3.5.1 Protect database object text in syscomments

Information

The syscomments table contains the source code for business logic implementations such as
stored procedures. It also contains the text of views, triggers, and default table
constraints. By default, the public role has select permission on this system table.

Sybase ASE supports a configuration parameter, select on syscomments.text, that
restricts select permission to the object owner and users with the sa_role when it is
set to 0. It is recommended that this restriction is enabled.

Rationale

select permission should be restricted to the object owner and system administrators
only since stored procedures, triggers and views often contain sensitive information.
Furthermore, source code access is likely to facilitate the discovery of logic flaws that may
result in privilege escalation or information disclosure.

Solution

1. Connect to the database as a user with the sso_role and execute the following SQL
statement:

exec sp_configure 'select on syscomments.text', 0
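
An audit query to confirm the setting took effect, added here as an example and not part of the benchmark text. It assumes the standard master.dbo.sysconfigures and master.dbo.syscurconfigs system tables, and the column aliases and PASS/FAIL labels are chosen for illustration.

```sql
-- Added example: verify that 'select on syscomments.text' is restricted.
-- Assumption: run by a login that can read the master configuration tables.
use master
go

-- sysconfigures holds the configured value, syscurconfigs the value
-- the server is currently running with. Both must be 0 to pass.
select c.name,
       c.value as config_value,
       r.value as run_value,
       case
           when c.value = 0 and r.value = 0 then 'PASS'
           else 'FAIL'
       end as audit_result
from   master.dbo.sysconfigures c,
       master.dbo.syscurconfigs r
where  c.config = r.config
  and  c.name   = 'select on syscomments.text'
go
```

A FAIL row with either value at 1 means the public role can still read object text and the Solution step above needs to be applied.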

See Also

https://workbench.cisecurity.org/files/1612