Security Technical Implementation Guidelines (STIG) rules enhanced by Oracle.
The following STIG database rules are enhanced by Oracle. Bold text in the Collection Query denotes the change.
Name: Application objects should be owned by accounts authorized for ownership
Collection Query:
(select distinct 'Unauthorized user '||owner||' owns application objects in the database.' from dba_objects
where owner not in
('ANONYMOUS','AURORA$JIS$UTILITY$',
'AURORA$ORB$UNAUTHENTICATED',
'CTXSYS','DBSNMP','DIP','DVF','DVSYS','EXFSYS','LBACSYS','MDDATA',
'MDSYS','MGMT_VIEW','ODM','ODM_MTR',
'OLAPSYS','ORDPLUGINS', 'ORDSYS',
'OSE$HTTP$ADMIN','OUTLN','PERFSTAT',
'PUBLIC','REPADMIN','RMAN','SI_INFORMTN_SCHEMA',
'SYS','SYSMAN','SYSTEM','TRACESVR',
'TSMSYSWK_TEST','WKPROXY','WKSYS',
'WKUSER','WMSYS','XDB', 'OWBSYS', 'SCOTT', 'ORACLE_OCM', 'ORDDATA', 'APEX_030200', 'OWBSYS_AUDIT', 'APPQOSSYS', 'FLOWS_FILES')
and owner not in
(select grantee from dba_role_privs where granted_role='DBA'))
Change to STIG Rule: Added Default Users/Roles
Name: Production databases should be protected from unauthorized access by developers on shared production/development host systems.
Collection Query:
select 'User/Role '||grantee||' granted '||privilege||' on production system' from dba_sys_privs where (privilege like 'CREATE%' or privilege like 'ALTER%' or privilege like 'DROP%') and privilege <> 'CREATE SESSION' and grantee not in ('ANONYMOUS','AURORA$JIS$UTILITY$', 'AURORA$ORB$UNAUTHENTICATED','CTXSYS','DBSNMP','DIP', 'DVF','DVSYS','EXFSYS','LBACSYS','MDDATA','MDSYS','MGMT_VIEW', 'ODM','ODM_MTR','OLAPSYS','ORDPLUGINS','ORDSYS', 'OSE$HTTP$ADMIN','OUTLN','PERFSTAT','PUBLIC','REPADMIN', 'RMAN','SI_INFORMTN_SCHEMA','SYS','SYSMAN','SYSTEM', 'TRACESVR','TSMSYSWK_TEST','WKPROXY','WKSYS','WKUSER', 'WMSYS','XDB', 'APEX_030200', 'APPQOSSYS', 'AQ_ADMINISTRATOR_ROLE','DATAPUMP_EXP_FULL_DATABASE', 'DBA', 'EXP_FULL_DATABASE', 'FLOWS_FILES', 'IMP_FULL_DATABASE', 'DATAPUMP_IMP_FULL_DATABASE', 'OEM_ADVISOR', 'OEM_MONITOR', 'OLAP_DBA', 'OLAP_USER', 'OWB$CLIENT', 'OWBSYS', 'OWBSYS_AUDIT', 'RECOVERY_CATALOG_OWNER', 'RESOURCE', 'SCHEDULER_ADMIN', 'SPATIAL_CSW_ADMIN_USR', 'SPATIAL_WFS_ADMIN_USR') order by 1;
Change to STIG Rule: Added Default Users/Roles.
Name: DBMS login accounts require passwords to meet complexity requirements.
Collection Query:
select profile||': '||limit
from dba_profiles,
(select limit as def_pwd_verify_func
from dba_profiles
where resource_name='PASSWORD_VERIFY_FUNCTION'
and profile='DEFAULT')
where resource_name='PASSWORD_VERIFY_FUNCTION'
and replace(limit, 'DEFAULT', def_pwd_verify_func) in
('UNLIMITED', 'NULL')
Change to STIG Rule: Incorrect query. Replaced NULL with string 'NULL'.
Name: Custom and GOTS application source code stored in the database should be protected with encryption or encoding.
