From Oracle Database 11g Instance STIG
Part of DBMS application user role privileges
Excessive privileges can lead to unauthorized actions on data and database objects. Assigning only the privileges required to perform the job function authorized for the user helps protect against exploits against application vulnerabilities such as SQL injection attacks. The recommended method is to grant access only to stored procedures that perform only static actions on the data authorized for the user. Where this is not feasible, consider using data views or other methods to restrict users to only the data suitable for their job function.
From SQL*Plus (NOTE: The owner list below is a short list of all possible default Oracle accounts): select grantee, owner, table_name, privilege from dba_tab_privs where privilege in ('ALTER', 'REFERENCES', 'INDEX') and grantee not in ('DBA', 'SYS', 'SYSTEM', 'LBACSYS', 'XDBADMIN') and table_name not in ('SDO_IDX_TAB_SEQUENCE', 'XDB$ACL', 'XDB_ADMIN') and grantee not in (select grantee from dba_role_privs where granted_role = 'DBA') and grantee not in (select distinct owner from dba_objects); If any records are returned, this is a Finding.
Revoke ALTER, REFERENCES, and INDEX privileges from application user roles. From SQL*Plus: revoke [privilege] from [application user role]; Replace [privilege] with the identified ALTER, REFERENCES or INDEX privilege and [application user role] with the identified application role.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer