DG0085-ORACLE11 - The DBA role should not be assigned excessive or unauthorized privileges.

Information

Oracle SYSDBA privileges include privileges to administer the database outside of database controls (when the database is shut down or open in restricted mode) in addition to all privileges controlled under database operation. Assignment of SYSDBA privileges in the Oracle password file to unauthorized persons can compromise all DBMS activities.

Solution

If a REMOTE_LOGIN_PASSWORDFILE is in use (='EXCLUSIVE'), list database accounts assigned SYSDBA and SYSOPER database privileges and review for appropriate authorization.

Document authorized SYSDBA and SYSOPER users in the System Security Plan.

From SQL*Plus:
select * from v$pwfile_users;

To revoke SYSDBA or SYSOPER from accounts:

From SQL*Plus:
revoke sysdba from [username];
revoke sysoper from [username];

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_11g_Y21M10_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CAT|II, Rule-ID|SV-24673r2_rule, STIG-ID|DG0085-ORACLE11, Vuln-ID|V-15615

Plugin: OracleDB

Control ID: 85e0a1a02406cdc536fbcbd3f110e431033d0eb20facc2fe11f22500449fb215