Re: setting up a new database - remove any permissions?

From: Seth Miller <sethmiller.sm_at_gmail.com>
Date: Mon, 15 Aug 2016 12:53:53 -0500
Message-ID: <CAEueRAXQ9LcPkke6eOQncwfSz4tb4DaEmGdaiOaGKMLCwiH8Xg_at_mail.gmail.com>



Jeff,

I would suggest starting with ORACHK. It is not specific to security but has a number of security checks included.

Seth Miller

On Wed, Aug 10, 2016 at 10:51 AM, Jeff Chirco <backseatdba_at_gmail.com> wrote:

> I believe I read before that you should remove dbms_java from public as
> well as some other Java-related procedures. But I think this was related
> to some Database Vault recommendations as it was an exploit only DBAs
> could use.
>
> On Wed, Aug 10, 2016 at 6:49 AM, Rich J <rjoralist3_at_society.servebeer.com>
> wrote:
>
>> On 2016/08/09 18:42, Jeff Chirco wrote:
>>
>> Wondering if any of you have basic scripts you run every time you create a
>> new database. What do you configure? Do you remove any permissions from
>> PUBLIC? I know I have experimented with removing certain objects from
>> PUBLIC but found that it came back to bite me when applying patches and
>> updates. Patches would either fail or cause some components to not be
>> valid.
>>
>>
>>
>> A few years ago, our auditors asked about EXECUTE privs granted on
>> specific database objects to PUBLIC. Here's what I found (and was/is
>> hopefully valid for 11gR2!):
>>
>> Object Name               | Category        | Risk Assessment | Comment
>> ORA_MINING_NUMBER_NT      | Collection type | Low | No evidence found that a collection type has any security implications
>> ORA_MINING_TABLE_TYPE     | Collection type | Low | No evidence found that a collection type has any security implications
>> ORA_MINING_VARCHAR2_NT    | Collection type | Low | No evidence found that a collection type has any security implications
>> URITYPE                   | Object type     | Low | Object created with invoker rights
>> FTPURITYPE                | Object type     | Low | Object created with invoker rights
>> AQ$_AGENT                 | Object type     | Low | Contains no methods
>> AQ$_DEQUEUE_HISTORY       | Object type     | Low | Contains no methods
>> AQ$_HISTORY               | Collection type | Low | No evidence found that a collection type has any security implications
>> AQ$_MIDARRAY              | Collection type | Low | No evidence found that a collection type has any security implications
>> AQ$_NOTIFY_MSG            | Collection type | Low | No evidence found that a collection type has any security implications
>> UTL_BINARYINPUTSTREAM     | Object type     | Low | Object created with invoker rights
>> UTL_BINARYOUTPUTSTREAM    | Object type     | Low | Object created with invoker rights
>> UTL_CHARACTERINPUTSTREAM  | Object type     | Low | Object created with invoker rights
>> UTL_CHARACTEROUTPUTSTREAM | Object type     | Low | Object created with invoker rights
>> ROW_LCR88_T               | Object type     | Low | Contains no methods
>> XDBURITYPE                | Object type     | Low | Object created with invoker rights
>> XMLBINARYINPUTSTREAM      | Object type     | Low | Unable to locate any security concerns on this view from Oracle Corp, CIS, SANS, Red Database Security, etc.
>> XMLBINARYOUTPUTSTREAM     | Object type     | Low | Unable to locate any security concerns on this view from Oracle Corp, CIS, SANS, Red Database Security, etc.
>> XMLCHARACTERINPUTSTREAM   | Object type     | Low | Unable to locate any security concerns on this view from Oracle Corp, CIS, SANS, Red Database Security, etc.
>>
>> I'm no security expert, so feedback from someone who's more knowledgeable
>> in this area would be a good thing.
>>
>> Rich
>>
>
>

--
http://www.freelists.org/webpage/oracle-l
Received on Mon Aug 15 2016 - 19:53:53 CEST
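
Added example, not part of the original thread: a read-only Oracle dictionary query that lists EXECUTE grants to PUBLIC and sorts them by the criteria used in the quoted assessment (collection type, no methods, invoker rights). The triage labels are constructed for this example and are not an Oracle or CIS classification; the query revokes nothing, so it does not affect patching.

```sql
-- Added example: inventory of EXECUTE grants to PUBLIC, triaged by the
-- criteria in the quoted table. Needs SELECT on the DBA_* views.
-- The "triage" labels are assumptions made for this example.
SELECT p.owner,
       p.table_name   AS object_name,
       o.object_type,
       t.typecode,                 -- 'COLLECTION' or 'OBJECT' for types
       t.methods      AS type_methods,
       a.authid,                   -- 'DEFINER' or 'CURRENT_USER'
       CASE
         WHEN t.typecode = 'COLLECTION'
           THEN 'low: collection type'
         WHEN o.object_type = 'TYPE' AND t.methods = 0
           THEN 'low: type contains no methods'
         WHEN a.authid = 'CURRENT_USER'
           THEN 'low: invoker rights'
         ELSE 'review: definer rights or unknown'
       END            AS triage
FROM   dba_tab_privs p
       JOIN dba_objects o
         ON  o.owner       = p.owner
         AND o.object_name = p.table_name
         AND o.object_type IN ('TYPE', 'PACKAGE', 'PROCEDURE', 'FUNCTION')
       LEFT JOIN dba_types t
         ON  t.owner     = o.owner
         AND t.type_name = o.object_name
       -- One AUTHID per object; DBA_PROCEDURES has a row per subprogram.
       LEFT JOIN (SELECT owner, object_name, MAX(authid) AS authid
                  FROM   dba_procedures
                  GROUP  BY owner, object_name) a
         ON  a.owner       = o.owner
         AND a.object_name = o.object_name
WHERE  p.grantee   = 'PUBLIC'
AND    p.privilege = 'EXECUTE'
ORDER  BY CASE WHEN t.typecode = 'COLLECTION'
                 OR (o.object_type = 'TYPE' AND t.methods = 0)
                 OR a.authid = 'CURRENT_USER'
               THEN 1 ELSE 0 END,  -- rows needing review sort first
          p.owner,
          p.table_name;
```

Saving the output at database creation and comparing it after each patch shows whether a patch re-granted or added PUBLIC privileges.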
