Sei sulla pagina 1di 40

/**************** Inicio - Consultas Guia Oracle 12c Guia Hardening Oracle

****************/

ALTER SESSION SET nls_date_format = 'dd-mm-yyyy hh24:mi:ss';

Session altered.

SELECT SYSDATE AS "FECHA HARDENING ORACLE" FROM DUAL;

FECHA HARDENING ORA

-------------------

16-05-2019 10:31:07

1 row selected.

SELECT * FROM V$VERSION;

BANNER

--------------------------------------------------------------------------------

Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production

PL/SQL Release 11.2.0.1.0 - Production

CORE 11.2.0.1.0 Production

TNS for 64-bit Windows: Version 11.2.0.1.0 - Production

NLSRTL Version 11.2.0.1.0 - Production

5 rows selected.

SELECT INSTANCE_NAME, HOST_NAME, STATUS from v$instance;

INSTANCE_NAME HOST_NAME
STATUS

---------------- ----------------------------------------------------------------
------------

orcl DESKTOP-7JS000T
OPEN

1 row selected.

/* 1. Restricciones inic Sesion */

-- 1.1. Restringir el n�mero de intentos fallidos de autenticaci�n sobre el perfil


por defecto
SELECT * FROM DBA_PROFILES WHERE RESOURCE_NAME='FAILED_LOGIN_ATTEMPTS' AND
PROFILE='DEFAULT';
PROFILE RESOURCE_NAME RESOURCE LIMIT

------------------------------ -------------------------------- --------


----------------------------------------

DEFAULT FAILED_LOGIN_ATTEMPTS PASSWORD 3

1 row selected.

ALTER PROFILE DEFAULT LIMIT FAILED_LOGIN_ATTEMPTS 3;

Profile altered.

SELECT * FROM DBA_PROFILES WHERE RESOURCE_NAME='FAILED_LOGIN_ATTEMPTS' AND


PROFILE='DEFAULT' AND LIMIT='3';

PROFILE RESOURCE_NAME RESOURCE LIMIT

------------------------------ -------------------------------- --------


----------------------------------------

DEFAULT FAILED_LOGIN_ATTEMPTS PASSWORD 3

1 row selected.

-- 1.2. Definir el tiempo que permanece bloqueada la contrase�a del usuario despu�s
de bloqueo por intentos fallidos de autenticaci�n sobre el perfil por defecto
SELECT * FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_LOCK_TIME' AND
PROFILE='DEFAULT';

PROFILE RESOURCE_NAME RESOURCE LIMIT

------------------------------ -------------------------------- --------


----------------------------------------

DEFAULT PASSWORD_LOCK_TIME PASSWORD 10

1 row selected.

ALTER PROFILE DEFAULT LIMIT PASSWORD_LOCK_TIME 10;

Profile altered.

SELECT * FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_LOCK_TIME' AND


PROFILE='DEFAULT' AND LIMIT='10';

PROFILE RESOURCE_NAME RESOURCE LIMIT

------------------------------ -------------------------------- --------


----------------------------------------

DEFAULT PASSWORD_LOCK_TIME PASSWORD 10


1 row selected.

-- 1.3. Deshabilitar autenticaci�n externa para todos los usuarios


SELECT USERNAME, AUTHENTICATION_TYPE FROM DBA_USERS WHERE
AUTHENTICATION_TYPE='EXTERNAL';

no rows selected

ALTER USER [usuario] IDENTIFIED BY PASSWORD;


ALTER USER [usuario] IDENTIFIED BY PASSWORD
*
ERROR at line 1:
ORA-01935: falta el nombre de usuario o de rol

-- 1.4. Limitar el n�mero de sesiones por usuario sobre el perfil por defecto
SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE PROFILE='DEFAULT' AND
RESOURCE_NAME='SESSIONS_PER_USER';

PROFILE RESOURCE_NAME LIMIT

------------------------------ --------------------------------
----------------------------------------

DEFAULT SESSIONS_PER_USER 1

1 row selected.

ALTER PROFILE DEFAULT LIMIT SESSIONS_PER_USER 1;

Profile altered.

SHOW PARAMETER RESOURCE_LIMIT;

NAME TYPE VALUE

------------------------------------ ----------- ------------------------------

resource_limit boolean TRUE

ALTER SYSTEM SET RESOURCE_LIMIT=TRUE;

System altered.

/* 2. Parametros Generales */
-- "Esto se debe realizar de manera manual accediendo a la ruta del ORACLE_HOME
debe hacer los cambios reiniciar la BD y luego validar los cambios"

-- 2.1. Establecer seguridad para el listener de la base de datos - Agregar la


siguiente l�nea en el archivo de configuraci�n
ORACLE_HOME/network/admin/listener.ora
SECURE_CNTROL_LISTENER = (IPC ,TCPS)
SP2-0734: unknown command beginning "SECURE_CNT..." - rest of line ignored.
-- Guardar cambios en el archivo listener.ora Reiniciar la instancia de la base de
datos Detener el servicio del listener lsnrctl stop iniciar el servicio del
listener lsnrctl start

-- 2.2. Limitar la ejecuci�n de procedimientos desde librer�as del sistema


operativo - Eliminar la que contiene la palabra EXTPROC del archivo de
configuraci�n ORACLE_HOME/network/admin/listener.ora
NO APLICA PARA BD RRHH, DEBIDO QUE NO ESTA EN RAC
SP2-0734: unknown command beginning "NO APLICA ..." - rest of line ignored.

-- 2.3. Cambiar el puerto de escucha por defecto - Cambiar el valor 1521 de la


sentencia PORT dentro del archivo de configuraci�n
ORACLE_HOME/network/admin/listener.ora
El listener debe estar configurado en el puerto 1532
SP2-0734: unknown command beginning "El listene..." - rest of line ignored.

-- 2.4. Forzar el uso de nombre para links de bases de datos iguales a la base de
datos destino - Verificar que este en TRUE el parametro GLOBAL_NAMES
SHOW PARAMETER GLOBAL_NAMES;

NAME TYPE VALUE

------------------------------------ ----------- ------------------------------

global_names boolean FALSE

ALTER SYSTEM SET GLOBAL_NAMES = TRUE SCOPE = SPFILE;

System altered.

-- 2.5. Definir valor para el listener local - Verificar que este definido el
valor del LOCAL_LISTENER - Ejemplo para la BD de RRHH debe estar en LISTENER_RRHH
SHOW PARAMETER LOCAL_LISTENER;

NAME TYPE VALUE

------------------------------------ ----------- ------------------------------

local_listener string (DESCRIPTION=(ADDRESS= (PROTOC

OL=IPC)(KEY=REGISTER)))

ALTER SYSTEM SET LOCAL_LISTENER='(DESCRIPTION=(ADDRESS= (PROTOCOL=IPC)


(KEY=REGISTER)))' SCOPE = BOTH;

System altered.

-- 2.6. Deshabilitar el uso de grupos del sistema operativo para gesti�n de la base
de datos - Verificar que este en FALSE el parametro OS_ROLES
SHOW PARAMETER OS_ROLES;

NAME TYPE VALUE

------------------------------------ ----------- ------------------------------

os_roles boolean FALSE

remote_os_roles boolean FALSE


ALTER SYSTEM SET OS_ROLES=FALSE SCOPE=SPFILE;

System altered.

-- 2.7. Deshabilitar la posibilidad de conexi�n al servicio a trav�s de listeners


no presentes de manera local en el servidor de bases de datos - Verificar el
parametro REMOTE_LISTENER
SHOW PARAMETER REMOTE_LISTENER;

NAME TYPE VALUE

------------------------------------ ----------- ------------------------------

remote_listener string

-- Donde 'nombre equipo BD o IP 10.213.41.10:1521'


ALTER SYSTEM SET REMOTE_LISTENER ='SV934291.bancopopular.net:1521' SCOPE = SPFILE;

System altered.

