 'PUBLIC' and owner not in ('CTXSTS','EXFSYS','LBACSYS','MDSYS','OLAPSYS','OEDDATA','CTXSYS','GSMADMIN','GSMADMIN_INTERNAL', 'OWBSYS','ORDPLUGINS','ORDSYS','OUTLN','SI_INFORMTN_SCHEMA','ORDDATA', 'WK_TEST','WK_SYS','WKPROXY','WMSYS','XDB','DVSYS','APEX_040200','DVF', 'DBSNMP','MGMT_VIEW','SYS','SYSMAN','SYSTEM'); If any records that are not Oracle product accounts are returned, are not documented and authorized, then this is a finding. Note: This check may return false positives where other Oracle product accounts are not included in the exclusion list. |
Fix Text (F-67355r1_fix) |
---|
Revoke any privileges granted to PUBLIC for objects that are not owned by Oracle product accounts. From SQL*Plus: revoke [privilege name] from [user name] on [object name]; Assign permissions to custom application user roles based on job functions: From SQL*Plus: grant [privilege name] to [user role] on [object name]; |