Jeff,
I would suggest starting with ORACHK. It is not specific to security but
has a number of security checks included.
Seth Miller
On Wed, Aug 10, 2016 at 10:51 AM, Jeff Chirco <backseatdba@xxxxxxxxx> wrote:
I believe I read before that you should remove dbms_java from public as
well as some other java related procedures. But I think this was related
to some Database Vault recommendations as it was an exploit only DBA's
could use.
On Wed, Aug 10, 2016 at 6:49 AM, Rich J <rjoralist3@xxxxxxxxxxxxxxxxxxxxx>
wrote:
On 2016/08/09 18:42, Jeff Chirco wrote:
Wondering if any of you have basic scripts you run everytime you create a
new database. What do you configure? Do you remove any permissions from
PUBLIC? I know I have experimented with removing certain objects from
PUBLIC but found that it came back to bite me when applying patches and
updates. Patches would either fail or cause some components to not be
valid.
A few years ago, our auditors asked about EXECUTE privs granted on
specific database objects to PUBLIC. Here's what I found (and was/is
hopefully valid for 11gR2!):
Object Name Category Risk Assessment Comment
ORA_MINING_NUMBER_NT Collection type Low No evidence found that a
collection type has any security implications
ORA_MINING_TABLE_TYPE Collection type Low No evidence found that a
collection type has any security implications
ORA_MINING_VARCHAR2_NT Collection type Low No evidence found that a
collection type has any security implications
URITYPE Object type Low Object created with invoker rights
FTPURITYPE Object type Low Object created with invoker rights
AQ$_AGENT Object type Low Contains no methods
AQ$_DEQUEUE_HISTORY Object type Low Contains no methods
AQ$_HISTORY Collection type Low No evidence found that a collection type
has any security implications
AQ$_MIDARRAY Collection type Low No evidence found that a collection
type has any security implications
AQ$_NOTIFY_MSG Collection type Low No evidence found that a collection
type has any security implications
UTL_BINARYINPUTSTREAM Object type Low Object created with invoker rights
UTL_BINARYOUTPUTSTREAM Object type Low Object created with invoker rights
UTL_CHARACTERINPUTSTREAM Object type Low Object created with invoker
rights
UTL_CHARACTEROUTPUTSTREAM Object type Low Object created with invoker
rights
ROW_LCR88_T Object type Low Contains no methods
XDBURITYPE Object type Low Object created with invoker rights
XMLBINARYINPUTSTREAM Object type Low Unable to locate any security
concerns on this view from Oracle Corp, CIS, SANS, Red Database Security,
etc.
XMLBINARYOUTPUTSTREAM Object type Low Unable to locate any security
concerns on this view from Oracle Corp, CIS, SANS, Red Database Security,
etc.
XMLCHARACTERINPUTSTREAM Object type Low Unable to locate any security
concerns on this view from Oracle Corp, CIS, SANS, Red Database Security,
etc.
I'm no security expert, so feedback from someone who's more knowledgeable
in this area would be a good thing.
Rich