-- 2.8. Deshabilitar la autenticaci�n remota por sistema operativo - Verificar que


este en FALSE el parametro REMOTE_OS_AUTHENT
SHOW PARAMETER REMOTE_OS_AUTHENT;

NAME TYPE VALUE

------------------------------------ ----------- ------------------------------

remote_os_authent boolean FALSE

ALTER SYSTEM SET REMOTE_OS_AUTHENT = FALSE SCOPE = SPFILE;

System altered.

-- 2.9. Deshabilitar el uso de grupos del sistema operativo remoto para gesti�n de
la base de datos tipo UTL_FILE - verificar que este en FALSE el parametro
REMOTE_OS_ROLES
SHOW PARAMETER REMOTE_OS_ROLES;

NAME TYPE VALUE

------------------------------------ ----------- ------------------------------

remote_os_roles boolean FALSE

ALTER SYSTEM SET REMOTE_OS_ROLES=FALSE SCOPE=SPFILE;

System altered.

-- 2.10. Limitar el n�mero de intentos fallidos de autenticaci�n al proceso de base


de datos - Verificar que este en valor 3 el parametro SEC_MAX_FAILED_LOGIN_ATTEMPTS
SHOW PARAMETER SEC_MAX_FAILED_LOGIN_ATTEMPTS;

NAME TYPE VALUE


------------------------------------ ----------- ------------------------------

sec_max_failed_login_attempts integer 10

ALTER SYSTEM SET SEC_MAX_FAILED_LOGIN_ATTEMPTS=3 SCOPE=SPFILE;

System altered.

-- 2.11. Configurar la respuesta a paquetes malformados - Verificar el parametro


SET SEC_PROTOCOL_ERROR_FURTHER_ACTION - No es necesario dado que el trafico de los
servidores pasa por FIREWALL
SHOW PARAMETER SEC_PROTOCOL_ERROR_FURTHER_ACTION;

NAME TYPE VALUE

------------------------------------ ----------- ------------------------------

sec_protocol_error_further_action string CONTINUE

ALTER SYSTEM SET SEC_PROTOCOL_ERROR_FURTHER_ACTION = [DELAY,3|DROP,3]


SCOPE=SPFILE ;
ALTER SYSTEM SET SEC_PROTOCOL_ERROR_FURTHER_ACTION = [DELAY,3|DROP,3] SCOPE=SPFILE
*
ERROR at line 1:
ORA-02065: opci�n no v�lida para ALTER SYSTEM

-- 2.12. Configurar el registro de paquetes malformados - Verificar el parametro


SEC_PROTOCOL_ERROR_TRACE_ACTION este debe estar en TRACE
SHOW PARAMETER SEC_PROTOCOL_ERROR_TRACE_ACTION;

NAME TYPE VALUE

------------------------------------ ----------- ------------------------------

sec_protocol_error_trace_action string TRACE

ALTER SYSTEM SET SEC_PROTOCOL_ERROR_TRACE_ACTION=LOG SCOPE=SPFILE;

System altered.

-- 2.13. Limitar la informaci�n del n�mero de rel�ase y de actualizaci�n de la base


de datos en el banner del servicio - Verificar que el parametro
SEC_RETURN_SERVER_RELEASE_BANNER este en FALSE
SHOW PARAMETER SEC_RETURN_SERVER_RELEASE_BANNER;

NAME TYPE VALUE

------------------------------------ ----------- ------------------------------

sec_return_server_release_banner boolean FALSE

ALTER SYSTEM SET SEC_RETURN_SERVER_RELEASE_BANNER=FALSE SCOPE=SPFILE;

System altered.
-- 2.14. Habilitar seguridad sql92 - Verificar que el parametro SQL92_SECURITY este
en FALSE
SHOW PARAMETER SQL92_SECURITY;

NAME TYPE VALUE

------------------------------------ ----------- ------------------------------

sql92_security boolean FALSE

ALTER SYSTEM SET SQL92_SECURITY=FALSE SCOPE=SPFILE;

System altered.

-- 2.15. Protecci�n de los archivos de traza - Validar que el parametro


_TRACE_FILES_PUBLIC que este en FALSE
SHOW PARAMETER "_TRACE_FILES_PUBLIC";
ALTER SYSTEM SET "_TRACE_FILES_PUBLIC"=FALSE SCOPE=SPFILE;

System altered.

Ojo: Se valida con el DBA y este contro no existe en la BD rrhh


SP2-0734: unknown command beginning "Ojo: Se va..." - rest of line ignored.

-- 2.16. Actualizaci�n controlada servidor - Actualizaci�n de versi�n de Oracle y


aplicaci�n de parches
SELECT * FROM V$VERSION;

BANNER

--------------------------------------------------------------------------------

Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production

PL/SQL Release 11.2.0.1.0 - Production

CORE 11.2.0.1.0 Production

TNS for 64-bit Windows: Version 11.2.0.1.0 - Production

NLSRTL Version 11.2.0.1.0 - Production

5 rows selected.

Actual: Oracle Database 12c Enterprise Edition Release 12.1.0.1.0.


SP2-0734: unknown command beginning "Actual: Or..." - rest of line ignored.
Ultima: Versi�n 12C R2
SP2-0734: unknown command beginning "Ultima: Ve..." - rest of line ignored.

/* 3. Politica De Contrase�as */

-- 3.1. Limitar el tiempo de vigencia de las contrase�as sobre el perfil por


defecto
SELECT PROFILE, RESOURCE_NAME FROM DBA_PROFILES WHERE PROFILE='DEFAULT' AND
RESOURCE_NAME='PASSWORD_LOCK_TIME';
PROFILE RESOURCE_NAME

------------------------------ --------------------------------

DEFAULT PASSWORD_LOCK_TIME

1 row selected.

ALTER PROFILE DEFAULT LIMIT PASSWORD_LOCK_TIME 90;

Profile altered.

SELECT * FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_LOCK_TIME' AND


PROFILE='DEFAULT' AND LIMIT='90';

PROFILE RESOURCE_NAME RESOURCE LIMIT

------------------------------ -------------------------------- --------


----------------------------------------

DEFAULT PASSWORD_LOCK_TIME PASSWORD 90

1 row selected.

-- 3.2. Restringir el hist�rico de contrase�as


SELECT PROFILE, RESOURCE_NAME FROM DBA_PROFILES WHERE PROFILE='DEFAULT' AND
RESOURCE_NAME='PASSWORD_REUSE_MAX';

PROFILE RESOURCE_NAME

------------------------------ --------------------------------

DEFAULT PASSWORD_REUSE_MAX

1 row selected.

ALTER PROFILE DEFAULT LIMIT PASSWORD_REUSE_MAX 20;

Profile altered.

SELECT * FROM DBA_PROFILES WHERE RESOURCE_NAME='PASSWORD_REUSE_MAX' AND


PROFILE='DEFAULT' AND LIMIT='90';

no rows selected

-- 3.3. Restringir el n�mero de d�as que tienen que pasar para cambiar una
contrase�a sobre el perfil por defecto
SELECT PROFILE, RESOURCE_NAME FROM DBA_PROFILES WHERE PROFILE='DEFAULT' AND
RESOURCE_NAME='PASSWORD_REUSE_TIME';

PROFILE RESOURCE_NAME

------------------------------ --------------------------------
DEFAULT PASSWORD_REUSE_TIME

1 row selected.

ALTER PROFILE DEFAULT LIMIT PASSWORD_REUSE_TIME 365;

Profile altered.

SELECT * FROM DBA_PROFILES WHERE PROFILE='DEFAULT' AND


RESOURCE_NAME='PASSWORD_REUSE_TIME'AND LIMIT='365';

PROFILE RESOURCE_NAME RESOURCE LIMIT

------------------------------ -------------------------------- --------


----------------------------------------

DEFAULT PASSWORD_REUSE_TIME PASSWORD 365

1 row selected.

