Defined Type: ora_secured::controls::sys_privs_grnted_using_with_admin_option_must_not_be_grnted_to_unauth_user_accnts
- Defined in:
- manifests/controls/sys_privs_grnted_using_with_admin_option_must_not_be_grnted_to_unauth_user_accnts.pp
Summary
A default Oracle Database installation provides a set of predefined administrative accounts and non-administrative accounts.Overview
ora_secured::controls::sys_privs_grnted_using_with_admin_option_must_not_be_grnted_to_unauth_user_accnts
These are accounts that have special privileges required to administer areas of the database, such as the CREATE ANY TABLE or ALTER SESSION privilege, or EXECUTE privileges on packages owned by the SYS schema. The default tablespace for administrative accounts is either SYSTEM or SYSAUX. Non-administrative user accounts only have the minimum privileges needed to perform their jobs. Their default tablespace is USERS.
To protect these accounts from unauthorized access, the installation process expires and locks most of these accounts, except where noted below. The database administrator is responsible for unlocking and resetting these accounts, as required.
Non-Administrative Accounts - Expired and locked: APEX_PUBLIC_USER, DIP, FLOWS_040100*, FLOWS_FILES, MDDATA, ORACLE_OCM, SPATIAL_CSW_ADMIN_USR, SPATIAL_WFS_ADMIN_USR, XS$NULL
Administrative Accounts - Expired and Locked: ANONYMOUS, CTXSYS, EXFSYS, LBACSYS, MDSYS, OLAPSYS, ORDDATA, OWBSYS, ORDPLUGINS, ORDSYS, OUTLN, SI_INFORMTN_SCHEMA, WK_TEST, WK_SYS, WKPROXY, WMSYS, XDB
Administrative Accounts - Open: DBSNMP, MGMT_VIEW, SYS, SYSMAN, SYSTEM, SYSKM
-
Subject to change based on version installed
Run the SQL query:
From SQL*Plus: select grantee, privilege from dba_sys_privs where grantee not in (<list of non-applicable accounts>) and admin_option = ‘YES’ and grantee not in (select grantee from dba_role_privs where granted_role = ‘DBA’);
(With respect to the list of special accounts that are excluded from this requirement, it is expected that the DBA will maintain the list to suit local circumstances, adding special accounts as necessary and removing any that are not supposed to be in use in the Oracle deployment that is under review.)
If any accounts that are not authorized to have the ADMIN OPTION are listed, this is a finding.
Revoke assignment of privileges with the WITH ADMIN OPTION from unauthorized users and re-grant them without the option.
From SQL*Plus:
revoke [privilege name] from user [username];
Replace [privilege name] with the named privilege and [username] with the named user.
Restrict use of the WITH ADMIN OPTION to authorized administrators.
Document authorized privilege assignments with the WITH ADMIN OPTION in the System Security Plan.
## Skipping
To deliberately skip this control (e.g. meaning don’t use Puppet to enforce this setting), we provide you with three ways:
1) Add ‘ora_secured::controls::sys_privs_grnted_using_with_admin_option_must_not_be_grnted_to_unauth_user_accnts: skip` to your hiera data. This will skip this control for ALL databases. 2) Add `ora_secured::controls::sys_privs_grnted_using_with_admin_option_must_not_be_grnted_to_unauth_user_accnts::dbname: skip` to your hiera data. This will skip this control for specified database only. 3) Add an entry with the content `sys_privs_grnted_using_with_admin_option_must_not_be_grnted_to_unauth_user_accnts` to the array value `ora_secured::skip_list` in your hiera data.
## Benchmarks
This control is used in the following benchmarks:
-
[Oracle Database 12c CIS V1](/docs/ora_secured/stig/db12c_V1.html) - id V-61433
See the file “LICENSE” for the full license governing this code.
73 74 75 76 77 78 79 80 |
# File 'manifests/controls/sys_privs_grnted_using_with_admin_option_must_not_be_grnted_to_unauth_user_accnts.pp', line 73
define ora_secured::controls::sys_privs_grnted_using_with_admin_option_must_not_be_grnted_to_unauth_user_accnts
{
ora_secured_setup { "sys_privs_grnted_using_with_admin_option_must_not_be_grnted_to_unauth_user_accnts on ${title}":
ensure => 'present',
}
alert('Specified STIG control is not yet automatically enforced.')
}
|