The DBA role must not be assigned excessive or unauthorized privileges.
From Oracle Database 12c Security Technical Implementation Guide
Part of SRG-APP-000063-DB-000019
Associated with:
CCI-000366
SV-76089r2_rule
The DBA role must not be assigned excessive or unauthorized privileges.
Vulnerability discussion
This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control policy, such as Role Based Access Control (RBAC), is being implemented and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.Audit of privileged activity may require physical separation employing information systems on which the user does not have privileged access.To limit exposure and provide forensic history of activity when operating from within a privileged account or role, the application must support organizational requirements that users of information system accounts, or roles, with access to organization-defined lists of security functions or security-relevant information, use non-privileged accounts, or roles, when accessing other (non-security) system functions.If feasible, applications must provide access logging that ensures users who are granted a privileged role (or roles) have their privileged activity logged.DBAs, if assigned excessive privileges, could perform actions that endanger the information system or hide evidence of malicious activity.
Check content
Review access permissions for objects owned by application owners or other non-administrative users.
If DBA or administrative accounts have unauthorized application roles or permissions beyond those needed for administration, this is a finding.
To obtain a list of privileges assigned to the DBMS user accounts, run the query:
SELECT * from dba_sys_privs where grantee='DBA' order by privilege;
To check to see what roles are assigned to a user, run the query:
SELECT * from dba_role_privs where grantee = '';
To check to see what privileges are assigned to a role, run the query:
SELECT * from role_sys_privs;
To show privileges by object, run the query:
SELECT table_name, grantee,
MAX(DECODE(privilege, 'SELECT', 'SELECT')) AS select_priv,
MAX(DECODE(privilege, 'DELETE', 'DELETE')) AS delete_priv,
MAX(DECODE(privilege, 'UPDATE', 'UPDATE')) AS update_priv,
MAX(DECODE(privilege, 'INSERT', 'INSERT')) AS insert_priv
FROM dba_tab_privs
WHERE grantee IN (SELECT role FROM dba_roles)
GROUP BY table_name, grantee
ORDER BY table_name, grantee;
This query will list the system privileges assigned to a specific user:
SELECT LPAD(' ', 2*level) || granted_role "USER PRIVS"
FROM
(
SELECT NULL grantee, username granted_role
FROM dba_users
WHERE username LIKE UPPER('%&uname%')
UNION
SELECT grantee, granted_role
FROM dba_role_privs
UNION
SELECT grantee, privilege
FROM dba_sys_privs
)
START WITH grantee IS NULL
CONNECT BY grantee = prior granted_role;
To list all administrative privileges granted to users via roles, run the query:
SELECT
username,
rp.granted_role,
privilege
FROM
dba_users u,
dba_role_privs rp,
dba_sys_privs sp
WHERE username = rp.grantee
AND rp.granted_role = sp.grantee
AND privilege NOT IN
(
'CREATE SEQUENCE', 'CREATE TRIGGER',
'SET CONTAINER', 'CREATE CLUSTER',
'CREATE PROCEDURE', 'CREATE TYPE',
'CREATE SESSION', 'CREATE OPERATOR',
'CREATE TABLE', 'CREATE INDEXTYPE'
)
AND username NOT IN
(
'XDB', 'SYSTEM', 'SYS', 'LBACSYS',
'DVSYS', 'DVF', 'SYSMAN_RO', 'SYSMAN_BIPLATFORM',
'SYSMAN_MDS', 'SYSMAN_OPSS', 'SYSMAN_STB', 'DBSNMP',
'SYSMAN', 'APEX_040200', 'WMSYS', 'SYSDG',
'SYSBACKUP', 'SPATIAL_WFS_ADMIN_USR',
'SPATIAL_CSW_ADMIN_US','GSMCATUSER',
'OLAPSYS', 'SI_INFORMTN_SCHEMA', 'OUTLN', 'ORDSYS',
'ORDDATA', 'OJVMSYS', 'ORACLE_OCM', 'MDSYS',
'ORDPLUGINS', 'GSMADMIN_INTERNAL', 'MDDATA',
'FLOWS_FILES', 'DIP', 'CTXSYS', 'AUDSYS', 'APPQOSSYS',
'APEX_PUBLIC_USER', 'ANONYMOUS',
'SPATIAL_CSW_ADMIN_USR', 'SYSKM',
'SYSMAN_TYPES', 'MGMT_VIEW', 'EUS_ENGINE_USER',
'EXFSYS', 'SYSMAN_APM','IX','OWBSYS'
)
ORDER by 1, 2, 3;
(The list of special accounts that are excluded from this requirement may not be complete. It is expected that the DBA will edit the list to suit local circumstances, adding other special accounts as necessary, and removing any that are not supposed to be in use in the Oracle deployment that is under review. Similarly, the list of privileges excluded from the list may be modified according to circumstances.)
Data Dictionary Objects Related To System Privileges:
all_sys_privs
session_privs
user_sys_privs
dba_sys_privs
system_privilege_map
Fix text
Remove permissions from DBAs and other administrative users beyond those required for administrative functions.
Pro Tips
Lavender hyperlinks in small type off to the right (of CSS
class id
, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle
or
Accept: application/rdf+xml
.
Powered by sagemincer