-- 3.4. Deshabilitar el uso de archivos de contrase�as a nivel de sistema operativo


para conexiones remotas
SELECT * FROM SYS.V$PARAMETER WHERE NAME='remote_login_passwordfile';

NUM NAME
TYPE

----------
--------------------------------------------------------------------------------
----------

VALUE

-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
--
DISPLAY_VALUE

-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
--
ISDEFAULT ISSES ISSYS_MOD ISINS ISMODIFIED ISADJ ISDEP ISBAS DESCRIPTION

--------- ----- --------- ----- ---------- ----- ----- -----


-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
------
UPDATE_COMMENT
HASH

-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
------ ----------

1412 remote_login_passwordfile
2

EXCLUSIVE

EXCLUSIVE

FALSE FALSE FALSE FALSE FALSE FALSE FALSE TRUE password file usage
parameter

3127891494

1 row selected.

SHOW PARAMETER REMOTE_LOGIN_PASSWORDFILE;

NAME TYPE VALUE

------------------------------------ ----------- ------------------------------

remote_login_passwordfile string EXCLUSIVE

ALTER SYSTEM SET REMOTE_LOGIN_PASSWORDFILE=NONE SCOPE=SPFILE;

System altered.

/* 4. Privilegios de Paquetes y Objetos */

-- 4.1. Eliminar usuarios de ejemplo BI HR OE PM IX SH SCOTT


SELECT USERNAME FROM ALL_USERS WHERE USERNAME='BI' OR USERNAME='HR' OR
USERNAME='OE' OR USERNAME='PM' OR USERNAME='IX' OR USERNAME='SH' OR
USERNAME='SCOTT';

no rows selected

-- DROP USER [usuario] CASCADE;


DROP USER BI CASCADE;
DROP USER BI CASCADE
*
ERROR at line 1:
ORA-01918: el usuario 'BI' no existe

DROP USER HR CASCADE;


DROP USER HR CASCADE
*
ERROR at line 1:
ORA-01918: el usuario 'HR' no existe

DROP USER OE CASCADE;


DROP USER OE CASCADE
*
ERROR at line 1:
ORA-01918: el usuario 'OE' no existe

DROP USER PM CASCADE;


DROP USER PM CASCADE
*
ERROR at line 1:
ORA-01918: el usuario 'PM' no existe

DROP USER IX CASCADE;


DROP USER IX CASCADE
*
ERROR at line 1:
ORA-01918: el usuario 'IX' no existe

DROP USER SH CASCADE;


DROP USER SH CASCADE
*
ERROR at line 1:
ORA-01918: el usuario 'SH' no existe

DROP USER SCOTT CASCADE;


DROP USER SCOTT CASCADE
*
ERROR at line 1:
ORA-01918: el usuario 'SCOTT' no existe

SELECT USERNAME FROM ALL_USERS;

USERNAME

------------------------------

DIEGO

ITSS_TUNJA

ITSECURITY

OWBSYS_AUDIT

OWBSYS

APEX_030200

APEX_PUBLIC_USER
FLOWS_FILES

MGMT_VIEW

SYSMAN

SPATIAL_CSW_ADMIN_USR

SPATIAL_WFS_ADMIN_USR

MDDATA

MDSYS

SI_INFORMTN_SCHEMA

ORDPLUGINS

ORDDATA

ORDSYS

OLAPSYS

ANONYMOUS

XDB

CTXSYS

EXFSYS

XS$NULL

WMSYS

APPQOSSYS

DBSNMP

ORACLE_OCM

DIP

OUTLN

SYSTEM

SYS

32 rows selected.

-- Consulta pantallazo guia hardening


SELECT OWNER, OBJECT_NAME, OBJECT_TYPE, STATUS, COUNT(1) FROM ALL_OBJECTS WHERE
OBJECT_NAME = 'DBMS_JOB' AND OBJECT_TYPE LIKE 'PACKAGE%' AND STATUS = 'INVALID'
GROUP BY OWNER, OBJECT_NAME, OBJECT_TYPE, STATUS;
OWNER OBJECT_NAME OBJECT_TYPE
STATUS COUNT(1)

------------------------------ ------------------------------ -------------------


------- ----------

SYS DBMS_JOB PACKAGE BODY


INVALID 1

1 row selected.

SELECT OWNER, OBJECT_TYPE, STATUS, COUNT(1) FROM ALL_OBJECTS WHERE OBJECT_TYPE LIKE
'PACKAGE%' AND STATUS = 'INVALID' GROUP BY OWNER, OBJECT_TYPE, STATUS;

OWNER OBJECT_TYPE STATUS COUNT(1)

------------------------------ ------------------- ------- ----------

WMSYS PACKAGE INVALID 1

EXFSYS PACKAGE INVALID 1

ORDSYS PACKAGE BODY INVALID 9

ORDPLUGINS PACKAGE BODY INVALID 2

SYS PACKAGE INVALID 23

SYS PACKAGE BODY INVALID 200

SYSTEM PACKAGE BODY INVALID 1

XDB PACKAGE BODY INVALID 10

DBSNMP PACKAGE BODY INVALID 2

EXFSYS PACKAGE BODY INVALID 6

MDSYS PACKAGE BODY INVALID 12

MDSYS PACKAGE INVALID 1

SYSMAN PACKAGE BODY INVALID 10

APEX_030200 PACKAGE BODY INVALID 85

ORACLE_OCM PACKAGE BODY INVALID 2

WMSYS PACKAGE BODY INVALID 13

OLAPSYS PACKAGE BODY INVALID 12

APEX_030200 PACKAGE INVALID 14

CTXSYS PACKAGE BODY INVALID 9


19 rows selected.

-- 4.2. Limitar el acceso al paquete DBMS_ADVISOR (rol PUBLIC) - Para otrorgar el


acceso nuevamente se utiliza GRANT EXECUTE ON DBMS_ADVISOR TO PUBLIC;
SELECT * FROM ALL_TAB_PRIVS_MADE WHERE TABLE_NAME ='DBMS_ADVISOR' AND
GRANTEE='PUBLIC';

GRANTEE OWNER TABLE_NAME


GRANTOR PRIVILEGE GRA HIE

------------------------------ ------------------------------
------------------------------ ------------------------------
---------------------------------------- --- ---

PUBLIC SYS DBMS_ADVISOR


SYS EXECUTE NO NO

1 row selected.

REVOKE EXECUTE ON DBMS_ADVISOR FROM PUBLIC;

Revoke succeeded.

-- 4.3. Limitar el acceso al paquete DBMS_CRYPTO (rol PUBLIC)


SELECT * FROM ALL_TAB_PRIVS_MADE WHERE TABLE_NAME ='DBMS_CRYPTO' AND
GRANTEE='PUBLIC';

no rows selected

REVOKE EXECUTE ON DBMS_CRYPTO FROM PUBLIC;


REVOKE EXECUTE ON DBMS_CRYPTO FROM PUBLIC
*
ERROR at line 1:
ORA-01927: no se puede revocar (REVOKE) privilegios que no se han otorgado

-- 4.4. Limitar el acceso a los paquetes DBMS_JAVA y DBMS_JAVA_TEST (rol PUBLIC)


SELECT * FROM ALL_TAB_PRIVS_MADE WHERE TABLE_NAME ='DBMS_JAVA' AND
GRANTEE='PUBLIC';

no rows selected

REVOKE EXECUTE ON DBMS_JAVA FROM PUBLIC;


REVOKE EXECUTE ON DBMS_JAVA FROM PUBLIC
*
ERROR at line 1:
ORA-01927: no se puede revocar (REVOKE) privilegios que no se han otorgado

SELECT * FROM ALL_TAB_PRIVS_MADE WHERE TABLE_NAME ='DBMS_JAVA_TEST' AND


GRANTEE='PUBLIC';

no rows selected

REVOKE EXECUTE ON DBMS_JAVA_TEST FROM PUBLIC;


REVOKE EXECUTE ON DBMS_JAVA_TEST FROM PUBLIC
*
ERROR at line 1:
ORA-01927: no se puede revocar (REVOKE) privilegios que no se han otorgado

-- 4.5. Limitar el acceso al paquete DBMS_JOB (rol PUBLIC)


SELECT * FROM ALL_TAB_PRIVS_MADE WHERE TABLE_NAME ='DBMS_JOB' AND GRANTEE='PUBLIC';

no rows selected

REVOKE EXECUTE ON DBMS_JOB FROM PUBLIC;


