5.2.16 Ensure 'GRANT ANY PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE'

Information

The Oracle database GRANT ANY PRIVILEGE keyword provides the grantee the capability to grant any single privilege to any item in the catalog of the database. Unauthorized grantees should not have that privilege.

The GRANT ANY PRIVILEGE capability can allow an unauthorized user to potentially access or change confidential data or damage the data catalog due to potential complete instance access.

Solution

To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.

REVOKE GRANT ANY PRIVILEGE FROM <grantee>;

See Also

https://workbench.cisecurity.org/benchmarks/11760

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: OracleDB

Control ID: 60b1054df92f4eb979ffbff0bd9af3a0f87c57dc49433d2c8f1d41a917e95d86