O121-BP-022300 - System privileges granted using the WITH ADMIN OPTION must not be granted to unauthorized user accounts.

Information

The WITH ADMIN OPTION allows the grantee to grant a privilege to another database account. Best security practice restricts the privilege of assigning privileges to authorized personnel. Authorized personnel include DBAs, object owners, and, where designed and included in the application's functions, application administrators. Restricting privilege-granting functions to authorized accounts can help decrease mismanagement of privileges and wrongful assignments to unauthorized accounts.

Solution

Revoke assignment of privileges with the WITH ADMIN OPTION from unauthorized users and re-grant them without the option.

From SQL*Plus:

revoke [privilege name] from user [username];

Replace [privilege name] with the named privilege and [username] with the named user.

Restrict use of the WITH ADMIN OPTION to authorized administrators.

Document authorized privilege assignments with the WITH ADMIN OPTION in the System Security Plan.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_12c_V3R1_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-219834r961863_rule, STIG-ID|O121-BP-022300, STIG-Legacy|SV-75923, STIG-Legacy|V-61433, Vuln-ID|V-219834

Plugin: OracleDB

Control ID: 58831e3dcc8e5d1cf1ee3df04ece943ed83d107311ea2af111fca1c132d1fcad