REVOKE EXECUTE ON DBMS_JOB FROM PUBLIC
*
ERROR at line 1:
ORA-01927: no se puede revocar (REVOKE) privilegios que no se han otorgado

-- 4.6. Limitar el acceso al paquete DBMS_LDAP (rol PUBLIC)


SELECT * FROM ALL_TAB_PRIVS_MADE WHERE TABLE_NAME ='DBMS_LDAP' AND
GRANTEE='PUBLIC';

no rows selected

REVOKE EXECUTE ON DBMS_LDAP FROM PUBLIC;


REVOKE EXECUTE ON DBMS_LDAP FROM PUBLIC
*
ERROR at line 1:
ORA-01927: no se puede revocar (REVOKE) privilegios que no se han otorgado

-- 4.7. Limitar el acceso al paquete DBMS_LOB (rol PUBLIC)


SELECT * FROM ALL_TAB_PRIVS_MADE WHERE TABLE_NAME ='DBMS_LOB' AND GRANTEE='PUBLIC';

no rows selected

REVOKE EXECUTE ON DBMS_LOB FROM PUBLIC;


REVOKE EXECUTE ON DBMS_LOB FROM PUBLIC
*
ERROR at line 1:
ORA-01927: no se puede revocar (REVOKE) privilegios que no se han otorgado

-- 4.8. Limitar el acceso al paquete DBMS_OBFUSCATI ON_TOOLKIT (rol PUBLIC)


SELECT * FROM ALL_TAB_PRIVS_MADE WHERE TABLE_NAME ='DBMS_OBFUSCATION_TOOLKIT' AND
GRANTEE='PUBLIC';

GRANTEE OWNER TABLE_NAME


GRANTOR PRIVILEGE GRA HIE

------------------------------ ------------------------------
------------------------------ ------------------------------
---------------------------------------- --- ---

PUBLIC SYS
DBMS_OBFUSCATION_TOOLKIT SYS EXECUTE
NO NO

1 row selected.

REVOKE EXECUTE ON DBMS_OBFUSCATION_TOOLKIT FROM PUBLIC;

Revoke succeeded.

-- 4.9. Limitar el acceso al paquete DBMS_RANDOM (rol PUBLIC)


SELECT * FROM ALL_TAB_PRIVS_MADE WHERE TABLE_NAME ='DBMS_RANDOM' AND
GRANTEE='PUBLIC';

no rows selected

REVOKE EXECUTE ON DBMS_RANDOM FROM PUBLIC;


REVOKE EXECUTE ON DBMS_RANDOM FROM PUBLIC
*
ERROR at line 1:
ORA-01927: no se puede revocar (REVOKE) privilegios que no se han otorgado

-- 4.10. Limitar el acceso al paquete DBMS_SCHEDULER (rol PUBLIC)


SELECT * FROM ALL_TAB_PRIVS_MADE WHERE TABLE_NAME ='DBMS_SCHEDULER' AND
GRANTEE='PUBLIC';

no rows selected

REVOKE EXECUTE ON DBMS_SCHEDULER FROM PUBLIC;


REVOKE EXECUTE ON DBMS_SCHEDULER FROM PUBLIC
*
ERROR at line 1:
ORA-01927: no se puede revocar (REVOKE) privilegios que no se han otorgado

-- 4.11. Limitar el acceso al paquete DBMS_SQL (rol PUBLIC)


SELECT * FROM ALL_TAB_PRIVS_MADE WHERE TABLE_NAME ='DBMS_SQL' AND GRANTEE='PUBLIC';

no rows selected

REVOKE EXECUTE ON DBMS_SQL FROM PUBLIC;


REVOKE EXECUTE ON DBMS_SQL FROM PUBLIC
*
ERROR at line 1:
ORA-01927: no se puede revocar (REVOKE) privilegios que no se han otorgado

-- 4.12. Limitar el acceso al paquete DBMS_XMLGEN (rol PUBLIC)


SELECT * FROM ALL_TAB_PRIVS_MADE WHERE TABLE_NAME ='DBMS_XMLGEN' AND
GRANTEE='PUBLIC';

no rows selected

REVOKE EXECUTE ON DBMS_XMLGEN FROM PUBLIC;


REVOKE EXECUTE ON DBMS_XMLGEN FROM PUBLIC
*
ERROR at line 1:
ORA-01927: no se puede revocar (REVOKE) privilegios que no se han otorgado

-- 4.13. Limitar el acceso al paquete DBMS_XMLQUERY (rol PUBLIC)


SELECT * FROM ALL_TAB_PRIVS_MADE WHERE TABLE_NAME ='UTL_FILE' AND GRANTEE='PUBLIC';

no rows selected

REVOKE EXECUTE ON DBMS_XMLQUERY FROM PUBLIC;


REVOKE EXECUTE ON DBMS_XMLQUERY FROM PUBLIC
*
ERROR at line 1:
ORA-01927: no se puede revocar (REVOKE) privilegios que no se han otorgado

-- 4.14. Limitar el acceso al paquete UTL_FILE (rol PUBLIC)


SELECT * FROM ALL_TAB_PRIVS_MADE WHERE TABLE_NAME ='' AND GRANTEE='PUBLIC';

no rows selected

REVOKE EXECUTE ON UTL_FILE FROM PUBLIC;


REVOKE EXECUTE ON UTL_FILE FROM PUBLIC
*
ERROR at line 1:
ORA-01927: no se puede revocar (REVOKE) privilegios que no se han otorgado

-- 4.15. Limitar el acceso al paquete UTL_INADDR (rol PUBLIC)


SELECT * FROM ALL_TAB_PRIVS_MADE WHERE TABLE_NAME ='UTL_INADDR' AND
GRANTEE='PUBLIC';

no rows selected

REVOKE EXECUTE ON UTL_INADDR FROM PUBLIC;


REVOKE EXECUTE ON UTL_INADDR FROM PUBLIC
*
ERROR at line 1:
ORA-01927: no se puede revocar (REVOKE) privilegios que no se han otorgado

-- 4.16. Limitar el acceso al paquete UTL_TCP (rol PUBLIC)


SELECT * FROM ALL_TAB_PRIVS_MADE WHERE TABLE_NAME ='UTL_TCP' AND GRANTEE='PUBLIC';

no rows selected

REVOKE EXECUTE ON UTL_TCP FROM PUBLIC;


REVOKE EXECUTE ON UTL_TCP FROM PUBLIC
*
ERROR at line 1:
ORA-01927: no se puede revocar (REVOKE) privilegios que no se han otorgado
-- 4.17. Limitar el acceso al paquete UTL_MAIL (rol PUBLIC)
SELECT * FROM ALL_TAB_PRIVS_MADE WHERE TABLE_NAME ='UTL_MAIL' AND GRANTEE='PUBLIC';

no rows selected

REVOKE EXECUTE ON UTL_MAIL FROM PUBLIC;


REVOKE EXECUTE ON UTL_MAIL FROM PUBLIC
*
ERROR at line 1:
ORA-04042: el procedimiento, la funci�n, el paquete o el cuerpo del paquete no
existen

-- 4.18. Limitar el acceso al paquete UTL_SMTP (rol PUBLIC)


SELECT * FROM ALL_TAB_PRIVS_MADE WHERE TABLE_NAME ='UTL_SMTP' AND GRANTEE='PUBLIC';

no rows selected

REVOKE EXECUTE ON UTL_SMTP FROM PUBLIC;


REVOKE EXECUTE ON UTL_SMTP FROM PUBLIC
*
ERROR at line 1:
ORA-01927: no se puede revocar (REVOKE) privilegios que no se han otorgado

-- 4.19. Limitar el acceso al paquete UTL_DBWS (rol PUBLIC)


SELECT * FROM ALL_TAB_PRIVS_MADE WHERE TABLE_NAME ='' AND GRANTEE='PUBLIC';

no rows selected

REVOKE EXECUTE ON UTL_DBWS FROM PUBLIC;