Collection Query:
(select 'Application source code of '||owner||'.'||name||' is not encrypted.'
from dba_source
where line=1 and owner not in('SYS', 'CTXSYS', 'MDSYS', 'ODM', 'OE', 'OLAPSYS', 'ORDPLUGINS',
'ORDSYS', 'OUTLN', 'PM', 'QS_ADM', 'RMAN', 'SYSTEM', 'WKSYS',
'WMSYS', 'XDB', 'APEX_030200', 'SYSMAN', 'ORACLE_OCM', 'DBSNMP', 'EXFSYS' )
and owner not like 'OEM%'
and text not like '%wrapped%'
and type in ('PROCEDURE', 'FUNCTION', 'PACKAGE BODY'))
Change to STIG Rule: Added default users.
Name: Database privileged role assignments should be restricted to IAO-authorized DBMS accounts.
Collection Query:
select 'Privileged role '||granted_role||' is assigned to user '||grantee details
from dba_role_privs
where grantee not in
('ANONYMOUS','AURORA$JIS$UTILITY$',
'AURORA$ORB$UNAUTHENTICATED','CTXSYS','DBSNMP','DIP',
'DMSYS','DVF','DVSYS','EXFSYS','LBACSYS','MDDATA','MDSYS',
'MGMT_VIEW','ODM','ODM_MTR','OLAPSYS','ORDPLUGINS','ORDSYS',
'OSE$HTTP$ADMIN','OUTLN','PERFSTAT','REPADMIN','RMAN',
'SI_INFORMTN_SCHEMA','SYS','SYSMAN','SYSTEM','TRACESVR',
'TSMSYS','WK_TEST','WKPROXY','WKSYS','WKUSER','WMSYS','XDB', 'OEM_MONITOR')
and grantee not in
('DBA', 'OLAP_USER', 'IP', 'ORASSO_PUBLIC',
'PORTAL_PUBLIC', 'DATAPUMP_EXP_FULL_DATABASE',
'DATAPUMP_IMP_FULL_DATABASE', 'EXP_FULL_DATABASE',
'IMP_FULL_DATABASE', 'OLAP_DBA', 'EXECUTE_CATALOG_ROLE',
'SELECT_CATALOG_ROLE', 'JAVASYSPRIV')
and grantee not in
(select grantee from dba_role_privs where granted_role = 'DBA')
and grantee not in (select distinct owner from dba_objects)
and granted_role in
('AQ_ADMINISTRATOR_ROLE','AQ_USER_ROLE',
'CTXAPP',
'DELETE_CATALOG_ROLE','EJBCLIENT','EXECUTE_CATALOG_ROLE',
'EXP_FULL_DATABASE','GATHER_SYSTEM_STATISTICS',
'GLOBAL_AQ_USER_ROLE','HS_ADMIN_ROLE', 'IMP_FULL
DATABASE','JAVADEBUGPRIV','JAVAIDPRIV',
'JAVASYSPRIV','JAVAUSERPRIV','JAVA_ADMIN','JAVA_DEPLOY',
'LOGSTDBY_ADMINISTRATOR','OEM_MONITOR','OLAP_DBA',
'RECOVERY_CATALOG_OWNER',
'SALES_HISTORY_ROLE','SELECT_CATALOG_ROLE','WKUSER',
'WM_ADMIN_ROLE','XDBADMIN')
and granted_role not in ('CONNECT', 'RESOURCE', 'AUTHENTICATEDUSER')
order by 1;
Change to STIG Rule: Added default users.
Name: Administrative privileges should be assigned to database accounts via database roles.
Collection Query:
select 'Grantee '||grantee||' is directly granted '||privilege||' privilege. The privilege should be granted via a role.' from dba_sys_privs where grantee not in ('SYS', 'SYSTEM', 'SYSMAN', 'CTXSYS', 'MDSYS', 'WKSYS', 'ANONYMOUS', 'APEX_030200', 'APEX_PUBLIC_USER', 'FLOWS_FILES', 'OUTLN', 'DIP', 'APPQOSSYS', 'WMSYS', 'OLAPSYS', 'ORACLE_OCM', 'OWBSYS_AUDIT', 'DBSNMP', 'XDB', 'EXFSYS', 'SPATIAL_WFS_ADMIN_USR', 'SPATIAL_CSW_ADMIN_USR', 'OWBSYS', 'OWBSYS_AUDIT') and grantee not in (select distinct granted_role from dba_role_privs) and privilege <> 'UNLIMITED TABLESPACE' order by 1
Change to STIG Rule: Added Default Users.
Name: DBMS application users should not be granted administrative privileges to the DBMS.
