Oracle has three totally separate and distinct ways for managing data access.

1. Grant privilege security – The traditional approach of granting privileges to users or roles.

2. Grant Execute security – This manages security, but all users must be granted execute privileges on all the procedures within the application.

3. Row-level security (a.k.a. fine-grained access control, Virtual private databases) – This scheme enhances traditional grant security by appending a WHERE clause to all SQL, depending on the current user ID.

Oracle security has become extremely complex, and an important job of a DBA is to audit security.  When dealing with a database as complex as Oracle, writing a working audit script is a formidable challenge because you must ignore all of the internal grants and roles, and focus on non-system users.

With increasing security concerns, Oracle DBAs are often called-upon to perform security audits of an Oracle environment to ensure that there are no loopholes in security.

Note:  These scripts below only check traditional Oracle security and do not address "grant execute" security and row-level security (Virtual Private Databases, a.k.a. Fine-grained access control).

The items below are some of the top items that I check when auditing an Oracle database.  Of course, you may have other queries, and I am always interested in new techniques.  Feel free to e-mail me at info@remote-dba.net with suggested improvements.

Search for any system privileges that are granted WITH ADMIN OPTION

Privileges that are granted WITH ADMIN can be passed to other users.  Hence, many companies prohibit this option, and others check to ensure that all user ID's are proper.  The information for this is located in the DBA_SYS_PRIVS view, and here is the code to do this.

select  
   grantee,
   privilege,   
   admin_option
from    
   sys.dba_sys_privs
where   
   admin_option = 'YES'
and     
   grantee not in (‘SYS','SYSTEM', etc);

Search for any end-users with system privileges

Users with system-level privileges may have access to unwanted areas of the database.  For example the "select any table" system privilege may allow unwanted access to a user.

select  
   grantee      c1,
   privilege    c2,
   admin_option c3
from    
   sys.dba_sys_privs
where   
   grantee not in (‘SYS','SYSTEM', etc);

Search for any non-DBA roles that are granted WITH ADMIN OPTION

This check ensures that there are no customized roles that are granted to users using the WITH ADMIN option.  We need to query the ROLE_SYS_PRIVS view to get this information. To be accurate, we must filter-out all of the installed roles that some with the standard Oracle software.

select  
   role,
   privilege,
   admin_option
from    
   sys.role_sys_privs
where   
   admin_option = 'YES'
and     
   role not in
(
   'AQ_ADMINISTRATOR_ROLE',
   'CONNECT',
   'EXP_FULL_DATABASE',
   'IMP_FULL_DATABASE',
   'JAVADEBUGPRIV',
   'OEM_MONITOR',
   'OLAP_DBA',
   'RECOVERY_CATALOG_OWNER',
   'RESOURCE',
   'WKUSER'
)

Search for any non-DBA grantees that are granted a role WITH ADMIN OPTION.

Here we check the DBA_ROLE_PRIVS view for all roles that have been granted using the WITH ADMIN option.

select
   grantee,
   granted_role,
   admin_option,
   default_role
from
   sys.dba_role_privs
where   
   admin_option = 'YES'
and     
   grantee not in (‘SYS','SYSTEM', etc);

Search for any table privileges that can be granted to others

Here we check the DBA_TAB_PRIVS view to locate any table privileges that have been created as grantable.

select  
   grantee,
   owner,
   table_name,
   grantor,
   privilege,
   grantable
from    
   sys.dba_tab_privs
where   
   grantable = 'YES'
and
   owner not in (‘SYS','SYSTEM', etc);

Search for any non-DBA who is granted DBA and RESOURCE Roles

This query uses the DBA_ROLE_PRIVS view to locate all grantees who are granted the DBA or the RESOURCE role.

select
   grantee,
   granted_role,
   admin_option,
   default_role
from    
   sys.dba_role_privs
where   
   granted_role in ('RESOURCE','DBA')
and
   grantee not in (‘SYS','SYSTEM', etc);

Search for all tables granted to PUBLIC 

Tables that are granted to PUBLIC are open for anyone to see.  The following script checks the DBA_TAB_PRIVS view to locate all tables that have been granted PUBLIC access.

select distinct
   owner,
   table_name,
   privilege,
   grantor
from
   sys.dba_tab_privs
where
   grantee = 'PUBLIC'
and
   owner not in (‘SYS','SYSTEM', etc);

Generating a filer condition

The huge amount of system grants at Oracle install time makes a bewildering array of users.  If you install the full array of Oracle options, Oracle will create over 170 user IDs inside the Oracle database.

