DISA STIG Requirement on Oracle Provided Accounts

Question and Answer

Connor McDonald

Thanks for the question, Demitry.

Asked: June 23, 2020 - 1:21 pm UTC

Last updated: June 26, 2020 - 4:20 am UTC

Version: 12.2.0

Viewed 1000+ times

You Asked

Hi Tom,
First time participating in asking a question. I have used and love your portal for information regarding any Oracle topic(s), next to Oracle's knowledge base. Currently I am working on ensuring my Oracle databases are in compliance with DISA STIG requirements. To implement the April 2020 Release 17 publication of the STIG, I have a few questions I need your expert advice on:

1) From the Oracle provided schemas (shown in the query results below), which ones can I safely remove/drop without affecting my oracle instance and database operation?

SQL> --query to identify other schemas owning installed component
SQL> set lines 200 pages 500
SQL> col SCHEMA for a25
SQL> col COMP_NAME for a35
SQL> col VERSION for a25
SQL> col STATUS for a15
SQL> col OTHER_SCHEMAS for a35
SQL> SELECT OTHER_SCHEMAS,COMP_NAME,VERSION,STATUS FROM DBA_REGISTRY;

OTHER_SCHEMAS                       COMP_NAME                           VERSION                   STATUS
----------------------------------- ----------------------------------- ------------------------- ---------------
                                    Oracle Database Catalog Views       12.2.0.1.0                VALID
APPQOSSYS,AUDSYS,DBSFWUSER,DBSNMP,D Oracle Database Packages and Types  12.2.0.1.0                VALID
IP,GGSYS,GSMADMIN_INTERNAL,GSMCATUS
ER,GSMUSER,ORACLE_OCM,OUTLN,REMOTE_
SCHEDULER_AGENT,SYS$UMF,SYSBACKUP,S
YSDG,SYSKM,SYSRAC,SYSTEM

OJVMSYS                             JServer JAVA Virtual Machine        12.2.0.1.0                VALID
                                    Oracle XDK                          12.2.0.1.0                VALID
                                    Oracle Database Java Packages       12.2.0.1.0                VALID
                                    OLAP Analytic Workspace             12.2.0.1.0                VALID
                                    Oracle Real Application Clusters    12.2.0.1.0                VALID
ANONYMOUS,XS$NULL                   Oracle XML Database                 12.2.0.1.0                VALID
                                    Oracle Workspace Manager            12.2.0.1.0                VALID
                                    Oracle Text                         12.2.0.1.0                VALID
ORDDATA,ORDPLUGINS,SI_INFORMTN_SCHE Oracle Multimedia                   12.2.0.1.0                VALID
MA

MDDATA,MDSYS,SPATIAL_CSW_ADMIN_USR  Spatial                             12.2.0.1.0                VALID
                                    Oracle OLAP API                     12.2.0.1.0                VALID
                                    Oracle Label Security               12.2.0.1.0                VALID
APEX_INSTANCE_ADMIN_USER,APEX_PUBLI Oracle Application Express          19.1.0.00.15              VALID
C_USER,FLOWS_FILES

DVF                                 Oracle Database Vault               12.2.0.1.0                VALID

16 rows selected.


SQL> --query to identify schemas owning installed component
SQL> set lines 200 pages 500
SQL> col SCHEMA for a25
SQL> col COMP_NAME for a35
SQL> col VERSION for a25
SQL> col STATUS for a15
SQL> col OTHER_SCHEMAS for a35
SQL> SELECT SCHEMA,COMP_NAME,VERSION,STATUS FROM DBA_REGISTRY;

SCHEMA                    COMP_NAME                           VERSION                   STATUS
------------------------- ----------------------------------- ------------------------- ---------------
SYS                       Oracle Database Catalog Views       12.2.0.1.0                VALID
SYS                       Oracle Database Packages and Types  12.2.0.1.0                VALID
SYS                       JServer JAVA Virtual Machine        12.2.0.1.0                VALID
SYS                       Oracle XDK                          12.2.0.1.0                VALID
SYS                       Oracle Database Java Packages       12.2.0.1.0                VALID
SYS                       OLAP Analytic Workspace             12.2.0.1.0                VALID
SYS                       Oracle Real Application Clusters    12.2.0.1.0                VALID
XDB                       Oracle XML Database                 12.2.0.1.0                VALID
MDSYS                     Spatial                             12.2.0.1.0                VALID
WMSYS                     Oracle Workspace Manager            12.2.0.1.0                VALID
CTXSYS                    Oracle Text                         12.2.0.1.0                VALID
ORDSYS                    Oracle Multimedia                   12.2.0.1.0                VALID
DVSYS                     Oracle Database Vault               12.2.0.1.0                VALID
OLAPSYS                   Oracle OLAP API                     12.2.0.1.0                VALID
LBACSYS                   Oracle Label Security               12.2.0.1.0                VALID
APEX_190100               Oracle Application Express          19.1.0.00.15              VALID

16 rows selected.


2) Do you recommend setting the SYSTEM schema to expired? Why or why not?

3) Is setting the valid node checking parameter in the $ORACLE_HOME/network/admin/sqlnet.ora file required in 12cR2 and later versions as a security measure?

tcp.validnode_checking = yes
tcp.invited_nodes = (x.x.x.x | name, x.x.x.x | name)
tcp.excluded_nodes=( x.x.x.x | name, x.x.x.x | name)

4) Is the rate limit parameter still required in 12cR2 to prevent denial of service (DOS) attacks?

CONNECTION_RATE_LISTENER=10

LISTENER=
(ADDRESS_LIST=
(ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521)(RATE_LIMIT=yes))
(ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1522)(RATE_LIMIT=yes))
(ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1526))
)
LISTENER=
(ADDRESS_LIST=
(ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521)(RATE_LIMIT=8))
(ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1522)(RATE_LIMIT=12))
(ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1526))
)

Thanks.
V/R

and Connor said...

1) That totally depends on what features and facilities you are using. But you don't just "drop" schemas. Each facility will typically have a removal script that you need to run. Mike Dietrich did a nice series of posts about this here

https://mikedietrichde.com/2017/07/26/remove-clean-components-oracle-11-2-12-2/

2) Any privileged account which you do not need on a regular basis should be reviewed and locked.

3) Yes

4) Yes, but typically this is more about login storms, because you would hope you have DoS prevention much higher in the stack than your database.
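
An added example, not part of the original thread and not Oracle's own tooling, for questions 3 and 4: a small Python check over sqlnet.ora and listener.ora text that reports whether valid node checking has an allow-list and which TCP endpoints carry a rate limit. The sample files, host names and addresses are constructed placeholders, and the check assumes one listener per listener.ora.

```python
import re

# Constructed samples: hosts and addresses are placeholders, not values from the page.
SQLNET_ORA = """
tcp.validnode_checking = yes
tcp.invited_nodes = (192.0.2.10, appsrv01.example.test)
tcp.excluded_nodes = (192.0.2.99)
"""
LISTENER_ORA = """
CONNECTION_RATE_LISTENER=10
LISTENER=
 (ADDRESS_LIST=
  (ADDRESS=(PROTOCOL=tcp)(HOST=db01.example.test)(PORT=1521)(RATE_LIMIT=yes))
  (ADDRESS=(PROTOCOL=tcp)(HOST=db01.example.test)(PORT=1522)(RATE_LIMIT=12))
  (ADDRESS=(PROTOCOL=tcp)(HOST=db01.example.test)(PORT=1526))
 )
"""

def params(text):  # top-level NAME=VALUE lines, '#' comments stripped, names lower-cased
    text = re.sub(r"#.*", "", text)
    pairs = re.findall(r"^([\w.$]+)[ \t]*=[ \t]*(.*)$", text, re.M)
    return {name.lower(): value.strip() for name, value in pairs}

def audit_sqlnet(text):  # findings for the valid node checking settings
    p, out = params(text), []
    if p.get("tcp.validnode_checking", "").lower() != "yes":
        out.append("tcp.validnode_checking is not yes: node lists are not enforced")
    invited = [n for n in re.split(r"[(),\s]+", p.get("tcp.invited_nodes", "")) if n]
    if not invited:
        out.append("tcp.invited_nodes is empty: no allow-list")
    elif "tcp.excluded_nodes" in p:
        out.append("tcp.invited_nodes takes precedence over tcp.excluded_nodes")
    return out

def audit_listener(text, name="LISTENER"):  # findings per TCP endpoint
    text = re.sub(r"#.*", "", text)
    default, out = params(text).get("connection_rate_" + name.lower()), []
    for addr in re.findall(r"\(ADDRESS\s*=((?:\s*\([^()]*\))+)\s*\)", text, re.I):
        kv = {k.upper(): v.strip() for k, v in re.findall(r"\(\s*(\w+)\s*=([^()]*)\)", addr)}
        tcp = kv.get("PROTOCOL", "").lower() == "tcp"
        limit = kv.get("RATE_LIMIT", "").lower()
        if tcp and not limit:
            out.append(f"port {kv.get('PORT')}: no RATE_LIMIT")
        elif tcp and limit == "yes" and not default:  # 'yes' defers to the listener-wide rate
            out.append(f"port {kv.get('PORT')}: RATE_LIMIT=yes but CONNECTION_RATE_{name} is unset")
    return out

if __name__ == "__main__":
    print(audit_sqlnet(SQLNET_ORA), audit_listener(LISTENER_ORA))
```

On the constructed samples it reports the ignored exclude list and the unthrottled port 1526 endpoint.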

Comments

Demitry, June 24, 2020 - 2:16 pm UTC

Most accurate and helpful response to my question. Much appreciated and thanks to Mr. Connor.
Connor McDonald
June 26, 2020 - 4:20 am UTC

Glad we could help
