5.1.3.3 Ensure 'ALL' Is Revoked on 'Sensitive' Tables

Information

The Oracle database tables listed below may contain sensitive information, and should not be accessible to unauthorized users.

USER$, USER_HISTORY$, XS$VERIFIERS and DEFAULT_PWD$ may contain password hashes.

CDB_LOCAL_ADMINAUTH$ and PDB_SYNC$ may contain DDLs.

LINK$ and SCHEDULER$_CREDENTIAL may contain encrypted passwords.

ENC$ may contain encryption keys.

HISTGRM$ and HIST_HEAD$ may contain sensitive data.

Rationale:

Access to sensitive information such as hashed passwords may allow unauthorized users to decrypt the password hashes, which could potentially result in complete compromise of the database.

Solution

Execute the applicable SQL statements listed below to remediate, replacing <grantee> with each user or role that holds privileges on the table:

REVOKE ALL ON SYS.CDB_LOCAL_ADMINAUTH$ FROM <grantee>;
REVOKE ALL ON SYS.DEFAULT_PWD$ FROM <grantee>;
REVOKE ALL ON SYS.ENC$ FROM <grantee>;
REVOKE ALL ON SYS.HISTGRM$ FROM <grantee>;
REVOKE ALL ON SYS.HIST_HEAD$ FROM <grantee>;
REVOKE ALL ON SYS.LINK$ FROM <grantee>;
REVOKE ALL ON SYS.PDB_SYNC$ FROM <grantee>;
REVOKE ALL ON SYS.SCHEDULER$_CREDENTIAL FROM <grantee>;
REVOKE ALL ON SYS.USER$ FROM <grantee>;
REVOKE ALL ON SYS.USER_HISTORY$ FROM <grantee>;
REVOKE ALL ON SYS.XS$VERIFIERS FROM <grantee>;
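The benchmark text leaves it to the administrator to discover which grantees currently hold privileges on these tables. The following Oracle SQL is an added example, not part of the CIS benchmark page: the first query audits DBA_TAB_PRIVS for any grant on the eleven SYS tables named above (any row returned is a finding), and the second generates the corresponding REVOKE ALL statements so that <grantee> does not have to be filled in by hand. It assumes the standard DBA_TAB_PRIVS dictionary view (GRANTEE, OWNER, TABLE_NAME, PRIVILEGE, GRANTABLE columns) and a DBA session in the container being assessed.

```sql
-- Added example (not from the CIS benchmark): audit and remediation helper
-- for grants on the sensitive SYS tables listed in control 5.1.3.3.
-- Run as a DBA (e.g. SYS) in the container being assessed.
-- Assumes the standard DBA_TAB_PRIVS view. In a multitenant CDB, substitute
-- CDB_TAB_PRIVS and add CON_ID to the select list to see every container.

-- 1. Audit: any row returned means a grantee still has access to a
--    sensitive table and the control is not met.
SELECT grantee,
       owner,
       table_name,
       privilege,
       grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name IN ('CDB_LOCAL_ADMINAUTH$', 'DEFAULT_PWD$', 'ENC$',
                      'HISTGRM$', 'HIST_HEAD$', 'LINK$', 'PDB_SYNC$',
                      'SCHEDULER$_CREDENTIAL', 'USER$', 'USER_HISTORY$',
                      'XS$VERIFIERS')
 ORDER BY table_name, grantee, privilege;

-- 2. Remediation helper: emit one REVOKE ALL per (table, grantee) pair,
--    matching the statements in the Solution section. Review the generated
--    output before executing it, since the benchmark asks only for the
--    "applicable" revokes; then run the accepted statements and re-run
--    query 1, which should now return no rows.
SELECT DISTINCT 'REVOKE ALL ON SYS.' || table_name
       || ' FROM ' || grantee || ';' AS revoke_stmt
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name IN ('CDB_LOCAL_ADMINAUTH$', 'DEFAULT_PWD$', 'ENC$',
                      'HISTGRM$', 'HIST_HEAD$', 'LINK$', 'PDB_SYNC$',
                      'SCHEDULER$_CREDENTIAL', 'USER$', 'USER_HISTORY$',
                      'XS$VERIFIERS')
 ORDER BY 1;
```

Because the second query is driven by the same table list as the audit, a grant that survives remediation shows up again in query 1 on the next run, which makes the pair usable as a repeatable compliance check rather than a one-off fix.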

See Also

https://workbench.cisecurity.org/files/2741