2.2.4 Ensure 'O7_DICTIONARY_ACCESSIBILITY' Is Set to 'FALSE'

Information

The O7_dictionary_accessibility setting is a database initialization parameter that allows/disallows access to objects with the ANY privileges (SELECT ANY TABLE, DELETE ANY TABLE, EXECUTE ANY PROCEDURE, etc.). This functionality was created for the ease of migration from Oracle 7 databases to later versions. The setting should have a value of FALSE.

Note: The O7_dictionary_accessibility parameter has been deprecated in 12.2 and higher versions.

Rationale:

Leaving the SYS schema so open to connection could permit unauthorized access to critical data structures.

Solution

To remediate this setting, execute the following SQL statement.

ALTER SYSTEM SET O7_DICTIONARY_ACCESSIBILITY=FALSE SCOPE = SPFILE;

References:

http://docs.oracle.com/database/121/REFRN/GUID-1D1A88F1-B603-48FF-BD30-E6099DB1A1ED.htm#REFRN10133

Notes:

The value for this is 'O(oh)7' not '0(Zero)7' for O7. Also, for 'Oracle Applications' up to version 11.5.9, this setting is reversed; the O7_dictionary_accessibility=TRUE value is required for correct operations.

See Also

https://workbench.cisecurity.org/files/2741

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4, CSCv6|9.1, CSCv7|9.2

Plugin: OracleDB

Control ID: ed5a089dbb73b980c92676b269141f9341d022d843d79115c86ec1c9bd3c2cac