6.1.8 Ensure 'LOGMINING' Is Revoked From Unauthorized 'GRANTEE'

Information

The LOGMINING system privilege in Oracle Database is a powerful privilege that allows users to query online and archived database redo log files through a SQL interface.

Redo log files contain information about the history of activity on a database, including sensitive data like credit card numbers or passwords. Allowing unauthorized access to log mining could expose this sensitive data.

Solution

To remediate this setting, execute the following SQL statement. If the privilege is granted in both the container database and a pluggable database, you must connect to each one and revoke it there. Ensure a proper impact analysis is done before revoking the privilege from a role.

REVOKE LOGMINING FROM <grantee>;

In the case of a grant via a role:

REVOKE <rolename> FROM <grantee>;
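To decide which of the two REVOKE forms applies, the grantees can be listed first. The queries below are an added example, not part of the benchmark text; they assume Oracle 12c or later (for the ORACLE_MAINTAINED column) and a session that can read the DBA_ dictionary views, and they treat every grantee that is not Oracle-maintained as a candidate for review.

```sql
-- Added example. Run in CDB$ROOT and again in each pluggable database,
-- since a grant in one container is not revoked by a REVOKE in another.

-- 1) Direct grants of LOGMINING to users or roles that are not Oracle-maintained.
--    Each row returned maps to: REVOKE LOGMINING FROM <grantee>;
SELECT sp.grantee,
       sp.privilege,
       sp.admin_option
FROM   dba_sys_privs sp
WHERE  sp.privilege = 'LOGMINING'
AND    sp.grantee NOT IN (SELECT username FROM dba_users
                          WHERE  oracle_maintained = 'Y')
AND    sp.grantee NOT IN (SELECT role FROM dba_roles
                          WHERE  oracle_maintained = 'Y');

-- 2) Users who hold LOGMINING only through a role, including nested roles.
--    via_role is the role that carries the privilege; each row needs an
--    impact analysis before: REVOKE <rolename> FROM <grantee>;
WITH role_chain (grantee, granted_role, via_role) AS (
    -- Anchor: anyone directly granted a role that itself holds LOGMINING.
    SELECT rp.grantee, rp.granted_role, rp.granted_role
    FROM   dba_role_privs rp
    WHERE  rp.granted_role IN (SELECT grantee
                               FROM   dba_sys_privs
                               WHERE  privilege = 'LOGMINING')
    UNION ALL
    -- Recursive step: follow role-to-role grants outward, keeping the
    -- name of the originating role that carries the privilege.
    SELECT rp.grantee, rp.granted_role, rc.via_role
    FROM   dba_role_privs rp, role_chain rc
    WHERE  rp.granted_role = rc.grantee
)
SELECT DISTINCT
       rc.grantee,
       rc.granted_role AS role_to_revoke,
       rc.via_role     AS role_holding_logmining
FROM   role_chain rc, dba_users u
WHERE  u.username = rc.grantee
AND    u.oracle_maintained = 'N'
ORDER  BY rc.grantee, rc.granted_role;
```

An empty result from both queries in every container means no grantee outside the Oracle-maintained accounts holds the privilege.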

See Also

https://workbench.cisecurity.org/benchmarks/16474

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: OracleDB

Control ID: 259036c1a3a5790a012b1af82ee592576553db3384d656790d26e4664ca0b9da