Resolve default database security violations

When I configure OEM Database Control for my database, it reports the privileges below, which are granted to PUBLIC, as database security violations. These privileges are granted by default at database creation time.

execute privileges on DBMS_LOB to PUBLIC;
execute privileges on UTL_FILE to PUBLIC;
execute privileges on UTL_SMTP to PUBLIC;
Restricted privileges to Execute UTL_SMTP;
Restricted privileges to Execute UTL_HTTP;
execute privileges on UTL_TCP to PUBLIC;
Restricted privileges to Execute UTL_TCP;
execute privileges on DBMS_EXPORT_EXTENSION to PUBLIC;
execute privileges on DBMS_RANDOM to PUBLIC;

To resolve this issue, I create a role, assign all of these privileges to that role, and then revoke all of them from PUBLIC.

When a user needs these privileges, I grant the created role to that user.

The steps are as follows:

1. Create a role:

Connect to the database as the SYS user and create the role.

Sql> Create role Role_Name;

2. Give all the grants to created role:

Sql> grant execute on DBMS_LOB to Role_Name;
Sql> grant execute on UTL_FILE to Role_Name;
Sql> grant execute on UTL_SMTP to Role_Name;
Sql> grant debug on UTL_SMTP to Role_Name;
Sql> grant execute on UTL_HTTP to Role_Name;
Sql> grant execute on UTL_TCP to Role_Name;
Sql> grant debug on UTL_TCP to Role_Name;
Sql> grant execute on DBMS_EXPORT_EXTENSION to Role_Name;
Sql> grant execute on DBMS_RANDOM to Role_Name;

We can cross-check all grants given to the role with the following query (the role name is stored in upper case in the data dictionary, so quote it in upper case):

Sql> SELECT * FROM role_tab_privs WHERE role = 'ROLE_NAME';

3. Grant role to a specified user:

Sql> Grant Role_Name to User_Name;

Once the grants are assigned to the users that need them, we can revoke the grants from PUBLIC.

4. Revoke grants from PUBLIC:

Sql> revoke execute on DBMS_LOB from public;
Sql> revoke execute on UTL_FILE from public;
Sql> revoke execute on UTL_SMTP from public;
Sql> revoke execute on UTL_HTTP from public;
Sql> revoke execute on UTL_TCP from public;
Sql> revoke execute on DBMS_EXPORT_EXTENSION from public;
Sql> revoke execute on DBMS_RANDOM from public;

Note: User_Name is the schema user name.

Now the DBA has secured the database.
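The checks below are an added example around steps 3 and 4, not part of the original post: they find stored PL/SQL that depends on these packages before the revoke, confirm afterwards that PUBLIC no longer holds them, and recompile what broke. The schema name APP_OWNER is a placeholder; run the script as SYS or another DBA user.

```sql
-- Added example (not from the original post). Run as SYS or a DBA user.
-- APP_OWNER below is a placeholder schema name chosen for this example.

-- 1. Before revoking: which PL/SQL objects outside SYS/SYSTEM reference the
--    packages? They go INVALID once PUBLIC loses EXECUTE unless their owning
--    schema holds EXECUTE on the package directly. A grant received through
--    a role is not visible to definer's-rights stored PL/SQL, so the role
--    alone will not keep these objects compiling.
SELECT d.owner, d.name, d.type, d.referenced_name
  FROM dba_dependencies d
 WHERE d.referenced_owner = 'SYS'
   AND d.referenced_name IN ('DBMS_LOB', 'UTL_FILE', 'UTL_SMTP', 'UTL_HTTP',
                             'UTL_TCP', 'DBMS_EXPORT_EXTENSION', 'DBMS_RANDOM')
   AND d.owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY d.owner, d.name;

-- 2. Give each such schema a direct grant on the package it actually uses,
--    in addition to the role used for interactive sessions.
GRANT EXECUTE ON UTL_FILE TO APP_OWNER;

-- 3. After step 4 of the post: confirm none of the packages is still granted
--    to PUBLIC. An empty result means every revoke took effect.
SELECT p.table_name, p.privilege
  FROM dba_tab_privs p
 WHERE p.grantee = 'PUBLIC'
   AND p.owner = 'SYS'
   AND p.table_name IN ('DBMS_LOB', 'UTL_FILE', 'UTL_SMTP', 'UTL_HTTP',
                        'UTL_TCP', 'DBMS_EXPORT_EXTENSION', 'DBMS_RANDOM');

-- 4. Recompile anything that went INVALID and list whatever is still broken;
--    each remaining row points to a schema that needs a direct grant.
EXEC UTL_RECOMP.RECOMP_SERIAL();
SELECT owner, object_name, object_type
  FROM dba_objects
 WHERE status = 'INVALID'
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY owner, object_name;
```

Run the dependency query and grant direct privileges first, then revoke from PUBLIC; the last two statements confirm the revoke did not leave application code invalid.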
