object privilege granted to public a sox problem? (and others)

  • From: Douglas Cowles <dcowles@xxxxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Fri, 14 Nov 2008 16:53:46 -0500

I appreciate everyone's responses to the extproc problem I had yesterday.  
I have a further question since many of you seem to know something about 
sox recommendations.    I don't know whether the appdetective application 
is flagging just SOX recommendations or not but some of them seem quite 
daunting to implement and seem contrary to Oracle's own database 
philosophy.  This isn't to say they're wrong I'm just looking for some 

For example.. it flags "Object privilege granted to public"  -  This flags 
over TWO thousand violations - everything from 
Execute on OWA_COOKIE to 
select on ALL_TABLES, ALL_CONSTRAINTS.. standard vanilla stuff   etc.,   I 
 mean select on all_tables is a big security violation?  I mean I guess so 
but how well are my patches and upgrades going to go if I revoke all 2000 
object grants to public?   I'd post the whole list but it would just be 
annoyingly long. 

Is this a SOX requirement?    Should this be risk accepted instead? In 
which case, does anyone have a good way to put that? 

Again, another one is "System privilege granted to public"  128 violations 
-  this includes stuff like "CREATE PROCEDURE" granted to perfstat, or 
"EXECUTE ANY PROCEDURE" granted to OUTLN.    I mean I guess I can see some 
of this but other stuff seems like I could be in a corner if I revoke it 

Most of this stuff is Oracle standard - maybe the idea is it's too loose.  

Any thoughts? 

Doug Cowles

Other related posts: