Re: object privilege granted to public a sox problem? (and others)

From: William Robertson <william_at_williamrobertson.net>
Date: Sat, 15 Nov 2008 15:12:35 +0000
Message-ID: <491EE6E3.2010400@williamrobertson.net>


The whole point of ALL_TABLES is that it shows you all the tables that you have privileges to see. If you have been granted suitable privileges on a table in another schema then you have every right to see its definition. If you do not have privileges then it won't be listed. Taking away ALL_TABLES entirely makes no sense.

Show the auditors the source code, I'm sure they'll understand ;)

-----Original message-----
From: Douglas Cowles
Date: 14/11/08 21:53
>
> I appreciate everyone's responses to the extproc problem I had
> yesterday. I have a further question since many of you seem to know
> something about SOX recommendations. I don't know whether the
> AppDetective application is flagging just SOX recommendations or not,
> but some of them seem quite daunting to implement and seem contrary to
> Oracle's own database philosophy. This isn't to say they're wrong; I'm
> just looking for some advice.
>
> For example, it flags "Object privilege granted to public" - This
> flags over TWO thousand violations - everything from
> Execute on OWA_COOKIE to
> select on ALL_TABLES, ALL_CONSTRAINTS, standard vanilla stuff, etc.
> I mean, select on all_tables is a big security violation? I mean, I
> guess so, but how well are my patches and upgrades going to go if I
> revoke all 2000 object grants to public? I'd post the whole list but
> it would just be annoyingly long.
>
> Is this a SOX requirement? Should this be risk accepted instead? In
> which case, does anyone have a good way to put that?
>
> Again, another one is "System privilege granted to public" - 128
> violations - this includes stuff like "CREATE PROCEDURE" granted to
> perfstat, or "EXECUTE ANY PROCEDURE" granted to OUTLN. I mean, I
> guess I can see some of this, but other stuff seems like I could be in
> a corner if I revoke it all.
>
> Most of this stuff is Oracle standard - maybe the idea is it's too
> loose.
> Any thoughts?
>
>
> Doug Cowles
>

--
http://www.freelists.org/webpage/oracle-l
Received on Sat Nov 15 2008 - 09:12:35 CST
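The following is an added example, not part of the original thread and not written by either poster. It does two things the thread talks about but does not show: it sizes the "object privilege granted to PUBLIC" and "system privilege granted to PUBLIC" findings from the data dictionary so that grants on Oracle-supplied schemas can be separated from grants on application schemas, and it demonstrates William's point that ALL_TABLES only lists objects the session actually has a privilege on. The queries use only the standard DBA_TAB_PRIVS, DBA_SYS_PRIVS and ALL_TABLES views. The user APPCHECK, its password, the table HR.EMPLOYEES and the list of Oracle-supplied schema names in the NOT IN clause are assumptions; adjust them to your own installation. The CONNECT lines are SQL*Plus commands, so run the script there as a DBA.

```sql
-- Added example (not from the original thread). Run as a DBA in SQL*Plus.
-- APPCHECK, its password, HR.EMPLOYEES and the schema list below are assumptions.

-- 1. Size the "object privilege granted to PUBLIC" finding by owner and
--    privilege. Grants whose owner is SYS (OWA_COOKIE, ALL_TABLES, ...) are
--    the Oracle-supplied baseline; grants on application schemas are the
--    ones worth reviewing one by one.
SELECT owner, privilege, COUNT(*) AS grants
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
GROUP  BY owner, privilege
ORDER  BY owner, privilege;

-- 2. PUBLIC grants on objects outside the Oracle-supplied schemas.
--    The IN-list is an assumption; extend it with the option schemas
--    present in your database before trusting the result.
SELECT owner, table_name, privilege, grantor
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner NOT IN ('SYS', 'SYSTEM', 'CTXSYS', 'MDSYS', 'XDB', 'WMSYS',
                     'OLAPSYS', 'EXFSYS', 'ORDSYS', 'DBSNMP', 'OUTLN')
ORDER  BY owner, table_name;

-- 3. "System privilege granted to PUBLIC": the complete list, with the
--    ADMIN OPTION flag, which is what an auditor will ask to see.
SELECT privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'PUBLIC'
ORDER  BY privilege;

-- 4. ALL_TABLES shows only what the session has a privilege on.
--    A user with nothing but CREATE SESSION cannot see HR's tables in
--    ALL_TABLES even though PUBLIC has SELECT on the ALL_TABLES view itself.
CREATE USER appcheck IDENTIFIED BY change_me_1;
GRANT CREATE SESSION TO appcheck;

CONNECT appcheck/change_me_1
-- APPCHECK holds no privilege on any HR object, so no HR rows are returned.
SELECT owner, table_name
FROM   all_tables
WHERE  owner = 'HR';

-- Back as the DBA, grant SELECT on a single table ...
CONNECT / AS SYSDBA
GRANT SELECT ON hr.employees TO appcheck;

-- ... and the same query now returns exactly that table, nothing else from HR.
CONNECT appcheck/change_me_1
SELECT owner, table_name
FROM   all_tables
WHERE  owner = 'HR';

-- Clean up the test user.
CONNECT / AS SYSDBA
DROP USER appcheck;
```

Step 1 is the practical answer to "2000 violations": almost all of them will group under owner SYS, and that block can be documented once as the vendor baseline rather than risk-accepted item by item. Step 4 is the evidence for the reply above: the dictionary view itself is readable by everyone, but what it returns is already filtered by the caller's privileges, so revoking SELECT on ALL_TABLES from PUBLIC removes no information that the caller was not already entitled to.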
