O121-BP-024000 - Application object owner accounts must be disabled when not performing installation or maintenance actions.

Information

Object ownership provides all database object permissions to the owned object. Access to the application object owner accounts requires special protection to prevent unauthorized access and use of the object ownership privileges. In addition to the high privileges to application objects assigned to this account, it is also an account that, by definition, is not accessed interactively except for application installation and maintenance. This reduced access to the account means that unauthorized access to the account could go undetected. To help protect the account, it must be enabled only when access is required.

Solution

Disable any application object owner accounts.

From SQL*Plus:
alter user [username] account lock;

Enable application object owner accounts only for installation and maintenance.

DBAs are special purpose accounts and do not require disabling although they may own objects.

For application objects that require routine maintenance, e.g. index objects, to maintain performance, consider allowing a special purpose account to own the index or enable the application owner account for the duration of the routine maintenance function only.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_12c_V3R1_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-219851r961863_rule, STIG-ID|O121-BP-024000, STIG-Legacy|SV-75957, STIG-Legacy|V-61467, Vuln-ID|V-219851

Plugin: OracleDB

Control ID: 929998d02d9b6b57c7e84554c71baeae366157797f9b51c11644294c044da5e3