RE: object privilege granted to public a sox problem? (and others)
- From: "Bellows, Bambi \(Comsys\)" <bbel5@xxxxxxxxxxxx>
- To: <dcowles@xxxxxxxxxx>
- Date: Fri, 14 Nov 2008 17:19:56 -0600
That's pretty rich. Sorry, you have to restrict ALL_TABLES. Yeah,
uh-huh. Also, you have to disable root. And take away the dba group.
Not going to happen.
If you're having problems with your audit, here's my suggestion: tell
the auditors that, in Unix, an audit flag is thrown on files which are
777 or 4777 because anyone can change the contents of a file. This is
equivalent to having universal write privileges on tables. However, 744
is a perfectly reasonable privilege level, because anyone can read the
contents of a file, but only the owner can *change* said contents. In
the same way, *some* underlying Oracle dictionary objects allow for
universal read, but not universal write. Applying the same principles
that allow your computer system to go on functioning normally, the
database should pass its audit.
HTH,
Bambi.
On Fri, Nov 14, 2008 at 3:53 PM, Douglas Cowles <dcowles@xxxxxxxxxx>
wrote:
I appreciate everyone's responses to the extproc problem I had
yesterday. I have a further question, since many of you seem to know
something about SOX recommendations. I don't know whether the
AppDetective application is flagging just SOX recommendations or not, but
some of them seem quite daunting to implement and seem contrary to
Oracle's own database philosophy. This isn't to say they're wrong; I'm
just looking for some advice.
For example, it flags "Object privilege granted to public". This
flags over TWO thousand violations, everything from
EXECUTE on OWA_COOKIE to
SELECT on ALL_TABLES, ALL_CONSTRAINTS, standard vanilla stuff, etc.
I mean, SELECT on ALL_TABLES is a big security violation? I guess
so, but how well are my patches and upgrades going to go if I
revoke all 2000 object grants to PUBLIC? I'd post the whole list, but
it would just be annoyingly long.
Is this a SOX requirement? Should this be risk-accepted instead? In
which case, does anyone have a good way to put that?
Again, another one is "System privilege granted to public": 128
violations. This includes stuff like "CREATE PROCEDURE" granted to
PERFSTAT, or "EXECUTE ANY PROCEDURE" granted to OUTLN. I mean, I guess
I can see some of this, but other stuff seems like I could be in a corner
if I revoke it all.
Most of this stuff is Oracle standard; maybe the idea is that it's too
loose.
Any thoughts?
Doug Cowles
--
Andrew W. Kerber
'If at first you dont succeed, dont take up skydiving.'
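The thread's practical question is how to triage two thousand "granted to PUBLIC" findings without revoking the dictionary grants Oracle itself depends on. The queries below are an added example, not code from either poster or from AppDetective. They assume a DBA or SELECT_CATALOG_ROLE session on Oracle 10g/11g (DBA_TAB_PRIVS, DBA_SYS_PRIVS, DBA_OBJECTS); the list of Oracle-supplied schema names is an assumption to be extended for the release and options installed. The split follows Bambi's file-mode analogy: read-only grants on dictionary views are the 744 case, write-type grants on application tables are the 777 case.

```sql
-- Added example (not from the original thread). Requires DBA or
-- SELECT_CATALOG_ROLE. Oracle-supplied schema list below is an assumption.

-- 1. Size of the problem: grants to PUBLIC by owner and privilege. The
--    SYS-owned bulk (ALL_* views, DBMS_*/OWA_* packages) shows up as one block.
SELECT owner, privilege, COUNT(*) AS grants
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
GROUP  BY owner, privilege
ORDER  BY grants DESC, owner, privilege;

-- 2. Grants to PUBLIC on objects that are NOT owned by an Oracle-supplied
--    schema. These are the ones a reviewer must justify or revoke; the
--    dictionary grants excluded here are what patches and upgrades expect.
--    (Assumed list; add the supplied schemas present on your release.)
SELECT p.owner, p.table_name, o.object_type, p.privilege, p.grantable
FROM   dba_tab_privs p
       JOIN dba_objects o
         ON  o.owner       = p.owner
         AND o.object_name = p.table_name
         AND o.object_type NOT IN ('PACKAGE BODY', 'TYPE BODY')  -- avoid duplicate rows
WHERE  p.grantee = 'PUBLIC'
AND    p.owner NOT IN ('SYS', 'SYSTEM', 'OUTLN', 'DBSNMP', 'PERFSTAT',
                       'CTXSYS', 'MDSYS', 'XDB', 'WMSYS', 'EXFSYS',
                       'ORDSYS', 'OLAPSYS', 'DMSYS', 'TSMSYS', 'SYSMAN')
ORDER  BY p.owner, p.table_name, p.privilege;

-- 3. The "777" case: anyone connected can change data or structure.
--    Unlike SELECT on ALL_TABLES, these are rarely defensible to an auditor.
SELECT p.owner, p.table_name, p.privilege, p.grantable
FROM   dba_tab_privs p
WHERE  p.grantee = 'PUBLIC'
AND    p.privilege IN ('INSERT', 'UPDATE', 'DELETE', 'ALTER', 'INDEX', 'REFERENCES')
ORDER  BY p.owner, p.table_name, p.privilege;

-- 4. System privileges held by PUBLIC (should normally be none). The
--    PERFSTAT/OUTLN findings in the thread are grants to named schemas, not
--    to PUBLIC, and would appear in DBA_SYS_PRIVS under those grantees.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'PUBLIC'
ORDER  BY privilege;

-- 5. Generate REVOKE statements for the write-type grants only. Spool, read,
--    and run in a test environment before production; never revoke the
--    SYS-owned read grants in bulk.
SELECT 'REVOKE ' || p.privilege
       || ' ON "' || p.owner || '"."' || p.table_name || '" FROM PUBLIC;' AS stmt
FROM   dba_tab_privs p
WHERE  p.grantee = 'PUBLIC'
AND    p.privilege IN ('INSERT', 'UPDATE', 'DELETE', 'ALTER')
AND    p.owner NOT IN ('SYS', 'SYSTEM')
ORDER  BY p.owner, p.table_name, p.privilege;
```

Query 2 is the one to hand to the auditor together with the risk acceptance for the dictionary grants: it shows that the remaining findings are on application objects and are being handled, while the Oracle-supplied grants are documented as read-only access to metadata rather than write access to data. Before running anything from query 5, check DBA_DEPENDENCIES for objects that resolve through those grants, since a revoke invalidates dependent code in other schemas.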