Collection Query:
select 'Application user '||grantee||' has administrative privilege '||privilege||' on '||owner||'.'|| table_name from dba_tab_privs where privilege in ('ALTER', 'REFERENCES', 'INDEX') and grantee not in ('DBA', 'SYS', 'SYSTEM', 'LBACSYS', 'XDBADMIN', 'ANONYMOUS', 'APEX_PUBLIC_USER', 'CSW_USR_ROLE', 'WFS_USR_ROLE', 'SPATIAL_WFS_ADMIN', 'SPATIAL_WFS_ADMIN_USR', 'SPATIAL_CSW_ADMIN', 'SPATIAL_CSW_ADMIN_USR') and table_name not in ('SDO_IDX_TAB_SEQUENCE', 'XDB$ACL', 'XDB_ADMIN') and grantee not in (select grantee from dba_role_privs where granted_role = 'DBA') and grantee not in (select distinct owner from dba_objects) order by 1
Change to STIG Rule: Added default users.
Name: Application users privileges should be restricted to assignment using application user roles.
Collection Query:
select 'User '||grantee||' has direct privilege '||privilege||' on the table '||owner||'.'||table_name||'. The privilege should be granted via a role.' from dba_tab_privs where grantee not in (select role from dba_roles) and grantee not in ('APEX_PUBLIC_USER', 'AURORA$JIS$UTILITY$', 'CTXSYS', 'DBSNMP', 'EXFSYS', 'FLOWS_030000', 'FLOWS_FILES', 'LBACSYS', 'MDSYS', 'MGMT_VIEW', 'ODM', 'OLAPSYS', 'ORACLE_OCM', 'ORDPLUGINS', 'ORDSYS', 'OSE$HTTP$ADMIN', 'OUTLN', 'OWBSYS', 'PERFSTAT', 'PUBLIC', 'REPADMIN', 'SYS', 'SYSMAN', 'SYSTEM', 'WKSYS', 'WMSYS', 'XDB', 'ANONYMOUS', 'APEX_030200', 'APEX_PUBLIC_USER', 'APPQOSSYS', 'CSW_USR_ROLE', 'WFS_USR_ROLE', 'SPATIAL_WFS_ADMIN', 'SPATIAL_WFS_ADMIN_USR', 'SPATIAL_CSW_ADMIN', 'SPATIAL_CSW_ADMIN_USR') and table_name<>'DBMS_REPCAT_INTERNAL_PACKAGE' and table_name not like '%RP' and grantee not in (select grantee from dba_tab_privs where table_name in ('DBMS_DEFER', 'DEFLOB'))
Change to STIG Rule: Added default users.
Name: Access to DBMS system tables and other configuration or metadata should be restricted to DBAs.
Collection Query:
select 'Application user '|| grantee||' is granted '||privilege||' on system table '|| owner||'.'|| table_name from dba_tab_privs where (owner='SYS' or table_name like 'DBA_%') and privilege <> 'EXECUTE' and grantee not in ('PUBLIC', 'AQ_ADMINISTRATOR_ROLE', 'AQ_USER_ROLE', 'AURORA$JIS$UTILITY$', 'OSE$HTTP$ADMIN', 'TRACESVR', 'CTXSYS', 'DBA', 'DELETE_CATALOG_ROLE', 'EXECUTE_CATALOG_ROLE', 'EXP_FULL_DATABASE', 'GATHER_SYSTEM_STATISTICS', 'HS_ADMIN_ROLE', 'IMP_FULL_DATABASE', 'LOGSTDBY_ADMINISTRATOR', 'MDSYS', 'ODM', 'OEM_MONITOR', 'OLAPSYS', 'ORDSYS', 'OUTLN', 'RECOVERY_CATALOG_OWNER', 'SELECT_CATALOG_ROLE', 'SNMPAGENT', 'SYSTEM', 'WKSYS', 'WKUSER', 'WMSYS', 'WM_ADMIN_ROLE', 'XDB', 'LBACSYS', 'PERFSTAT', 'XDBADMIN', 'ADM_PARALLEL_EXECUTE_TASK', 'APEX_030200', 'APPQOSSYS', 'DBFS_ROLE', 'EXFSYS', 'HS_ADMIN_SELECT_ROLE', 'OLAP_XS_ADMIN', 'ORACLE_OCM', 'OWB$CLIENT', 'OWBSYS', 'SYSMAN') and grantee not in (select grantee from dba_role_privs where granted_role='DBA') order by 1
Change to STIG Rule: Added default users.