REVOKE EXECUTE ON UTL_DBWS FROM PUBLIC
*
ERROR at line 1:
ORA-04042: el procedimiento, la funci�n, el paquete o el cuerpo del paquete no
existen

-- 4.20. Limitar el acceso al paquete UTL_HTTP (rol PUBLIC)


SELECT * FROM ALL_TAB_PRIVS_MADE WHERE TABLE_NAME ='UTL_HTTP' AND GRANTEE='PUBLIC';

no rows selected

REVOKE EXECUTE ON UTL_HTTP FROM PUBLIC;


REVOKE EXECUTE ON UTL_HTTP FROM PUBLIC
*
ERROR at line 1:
ORA-01927: no se puede revocar (REVOKE) privilegios que no se han otorgado

-- 4.21. Limitar el acceso al paquete DBMS_SYS_SQL (rol PUBLIC)


SELECT * FROM ALL_TAB_PRIVS_MADE WHERE TABLE_NAME ='DBMS_SYS_SQL' AND
GRANTEE='PUBLIC';
no rows selected

REVOKE EXECUTE ON DBMS_SYS_SQL FROM PUBLIC;


REVOKE EXECUTE ON DBMS_SYS_SQL FROM PUBLIC
*
ERROR at line 1:
ORA-01927: no se puede revocar (REVOKE) privilegios que no se han otorgado

-- 4.22. Limitar el acceso al paquete DBMS_BACKUP_RE STORE (rol PUBLIC)


SELECT * FROM ALL_TAB_PRIVS_MADE WHERE TABLE_NAME ='DBMS_BACKUP_RESTORE' AND
GRANTEE='PUBLIC';

no rows selected

REVOKE EXECUTE ON DBMS_BACKUP_RESTORE FROM PUBLIC;


REVOKE EXECUTE ON DBMS_BACKUP_RESTORE FROM PUBLIC
*
ERROR at line 1:
ORA-01927: no se puede revocar (REVOKE) privilegios que no se han otorgado

-- 4.23. Limitar el acceso al paquete DBMS_FILE_TRANS FER (rol PUBLIC)


SELECT * FROM ALL_TAB_PRIVS_MADE WHERE TABLE_NAME ='DBMS_FILE_TRANSFER' AND
GRANTEE='PUBLIC';

no rows selected

REVOKE EXECUTE ON DBMS_FILE_TRANSFER FROM PUBLIC;


REVOKE EXECUTE ON DBMS_FILE_TRANSFER FROM PUBLIC
*
ERROR at line 1:
ORA-01927: no se puede revocar (REVOKE) privilegios que no se han otorgado

/* 5. Privilegios de Sistema */

-- 5.1. Restricci�n del privilegio SELECT ANY DICTIONARY


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS where PRIVILEGE='SELECT ANY
DICTIONARY' AND GRANTEE NOT IN
('DBA','DBSNMP','OEM_MONITOR','OLAPSYS','ORACLE_OCM',' SYSMAN','WMSYS');

GRANTEE PRIVILEGE

------------------------------ ----------------------------------------

SYSMAN SELECT ANY DICTIONARY

1 row selected.

REVOKE SELECT ANY DICTIONARY FROM [usuario];


REVOKE SELECT ANY DICTIONARY FROM [usuario]
*
ERROR at line 1:
ORA-00987: faltan los nombres de usuario o no son v�lidos
-- 5.2. Restricci�n del privilegio SELECT ANY TABLE
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS where PRIVILEGE='SELECT ANY TABLE';

GRANTEE PRIVILEGE

------------------------------ ----------------------------------------

DBA SELECT ANY TABLE

MDSYS SELECT ANY TABLE

SYS SELECT ANY TABLE

IMP_FULL_DATABASE SELECT ANY TABLE

EXP_FULL_DATABASE SELECT ANY TABLE

DATAPUMP_IMP_FULL_DATABASE SELECT ANY TABLE

OLAP_DBA SELECT ANY TABLE

WMSYS SELECT ANY TABLE

SYSTEM SELECT ANY TABLE

OLAPSYS SELECT ANY TABLE

10 rows selected.

REVOKE SELECT ANY TABLE FROM [usuario];


REVOKE SELECT ANY TABLE FROM [usuario]
*
ERROR at line 1:
ORA-00987: faltan los nombres de usuario o no son v�lidos

-- 5.3. Restricci�n del privilegio AUDIT SYSTEM


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS where PRIVILEGE='AUDIT SYSTEM' AND
GRANTEE NOT IN ('DBA','DATAPUMP_IMP_FULL_DATABASE','IMP_FULL_DATABASE ','SYS');

GRANTEE PRIVILEGE

------------------------------ ----------------------------------------

IMP_FULL_DATABASE AUDIT SYSTEM

1 row selected.

REVOKE AUDIT SYSTEM FROM [usuario];


REVOKE AUDIT SYSTEM FROM [usuario]
*
ERROR at line 1:
ORA-00987: faltan los nombres de usuario o no son v�lidos
-- 5.4. Restricci�n del privilegio EXEMPT ACCESS POLICY
SELECT * FROM DBA_SYS_PRIVS WHERE PRIVILEGE='EXEMPT ACCESS POLICY';

no rows selected

REVOKE EXEMPT ACCESS POLICY FROM [usuario];


REVOKE EXEMPT ACCESS POLICY FROM [usuario]
*
ERROR at line 1:
ORA-00987: faltan los nombres de usuario o no son v�lidos

-- 5.5. Restricci�n del privilegio BECOME USER


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS where PRIVILEGE='BECOME USER' AND
GRANTEE NOT IN ('DBA','SYS','IMP_FULL_DATABASE');

no rows selected

REVOKE BECOME USER FROM [usuario];


REVOKE BECOME USER FROM [usuario]
*
ERROR at line 1:
ORA-00987: faltan los nombres de usuario o no son v�lidos

-- 5.6. Restricci�n del privilegio CREATE PROCEDURE


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS where PRIVILEGE='CREATE PROCEDURE' and
GRANTEE NOT IN
( 'DBA','DBSNMP','MDSYS','OLAPSYS','OWB$CLIENT','OWBSYS','RECOVERY_CATALOG_OWNER','
SPATIAL_CSW_ADMIN_USR','SPA TIAL_WFS_ADMIN_USR','SYS','APEX_030200','APEX_040000',
'APEX_040100','APEX_040200');

GRANTEE PRIVILEGE

------------------------------ ----------------------------------------

SPATIAL_WFS_ADMIN_USR CREATE PROCEDURE

RESOURCE CREATE PROCEDURE

2 rows selected.

REVOKE CREATE PROCEDURE FROM [usuario];


REVOKE CREATE PROCEDURE FROM [usuario]
*
ERROR at line 1:
ORA-00987: faltan los nombres de usuario o no son v�lidos

-- 5.7. Restricci�n del privilegio ALTER SYSTEM


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='ALTER SYSTEM' and
GRANTEE NOT IN ('SYS','DBA','SYSTEM','APEX_030200','APEX_040000','APE
X_040100','APEX_040200');

no rows selected

REVOKE ALTER SYSTEM FROM [usuario];


REVOKE ALTER SYSTEM FROM [usuario]
*
ERROR at line 1:
ORA-00987: faltan los nombres de usuario o no son v�lidos

-- 5.8. Restricci�n del privilegio CREATE ANY LIBRARY


SELECT * FROM DBA_SYS_PRIVS where (PRIVILEGE='CREATE LIBRARY' or PRIVILEGE='CREATE
ANY LIBRARY') AND GRANTEE NOT IN ('SYS','SYSTEM','DBA');

GRANTEE PRIVILEGE ADM

------------------------------ ---------------------------------------- ---

SPATIAL_CSW_ADMIN_USR CREATE LIBRARY NO

IMP_FULL_DATABASE CREATE ANY LIBRARY NO

XDB CREATE LIBRARY NO

EXFSYS CREATE LIBRARY NO

MDSYS CREATE LIBRARY NO

SPATIAL_WFS_ADMIN_USR CREATE LIBRARY NO

6 rows selected.

