Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Security Questions

From: Paul Drake <bdbafh_at_gmail.com>
Date: Tue, 24 Jan 2006 11:07:18 -0500
Message-ID: <910046b40601240807y6da69df2lfc54b1cd7c098e58@mail.gmail.com>


On 1/24/06, J. Dex <cemail_219_at_hotmail.com> wrote:
>
> For those of you who have had security audits, I am wondering about a couple
> of things.....
>
> Does it matter if standard Oracle roles are NOT password protected? Does it
> only need to be non-standard roles that are password protected?
>
> PUBLIC typically has some execute privileges, dbms_random, etc. Will it
> adversely affect anything if those privileges are revoked?
>

Dependency checking is your friend here. Examine the views dba_dependencies and dba_tab_privs e.g.:

-- objects that depend on DBMS_RANDOM
select *
from dba_dependencies
where referenced_name='DBMS_RANDOM';

select *
from dba_tab_privs
where table_name='DBMS_RANDOM';

If dependencies are found, grant the required tab_privs to the proper user accounts.

This won't help you for app code not stored in the database.

Several people have posted docs related to revoking execute privileges from PUBLIC on certain packages, including dbms_random. Some such docs were in response to the "Oracle Voyager worm".

Pete Finnigan's site
http://www.petefinnigan.com/orasec.htm

has a link to this paper:

http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf

hth.

Paul

http://www.google.com/search?hl=en&lr=&q=oracle+security+voyager+worm+revoke+execute+public+utl_tcp&btnG=Search

--
http://www.freelists.org/webpage/oracle-l
Received on Tue Jan 24 2006 - 10:07:18 CST
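
The dependency check described in the message above, combined into one pre-revoke query. This is an added example, not part of the original post; it assumes DBMS_RANDOM is owned by SYS and that you can read the DBA_ views.

```sql
-- Schemas whose stored code references DBMS_RANDOM (directly or through the
-- public synonym) but which hold no direct EXECUTE grant on the package.
-- These are the schemas that rely on the grant to PUBLIC. A grant through a
-- role is not enough for definer's-rights stored PL/SQL, so only direct
-- grants to the owning schema are counted here.
select d.owner,
       count(*) as dependent_objects,
       'grant execute on sys.dbms_random to "' || d.owner || '";' as grant_stmt
from   dba_dependencies d
where  d.referenced_name  = 'DBMS_RANDOM'
and    d.referenced_owner in ('SYS', 'PUBLIC')
and    d.owner not in ('SYS', 'PUBLIC')
and    not exists (
         select 1
         from   dba_tab_privs p
         where  p.owner      = 'SYS'
         and    p.table_name = 'DBMS_RANDOM'
         and    p.privilege  = 'EXECUTE'
         and    p.grantee    = d.owner
       )
group  by d.owner
order  by d.owner;

-- After running the generated grants, confirm who still holds EXECUTE:
select grantee, grantor, grantable
from   dba_tab_privs
where  owner = 'SYS'
and    table_name = 'DBMS_RANDOM'
and    privilege = 'EXECUTE'
order  by grantee;

-- Only then revoke from PUBLIC, and look for anything that went invalid:
-- revoke execute on sys.dbms_random from public;
select owner, object_name, object_type
from   dba_objects
where  status = 'INVALID'
order  by owner, object_name;
```

As the message notes, this only covers code stored in the database; application code that calls the package from outside will not appear in dba_dependencies.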
