5.1.3.2 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'DBA_%'

Information

The Oracle database DBA_ views show all information which is relevant to administrative accounts. Unauthorized grantees should not have full access to those views.

Permitting users the authorization to manipulate the DBA_ views can expose sensitive data.

Solution

Replace

<Non-DBA/SYS grantee>

in the query below, with the Oracle login(s) or role(s) returned from the associated audit procedure and execute, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke:

REVOKE ALL ON <DBA_%> FROM <Non-DBA/SYS grantee>;

See Also

https://workbench.cisecurity.org/benchmarks/11760

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: OracleDB

Control ID: 5a716e0af377a7a897e0db42c4202039d6a46732f029580b9ab935fdcb6e4dfc