Name: Only authorized system accounts should have the SYSTEM tablespace specified as the default tablespace.
Collection Query:
(select 'User '||username||' is using SYSTEM as temporary or default tablespace.' from dba_users
where (default_tablespace = 'SYSTEM' or temporary_tablespace = 'SYSTEM')
and username not in
('AURORA$JIS$UTILITY$','AURORA$ORB$UNAUTHENTICATED',
'DBSNMP','MDSYS','ORDPLUGINS','ORDSYS','OSE$HTTP$ADMIN',
'OUTLN','REPADMIN','SYS','SYSTEM','TRACESVR','MTSSYS','DIP', 'MGMT_VIEW'))
Change to STIG Rule: Added default users.
Name: Application owner accounts should have a dedicated application tablespace.
Collection Query:
select distinct tablespace_name||' tablespace used by '||owner||' is not a dedicated tablespace.' from ( select distinct owner, tablespace_name from dba_tables where owner not in ('SYS','SYSTEM','OUTLN','OLAPSYS','CTXSYS','WKSYS','ODM','ODM_MTR' 'MDSYS','ORDSYS','WMSYS','RMAN','XDB', 'APEX_030200', 'APPQOSSYS', 'DBSNMP', 'EXFSYS', 'FLOWS_FILES', 'ORDDATA', 'OWBSYS', 'SYSMAN', 'SCOTT') and tablespace_name is not NULL and (owner, table_name) not in (select owner, table_name from dba_external_tables) order by 1)
Change to STIG Rule: Added default users.
Name: Fixed user and public database links should be authorized for use.
Collection Query:
select 'Fixed user database link '||db_link||' found for '||owner value from dba_db_links where db_link not in (select master from sys.dba_repcatlog)
Comment: Combined the rule queries to return db_link as violations only if dba_repcatalog has records
Name: A minimum of two Oracle redo log groups/files should be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device.
Collection Query:
select 'redo_logs_count', log_count from (select count(*) log_count from V$LOG where members > 1) where log_count < 2
Comment: Used the more strict query to get the violation. Need to manually check if a RAID device is used.
Name: Oracle application administration roles should be disabled if not required and authorized.
Collection Query:
select 'Oracle Administration role '||granted_role||' granted to '||grantee||'.'
from dba_role_privs
where default_role='YES'
and granted_role in
(select grantee from dba_sys_privs where upper(privilege) like '%USER%')
and grantee not in
('DBA', 'SYS', 'SYSTEM', 'CTXSYS', 'DBA', 'IMP_FULL_DATABASE', 'DATAPUMP_IMP_FULL_DATABASE','MDSYS', 'SYS', 'WKSYS')
and grantee not in (select distinct owner from dba_tables)
and grantee not in
(select distinct username from dba_users where upper(account_status) like
'%LOCKED%')
Change to STIG Rule: Added default users.
Name: Oracle system privileges should not be directly assigned to unauthorized accounts.
Collection Query:
select 'User/Role '||grantee||' granted system privilege '||PRIVILEGE from dba_sys_privs
where privilege<>'CREATE SESSION' and grantee not in
('PUBLIC', 'AQ_ADMINISTRATOR_ROLE', 'AQ_USER_ROLE', 'CTXSYS',
'DBA', 'DELETE_CATALOG_ROLE', 'EXECUTE_CATALOG_ROLE',
'EXP_FULL_DATABASE', 'GATHER_SYSTEM_STATISTICS',
'HS_ADMIN_ROLE', 'IMP_FULL_DATABASE',
'LOGSTDBY_ADMINISTRATOR', 'MDSYS', 'ODM', 'OEM_MONITOR',
'OLAPSYS', 'ORDSYS', 'OUTLN', 'MTSSYS',
'RECOVERY_CATALOG_OWNER', 'SELECT_CATALOG_ROLE',
'SNMPAGENT', 'SYSTEM', 'WKSYS', 'WKUSER', 'WMSYS',
'WM_ADMIN_ROLE', 'XDB', 'ANONYMOUS', 'CONNECT', 'DBSNMP',
'JAVADEBUGPRIV', 'ODM_MTR', 'OLAP_DBA', 'ORDPLUGINS',
'RESOURCE', 'RMAN', 'SYS', 'WKPROXY', 'AURORA$JIS$UTILITY$',
'AURORA$ORB$UNAUTHENTICATED', 'OSE$HTTP$ADMIN',
'TIMESERIES_DBA', 'TIMESERIES_DEVELOPER', 'OLAP_USER', 'DATAPUMP_EXP_FULL_DATABASE',
'DATAPUMP_IMP_FULL_DATABASE', 'OEM_ADVISOR', 'OWB$CLIENT', 'SCHEDULER_ADMIN', 'SYSMAN')
and grantee not in
(select grantee from dba_role_privs where granted_role='DBA')
and grantee not in
(select username from dba_users where upper(account_status) like
'%LOCKED%') order by 1
Change to STIG Rule: Added default users and roles.
