Re: object privilege granted to public a sox problem? (and others)
Date: Fri, 14 Nov 2008 17:08:03 -0600
Dont get me started on Sox. The problem is that it was written by politicians and too often accountants are responsible for auditing the implementation. Not people with an IT background. The law itself only requires reasonable security requirements, but all the audits I have seen go well past st*p*d in their suggestsions.
On Fri, Nov 14, 2008 at 3:53 PM, Douglas Cowles <dcowles_at_us.ibm.com> wrote:
> I appreciate everyone's responses to the extproc problem I had yesterday.
> I have a further question since many of you seem to know something about sox
> recommendations. I don't know whether the appdetective application is
> flagging just SOX recommendations or not but some of them seem quite
> daunting to implement and seem contrary to Oracle's own database philosophy.
> This isn't to say they're wrong I'm just looking for some advice.
> For example.. it flags "Object privilege granted to public" - This flags
> over TWO thousand violations - everything from
> Execute on OWA_COOKIE to
> select on ALL_TABLES, ALL_CONSTRAINTS.. standard vanilla stuff etc., I
> mean select on all_tables is a big security violation? I mean I guess so
> but how well are my patches and upgrades going to go if I revoke all 2000
> object grants to public? I'd post the whole list but it would just be
> annoyingly long.
> Is this a SOX requirement? Should this be risk accepted instead? In
> which case, does anyone have a good way to put that?
> Again, another one is "System privilege granted to public" 128 violations
> - this includes stuff like "CREATE PROCEDURE" granted to perfstat, or
> "EXECUTE ANY PROCEDURE" granted to OUTLN. I mean I guess I can see some
> of this but other stuff seems like I could be in a corner if I revoke it
> Most of this stuff is Oracle standard - maybe the idea is it's too loose.
> Any thoughts?
> Doug Cowles
-- Andrew W. Kerber 'If at first you dont succeed, dont take up skydiving.' -- http://www.freelists.org/webpage/oracle-lReceived on Fri Nov 14 2008 - 17:08:03 CST