Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Stop using SYS, SYSTEM?

From: Arup Nanda <orarup_at_hotmail.com>
Date: Wed, 12 Nov 2003 13:14:25 -0800
Message-ID: <F001.005D6739.20031112131425@fatcity.com>


Ron,

It is a good practice, in general, to stop using SYS and SYSTEM accounts for everyday use. The simplest rule of thumb is that accountability somehow increases many times over when you link a database named user to a physical person, not an ethereal entity like SYS. This is especially true if you use auditing and turn on SYSDBA auditing; but even if you don't, sometimes the use of specific named users puts people on the alert when they do something potentially dangerous and can avoid accidents.

The other reason for not using SYS is to avoid accidental creation of objects in the SYS and SYSTEM schemas. The best option is to lock the SYSTEM user and never let SYS user. Unfortunately, you can't lock the SYS user.

Third, you can create default tablespaces for all these DBA users to hold their objects, specifically temporary/occasional tables (not the global temporary tables), test tables, etc. and all those will not get into SYSTEM tablespace.

Perhaps I should mention here that I also conduct database security audits for corporations. But unlike your auditors, I tend to follow the advice up with more detailed information :)

Arup Nanda
www.proligence.com

> We are being asked by Auditing to stop using the SYS, and SYSTEM
> accounts. They would like for us to create an Oracle Role with the same
> permissions as SYS and SYSTEM, then grant the role to each of the DBAs.
> Don't ask me why. Nothing is being audited in 99% of the databases.
> They just say it in a paper somewhere so they said we shouldn't use it.
> This seems like it would cause lots of problems with exports, imports,
> installs, etc... Has anyone had to deal with this type of request? Any
> potential problems with making the change?
>
> Thanks!
> Ron Smith
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.net
> --
> Author: Smith, Ron L.
> INET: rlsmith_at_kmg.com
>
> Fat City Network Services -- 858-538-5051 http://www.fatcity.com
> San Diego, California -- Mailing list and web hosting services
> ---------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).
>

Received on Wed Nov 12 2003 - 15:14:25 CST
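
The advice in the reply above (named DBA accounts, a separate default tablespace for their objects, a locked SYSTEM account, SYSDBA auditing), sketched as Oracle SQL. This is an added example, not part of the original message; the user name jdoe_dba, the tablespace dba_work, the datafile path and the password are placeholders, and a TEMP temporary tablespace is assumed to exist.

```sql
-- Added example; all names, paths and the password are placeholders.
-- Run once as SYSDBA, then work as the named account afterwards.

-- 1. Tablespace for the DBAs' scratch and test objects, so nothing
--    of theirs lands in the SYSTEM tablespace.
CREATE TABLESPACE dba_work
  DATAFILE '/u01/oradata/PLACEHOLDER/dba_work01.dbf' SIZE 100M;

-- 2. One named account per person, tied to that tablespace.
CREATE USER jdoe_dba IDENTIFIED BY "ChangeMe_Placeholder1"
  DEFAULT TABLESPACE dba_work
  TEMPORARY TABLESPACE temp
  QUOTA 100M ON dba_work
  PASSWORD EXPIRE;
GRANT DBA TO jdoe_dba;
-- Only for staff who must start up, shut down or recover the database
-- (requires a password file):
GRANT SYSDBA TO jdoe_dba;

-- 3. Lock SYSTEM. SYS cannot be locked, so record what it does instead.
ALTER USER system ACCOUNT LOCK;
-- Static parameter: takes effect at the next instance restart.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- 4. Checks to repeat after the change.
-- SYSTEM should show as LOCKED:
SELECT username, account_status, default_tablespace
  FROM dba_users
 WHERE username IN ('SYS', 'SYSTEM', 'JDOE_DBA');

-- Accounts whose objects would still default into SYSTEM:
SELECT username
  FROM dba_users
 WHERE default_tablespace = 'SYSTEM'
   AND username NOT IN ('SYS', 'SYSTEM');

-- Who holds SYSDBA or SYSOPER through the password file:
SELECT username, sysdba, sysoper FROM v$pwfile_users;

-- Objects recently created in the SYS or SYSTEM schemas. Patches and
-- upgrades also create objects here, so compare against change records.
SELECT owner, object_name, object_type, created
  FROM dba_objects
 WHERE owner IN ('SYS', 'SYSTEM')
   AND created > SYSDATE - 30
 ORDER BY created;
```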
