RE: object privilege granted to public a sox problem? (and others)

From: Newman, Christopher <cjnewman_at_uillinois.edu>
Date: Fri, 14 Nov 2008 15:57:12 -0600
Message-ID: <565F609E6D736D439837F1A1A797F34101C6EFC7@ADMINMAIL1.ui.uillinois.edu>


Be very careful implementing any of the changes Oracle is calling 'Violations'. Chances are, they will horribly break your application.

From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Douglas Cowles
Sent: Friday, November 14, 2008 3:54 PM
To: oracle-l_at_freelists.org
Subject: object privilege granted to public a sox problem? (and others)

I appreciate everyone's responses to the extproc problem I had yesterday. I have a further question since many of you seem to know something about SOX recommendations. I don't know whether the AppDetective application is flagging just SOX recommendations or not, but some of them seem quite daunting to implement and seem contrary to Oracle's own database philosophy. This isn't to say they're wrong; I'm just looking for some advice.

For example, it flags "Object privilege granted to public". This flags over TWO thousand violations - everything from EXECUTE on OWA_COOKIE to SELECT on ALL_TABLES, ALL_CONSTRAINTS, standard vanilla stuff, etc. I mean, SELECT on ALL_TABLES is a big security violation? I guess so, but how well are my patches and upgrades going to go if I revoke all 2000 object grants to PUBLIC? I'd post the whole list but it would just be annoyingly long.

Is this a SOX requirement? Should this be risk accepted instead? In which case, does anyone have a good way to put that?

Again, another one is "System privilege granted to public" - 128 violations - this includes stuff like "CREATE PROCEDURE" granted to perfstat, or "EXECUTE ANY PROCEDURE" granted to OUTLN. I mean, I guess I can see some of this, but other stuff seems like I could be in a corner if I revoke it all.

Most of this stuff is Oracle standard - maybe the idea is it's too loose. Any thoughts?

Doug Cowles

--
http://www.freelists.org/webpage/oracle-l
Received on Fri Nov 14 2008 - 15:57:12 CST
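A triage inventory for the findings discussed above, added here as an illustration and not part of either message: it lists what PUBLIC actually holds on an instance, separating grants on Oracle-supplied schemas (the vanilla bulk such as SELECT on ALL_TABLES or EXECUTE on OWA_COOKIE, which patching and upgrades depend on) from grants on application schemas, which are the ones worth a justify-or-revoke decision. The list of Oracle-supplied owners is an assumption for illustration; only SYS, SYSTEM, OUTLN and PERFSTAT are named in the thread.

```sql
-- Added illustration (not from the thread). Run as a DBA user.
-- Owner list is an assumption: SYS, SYSTEM, OUTLN and PERFSTAT come from the
-- thread; the others are common dictionary schemas. On 12c and later,
-- dba_users.oracle_maintained = 'Y' can replace this hard-coded list.

-- 1. Object privileges granted to PUBLIC, bucketed and counted, so the
--    Oracle-supplied grants can be risk-accepted as one group and the
--    REVIEW bucket shows how much is really left to look at.
WITH public_grants AS (
  SELECT owner, table_name, privilege, grantable,
         CASE WHEN owner IN ('SYS', 'SYSTEM', 'OUTLN', 'PERFSTAT',
                             'XDB', 'CTXSYS', 'MDSYS', 'WMSYS')
              THEN 'ORACLE_SUPPLIED' ELSE 'REVIEW' END AS bucket
  FROM   dba_tab_privs
  WHERE  grantee = 'PUBLIC'
)
SELECT bucket, owner, privilege, COUNT(*) AS grants
FROM   public_grants
GROUP  BY bucket, owner, privilege
ORDER  BY bucket, owner, privilege;

-- 2. The individual REVIEW items: PUBLIC grants on non-Oracle schemas.
--    Keep this output as the evidence attached to a risk-acceptance record,
--    or as the worklist for the application owner to revoke from.
SELECT owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner NOT IN ('SYS', 'SYSTEM', 'OUTLN', 'PERFSTAT',
                     'XDB', 'CTXSYS', 'MDSYS', 'WMSYS')
ORDER  BY owner, table_name, privilege;

-- 3. System privileges held directly by PUBLIC. On a vanilla install this
--    should return few or no rows; the CREATE PROCEDURE / EXECUTE ANY
--    PROCEDURE grants mentioned in the thread go to the named accounts
--    perfstat and OUTLN, not to PUBLIC, so they appear in query 4 instead.
SELECT privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'PUBLIC'
ORDER  BY privilege;

-- 4. Broad "ANY" system privileges by grantee, so a grant like EXECUTE ANY
--    PROCEDURE to OUTLN can be recorded as Oracle-default rather than
--    mistaken for a PUBLIC grant, and real outliers stand out.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege LIKE '%ANY%'
ORDER  BY grantee, privilege;
```

Revoking from the ORACLE_SUPPLIED bucket is what breaks applications and patch scripts; documenting that bucket with the counts from query 1 is a defensible basis for risk acceptance, while the REVIEW bucket is the part that actually needs a decision.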