REVOKE CREATE LIBRARY FROM [usuario];


REVOKE CREATE LIBRARY FROM [usuario]
*
ERROR at line 1:
ORA-00987: faltan los nombres de usuario o no son v�lidos

REVOKE CREATE ANY LIBRARY FROM [usuario];


REVOKE CREATE ANY LIBRARY FROM [usuario]
*
ERROR at line 1:
ORA-00987: faltan los nombres de usuario o no son v�lidos

-- 5.9. Restricci�n del privilegio GRANT ANY OBJECT PRIVILEGE


SELECT * FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY OBJECT PRIVILEGE' AND
GRANTEE NOT IN ('DBA','SYS','IMP_FULL_DATABASE','DATAPUMP_IMP_FULL_DA TABASE');

GRANTEE PRIVILEGE ADM

------------------------------ ---------------------------------------- ---

DATAPUMP_IMP_FULL_DATABASE GRANT ANY OBJECT PRIVILEGE NO


1 row selected.

REVOKE GRANT ANY OBJECT PRIVILEGE FROM [usuario];


REVOKE GRANT ANY OBJECT PRIVILEGE FROM [usuario]
*
ERROR at line 1:
ORA-00987: faltan los nombres de usuario o no son v�lidos

-- 5.10. Restricci�n del privilegio GRANT ANY ROLE


SELECT * FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY ROLE' AND GRANTEE NOT IN
('DBA','SYS','DATAPUMP_IMP_FULL_DATABASE','IMP_FULL_DA
TABASE','SPATIAL_WFS_ADMIN_USR','SPATIAL_CSW_ADMIN_USR');

GRANTEE PRIVILEGE ADM

------------------------------ ---------------------------------------- ---

IMP_FULL_DATABASE GRANT ANY ROLE NO

1 row selected.

REVOKE GRANT ANY ROLE FROM [usuario];


REVOKE GRANT ANY ROLE FROM [usuario]
*
ERROR at line 1:
ORA-00987: faltan los nombres de usuario o no son v�lidos

-- 5.11. Restricci�n del privilegio GRANT ANY PRIVILEGE


SELECT * FROM DBA_SYS_PRIVS WHERE PRIVILEGE='GRANT ANY PRIVILEGE' AND GRANTEE NOT
IN ('DBA','SYS','IMP_FULL_DATABASE','DATAPUMP_IMP_FULL_DA TABASE');

GRANTEE PRIVILEGE ADM

------------------------------ ---------------------------------------- ---

DATAPUMP_IMP_FULL_DATABASE GRANT ANY PRIVILEGE NO

1 row selected.

REVOKE GRANT ANY PRIVILEGE FROM [usuario];


REVOKE GRANT ANY PRIVILEGE FROM [usuario]
*
ERROR at line 1:
ORA-00987: faltan los nombres de usuario o no son v�lidos

-- 5.12. Restricci�n del privilegio SYSBACKUP


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='SYSBACKUP' and
GRANTEE NOT IN ('SYS','DBA','SYSTEM','OSBACKUP');
no rows selected

REVOKE SYSBACKUP FROM [usuario];


REVOKE SYSBACKUP FROM [usuario]
*
ERROR at line 1:
ORA-00987: faltan los nombres de usuario o no son v�lidos

-- 5.13. Restricci�n privilegio SYSDG


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='SYSDG' and GRANTEE
NOT IN ('SYS','DBA','SYSTEM','OSDG');

no rows selected

REVOKE SYSDG FROM [usuario];


REVOKE SYSDG FROM [usuario]
*
ERROR at line 1:
ORA-00987: faltan los nombres de usuario o no son v�lidos

-- 5.14. Restricci�n privilegio SYSKM


SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE='SYSKM' and GRANTEE
NOT IN ('SYS','DBA','SYSTEM','OSKM');

no rows selected

REVOKE SYSKM FROM [usuario];


REVOKE SYSKM FROM [usuario]
*
ERROR at line 1:
ORA-00987: faltan los nombres de usuario o no son v�lidos

/* 6. Privilegios de Tablas y Vistas */

-- 6.1. Limitar autorizaci�n a la tabla SYS.AUD$


SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='AUD$' AND GRANTEE
NOT IN ('DELETE_CATALOG_ROLE');

no rows selected

REVOKE ALL ON AUD$ FROM [usuario];


REVOKE ALL ON AUD$ FROM [usuario]
*
ERROR at line 1:
ORA-00987: faltan los nombres de usuario o no son v�lidos

-- 6.2. Limitar autorizaci�n a la tabla SYS.USER_HISTORY$


SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='USER_HISTORY$';

no rows selected
REVOKE ALL ON USER_HISTORY$ FROM [usuario];
REVOKE ALL ON USER_HISTORY$ FROM [usuario]
*
ERROR at line 1:
ORA-00987: faltan los nombres de usuario o no son v�lidos

-- 6.3. Limitar autorizaci�n a la tabla SYS.LINK$


SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='LINK$';

no rows selected

REVOKE ALL ON LINK$ FROM [usuario];


REVOKE ALL ON LINK$ FROM [usuario]
*
ERROR at line 1:
ORA-00987: faltan los nombres de usuario o no son v�lidos

-- 6.4. Limitar autorizaci�n a las vistas DBA_


SELECT owner FROM dba_tab_privs WHERE TABLE_NAME LIKE 'DBA_%' and grantee not in
('APEX_030200','APPQOSSYS','AQ_ADMINISTRATOR_ROLE','CT
XSYS','EXFSYS','MDSYS','OLAP_XS_ADMIN','OLAPSYS','ORDS
YS','OWB$CLIENT','OWBSYS','SELECT_CATALOG_ROLE','WM_ADMIN_ROLE','WMSYS','XDBADMIN')
and table_name not in ('DBA_SDO_MAPS','DBA_SDO_STYLES','DBA_SDO_THEMES','LBA
CSYS','ADM_PARALLEL_EXECUTE_TASK') group by owner;

OWNER

------------------------------

SYS

1 row selected.

REVOKE ALL ON DBA_ FROM [usuario/rol];


REVOKE ALL ON DBA_ FROM [usuario/rol]
*
ERROR at line 1:
ORA-00987: faltan los nombres de usuario o no son v�lidos

-- 6.5. Limitar autorizaci�n a la tabla SYS.SCHEDULER$_ CREDENTIAL


SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE
TABLE_NAME='SCHEDULER$_CREDENTIAL';

no rows selected

REVOKE ALL ON SYS.SCHEDULER$_CREDENTIAL FROM [usuario];


REVOKE ALL ON SYS.SCHEDULER$_CREDENTIAL FROM [usuario]
*
ERROR at line 1:
ORA-00987: faltan los nombres de usuario o no son v�lidos
-- 6.6. Eliminar la tabla SYS.USER$MIG
SELECT OWNER, TABLE_NAME FROM ALL_TABLES WHERE OWNER='SYS' AND
TABLE_NAME='USER$MIG';

no rows selected

DROP TABLE SYS.USER$MIG;


DROP TABLE SYS.USER$MIG
*
ERROR at line 1:
ORA-00942: la tabla o vista no existe

-- 6.7. Limitar los privilegios ANY de los usuarios.


SELECT GRANTEE FROM DBA_SYS_PRIVS WHERE PRIVILEGE LIKE '%ANY%' AND GRANTEE NOT IN
('AQ_ADMINISTRATOR_ROLE','DBA','DBSNMP','EXFSYS','EXP_
FULL_DATABASE','IMP_FULL_DATABASE','DATAPUMP_IMP_FULL_
DATABASE','JAVADEBUGPRIV','MDSYS','OEM_MONITOR','OLAPS
YS','OLAP_DBA','ORACLE_OCM','OWB$CLIENT','OWBSYS','SCH
EDULER_ADMIN','SPATIAL_CSW_ADMIN_USR','SPATIAL_WFS_ADM
IN_USR','SYS','SYSMAN','SYSTEM','WMSYS','APEX_030200',
'APEX_040000','APEX_040100','APEX_040200','LBACSYS') group by GRANTEE;

GRANTEE

------------------------------

EXP_FULL_DATABASE

SPATIAL_WFS_ADMIN_USR

SCHEDULER_ADMIN

OLAPSYS

OUTLN

DATAPUMP_IMP_FULL_DATABASE

6 rows selected.