Name: The IDLE_TIME profile parameter should be set for Oracle profiles IAW DoD policy.
Collection Query:
select 'IDLE_TIME set to '||limit||' for profile '||profile||'.' from ( select profile, limit from DBA_PROFILES where profile = 'DEFAULT' and resource_name = 'IDLE_TIME') where TO_NUMBER(DECODE (limit, 'UNLIMITED', 1000, limit)) > 15 UNION select profile, limit from ( select profile, limit from DBA_PROFILES where profile <> 'DEFAULT' and resource_name = 'IDLE_TIME') where TO_NUMBER(DECODE (limit, 'UNLIMITED', 1000, 'DEFAULT', (SELECT DECODE(limit, 'UNLIMITED', 1000, limit) from DBA_PROFILES where resource_name='IDLE_TIME' and profile='DEFAULT'), limit)) > 60
Comment: Combined the queries. De-referenced the DEFAULT value for the limit.
Name: System privileges granted using the WITH ADMIN OPTION should not be granted to unauthorized user accounts.
Collection Query:
select 'User '||grantee||' granted '||privilege||' privilege WITH ADMIN OPTION.'
from dba_sys_privs
where grantee not in
('SYS', 'SYSTEM', 'AQ_ADMINISTRATOR_ROLE', 'DBA',
'MDSYS', 'LBACSYS', 'SCHEDULER_ADMIN',
'WMSYS', 'APEX_030200', 'OWBSYS')
and admin_option = 'YES'
and grantee not in
(select grantee from dba_role_privs where granted_role = 'DBA') order by 1
Change to STIG Rule: Added default users and roles.
Name: Object permissions granted to PUBLIC should be restricted.
Collection Query:
select privilege||' on '||owner ||'.'|| table_name ||' is granted to PUBLIC.' from dba_tab_privs
where grantee = 'PUBLIC'
and owner not in
('SYS', 'CTXSYS', 'MDSYS', 'ODM', 'OLAPSYS', 'MTSSYS',
'ORDPLUGINS', 'ORDSYS', 'SYSTEM', 'WKSYS', 'WMSYS',
'XDB', 'LBACSYS', 'PERFSTAT', 'SYSMAN', 'DMSYS',
'EXFSYS','APEX_030200', 'DBSNMP', 'ORDDATA')
Change to STIG Rule: Added default users and roles.
Oracle provides scripts for the following STIG installation checks.
Name: Access to DBMS software files and directories should not be granted to unauthorized users.
Comment: Script provided by Oracle
Name: Database software directories including DBMS configuration files are stored in dedicated directories separate from the host OS and other applications.
Comment: Script provided by Oracle
Name: Application software should be owned by a Software Application account.
Comment: Script provided by Oracle
Name: DBMS processes or services should run under custom, dedicated OS accounts.
Comment: Script provided by Oracle
Name: DBMS network communications should comply with PPS usage restrictions.
Comment: Script provided by Oracle
Name: The DBMS warning banner should meet Department of Defense (DoD) policy requirements.
Comment: Script provided by Oracle
Name: The Oracle software installation account should not be granted excessive host system privileges.
Comment: Script provided by Oracle
Name: OS DBA group membership should be restricted to authorized accounts.
Comment: Script provided by Oracle
Name: The Oracle INBOUND_CONNECT_TIMEOUT and SQLNET.INBOUND_CONNECT_TIMEOUT parameters should be set to a value greater than 0.
Comment: Script provided by Oracle
Name: The Oracle SQLNET.EXPIRE_TIME parameter should be set to a value greater than 0.
Comment: Script provided by Oracle
Name: The Oracle Listener ADMIN_RESTRICTIONS parameter if present should be set to ON.
Comment: Script provided by Oracle