6.1.10 Ensure 'CREATE LIBRARY' Is Revoked From Unauthorized 'GRANTEE'

Information

The Oracle database CREATE LIBRARY privilege allows the designated user to create objects that are associated with the shared libraries. Unauthorized grantees should not have that privilege.

The CREATE LIBRARY privilege can allow the creation of numerous library-associated objects and potentially corrupt the libraries' integrity.

Solution

To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke. Please ensure proper impact analysis is done before revoking the privilege from a role.

REVOKE CREATE LIBRARY FROM <grantee>;

In the case of a grant via a role:

REVOKE <rolename> FROM <grantee>;

See Also

https://workbench.cisecurity.org/benchmarks/16474

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: OracleDB

Control ID: 9c5e2b0ab25796c58ce2a3a0d646294d36b7ed7a81ca05c5908b9e9f7ca5e002