6.1.1 Ensure '%ANY%' Is Revoked from Unauthorized 'GRANTEE'

Information

The Oracle database ANY keyword gives the grantee the capability to alter any item in the catalog of the database. Unauthorized grantees should not have that keyword assigned to them.

Authorization to use the ANY expansion of a privilege can allow an unauthorized user to potentially change confidential data or damage the data catalog.

Solution

To remediate this setting, execute the following SQL statement. If the privilege is granted in both the container database and a pluggable database, you must connect to each and revoke it in both places. Ensure a proper impact analysis is done before revoking the privilege from a role.

REVOKE <ANY Privilege> FROM <grantee>;

In the case of a grant via a role:

REVOKE <rolename> FROM <grantee>;
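
The following queries are an added example, not part of the benchmark text. They list candidate grantees before any revoke, covering direct grants, grants received through a role, and the container a grant lives in. They assume Oracle 12c or later (for the ORACLE_MAINTAINED column) and treat Oracle-maintained users and roles as authorized, which is an assumption to adjust to your own policy.

```sql
-- Added example. Assumptions: Oracle 12c or later (ORACLE_MAINTAINED column),
-- and Oracle-maintained users and roles treated as authorized grantees.

-- 1. Direct grants of ANY privileges in the database you are connected to.
--    Each row maps to: REVOKE <ANY Privilege> FROM <grantee>;
SELECT sp.grantee, sp.privilege, sp.admin_option
FROM   dba_sys_privs sp
WHERE  sp.privilege LIKE '%ANY%'
AND    sp.grantee NOT IN (SELECT username FROM dba_users WHERE oracle_maintained = 'Y')
AND    sp.grantee NOT IN (SELECT role FROM dba_roles WHERE oracle_maintained = 'Y')
ORDER  BY sp.grantee, sp.privilege;

-- 2. Grantees that pick up an ANY privilege through a role granted to them
--    (one level of role nesting only).
--    Each row maps to: REVOKE <rolename> FROM <grantee>;
SELECT rp.grantee, rp.granted_role, sp.privilege
FROM   dba_role_privs rp
JOIN   dba_sys_privs sp ON sp.grantee = rp.granted_role
WHERE  sp.privilege LIKE '%ANY%'
AND    rp.grantee NOT IN (SELECT username FROM dba_users WHERE oracle_maintained = 'Y')
AND    rp.grantee NOT IN (SELECT role FROM dba_roles WHERE oracle_maintained = 'Y')
ORDER  BY rp.grantee, rp.granted_role, sp.privilege;

-- 3. Multitenant only, run from CDB$ROOT: the direct-grant check across
--    containers. CON_ID shows where each revoke has to be executed.
SELECT sp.con_id, sp.grantee, sp.privilege
FROM   cdb_sys_privs sp
WHERE  sp.privilege LIKE '%ANY%'
AND    NOT EXISTS (SELECT 1 FROM cdb_users u
                   WHERE  u.con_id = sp.con_id
                   AND    u.username = sp.grantee
                   AND    u.oracle_maintained = 'Y')
AND    NOT EXISTS (SELECT 1 FROM cdb_roles r
                   WHERE  r.con_id = sp.con_id
                   AND    r.role = sp.grantee
                   AND    r.oracle_maintained = 'Y')
ORDER  BY sp.con_id, sp.grantee, sp.privilege;
```

Rows from the second query name the role to revoke rather than the privilege; revoking a role removes everything else it carries, which is where the impact analysis applies.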

See Also

https://workbench.cisecurity.org/benchmarks/16474

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: OracleDB

Control ID: 03881e0b88763e2b4aab4a5e0973fe7a3cb2f87f82af348d71e2e5bbd4730bf7