On 1/24/06, J. Dex <cemail_219@xxxxxxxxxxx> wrote:
>
> For those of you who have had security audits, I am wondering about a couple
> of things.....
>
> Does it matter if standard Oracle roles are NOT password protected? Does it
> only need to be non-standard roles that are password protected?
>
> PUBLIC typically has some execute privileges, dbms_random, etc. Will it
> adversely affect anything if those privileges are revoked?
>

Dependency checking is your friend here. Examine the views dba_dependencies and dba_tab_privs, e.g.:

    -- stored objects that depend on the package
    select * from dba_dependencies where referenced_name='DBMS_RANDOM';
    -- who currently holds privileges on the package
    select * from dba_tab_privs where table_name='DBMS_RANDOM';

If dependencies are found, grant the required tab_privs to the proper user accounts. This won't help you for app code not stored in the database.

Several people have posted docs related to revoking execute privileges from PUBLIC on certain packages, including dbms_random. Some such docs were in response to the "Oracle Voyager worm".

Pete Finnigan's site http://www.petefinnigan.com/orasec.htm has a link to this paper:
http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf

hth.

Paul

http://www.google.com/search?hl=en&lr=&q=oracle+security+voyager+worm+revoke+execute+public+utl_tcp&btnG=Search
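The dependency check described in the reply, carried through to the revoke, as an added example that is not part of the original thread. It assumes a DBA session, that DBMS_RANDOM is owned by SYS, and that direct grants to the owning schemas are the intended replacement for the PUBLIC grant.

```sql
-- Added example; assumptions: DBA session, SYS-owned package, direct grants
-- to dependent schemas replace the PUBLIC grant.

-- 1. Confirm what PUBLIC currently holds on the package.
SELECT owner, table_name, privilege, grantor
FROM   dba_tab_privs
WHERE  grantee    = 'PUBLIC'
AND    table_name = 'DBMS_RANDOM';

-- 2. List stored objects that reference the package, either directly
--    (referenced_owner = SYS) or through the public synonym.
SELECT d.owner, d.name, d.type, d.referenced_owner, d.referenced_type
FROM   dba_dependencies d
WHERE  d.referenced_name  = 'DBMS_RANDOM'
AND    d.referenced_owner IN ('SYS', 'PUBLIC')
AND    d.owner NOT IN ('SYS', 'PUBLIC')
ORDER  BY d.owner, d.name;

-- 3. Generate a direct grant for every schema that owns a dependent object
--    and does not already hold EXECUTE in its own name. Stored PL/SQL needs
--    a direct grant; a grant through a role is not enough.
SELECT DISTINCT
       'GRANT EXECUTE ON SYS.DBMS_RANDOM TO "' || d.owner || '";' AS stmt
FROM   dba_dependencies d
WHERE  d.referenced_name  = 'DBMS_RANDOM'
AND    d.referenced_owner IN ('SYS', 'PUBLIC')
AND    d.owner NOT IN ('SYS', 'PUBLIC')
AND    NOT EXISTS (SELECT 1
                   FROM   dba_tab_privs p
                   WHERE  p.grantee    = d.owner
                   AND    p.owner      = 'SYS'
                   AND    p.table_name = 'DBMS_RANDOM'
                   AND    p.privilege  = 'EXECUTE');

-- 4. Only after the generated grants have been reviewed and run:
REVOKE EXECUTE ON SYS.DBMS_RANDOM FROM PUBLIC;

-- 5. Check for objects that failed to revalidate after the revoke.
SELECT owner, object_name, object_type
FROM   dba_objects
WHERE  status = 'INVALID'
ORDER  BY owner, object_name;
```

Step 5 only surfaces stored code; callers outside the database show up as runtime errors, so test application paths that use the package before revoking in production.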