Call (800) 766-1884 for Oracle support & training
Free Oracle Tips


Oracle Consulting Support
Oracle Upgrades
Use New Oracle Features
Oracle Replication Support
Oracle Training
Remote Oracle DBA
System Documentation
Oracle Tips
Oracle Performance
 

Free Oracle Tips


 
HTML Text

BC Oracle tuning

Oracle training

Oracle support

Remote Oracle

Redneck
 

 

Donald K. Burleson

Oracle Tips

Write a simple security audit script for Oracle

Those who are familiar with the Oracle data dictionary can use the dictionary to find out if their database has any security exposures. Here are some common queries that are used to audit Oracle security.

  1. Search for any system privileges that are granted WITH ADMIN OPTION - Privileges that are granted WITH ADMIN can be passed to other users.  Hence, many companies prohibit this option, and others check to ensure that all user ID’s are proper.  The information for this is located in the DBA_SYS_PRIVS view, and here is the code to do this.

select  

   grantee,

   privilege,   

   admin_option

from    

   sys.dba_sys_privs

where   

   admin_option = 'YES'

and     

   grantee not in (‘SYS’,’SYSTEM’, etc);

  1. Search for any end-users with system privileges - Users with system-level privileges may have access to unwanted areas of the database.  For example the “select any table” system privilege may allow unwanted access to a user.

select  

   grantee      c1,

   privilege    c2,

   admin_option c3

from    

   sys.dba_sys_privs

where   

   grantee not in (‘SYS’,’SYSTEM’, etc);

  1. Search for any non-DBA roles that are granted WITH ADMIN OPTION - This check ensures that there are no customized roles that are granted to users using the WITH ADMIN option.  We need to query the ROLE_SYS_PRIVS view to get this information. To be accurate, we must filter-out all of the installed roles that some with the standard Oracle9i software.

select  

   role,

   privilege,

   admin_option

from    

   sys.role_sys_privs

where   

   admin_option = 'YES'

and     

   role not in

(

   'AQ_ADMINISTRATOR_ROLE',

   'CONNECT',

   'EXP_FULL_DATABASE',

   'IMP_FULL_DATABASE',

   'JAVADEBUGPRIV',

   'OEM_MONITOR',

   'OLAP_DBA',

   'RECOVERY_CATALOG_OWNER',

   'RESOURCE',

   'WKUSER'

)

  1. Search for any non-DBA grantees that are granted a role WITH ADMIN OPTION - Here we check the DBA_ROLE_PRIVS view for all roles that have been granted using the WITH ADMIN option.

select

   grantee,

   granted_role,

   admin_option,

   default_role

from

   sys.dba_role_privs

where   

   admin_option = 'YES'

and     

   grantee not in (‘SYS’,’SYSTEM’, etc);

 

”call
  
 

Oracle performance tuning software 
 
 
 
 

Oracle performance tuning book
 

 
 
 
Oracle performance Tuning 10g reference poster
 
 
 
Oracle training in Linux commands
 
Oracle training Excel
 
Oracle training & performance tuning books
 
   

Copyright © 1996 -  2009 by Burleson Enterprises, Inc. All rights reserved.

Oracle® is the registered trademark of Oracle Corporation.