Re: object privilege granted to public a sox problem? (and others)
Date: Sat, 15 Nov 2008 15:12:35 +0000
The whole point of ALL_TABLES is that it shows you all the tables that you have privileges to see. If you have been granted suitable privileges on a table in another schema then you have every right to see its definition. If you do not have privileges then it won't be listed. Taking away ALL_TABLES entirely makes no sense.
Show the auditors the source code, I'm sure they'll understand ;)
From: Douglas Cowles
Date: 14/11/08 21:53
> I appreciate everyone's responses to the extproc problem I had
> yesterday. I have a further question since many of you seem to know
> something about sox recommendations. I don't know whether the
> appdetective application is flagging just SOX recommendations or not
> but some of them seem quite daunting to implement and seem contrary to
> Oracle's own database philosophy. This isn't to say they're wrong I'm
> just looking for some advice.
> For example.. it flags "Object privilege granted to public" - This
> flags over TWO thousand violations - everything from
> Execute on OWA_COOKIE to
> select on ALL_TABLES, ALL_CONSTRAINTS.. standard vanilla stuff etc.,
> I mean select on all_tables is a big security violation? I mean I
> guess so but how well are my patches and upgrades going to go if I
> revoke all 2000 object grants to public? I'd post the whole list but
> it would just be annoyingly long.
> Is this a SOX requirement? Should this be risk accepted instead? In
> which case, does anyone have a good way to put that?
> Again, another one is "System privilege granted to public" 128
> violations - this includes stuff like "CREATE PROCEDURE" granted to
> perfstat, or "EXECUTE ANY PROCEDURE" granted to OUTLN. I mean I
> guess I can see some of this but other stuff seems like I could be in
> a corner if I revoke it all.
> Most of this stuff is Oracle standard - maybe the idea is it's too
> Any thoughts?
> Doug Cowles