sunhux

Oracle 19c's Invalid object after hardening

When the DBA attempted to harden our Oracle 19c, we ran into issues
(& I think this was a recommendation from a tool from Oracle):

many Oracle objects (default accounts) became invalid after hardening
to revoke execute on packages from PUBLIC:

REVOKE EXECUTE ON DBMS_ADVISOR FROM PUBLIC ;
REVOKE EXECUTE ON DBMS_JAVA FROM PUBLIC ;
REVOKE EXECUTE ON DBMS_JAVA_TEST FROM PUBLIC;
REVOKE EXECUTE ON DBMS_JOB FROM PUBLIC;
REVOKE EXECUTE ON DBMS_LDAP FROM PUBLIC;
REVOKE EXECUTE ON DBMS_LOB FROM PUBLIC ;
REVOKE EXECUTE ON DBMS_OBFUSCATION_TOOLKIT FROM PUBLIC ;
REVOKE EXECUTE ON DBMS_BACKUP_RESTORE FROM PUBLIC ;
REVOKE EXECUTE ON DBMS_SCHEDULER FROM PUBLIC ;
REVOKE EXECUTE ON DBMS_SQL FROM PUBLIC ;
REVOKE EXECUTE ON DBMS_XMLGEN FROM PUBLIC;
REVOKE EXECUTE ON DBMS_XMLQUERY FROM PUBLIC ;
REVOKE EXECUTE ON UTL_FILE FROM PUBLIC;
REVOKE EXECUTE ON UTL_INADDR FROM PUBLIC ;
REVOKE EXECUTE ON UTL_TCP FROM PUBLIC ;
REVOKE EXECUTE ON UTL_MAIL FROM PUBLIC ;
REVOKE EXECUTE ON UTL_SMTP FROM PUBLIC ;
REVOKE EXECUTE ON UTL_DBWS FROM PUBLIC ;
REVOKE EXECUTE ON UTL_ORAMTS FROM PUBLIC ;
REVOKE EXECUTE ON UTL_HTTP FROM PUBLIC ;
REVOKE EXECUTE ON HTTPURITYPE FROM PUBLIC ;
REVOKE EXECUTE ON DBMS_SYS_SQL FROM PUBLIC ;
REVOKE EXECUTE ON DBMS_BACKUP_RESTORE FROM PUBLIC ;
REVOKE EXECUTE ON DBMS_AQADM_SYSCALLS FROM PUBLIC ;
REVOKE EXECUTE ON DBMS_REPACT_SQL_UTL FROM PUBLIC ;
REVOKE EXECUTE ON INITJVMAUX FROM PUBLIC ;
REVOKE EXECUTE ON DBMS_STREAMS_ADM_UTL FROM PUBLIC ;
REVOKE EXECUTE ON DBMS_AQADM_SYS FROM PUBLIC ;
REVOKE EXECUTE ON DBMS_STREAMS_RPC FROM PUBLIC ;
REVOKE EXECUTE ON DBMS_PRVTAQIM FROM PUBLIC ;
REVOKE EXECUTE ON WWV_DBMS_SQL FROM PUBLIC;
REVOKE EXECUTE ON WWV_EXECUTE_IMMEDIATE FROM PUBLIC ;
REVOKE EXECUTE ON DBMS_IJOB FROM PUBLIC ;
REVOKE EXECUTE ON DBMS_FILE_TRANSFER FROM PUBLIC ;
sunhux

ASKER

Our new DBA (as the previous DBA left us a couple of months back & there was
a gap of a couple of months before the new DBA came onboard, i.e. no hand-over)
is concerned that if we proceed with revoking, it will cause patching failures.

Btw, we're migrating from Oracle 11g to 19c & for the last 2 years, the
former DBA never applied any patch.

Oracle asks if we use these objects. How do we check if we use these
objects? Any logs etc. to check for these?
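
One way to answer the "do we use these objects?" question before revoking, as an added example that is not part of the original thread: list every stored object that statically references a package from the revoke list and show whether its owner holds a direct EXECUTE grant or only reaches the package through PUBLIC. It assumes a session that can read the `DBA_*` dictionary views; the two APEX-owned `WWV_*` entries are left out of the list for brevity.

```sql
-- Added example (not from the thread). Run as a user with access to DBA_* views.
-- Definer-rights PL/SQL ignores roles, so a dependent object stays valid after
-- the revoke only if its OWNER has a direct EXECUTE grant on the package.
WITH target_pkgs AS (
  SELECT column_value AS pkg
  FROM   TABLE(sys.odcivarchar2list(
           'DBMS_ADVISOR','DBMS_JAVA','DBMS_JAVA_TEST','DBMS_JOB','DBMS_LDAP',
           'DBMS_LOB','DBMS_OBFUSCATION_TOOLKIT','DBMS_BACKUP_RESTORE',
           'DBMS_SCHEDULER','DBMS_SQL','DBMS_XMLGEN','DBMS_XMLQUERY',
           'UTL_FILE','UTL_INADDR','UTL_TCP','UTL_MAIL','UTL_SMTP','UTL_DBWS',
           'UTL_ORAMTS','UTL_HTTP','HTTPURITYPE','DBMS_SYS_SQL',
           'DBMS_AQADM_SYSCALLS','DBMS_REPACT_SQL_UTL','INITJVMAUX',
           'DBMS_STREAMS_ADM_UTL','DBMS_AQADM_SYS','DBMS_STREAMS_RPC',
           'DBMS_PRVTAQIM','DBMS_IJOB','DBMS_FILE_TRANSFER'))
)
SELECT DISTINCT
       d.owner,
       d.name,
       d.type,
       d.referenced_name,
       CASE
         WHEN EXISTS (SELECT 1
                      FROM   dba_tab_privs p
                      WHERE  p.grantee    = d.owner
                      AND    p.table_name = d.referenced_name
                      AND    p.privilege  = 'EXECUTE')
         THEN 'DIRECT GRANT'
         ELSE 'NO DIRECT GRANT'      -- will go INVALID once PUBLIC is revoked
       END AS access_path,
       NVL(u.oracle_maintained, 'N') AS oracle_maintained
FROM   dba_dependencies d
JOIN   target_pkgs t ON t.pkg = d.referenced_name
LEFT   JOIN dba_users u ON u.username = d.owner
WHERE  d.owner NOT IN ('SYS', 'PUBLIC')  -- SYS owns the packages; PUBLIC holds synonyms
ORDER  BY access_path DESC, d.owner, d.name;

-- After revoking in a test environment, compare against what actually broke.
SELECT owner, object_type, object_name
FROM   dba_objects
WHERE  status = 'INVALID'
ORDER  BY owner, object_type, object_name;
```

`DBA_DEPENDENCIES` records only static references, so calls made through dynamic SQL or from client-side anonymous blocks will not show up here and still need testing.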
ASKER CERTIFIED SOLUTION
Alex [***Alex140181***]
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
sunhux

ASKER

> don't think that Oracle recommended revoking these privileges!
Correction, it's CIS (Center for Internet Security) that recommends it.
I suppose those guys in CIS have tested the benchmarks, or haven't they?

>I also believe that the same document says that Oracle doesn't support doing the revokes
Oracle support replied: if those objects are not in use, we may ignore the messages
"Invalid object" after revoking. The CIS doc for Oracle 12c recommends it;
the benchmark doc for 19c is due to be released at the end of June.

So where does this leave us?  Oracle vs CIS?

Test it out in a test environment to see if anything breaks & if it doesn't,
apply the revokes on Prod to satisfy audit? I'll need an explicit doc
from Oracle recommending not to do it in order to convince audit.

sunhux

ASKER

This has been a great brainstorming session,
thanks a lot. Will close in the next 2 days if there are
no further inputs.

I'll screenshot that Oracle Doc Id to raise as
an exemption.