Dear Readers,
My name is Franz Devantier, creator of this blog. I am an Oracle Certified
Professional (OCP DBA 11g) Security DBA.
I will be sharing with you the basic duties of an Oracle DBA, and also
some of the undocumented, and not so well known tasks.
I will make a deal with you: if you refer me to a company that needs
database support, from a few hours per week to full time, and I am able to sign
a contract with them, then I will give you 10% of the monthly contract or deal
price every month. When the contract ends, and we re-sign the contract, I will
again give you 10% of the monthly contract price. This will go on until the
company no longer employs or contracts me or my agents to look after their
databases.
I can do this because that 10% is my marketing budget. When we re-sign the
contract in the future, it may depend on you giving the thumbs up again, and
that is worth 10% of the monthly contract price, to be given to you as
commission.
Contact:
Franz
Security Policies - Part 10
Enable data dictionary protection.
It is good practice to implement data dictionary protection
to prevent users who hold “ANY” system privileges from using those
privileges on the data dictionary.
To enable data dictionary protection, set the following
initialization parameter to FALSE.
O7_DICTIONARY_ACCESSIBILITY=FALSE
SQL> show parameter dictionary

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
O7_DICTIONARY_ACCESSIBILITY          boolean     FALSE
SQL>
By doing this, only those authorized with DBA-privileged
connections will be able to exercise the “ANY” system privileges on the data
dictionary. You can set this in the parameter file or the server parameter
file, and then restart the database. After the change, remember to create a
parameter file for yourself again.
SQL> create pfile from spfile;
If O7_DICTIONARY_ACCESSIBILITY=TRUE, then any user with an
“ANY” privilege can exercise this privilege in the data dictionary. For
example, a user with the DROP ANY TABLE system privilege would be able to drop
any table in the data dictionary. This could result in severe damage to the
data dictionary, and ultimately the database, either accidentally or
maliciously.
If a user needs view access to the data dictionary, then it
is normal practice to grant that user the SELECT ANY DICTIONARY system
privilege.
O7_DICTIONARY_ACCESSIBILITY came out in Oracle 7 with a
default of TRUE. Up to Oracle 8i, the default was still set to TRUE. From 9i
onwards this parameter is set to FALSE by default.
The SELECT ANY DICTIONARY privilege is not included in the
GRANT ALL PRIVILEGES statement, but it can be granted explicitly to a user, or
through a role. Be careful of running
the GRANT ALL PRIVILEGES statement, because by doing this you are creating
security problems.
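The checks described above, as an added audit script that is not part of the original post: it compares the running value with the spfile value, sets the parameter, and lists which accounts hold “ANY” system privileges (including SELECT ANY DICTIONARY) directly or through nested roles. It assumes a DBA-privileged session with access to the V$ and DBA_ views; excluding SYS and SYSTEM from the report is an assumption made here.

```sql
-- 1. Running value versus the value the spfile will apply at the next startup.
--    A NULL spfile value means the parameter is not set there (default applies).
SELECT 'memory' AS source, value
  FROM v$parameter
 WHERE UPPER(name) = 'O7_DICTIONARY_ACCESSIBILITY'
UNION ALL
SELECT 'spfile', value
  FROM v$spparameter
 WHERE UPPER(name) = 'O7_DICTIONARY_ACCESSIBILITY';

-- 2. The parameter is static: record it in the spfile, then restart the database.
ALTER SYSTEM SET O7_DICTIONARY_ACCESSIBILITY = FALSE SCOPE = SPFILE;

-- 3. Accounts that hold an ANY system privilege, directly or via a role chain.
--    These are the privileges that reach the data dictionary when the
--    parameter is TRUE, so this list is the exposure to review.
WITH role_tree AS (
  -- Every (account-or-role, role reachable from it) pair, nested roles included.
  SELECT CONNECT_BY_ROOT grantee AS account, granted_role
    FROM dba_role_privs
 CONNECT BY PRIOR granted_role = grantee
)
SELECT u.username, p.privilege, 'direct' AS granted_via
  FROM dba_users u
  JOIN dba_sys_privs p ON p.grantee = u.username
 WHERE p.privilege LIKE '% ANY%'
   AND u.username NOT IN ('SYS', 'SYSTEM')   -- assumption: built-in owners excluded
UNION
SELECT u.username, p.privilege, t.granted_role
  FROM dba_users u
  JOIN role_tree t     ON t.account = u.username
  JOIN dba_sys_privs p ON p.grantee = t.granted_role
 WHERE p.privilege LIKE '% ANY%'
   AND u.username NOT IN ('SYS', 'SYSTEM')
 ORDER BY 1, 2;
```

Run step 1 again after the restart to confirm that the memory value now reads FALSE.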
Franz Devantier,
Need a database health check, or a security audit?
devantierf@gmail.com