Application user privileges should be restricted to assignment using application user roles.

From Oracle Database 11g Instance STIG

Part of DBMS application user privilege assignment

SV-24755r2_rule Application user privileges should be restricted to assignment using application user roles.

Vulnerability discussion

Granting permissions to accounts is error prone and repetitive. Using roles allows for group management of privileges assigned by function and reduces the likelihood of wrongfully assigned privileges. Assign permissions to roles and then grant the roles to accounts.

Check content

From SQL*Plus (NOTE: the owner list below is a short list of all possible default Oracle accounts):

    select grantee||': '||privilege||': '||owner||'.'||table_name
    from dba_tab_privs
    where grantee not in (select role from dba_roles)
    and grantee not in ('APEX_PUBLIC_USER', 'AURORA$JIS$UTILITY$', 'CTXSYS', 'DBSNMP', 'EXFSYS', 'FLOWS_030000', 'FLOWS_FILES', 'LBACSYS', 'MDSYS', 'MGMT_VIEW', 'ODM', 'OLAPSYS', 'ORACLE_OCM', 'ORDPLUGINS', 'ORDSYS', 'OSE$HTTP$ADMIN', 'OUTLN', 'OWBSYS', 'PERFSTAT', 'PUBLIC', 'REPADMIN', 'SYS', 'SYSMAN', 'SYSTEM', 'WKSYS', 'WMSYS', 'XDB')
    and table_name<>'DBMS_REPCAT_INTERNAL_PACKAGE'
    and table_name not like '%RP'
    and grantee not in (select grantee from dba_tab_privs where table_name in ('DBMS_DEFER', 'DEFLOB'));

If any records are returned, this is a Finding.

NOTE: This check may report false positives where other Oracle products have been installed. Accounts installed with other Oracle products are exempt from this requirement.

Fix text

Revoke privileges assigned directly to database accounts and assign them to roles based on job functions. Grant the defined role to the users who are assigned responsibility for that job function. From SQL*Plus:

    revoke [privilege] on [object name] from [user name];
    grant [privilege] on [object name] to [role name];
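The remediation above carried through for one account, as an added example that is not part of the STIG text: the schema HR_APP, the account JSMITH, the role HR_APP_ROLE and the object names are constructed for illustration. The PL/SQL block generalises the fix by generating a grant/revoke pair for every direct object grant the account holds.

```sql
-- Added example (not STIG content). HR_APP, JSMITH, HR_APP_ROLE and the
-- object names are constructed; substitute the real schema, account and role.

-- 1. Create a role named for the job function and give it the object privileges.
CREATE ROLE hr_app_role;
GRANT SELECT, INSERT, UPDATE ON hr_app.employees TO hr_app_role;
GRANT EXECUTE ON hr_app.payroll_pkg TO hr_app_role;

-- 2. Grant the role to the account BEFORE revoking the direct grants, so the
--    application keeps working; then remove the direct object privileges.
GRANT hr_app_role TO jsmith;
REVOKE SELECT, INSERT, UPDATE ON hr_app.employees FROM jsmith;
REVOKE EXECUTE ON hr_app.payroll_pkg FROM jsmith;

-- 3. General form: emit a GRANT-to-role / REVOKE-from-user pair for every
--    direct object grant held by the account. Review the output before running
--    it: revoking a privilege held WITH GRANT OPTION cascades to its regrants,
--    so the GRANTABLE column flags rows that need a closer look.
SET SERVEROUTPUT ON
BEGIN
  FOR r IN (SELECT owner, table_name, privilege, grantable
              FROM dba_tab_privs
             WHERE grantee = 'JSMITH'
             ORDER BY owner, table_name, privilege)
  LOOP
    DBMS_OUTPUT.PUT_LINE('GRANT '  || r.privilege || ' ON "' || r.owner || '"."'
                         || r.table_name || '" TO hr_app_role;');
    DBMS_OUTPUT.PUT_LINE('REVOKE ' || r.privilege || ' ON "' || r.owner || '"."'
                         || r.table_name || '" FROM jsmith;'
                         || CASE r.grantable WHEN 'YES' THEN '  -- held WITH GRANT OPTION' END);
  END LOOP;
END;
/

-- 4. Verify: after the revokes, the account should hold no direct object
--    grants and should disappear from the STIG check query's result set.
SELECT grantee, privilege, owner, table_name
  FROM dba_tab_privs
 WHERE grantee = 'JSMITH';

SELECT granted_role FROM dba_role_privs WHERE grantee = 'JSMITH';
```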
