
Application object owner accounts must be disabled when not performing installation or maintenance actions.


Overview

Finding ID: V-61467
Version: O121-BP-024000
Rule ID: SV-75957r2_rule
IA Controls: (none)
Severity: Medium
Description
Object ownership provides all database object permissions to the owned object. Access to the application object owner accounts requires special protection to prevent unauthorized access and use of the object ownership privileges. In addition to the high privileges to application objects assigned to this account, it is also an account that, by definition, is not accessed interactively except for application installation and maintenance. This reduced access to the account means that unauthorized access to the account could go undetected. To help protect the account, it must be enabled only when access is required.
STIG: Oracle Database 12c Security Technical Implementation Guide
Date: 2016-06-24

Details

Check Text (C-62357r2_chk)
From SQL*Plus (Note: the owner list in the NOT IN clause below is only a short list of the possible default Oracle accounts):

-- Unlocked accounts that own at least one non-synonym object,
-- excluding the listed default Oracle accounts
select distinct o.owner
from dba_objects o, dba_users u
where o.owner not in
(
'SYS','SYSTEM','LBACSYS','XDB'
)
and exists (select 1 from dba_objects o2
            where o2.object_type <> 'SYNONYM'
            and o.owner = o2.owner)
and o.owner = u.username
and upper(u.account_status) not like '%LOCKED%';

To obtain a list of users assigned DBA privileges, from SQL*Plus:

select grantee from dba_role_privs where granted_role = 'DBA';

If any records are returned, then verify the account is an authorized application object owner account or a default account installed to support an Oracle product.

Verify that any objects owned by custom DBA accounts are for the personal use of that DBA.

If any objects are used to support applications or any functions other than DBA functions, this is a finding.

Any unauthorized object owner accounts are not a finding under this check as they are noted as findings under check O121-C2-011000.

Any other accounts listed are a finding.
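The two queries above are normally run separately and compared by hand. The following report, added here as an example and not part of the STIG check text, joins them into one result set so each unlocked object-owning account shows its object count, whether it holds the DBA role, and whether it appears on the site's documented list of authorized application owners. The authorized owner list (APP_OWNER_PLACEHOLDER) is an assumed placeholder that must be replaced with the site's own list; the commented-out ORACLE_MAINTAINED filter assumes a 12c release whose DBA_USERS view carries that column.

```sql
-- Added example for this check; not the STIG's own query.
-- Replace APP_OWNER_PLACEHOLDER with the documented, authorized
-- application object owner accounts for this database (assumption).
with authorized_app_owners as (
  select 'APP_OWNER_PLACEHOLDER' as username from dual
),
object_owners as (
  -- owners of at least one real (non-synonym) object
  select o.owner, count(*) as object_count
  from   dba_objects o
  where  o.object_type <> 'SYNONYM'
  group  by o.owner
),
dba_grantees as (
  select distinct grantee from dba_role_privs where granted_role = 'DBA'
)
select u.username,
       u.account_status,
       u.lock_date,
       oo.object_count,
       case when d.grantee is not null then 'YES' else 'NO' end as has_dba_role,
       case when a.username is not null then 'YES' else 'NO' end as authorized_app_owner
from   dba_users u
join   object_owners         oo on oo.owner     = u.username
left   join dba_grantees     d  on d.grantee    = u.username
left   join authorized_app_owners a on a.username = u.username
where  u.username not in ('SYS','SYSTEM','LBACSYS','XDB')
and    upper(u.account_status) not like '%LOCKED%'
-- and u.oracle_maintained = 'N'   -- optional: drop Oracle-supplied default accounts (12c column)
order  by u.username;
```

Rows with has_dba_role = 'NO' and authorized_app_owner = 'NO' are the accounts to examine first; rows with has_dba_role = 'YES' still need the manual review of whether their objects serve only the DBA's personal use, as the check text requires.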
Fix Text (F-67383r1_fix)
Disable any application object owner accounts.

From SQL*Plus:
alter user [username] account lock;

Enable application object owner accounts only for installation and maintenance.

DBAs are special purpose accounts and do not require disabling, although they may own objects.

For application objects that require routine maintenance (e.g., index objects rebuilt to maintain performance), consider allowing a special purpose account to own the index, or enable the application owner account only for the duration of the routine maintenance function.
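The lock/unlock cycle described in the fix is shown below as an added example script, not part of the STIG fix text. APP_OWNER is an assumed account name; each step verifies the account state in DBA_USERS so the maintainer can confirm the account is locked again before closing the change.

```sql
-- Added example; APP_OWNER is an assumed application object owner name.

-- 1. Before the maintenance window: confirm the account is currently locked.
select username, account_status, lock_date
from   dba_users
where  username = 'APP_OWNER';

-- 2. Unlock only for the duration of the installation or maintenance task.
alter user APP_OWNER account unlock;

-- ... perform installation / maintenance work as APP_OWNER here ...

-- 3. Re-lock immediately once the task is complete.
alter user APP_OWNER account lock;

-- 4. Verify the lock took effect: the account must appear in this result
--    with a LOCKED status and a lock_date at or after the end of the window.
select username, account_status, lock_date
from   dba_users
where  username = 'APP_OWNER'
and    upper(account_status) like '%LOCKED%';

-- 5. Sanity check across all owners: any unlocked account that still owns
--    non-synonym objects (and is not a listed default) is a candidate finding.
select distinct o.owner, u.account_status
from   dba_objects o
join   dba_users   u on u.username = o.owner
where  o.object_type <> 'SYNONYM'
and    o.owner not in ('SYS','SYSTEM','LBACSYS','XDB')
and    upper(u.account_status) not like '%LOCKED%';
```

Step 5 is the same test the check text applies, run after the fix; an empty result, or a result containing only DBA and authorized default accounts, confirms that no application object owner account was left unlocked.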