RE: Oracle security question

From: DENNIS WILLIAMS <DWILLIAMS_at_LIFETOUCH.COM>
Date: Mon, 14 Jul 2003 14:41:38 -0500
Message-Id: <25920.337692@fatcity.com>


Don

   Well, if you changed the password, then you should have the new password. Don't post them, because everyone on the internet will have them.

   What is your Oracle version?

Dennis Williams
DBA, 80%OCP, 100% DBA
Lifetouch, Inc.
dwilliams_at_lifetouch.com

-----Original Message-----
From: Don Yu [mailto:donyu_at_jhu.edu]
Sent: Monday, July 14, 2003 3:34 PM
To: Multiple recipients of list ORACLE-L
Subject: Re: Oracle security question

Dear Guang Mei:

Thanks for your message. Your suggestion is very helpful. After reviewing all possible
users, I have locked them. Now I have only one concern that if nobody knows my
database's sys and system's password, there should be no way to unlock these accounts.
Am I completely right?
Thanks! Any comments are appreciated!

Don

Guang Mei wrote:

> select * from all_users;
>
> to get all users, then change their oracle passwords so that nobody can
> log in except you. This way you know you are the only one who can change
> the data. Next step is to see what application can make the data change.
>
> Hope this helps.
>
> Guang
>
> On Fri, 11 Jul 2003, Don Yu wrote:
>
> > Dennis
> >
> > Thank you very much. My data in that database is changed three times. The first
> > is whole data being deleted. The second is over ten thousand records being
> > added. The third is whole data related to a month being deleted. I know my
> > working environment is very complicated. For this report application, I write
> > shell scripts and C/C++ programs to parse the Apache web server access log file
> > (www.welch.jhu.edu) in order to get client ip, access date, and host ip, which
> > are associated with the special pattern "ntlinktrack.cgi", which is
> > associated with Library E-Book, E-Journal, and E-database. Then I need to
> > schedule a Solaris cron job to process the access log daily and load parsed data
> > into the database. Also I create some log files for saving intermediate information
> > from my program. Then I create some ColdFusion pages to post these results into
> > the website. In my database there are over a million records. Oracle DBA is a new duty
> > for me since I had found that my data was missing. This is the reason I post my
> > question on the Oracle user group. Now I am trying to read as much as I can but I do
> > not have much time. I want to make sure my database is secure as early as I can.
> > So what do you think of my reason?
> > Thank you very much!
> >
> >
> > Don
> >
> >
> > DENNIS WILLIAMS wrote:
> >
> > > Don
> > > SYS is the owner of the Oracle dictionary tables. It is a username with
> > > DBA privilege, so someone who logs in can change data. If you have changed
> > > its password, then you are assured that nobody is using that username right
> > > now. If you've changed its password, then I wouldn't worry about it right
> > > now.
> > > Since it sounds as if you are the only person that accesses this
> > > database, then you may want to change the username that owns your tables.
> > > Hopefully this username is not SYSTEM or SYS.
> > > After that, unless you know of other usernames someone might use to
> > > access your Oracle database, don't make any more security changes for
> > > awhile. Go back to trying to figure out why your data is changing without
> > > your changing it. It may well be there is an innocent reason that has
> > > nothing to do with someone else. I've had that happen to me when I've
> > > started using an unfamiliar system.
> > > And don't forget to buy a good Oracle DBA book like the one I suggested.
> > >
> > > Dennis Williams
> > > DBA, 80%OCP, 100% DBA
> > > Lifetouch, Inc.
> > > dwilliams_at_lifetouch.com
> > >
> > >
> > >
> > > -----Original Message-----
> > > Sent: Friday, July 11, 2003 3:49 PM
> > > To: Multiple recipients of list ORACLE-L
> > >
> > > Dennis:
> > >
> > > Thanks for your message. Now I have changed sys password by the following
> > > command:
> > > alter user sys identified by xxxxxxx
> > > But when I try to login from sql plus window by using sys, I cannot
> > > successfully login. Also I get an error message. The message is something like
> > > "connection to sys should be as sysdba or sysoper". So my question is what is sys for?
> > > Thank you very much!
> > >
> > > Don
> > >
> > > DENNIS WILLIAMS wrote:
> > >
> > > > Don
> > > > If only you can make updates to your Oracle database, then you must enter
> > > > all the data ;-)
> > > > From the tone of your posting, I'm going to assume that you are pretty
> > > > new to Oracle. You may want to get a good basic administration book like
> > > > Oracle9i DBA 101.
> > > >
> > > > http://www.amazon.com/exec/obidos/tg/detail/-/0072224746/qid=1057949734/sr=8-1/ref=sr_8_1/104-2287688-5574335?v=glance&s=books&n=507846
> > > >
> > > > It is also a good idea to always mention your Oracle version and platform
> > > > (Unix, NT, etc.) in your posts.
> > > > First, log in with the SYSTEM username. Then change the password for SYSTEM
> > > > and SYS with the command:
> > > > ALTER USER SYSTEM IDENTIFIED BY xxxxx;
> > > > Where xxxxx is your new password.
> > > > You should be able to make these changes without affecting any end users.
> > > > Next you should identify your groups of users and how they access Oracle.
> > > > Basically you need to identify what their access requirements are and then
> > > > audit the usernames they use to ensure the privileges granted are just what
> > > > is required. This is also a good time to see about changing passwords, but
> > > > first buy the book and read up on the basics of Oracle security.
> > > >
> > > > Dennis Williams
> > > > DBA, 80%OCP, 100% DBA
> > > > Lifetouch, Inc.
> > > > dwilliams_at_lifetouch.com
> > > >
> > > > -----Original Message-----
> > > > Sent: Friday, July 11, 2003 2:45 PM
> > > > To: Multiple recipients of list ORACLE-L
> > > >
> > > > Hi,
> > > >
> > > > I have a security question about Oracle database. Recently I have taken
> > > > full control of an Oracle database in my department. Now I would like to
> > > > make sure that no other people except myself can update data in that
> > > > database. Can somebody tell me what the necessary steps are to do that?
> > > > Any comments are highly appreciated. Thanks!
> > > >
> > > > Don
> > > >
> > > > --
> > > > Please see the official ORACLE-L FAQ: http://www.orafaq.net
> > > > --
> > > > Author: Don Yu
> > > > INET: donyu_at_jhu.edu
> > > >
> > > > Fat City Network Services -- 858-538-5051 http://www.fatcity.com
> > > > San Diego, California -- Mailing list and web hosting services
> > > >
> > > > To REMOVE yourself from this mailing list, send an E-Mail message
> > > > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> > > > the message BODY, include a line containing: UNSUB ORACLE-L
> > > > (or the name of mailing list you want to be removed from). You may
> > > > also send the HELP command for other information (like subscribing).
Received on Mon Jul 14 2003 - 14:41:38 CDT
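
The account and privilege review discussed in this thread can be written as queries against Oracle's data dictionary. This is an added example, not code from any of the posters; it assumes a DBA-privileged session, and APP_OWNER is a placeholder for the schema that owns the application tables.

```sql
-- 1. Every account and its state (OPEN, LOCKED, EXPIRED, ...).
--    Confirms which usernames were actually locked.
SELECT username, account_status, lock_date, created
FROM   dba_users
ORDER  BY account_status, username;

-- 2. Accounts that are still OPEN and hold the DBA role or a system
--    privilege that allows changing data in any schema, or changing
--    other users' passwords and lock state (ALTER USER).
--    Privileges inherited through roles other than DBA are not expanded here.
SELECT u.username, p.privilege AS granted, 'system privilege' AS kind
FROM   dba_users u, dba_sys_privs p
WHERE  p.grantee = u.username
AND    u.account_status = 'OPEN'
AND    p.privilege IN ('INSERT ANY TABLE', 'UPDATE ANY TABLE',
                       'DELETE ANY TABLE', 'DROP ANY TABLE', 'ALTER USER')
UNION ALL
SELECT u.username, r.granted_role, 'role'
FROM   dba_users u, dba_role_privs r
WHERE  r.grantee = u.username
AND    u.account_status = 'OPEN'
AND    r.granted_role = 'DBA'
ORDER  BY 1, 2;

-- 3. Who has been granted write access to the application tables.
--    APP_OWNER is a placeholder schema name (assumption).
--    The grantee may be a user, a role, or PUBLIC.
SELECT grantee, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'APP_OWNER'
AND    privilege IN ('INSERT', 'UPDATE', 'DELETE')
ORDER  BY grantee, table_name;

-- 4. Accounts listed in the password file, i.e. those allowed to
--    connect AS SYSDBA or AS SYSOPER (the connection mode named in
--    the error message quoted in the thread).
SELECT username, sysdba, sysoper
FROM   v$pwfile_users;
```

The owning schema itself can always modify its own tables, so it will not appear in query 3; it is covered by query 1.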
