Re: setting up a new database - remove any permissions?

From: Jeff Chirco <backseatdba_at_gmail.com>
Date: Wed, 10 Aug 2016 08:51:17 -0700
Message-ID: <CAKsxbLq_Ey9Ld=gMeZRYwwaBzky4HWk8ACuezgavTTscVSEyQg_at_mail.gmail.com>



I believe I read before that you should remove dbms_java from public as well as some other Java-related procedures. But I think this was related to some Database Vault recommendations as it was an exploit only DBAs could use.

On Wed, Aug 10, 2016 at 6:49 AM, Rich J <rjoralist3_at_society.servebeer.com> wrote:

> On 2016/08/09 18:42, Jeff Chirco wrote:
>
> Wondering if any of you have basic scripts you run every time you create a
> new database. What do you configure? Do you remove any permissions from
> PUBLIC? I know I have experimented with removing certain objects from
> PUBLIC but found that it came back to bite me when applying patches and
> updates. Patches would either fail or cause some components to not be
> valid.
>
>
>
> A few years ago, our auditors asked about EXECUTE privs granted on
> specific database objects to PUBLIC. Here's what I found (and was/is
> hopefully valid for 11gR2!):
>
> Object Name                Category         Risk Assessment  Comment
> ORA_MINING_NUMBER_NT       Collection type  Low              No evidence found that a collection type has any security implications
> ORA_MINING_TABLE_TYPE      Collection type  Low              No evidence found that a collection type has any security implications
> ORA_MINING_VARCHAR2_NT     Collection type  Low              No evidence found that a collection type has any security implications
> URITYPE                    Object type      Low              Object created with invoker rights
> FTPURITYPE                 Object type      Low              Object created with invoker rights
> AQ$_AGENT                  Object type      Low              Contains no methods
> AQ$_DEQUEUE_HISTORY        Object type      Low              Contains no methods
> AQ$_HISTORY                Collection type  Low              No evidence found that a collection type has any security implications
> AQ$_MIDARRAY               Collection type  Low              No evidence found that a collection type has any security implications
> AQ$_NOTIFY_MSG             Collection type  Low              No evidence found that a collection type has any security implications
> UTL_BINARYINPUTSTREAM      Object type      Low              Object created with invoker rights
> UTL_BINARYOUTPUTSTREAM     Object type      Low              Object created with invoker rights
> UTL_CHARACTERINPUTSTREAM   Object type      Low              Object created with invoker rights
> UTL_CHARACTEROUTPUTSTREAM  Object type      Low              Object created with invoker rights
> ROW_LCR88_T                Object type      Low              Contains no methods
> XDBURITYPE                 Object type      Low              Object created with invoker rights
> XMLBINARYINPUTSTREAM       Object type      Low              Unable to locate any security concerns on this view from Oracle Corp, CIS, SANS, Red Database Security, etc.
> XMLBINARYOUTPUTSTREAM      Object type      Low              Unable to locate any security concerns on this view from Oracle Corp, CIS, SANS, Red Database Security, etc.
> XMLCHARACTERINPUTSTREAM    Object type      Low              Unable to locate any security concerns on this view from Oracle Corp, CIS, SANS, Red Database Security, etc.
>
> I'm no security expert, so feedback from someone who's more knowledgeable
> in this area would be a good thing.
>
> Rich
>

--
http://www.freelists.org/webpage/oracle-l
Received on Wed Aug 10 2016 - 17:51:17 CEST
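
An added example, not part of the original messages and not either poster's script: a data dictionary query that lists the types on which PUBLIC holds EXECUTE, together with the attributes the quoted assessment relies on (collection or object type, number of methods, definer or invoker rights). It assumes SELECT access to the DBA_* views; the wording in the `basis` column is illustrative.

```sql
-- Added example: EXECUTE grants to PUBLIC on types, with the properties
-- used in the quoted assessment. Run as a user that can read DBA_* views.
SELECT p.owner,
       p.table_name                     AS object_name,
       CASE t.typecode
         WHEN 'COLLECTION' THEN 'Collection type'
         WHEN 'OBJECT'     THEN 'Object type'
         ELSE t.typecode
       END                              AS category,
       t.methods                        AS method_count,
       a.authid,
       CASE
         WHEN t.typecode = 'COLLECTION' THEN 'collection type'
         WHEN t.methods = 0             THEN 'contains no methods'
         WHEN a.authid = 'CURRENT_USER' THEN 'invoker rights'
         ELSE 'review manually'          -- definer rights or undetermined
       END                              AS basis
FROM   dba_tab_privs p
JOIN   dba_types t
       ON  t.owner     = p.owner
       AND t.type_name = p.table_name
LEFT JOIN (SELECT DISTINCT owner, object_name, authid
           FROM   dba_procedures
           WHERE  object_type = 'TYPE') a
       ON  a.owner       = p.owner
       AND a.object_name = p.table_name
WHERE  p.grantee   = 'PUBLIC'
AND    p.privilege = 'EXECUTE'
ORDER  BY basis, p.owner, p.table_name;
```

Rows whose `basis` is `review manually` are the ones that do not fit any of the three low-risk categories used in the table above.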