REVOKE ALL ON '[privilegio any]' FROM [usuario];


REVOKE ALL ON '[privilegio any]' FROM [usuario]
*
ERROR at line 1:
ORA-00903: nombre de tabla no v�lido

-- 6.8. Limitar el privilegio WITH_ADMIN.


SELECT * FROM DBA_SYS_PRIVS WHERE ADMIN_OPTION='YES' and GRANTEE not in
('AQ_ADMINISTRATOR_ROLE','DBA','OWBSYS','SCHEDULER_ADMIN','SYS','SYSTEM','WMSYS');

GRANTEE PRIVILEGE ADM

------------------------------ ---------------------------------------- ---


APEX_030200 CREATE PROCEDURE YES

APEX_030200 CREATE TYPE YES

APEX_030200 UNLIMITED TABLESPACE YES

APEX_030200 CREATE INDEXTYPE YES

APEX_030200 CREATE SYNONYM YES

APEX_030200 CREATE CLUSTER YES

APEX_030200 CREATE ANY CONTEXT YES

APEX_030200 CREATE TABLE YES

APEX_030200 CREATE MATERIALIZED VIEW YES

APEX_030200 CREATE TRIGGER YES

APEX_030200 CREATE VIEW YES

APEX_030200 CREATE DIMENSION YES

APEX_030200 CREATE OPERATOR YES

APEX_030200 CREATE SEQUENCE YES

APEX_030200 CREATE JOB YES

15 rows selected.

REVOKE '[privilegio]' FROM [usuario];


REVOKE '[privilegio]' FROM [usuario]
*
ERROR at line 1:
ORA-00987: faltan los nombres de usuario o no son v�lidos

/* 7. Privilegios de Roles */

-- 7.1. Limitar asignaci�n de usuarios al rol DELETE_CATALOG_ ROLE


SELECT * FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE='DELETE_CATALOG_ROLE' AND GRANTEE
NOT IN ('DBA','SYS');

no rows selected

REVOKE DELETE_CATALOG_ROLE FROM [usuario];


REVOKE DELETE_CATALOG_ROLE FROM [usuario]
*
ERROR at line 1:
ORA-00987: faltan los nombres de usuario o no son v�lidos

-- 7.2.Limitar asignaci�n de usuarios al rol SELECT_CATALOG_ ROLE


SELECT * FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE='SELECT_CATALOG_ROLE' AND GRANTEE
NOT IN ('DBA','SYS','IMP_FULL_DATABASE','EXP_FULL_DATABASE','OEM_MONITOR');

GRANTEE GRANTED_ROLE ADM DEF

------------------------------ ------------------------------ --- ---

SYSMAN SELECT_CATALOG_ROLE YES YES

1 row selected.

REVOKE SELECT_CATALOG_ROLE FROM [usuario];


REVOKE SELECT_CATALOG_ROLE FROM [usuario]
*
ERROR at line 1:
ORA-00987: faltan los nombres de usuario o no son v�lidos

-- 7.3.Limitar asignaci�n de usuarios al rol EXECUTE_CATALO G_ROLE


SELECT* FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE='EXECUTE_CATALOG_ROLE' AND GRANTEE
NOT IN ('DBA','SYS','IMP_FULL_DATABASE','EXP_FULL_DATABASE');

no rows selected

REVOKE EXECUTE_CATALOG_ROLE FROM [usuario];


REVOKE EXECUTE_CATALOG_ROLE FROM [usuario]
*
ERROR at line 1:
ORA-00987: faltan los nombres de usuario o no son v�lidos

-- 7.4.Limitar asignaci�n de usuarios al rol DBA


SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE='DBA' AND
GRANTEE NOT IN ('SYS','SYSTEM');

GRANTEE GRANTED_ROLE

------------------------------ ------------------------------

ITSECURITY DBA

1 row selected.

REVOKE DBA FROM [usuario];


REVOKE DBA FROM [usuario]
*
ERROR at line 1:
ORA-00987: faltan los nombres de usuario o no son v�lidos

/* 8. Auditoria */

-- 8.1. Definir el lugar almacenamiento del log de auditor�a


SHOW PARAMETER AUDIT_TRAIL;
NAME TYPE VALUE

------------------------------------ ----------- ------------------------------

audit_trail string DB

-- Activar auditoria
ALTER SYSTEM SET AUDIT_TRAIL='DB' SCOPE=SPFILE;

System altered.

-- Desactivar auditoria
ALTER SYSTEM SET audit_trail = "NONE" SCOPE=SPFILE;

System altered.

-- DB - Los eventos se registrar�n en la base de datos


-- OS - Los eventos se registran en archivos del sistema operativos,se guardar�n en
el directorio por el par�metro audit_file_dest
-- NONE - Se desactiva el registro de eventos
-- TRUE - habilita la auditoria
-- FALSE - Deshabilita la auditoria

-- 8.2. Auditar actividades de tipo CREATE PROCEDURE


SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION = 'CREATE PROCEDURE';

USER_NAME PROXY_NAME AUDIT_OPTION


SUCCESS FAILURE

------------------------------ ------------------------------
---------------------------------------- ---------- ----------

CREATE PROCEDURE
BY ACCESS BY ACCESS

1 row selected.

SELECT * FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE = 'CREATE PROCEDURE';

USER_NAME PROXY_NAME PRIVILEGE


SUCCESS FAILURE

------------------------------ ------------------------------
---------------------------------------- ---------- ----------

CREATE PROCEDURE
BY ACCESS BY ACCESS

1 row selected.

AUDIT CREATE PROCEDURE;

Audit succeeded.

-- 8.3. Auditar actividades de tipo CREATE ANY PROCEDURE


SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION = 'CREATE ANY PROCEDURE';

USER_NAME PROXY_NAME AUDIT_OPTION


SUCCESS FAILURE

------------------------------ ------------------------------
---------------------------------------- ---------- ----------

CREATE ANY PROCEDURE


BY ACCESS BY ACCESS

1 row selected.

SELECT * FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE = 'CREATE ANY PROCEDURE';

USER_NAME PROXY_NAME PRIVILEGE


SUCCESS FAILURE

------------------------------ ------------------------------
---------------------------------------- ---------- ----------

CREATE ANY PROCEDURE


BY ACCESS BY ACCESS

1 row selected.

AUDIT CREATE ANY PROCEDURE;

Audit succeeded.

-- 8.4. Auditar actividades de tipo ALTER ANY PROCEDURE y DROP ANY PROCEDURE
SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION = 'ALTER ANY PROCEDURE';

USER_NAME PROXY_NAME AUDIT_OPTION


SUCCESS FAILURE

------------------------------ ------------------------------
---------------------------------------- ---------- ----------

ALTER ANY PROCEDURE


BY ACCESS BY ACCESS

1 row selected.

SELECT * FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE = 'ALTER ANY PROCEDURE';

USER_NAME PROXY_NAME PRIVILEGE


SUCCESS FAILURE

------------------------------ ------------------------------
---------------------------------------- ---------- ----------

ALTER ANY PROCEDURE


BY ACCESS BY ACCESS
1 row selected.

AUDIT ALTER ANY PROCEDURE;

Audit succeeded.

SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION = 'DROP ANY PROCEDURE';

USER_NAME PROXY_NAME AUDIT_OPTION


SUCCESS FAILURE

------------------------------ ------------------------------
---------------------------------------- ---------- ----------

DROP ANY PROCEDURE


BY ACCESS BY ACCESS

1 row selected.

SELECT * FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE = 'DROP ANY PROCEDURE';

USER_NAME PROXY_NAME PRIVILEGE


SUCCESS FAILURE

------------------------------ ------------------------------
---------------------------------------- ---------- ----------

DROP ANY PROCEDURE


BY ACCESS BY ACCESS

1 row selected.

