RE: object privilege granted to public a sox problem? (and others)

  • From: "Newman, Christopher" <cjnewman@xxxxxxxxxxxxx>
  • To: <dcowles@xxxxxxxxxx>, <oracle-l@xxxxxxxxxxxxx>
  • Date: Fri, 14 Nov 2008 15:57:12 -0600

Be very careful implementing any of the changes Oracle is calling 'Violations'.
Chances are, they will horribly break your application.

From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On 
Behalf Of Douglas Cowles
Sent: Friday, November 14, 2008 3:54 PM
To: oracle-l@xxxxxxxxxxxxx
Subject: object privilege granted to public a sox problem? (and others)


I appreciate everyone's responses to the extproc problem I had yesterday. I
have a further question since many of you seem to know something about SOX
recommendations. I don't know whether the AppDetective application is
flagging just SOX recommendations or not, but some of them seem quite daunting
to implement and seem contrary to Oracle's own database philosophy. This isn't
to say they're wrong; I'm just looking for some advice.

For example, it flags "Object privilege granted to public". This flags over
TWO thousand violations - everything from
EXECUTE on OWA_COOKIE to
SELECT on ALL_TABLES, ALL_CONSTRAINTS... standard vanilla stuff, etc. I
mean, SELECT on ALL_TABLES is a big security violation? I guess so, but
how well are my patches and upgrades going to go if I revoke all 2000 object
grants to PUBLIC? I'd post the whole list, but it would just be annoyingly
long.

Is this a SOX requirement? Should this be risk-accepted instead? In which
case, does anyone have a good way to put that?

Again, another one is "System privilege granted to public" - 128 violations.
This includes stuff like "CREATE PROCEDURE" granted to PERFSTAT, or "EXECUTE
ANY PROCEDURE" granted to OUTLN. I guess I can see some of this, but
other stuff seems like I could be in a corner if I revoke it all.

Most of this stuff is Oracle standard - maybe the idea is it's too loose.
Any thoughts?


Doug Cowles
--
//www.freelists.org/webpage/oracle-l
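An added example, not from Doug's post, Chris's reply, or the AppDetective report: the catalog queries I would run before touching any of those 2000+ grants, to separate PUBLIC grants on Oracle-supplied schemas (which patches and upgrades expect to be there) from PUBLIC grants on application schemas (the realistic revoke candidates), and to check who would break if one of them went away. It runs as a DBA in SQL*Plus against DBA_TAB_PRIVS, DBA_SYS_PRIVS and DBA_DEPENDENCIES; the list of Oracle-supplied schema names in the IN-lists, and the APPOWNER/CUSTOMERS names fed to the dependency check, are assumptions to adjust for your own install.

```sql
-- Added example (not from the thread). Triage PUBLIC grants before revoking.
-- Assumption: the IN-list below is your site's set of Oracle-supplied schemas.
-- On 12c and later you can use DBA_USERS.ORACLE_MAINTAINED = 'Y' instead.

-- 1. Break the "2000 violations" down: how many are on Oracle-supplied
--    objects (leave alone, or risk-accept) versus application objects?
SELECT CASE WHEN owner IN ('SYS','SYSTEM','OUTLN','DBSNMP','XDB','CTXSYS',
                           'MDSYS','ORDSYS','WMSYS','EXFSYS','OLAPSYS','PERFSTAT')
            THEN 'ORACLE_SUPPLIED' ELSE 'APPLICATION' END AS owner_class,
       privilege,
       COUNT(*) AS grants
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
GROUP  BY CASE WHEN owner IN ('SYS','SYSTEM','OUTLN','DBSNMP','XDB','CTXSYS',
                              'MDSYS','ORDSYS','WMSYS','EXFSYS','OLAPSYS','PERFSTAT')
               THEN 'ORACLE_SUPPLIED' ELSE 'APPLICATION' END,
          privilege
ORDER  BY 1, 3 DESC;

-- 2. Application-owned objects exposed to PUBLIC: the real candidates.
--    Generate the REVOKE text, but do not run it yet (see step 3).
SELECT owner, table_name, privilege, grantor,
       'REVOKE ' || privilege || ' ON "' || owner || '"."' || table_name
       || '" FROM PUBLIC;' AS revoke_stmt
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner NOT IN ('SYS','SYSTEM','OUTLN','DBSNMP','XDB','CTXSYS',
                     'MDSYS','ORDSYS','WMSYS','EXFSYS','OLAPSYS','PERFSTAT')
ORDER  BY owner, table_name, privilege;

-- 3. Who depends on one candidate object?  Stored PL/SQL and views in other
--    schemas compile only against direct grants (or PUBLIC), never roles, so
--    any dependent below that lacks its own direct grant goes INVALID the
--    moment the PUBLIC grant is revoked. Substitution values are assumed.
DEFINE obj_owner = 'APPOWNER'
DEFINE obj_name  = 'CUSTOMERS'
SELECT d.owner, d.name, d.type
FROM   dba_dependencies d
WHERE  d.referenced_owner = &obj_owner
AND    d.referenced_name  = &obj_name
AND    d.owner <> d.referenced_owner
AND    NOT EXISTS (SELECT 1
                   FROM   dba_tab_privs p
                   WHERE  p.grantee    = d.owner
                   AND    p.owner      = d.referenced_owner
                   AND    p.table_name = d.referenced_name)
ORDER  BY d.owner, d.name;

-- 4. System privileges held by PUBLIC directly. This list should be empty or
--    nearly so on a stock install; anything here deserves a closer look.
SELECT privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'PUBLIC'
ORDER  BY privilege;
```

Step 3 is the check that keeps Chris's warning from coming true: for each application object you intend to revoke from PUBLIC, grant the privilege directly to the schemas it lists first, then revoke, then re-query DBA_OBJECTS for STATUS = 'INVALID' before moving on to the next one.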

