Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-61445 | O121-BP-022900 | SV-75935r1_rule | | Medium |
Description |
---|
Application administration roles, which are assigned system or elevated application object privileges, must be protected from default activation. Application administration roles are determined by system privilege assignment (create / alter / drop user) and application user role ADMIN OPTION privileges. |
STIG | Date |
---|---|
Oracle Database 12c Security Technical Implementation Guide | 2015-12-21 |
Check Text (C-62335r1_chk) |
---|
From SQL*Plus (note: the excluded owner list below is only a partial list of the possible default Oracle accounts): |

```sql
select grantee, granted_role
  from dba_role_privs
 where default_role = 'YES'
   and granted_role in (select grantee
                          from dba_sys_privs
                         where upper(privilege) like '%USER%')
   and grantee not in ('DBA', 'SYS', 'SYSTEM', 'CTXSYS', 'IMP_FULL_DATABASE',
                       'DATAPUMP_IMP_FULL_DATABASE', 'MDSYS', 'WKSYS')
   and grantee not in (select distinct owner from dba_tables)
   and grantee not in (select distinct username
                         from dba_users
                        where upper(account_status) like '%LOCKED%');
```

Review the list of accounts reported for this check and ensure that each is an authorized application administration role. If any are not authorized application administration roles, this is a finding.
Fix Text (F-67361r1_fix) |
---|
For each role assignment returned, issue the following from SQL*Plus: |

```sql
alter user [username] default role all except [role];
```

If the user has more than one application administration role assigned, remove the assigned roles from the default assignment and then assign individually the appropriate default roles.
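As an added illustration that is not part of the STIG text, the fix applied to a constructed user APP_ADMIN who holds two hypothetical application administration roles, HR_ADMIN and PAY_ADMIN, plus an ordinary role APP_USER, followed by the re-check; every object name here is an assumption.

```sql
-- Constructed scenario (not from the STIG): APP_ADMIN holds two
-- application administration roles that are enabled at every logon.
-- Run as a DBA: show the current default-role state for this user.
select grantee, granted_role, default_role
  from dba_role_privs
 where grantee = 'APP_ADMIN';

-- Fix for a single administration role: every other granted role stays
-- default, only the elevated one is removed from the default set.
alter user APP_ADMIN default role all except HR_ADMIN;

-- With two or more administration roles, the STIG asks to take them all
-- out of the default set and name the appropriate default roles
-- explicitly. Either form below achieves that; the second lists only
-- the ordinary role so that nothing elevated is active at logon.
alter user APP_ADMIN default role all except HR_ADMIN, PAY_ADMIN;
alter user APP_ADMIN default role APP_USER;

-- Run as APP_ADMIN when elevated work is required: enable the role for
-- this session only. SET ROLE replaces the session's enabled set, so
-- naming the ordinary role as well keeps normal access working.
set role APP_USER, HR_ADMIN;

-- Re-check (as a DBA): the STIG query restricted to this user should
-- now return no rows, because no default role carries *USER privileges.
select grantee, granted_role
  from dba_role_privs
 where grantee = 'APP_ADMIN'
   and default_role = 'YES'
   and granted_role in (select grantee
                          from dba_sys_privs
                         where upper(privilege) like '%USER%');
```

Because the roles are still granted, the administrator keeps the privilege but must deliberately enable it per session, which is the protection from default activation the rule requires.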