AUDIT DROP ANY PROCEDURE;

Audit succeeded.

-- 8.5. Auditar actividades de tipo CREATE ANY LIBRARY y DROP ANY LIBRARY
SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION = 'CREATE ANY LIBRARY';

USER_NAME PROXY_NAME AUDIT_OPTION


SUCCESS FAILURE

------------------------------ ------------------------------
---------------------------------------- ---------- ----------

CREATE ANY LIBRARY


BY ACCESS BY ACCESS

1 row selected.

SELECT * FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE = 'CREATE ANY LIBRARY';

USER_NAME PROXY_NAME PRIVILEGE


SUCCESS FAILURE
------------------------------ ------------------------------
---------------------------------------- ---------- ----------

CREATE ANY LIBRARY


BY ACCESS BY ACCESS

1 row selected.

AUDIT CREATE ANY LIBRARY;

Audit succeeded.

SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION = 'DROP ANY LIBRARY';

USER_NAME PROXY_NAME AUDIT_OPTION


SUCCESS FAILURE

------------------------------ ------------------------------
---------------------------------------- ---------- ----------

DROP ANY LIBRARY


BY ACCESS BY ACCESS

1 row selected.

SELECT * FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE = 'DROP ANY LIBRARY';

USER_NAME PROXY_NAME PRIVILEGE


SUCCESS FAILURE

------------------------------ ------------------------------
---------------------------------------- ---------- ----------

DROP ANY LIBRARY


BY ACCESS BY ACCESS

1 row selected.

AUDIT DROP ANY LIBRARY;

Audit succeeded.

-- 8.6. Auditar actividades de tipo CREATE ANY TRIGGER, ALTER ANY TRIGGER y DROP
ANY TRIGGER
SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION = 'CREATE ANY TRIGGER';

USER_NAME PROXY_NAME AUDIT_OPTION


SUCCESS FAILURE

------------------------------ ------------------------------
---------------------------------------- ---------- ----------

CREATE ANY TRIGGER


BY ACCESS BY ACCESS
1 row selected.

SELECT * FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE = 'CREATE ANY TRIGGER';

USER_NAME PROXY_NAME PRIVILEGE


SUCCESS FAILURE

------------------------------ ------------------------------
---------------------------------------- ---------- ----------

CREATE ANY TRIGGER


BY ACCESS BY ACCESS

1 row selected.

AUDIT CREATE ANY TRIGGER;

Audit succeeded.

SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION = 'ALTER ANY TRIGGER';

USER_NAME PROXY_NAME AUDIT_OPTION


SUCCESS FAILURE

------------------------------ ------------------------------
---------------------------------------- ---------- ----------

ALTER ANY TRIGGER


BY ACCESS BY ACCESS

1 row selected.

SELECT * FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE = 'ALTER ANY TRIGGER';

USER_NAME PROXY_NAME PRIVILEGE


SUCCESS FAILURE

------------------------------ ------------------------------
---------------------------------------- ---------- ----------

ALTER ANY TRIGGER


BY ACCESS BY ACCESS

1 row selected.

AUDIT ALTER ANY TRIGGER;

Audit succeeded.

SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION = 'DROP ANY TRIGGER';

USER_NAME PROXY_NAME AUDIT_OPTION


SUCCESS FAILURE
------------------------------ ------------------------------
---------------------------------------- ---------- ----------

DROP ANY TRIGGER


BY ACCESS BY ACCESS

1 row selected.

SELECT * FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE = 'DROP ANY TRIGGER';

USER_NAME PROXY_NAME PRIVILEGE


SUCCESS FAILURE

------------------------------ ------------------------------
---------------------------------------- ---------- ----------

DROP ANY TRIGGER


BY ACCESS BY ACCESS

1 row selected.

AUDIT DROP ANY TRIGGER;

Audit succeeded.

-- 8.7. Auditar todas las acciones sobre las tablas de auditor�a de la base de
datos (AUD$)
--SELECT * FROM DBA_AUDIT_TRAIL;
AUDIT ALL ON SYS.AUD$;

Audit succeeded.

-- 8.8. Auditar las acciones de alteraci�n de configuraci�n del sistema (ALTER


SYSTEM)
SELECT * FROM DBA_STMT_AUDIT_OPTS WHERE AUDIT_OPTION = 'ALTER SYSTEM';

USER_NAME PROXY_NAME AUDIT_OPTION


SUCCESS FAILURE

------------------------------ ------------------------------
---------------------------------------- ---------- ----------

ALTER SYSTEM
BY ACCESS BY ACCESS

1 row selected.

SELECT * FROM DBA_PRIV_AUDIT_OPTS WHERE PRIVILEGE = 'ALTER SYSTEM';

USER_NAME PROXY_NAME PRIVILEGE


SUCCESS FAILURE

------------------------------ ------------------------------
---------------------------------------- ---------- ----------
ALTER SYSTEM
BY ACCESS BY ACCESS

1 row selected.

SELECT USERNAME, OBJ_NAME, ACTION_NAME, COMMENT_TEXT, PRIV_USED, SQL_TEXT FROM


DBA_AUDIT_TRAIL WHERE PRIV_USED LIKE 'ALTER SYSTEM%';

USERNAME OBJ_NAME
ACTION_NAME

------------------------------
-----------------------------------------------------------------------------------
--------------------------------------------- ----------------------------

COMMENT_TEXT

-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
--
PRIV_USED

----------------------------------------

SQL_TEXT

-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
--
ITSECURITY
ALTER SYSTEM

ALTER SYSTEM

SYSTEM
ALTER SYSTEM

ALTER SYSTEM
SYSTEM
ALTER SYSTEM

ALTER SYSTEM

SYSTEM
ALTER SYSTEM

ALTER SYSTEM

SYSTEM
ALTER SYSTEM

ALTER SYSTEM

SYSTEM
ALTER SYSTEM

ALTER SYSTEM

SYSTEM
ALTER SYSTEM

ALTER SYSTEM

SYSTEM
ALTER SYSTEM
ALTER SYSTEM

SYSTEM
ALTER SYSTEM

ALTER SYSTEM

SYSTEM
ALTER SYSTEM

ALTER SYSTEM

SYSTEM
ALTER SYSTEM

ALTER SYSTEM

SYSTEM
ALTER SYSTEM

ALTER SYSTEM

SYSTEM
ALTER SYSTEM

ALTER SYSTEM
SYSTEM
ALTER SYSTEM

ALTER SYSTEM

SYSTEM
ALTER SYSTEM

ALTER SYSTEM

SYSTEM
ALTER SYSTEM

ALTER SYSTEM

SYSTEM
ALTER SYSTEM

ALTER SYSTEM

SYSTEM
ALTER SYSTEM

ALTER SYSTEM
SYSTEM
ALTER SYSTEM

ALTER SYSTEM

SYSTEM
ALTER SYSTEM

ALTER SYSTEM

SYSTEM
ALTER SYSTEM

ALTER SYSTEM

SYSTEM
ALTER SYSTEM

ALTER SYSTEM

SYSTEM
ALTER SYSTEM

ALTER SYSTEM

SYSTEM
ALTER SYSTEM
ALTER SYSTEM

SYSTEM
ALTER SYSTEM

ALTER SYSTEM

SYSTEM
ALTER SYSTEM

ALTER SYSTEM

26 rows selected.

AUDIT ALTER SYSTEM;

Audit succeeded.

-- 8.9. Activar la auditor�a para las operaciones hechas por los roles SYSDBA y
SYSOPER
SHOW PARAMETER AUDIT_SYS_OPERATIONS;

NAME TYPE VALUE

------------------------------------ ----------- ------------------------------

audit_sys_operations boolean FALSE

ALTER SYSTEM SET AUDIT_SYS_OPERATIONS=TRUE SCOPE=SPFILE;

System altered.

/**************** Fin - Consultas Guia Oracle 12c Guia Hardening Oracle


****************/

spool off

Potrebbero piacerti anche