O121-BP-022900 - Oracle application administration roles must be disabled if not required and authorized.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Application administration roles, which are assigned system or elevated application object privileges, must be protected from default activation. Application administration roles are determined by system privilege assignment (create / alter / drop user) and application user role ADMIN OPTION privileges.

Solution

For each role assignment returned, issue:

From SQL*Plus:

alter user [username] default role all except [role];

If the user has more than one application administration role assigned, then remove assigned roles from default assignment and assign individually the appropriate default roles.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_12c_V2R9_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000366, Rule-ID|SV-219840r879887_rule, STIG-ID|O121-BP-022900, STIG-Legacy|SV-75935, STIG-Legacy|V-61445, Vuln-ID|V-219840

Plugin: OracleDB

Control ID: 6d3f4c33bbc9148d0d146730f0eabdf012fa5b5b01a8aab1ed3881184d1dc4b7