5.3.1 Ensure 'SELECT_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE'

Information

The Oracle database SELECT_CATALOG_ROLE provides SELECT privileges on all data dictionary views held in the SYS schema. Unauthorized grantees should not have that role.

Rationale:

Permitting unauthorized access to the SELECT_CATALOG_ROLE can allow the disclosure of all dictionary data.

Solution

To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.

REVOKE SELECT_CATALOG_ROLE FROM <grantee>;

See Also

https://workbench.cisecurity.org/benchmarks/13413