
Re: how to revoke access to sys.aud$ in 10G

From: Andreas Sheriff <spamcontrol_at_iion.com>
Date: Wed, 22 Jun 2005 13:20:16 -0700
Message-ID: <4Kjue.37$8o.18@fed1read03>


"camnewyork" <cmercer_at_vibrant-1.com> wrote in message news:1119469785.343936.42030_at_g49g2000cwa.googlegroups.com...
> Forgive me if this is a stupid question, I have been away from Oracle
> for a while. I have some people in my company who have turned on
> auditing in 10G and they noticed that everyone in the database can
> query sys.aud$. They want this priv removed since the users can see
> queries this way. I started poking around and found the following:
>
> I can create a new user, grant only "create session" to the user, login
> as the user and successfully select * from sys.aud$. When I check the
> session privs doing select * from session_privs I see:
>
> PRIVILEGE
> ----------------------------------------
> CREATE SESSION
> SELECT ANY DICTIONARY
>
> I am suspecting that "select any dictionary" is giving access to
> sys.aud$. I can't prove this though. I tried revoking it as sys/sysdba
> and cannot. It says:
>
> ERROR at line 1:
> ORA-01952: system privileges not granted to 'CARL'
>
> I noticed that select any dictionary was granted to public so... I
> tried revoking it from public.... bad idea. Package standard went bad
> along with a few others and I could not log back in as "carl". In order
> to get the database working again I needed to regrant select any
> dictionary and compile standard.
>
> So.... what is giving a new user access to sys.aud$? If more info is
> needed let me know.
>
>
> Carl
>

From 10g documentation:



SELECT ANY DICTIONARY: Query any data dictionary object in the SYS schema. This privilege lets you selectively override the default FALSE setting of the O7_DICTIONARY_ACCESSIBILITY initialization parameter.

Do the rest of the research yourself.

-- 
Andreas
Oracle 9i Certified Professional
Oracle 10g Certified Professional
Oracle 9i Certified PL/SQL Developer


"If you don't eat your meat, you cannot have any pudding.
"How can you have any pudding if you don't eat your meat?!?!"
---

WARNING:
DO NOT REPLY TO THIS EMAIL
Reply to me only on this newsgroup 
Received on Wed Jun 22 2005 - 15:20:16 CDT
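
An added example, not part of the original thread or of Oracle's documentation: dictionary queries, run as a DBA, that list every grant path through which an account could read SYS.AUD$. The account name CARL is taken from the error message quoted above and stands in for any user; including SELECT ANY TABLE alongside SELECT ANY DICTIONARY is an assumption made here so the check also covers instances where O7_DICTIONARY_ACCESSIBILITY is TRUE.

```sql
-- Added example: run as a DBA (for instance SYS AS SYSDBA).
-- 'CARL' is the account from the quoted ORA-01952 message; substitute as needed.

-- 1. Instance-wide dictionary setting. FALSE is the default; with TRUE,
--    the ANY TABLE privileges also reach objects in the SYS schema.
SELECT name, value
  FROM v$parameter
 WHERE name = 'o7_dictionary_accessibility';

-- 2. Every grantee the account inherits from: itself, PUBLIC, and all roles
--    reachable from either one (roles granted to roles are followed).
-- 3. For those grantees, list system privileges and object grants that
--    allow reading SYS.AUD$. Each row is one grant path to review.
WITH reach AS (
  SELECT 'CARL' AS grantee FROM dual
  UNION ALL
  SELECT 'PUBLIC' FROM dual
  UNION ALL
  SELECT DISTINCT granted_role
    FROM dba_role_privs
   START WITH grantee IN ('CARL', 'PUBLIC')
 CONNECT BY PRIOR granted_role = grantee
)
SELECT 'system privilege' AS via,
       p.grantee,
       p.privilege,
       p.admin_option       AS can_regrant
  FROM dba_sys_privs p
  JOIN reach r ON r.grantee = p.grantee
 WHERE p.privilege IN ('SELECT ANY DICTIONARY', 'SELECT ANY TABLE')
UNION ALL
SELECT 'object grant on SYS.AUD$',
       t.grantee,
       t.privilege,
       t.grantable
  FROM dba_tab_privs t
  JOIN reach r ON r.grantee = t.grantee
 WHERE t.owner = 'SYS'
   AND t.table_name = 'AUD$'
 ORDER BY 1, 2;
```

A row with grantee PUBLIC explains why ORA-01952 is raised when revoking from the individual user: the privilege was never granted to that account directly.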
