5.2.5 Ensure 'SELECT ANY DICTIONARY' Is Revoked from Unauthorized 'GRANTEE'

Information

The Oracle database SELECT ANY DICTIONARY privilege allows the designated user to access SYS schema objects. Unauthorized grantees should not have that privilege.

SELECT ANY DICTIONARY is a powerful system privilege which would allow an unauthorized user to gather information about the database through data dictionary objects. Information collected could potentially be used to exploit the database.

Solution

To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.

REVOKE SELECT ANY DICTIONARY FROM <grantee>;

See Also

https://workbench.cisecurity.org/benchmarks/11760

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: OracleDB

Control ID: 1f280e25cae0b9f7f1abe43f5a376d4a8d70388f467ecce3e52cb91fcf643020