Here is the filter condition that I use to ignore the Oracle-supplied users:

Where
   owner not in
( 
   'ADAMS',
   'ADLDEMO',
   'ADMIN',
   'APPLSYS',
   'APPLYSYSPUB',
   'APPS',
   'AQ',
   'AQDEMO',
   'AQJAVA',
   'AQUSER',
   'AUDIOUSER',
   'AURORA$JIS$UTILITY$',
   'AURORA$ORB$UNAUTHENTICATED',
   'BC4J',
   'BLAKE',
   'CATALOG',
   'CDEMO82',
   'CDEMOCOR',
   'CDEMORID',
   'CDEMOUCB',
   'CENTRA',
   'CIDS',
   'CIS',
   'CISINFO',
   'CLARK',
   'COMPANY',
   'COMPIERE',
   'CQSCHEMAUSER',
   'CSMIG',
   'CTXDEMO',
   'CTXSYS',
   'DBA',
   'DBI',
   'DBSNMP',
   'DEMO',
   'DEMO8',
   'DEMO9',
   'DES',
   'EJSADMIN',
   'EMP',
   'ESTOREUSER',
   'EVENT',
   'FINANCE',
   'FND',
   'FROSTY',
   'GPFD',
   'GPLD',
   'HCPARK',
   'HLW',
   'HR',
   'IMAGEUSER',
   'IMEDIA',
   'JMUSER',
   'JONES',
   'LBACSYS',
   'LIBRARIAN',
   'MASTER',
   'MDSYS',
   'MFG',
   'MIGRATE',
   'MILLER',
   'MMO2',
   'MODTEST',
   'MOREAU',
   'MTS_USER',
   'MTSSYS',
   'MXAGENT',
   'NAMES',
   'OAS_PUBLIC',
   'OCITEST',
   'ODS',
   'ODSCOMMON',
   'OE',
   'OEMADM',
   'OLAPDBA',
   'OLAPSVR',
   'OLAPSYS',
   'OMWB_EMULATION',
   'OPENSPIRIT',
   'ORACACHE',
   'ORAREGSYS',
   'ORDPLUGINS',
   'ORDSYS',
   'ORACLE',
   'OSE$HTTP$ADMIN',
   'OSP22',
   'OUTLN',
   'OWA',
   'OWA_PUBLIC',
   'PANAMA',
   'PATROL',
   'PERFSTAT',
   'PLSQL',
   'PM',
   'PO',
   'PO7',
   'PO8',
   'PORTAL30',
   'PORTAL30_DEMO',
   'PORTAL30_PUBLIC',
   'PORTAL30_SSO',
   'PORTAL30_SSO_PS',
   'PORTAL30_SSO_PUBLIC',
   'POWERCARTUSER',
   'PRIMARY',
   'PUBSUB',
   'QS',
   'QS_ADM',
   'QS_CB',
   'QS_CBADM',
   'QS_CS',
   'QS_ES',
   'QS_OS',
   'QS_WS',
   'RE',
   'REP_MANAGER',
   'REP_OWNER',
   'REP_OWNER',
   'REPADMIN',
   'RMAIL',
   'RMAN',
   'SAMPLE',
   'SAP',
   'SCOTT',
   'SDOS_ICSAP',
   'SECDEMO',
   'SH',
   'SITEMINDER',
   'SLIDE',
   'STARTER',
   'STRAT_USER',
   'SWPRO',
   'SWUSER',
   'SYMPA',
   'SYS',
   'SYSADM',
   'SYSMAN',
   'SYSTEM',
   'TAHITI',
   'TDOS_ICSAP',
   'TESTPILOT',
   'TRACESVR',
   'TRAVEL',
   'TSDEV',
   'TSUSER',
   'TURBINE',
   'ULTIMATE',
   'USER',
   'USER0',
   'USER1',
   'USER2',
   'USER3',
   'USER4',
   'USER5',
   'USER6',
   'USER7',
   'USER8',
   'USER9',
   'UTLBSTATU',
   'VIDEOUSER',
   'VIF_DEVELOPER',
   'VIRUSER',
   'VRR1',
   'WEBCAL01',
   'WEBDB',
   'WEBREAD',
   'WKSYS',
   'WWW',
   'WWWUSER',
   'XPRT',
)

Putting it all together

The full audit script is extremely useful for auditing unknown Oracle databases, and it has proved indispensable for locating security loopholes.  Sadly, the script is hundreds of lines of code, and it is too cumbersome to publish here