Re: Security Questions

  • From: Paul Drake <bdbafh@xxxxxxxxx>
  • To: cemail_219@xxxxxxxxxxx
  • Date: Tue, 24 Jan 2006 11:07:18 -0500

On 1/24/06, J. Dex <cemail_219@xxxxxxxxxxx> wrote:
>
> For those of you who have had security audits, I am wondering about a
> couple of things.....
>
> Does it matter if standard Oracle roles are NOT password protected?  Does
> it only need to be non-standard roles that are password protected?
>
> PUBLIC typically has some execute privileges, dbms_random, etc.  Will it
> adversely affect anything if those privileges are revoked?
>
>
Dependency checking is your friend here.
Examine the views dba_dependencies and dba_tab_privs e.g.:

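-- objects that depend on DBMS_RANDOM: in dba_dependencies the dependent
-- object is in NAME, the object it references is in REFERENCED_NAME
select *
from dba_dependencies
where referenced_name='DBMS_RANDOM';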

select *
from dba_tab_privs
where table_name='DBMS_RANDOM';

If dependencies are found, grant the required tab_privs to the proper user
accounts.

This won't help you for app code not stored in the database.

Several people have posted docs related to revoking execute privileges from
PUBLIC on certain packages, including dbms_random. Some such docs were in
response to the "Oracle Voyager worm".

Pete Finnigan's site
http://www.petefinnigan.com/orasec.htm

has a link to this paper:

http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf

hth.

Paul


http://www.google.com/search?hl=en&lr=&q=oracle+security+voyager+worm+revoke+execute+public+utl_tcp&btnG=Search
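
The dependency check described in the reply above, combined into one query, as an added example that is not part of the original post. It lists schemas whose stored code references DBMS_RANDOM while holding no direct EXECUTE grant on it, and drafts the grant for each; the package list and the exclusion of SYS and PUBLIC as dependent owners are assumptions to adjust.

```sql
-- Added example (not from the original post).
-- Find schemas whose stored objects reference a package that is executable
-- only through the PUBLIC grant, and draft the direct grant each would need
-- before EXECUTE is revoked from PUBLIC.
-- Role grants are deliberately ignored: definer-rights stored code needs
-- the privilege granted directly to the owning schema.
select d.owner           as dependent_owner,
       d.referenced_name as package_name,
       count(*)          as dependent_objects,
       'grant execute on ' || p.owner || '.' || p.table_name ||
       ' to ' || d.owner || ';' as grant_stmt
from   dba_dependencies d
join   dba_tab_privs p
       on  p.table_name = d.referenced_name
       and p.grantee    = 'PUBLIC'
       and p.privilege  = 'EXECUTE'
where  d.referenced_name in ('DBMS_RANDOM')        -- assumption: extend as needed
and    d.referenced_type in ('PACKAGE', 'SYNONYM') -- direct or via public synonym
and    d.owner not in ('SYS', 'PUBLIC')            -- assumption: skip these owners
and    not exists (
         select 1
         from   dba_tab_privs g
         where  g.owner      = p.owner
         and    g.table_name = p.table_name
         and    g.privilege  = 'EXECUTE'
         and    g.grantee    = d.owner)
group  by d.owner, d.referenced_name, p.owner, p.table_name
order  by d.owner;
```

Run it before the revoke, since it reads the existing PUBLIC grant to identify the package owner. It covers only code stored in the database.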
