Oracle roles granted using the WITH ADMIN OPTION must not be granted to unauthorized accounts.

An XCCDF Rule

Description

<VulnDiscussion>The WITH ADMIN OPTION allows the grantee to grant a role to another database account. Best security practice restricts the privilege of assigning privileges to authorized personnel. Authorized personnel include DBAs, object owners, and, where designed and included in the application's functions, application administrators. Restricting privilege-granting functions to authorized accounts can help decrease mismanagement of privileges and wrongful assignments to unauthorized accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-219836r961863_rule
Severity: Medium
References: CCI-000366
Updated: 17 days ago

Revoke assignment of roles with the WITH ADMIN OPTION from unauthorized grantees and re-grant them without the option if required.

SQL statements to remove the admin option from an unauthorized grantee:
  revoke <role name> from <grantee>;
  grant <role name> to <grantee>;
Restrict use of the WITH ADMIN OPTION to authorized administrators.

Document authorized role assignments with the WITH ADMIN OPTION in the System Security Plan.

Oracle roles granted using the WITH ADMIN OPTION must not be granted to unauthorized accounts.

Description

Remediation - Manual Procedure