
DG0016-ORACLE11 – Unused database components, database application software, and database objects should be removed from the DBMS system.

Details

Unused, unnecessary DBMS components increase the attack surface for the DBMS by introducing additional targets for attack. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced.

However, dependencies exist among Oracle components that could result in the removal of an apparently unnecessary component interfering with the operation of a required component. Therefore, thorough testing is required before removing components from a production server.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Review the list of installed products available for the DBMS install. If any are required and licensed for operation of applications that will be accessing the DBMS, include them in the application design specification and list them in the System Security Plan. If any are not, but have been installed, uninstall them and remove any database schemas, objects, applications and security principals that exclusively support them.

Verify correct operation of the required Oracle components in a test environment before applying these changes to a production system.
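
As a starting point for the review, the query below lists components loaded into the database that are not on an approved list, together with the schema that supports each one. It is an added example, not part of the benchmark. The approved list is a constructed placeholder to be replaced with the components documented in the System Security Plan. DBA_REGISTRY covers only components registered inside the database, so products installed in the Oracle home still need to be reviewed separately.

```sql
-- Added example: report database components that are not on the approved list.
-- Run as a user with access to the DBA_ views (for example, SYSDBA).
WITH approved AS (
  -- Constructed placeholder list: replace with the components that are
  -- required, licensed, and listed in the System Security Plan.
  SELECT 'CATALOG' AS comp_id FROM dual UNION ALL
  SELECT 'CATPROC' FROM dual
)
SELECT r.comp_id,
       r.comp_name,
       r.version,
       r.status,
       r.schema AS owning_schema,
       u.account_status,
       -- Object count is only meaningful for a dedicated component schema;
       -- SYS and SYSTEM hold objects for many components, so it is left NULL.
       CASE
         WHEN r.schema NOT IN ('SYS', 'SYSTEM') THEN
           (SELECT COUNT(*) FROM dba_objects o WHERE o.owner = r.schema)
       END AS schema_objects
FROM   dba_registry r
       LEFT JOIN approved  a ON a.comp_id  = r.comp_id
       LEFT JOIN dba_users u ON u.username = r.schema
WHERE  a.comp_id IS NULL          -- keep only components not approved
ORDER  BY r.comp_id;
```

Each row returned is a candidate for review, not for immediate removal: check its dependencies and test the removal before touching a production system.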

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Windows.

References

Source

Updated on July 16, 2022