Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> Re: Stop using SYS, SYSTEM?

Re: Stop using SYS, SYSTEM?

From: Nuno Pinto do Souto <nsouto_at_optusnet.com.au>
Date: Wed, 12 Nov 2003 15:44:24 -0800
Message-ID: <F001.005D6750.20031112154424@fatcity.com> 

 ('binary' encoding is not supported, stored as-is)


> Smith, Ron L. <rlsmith_at_kmg.com> wrote:

> 

> We are being asked by Auditing to stop using the SYS, and SYSTEM

> accounts.  They would like for us to create an Oracle Role with the

> same

> permissions a SYS and SYSTEM, then grant the role to each of the

> DBA's.

> Don't ask me why.  Nothing is being audited in 99% of the databases.

> They just say it in a paper some where so they said we shouldn't use

> it.

> This seems like it would cause lots of problems with exports,

> imports,

> installs, etc...  Has anyone had to deal with this type of request? 

> Any

> potential problems with making the change?

> 




Quite a few potential problems.  This is typical security jackass
kneejerk reaction, pure and simple.  A DBA needs DBA access
to the system.  Oracle provides this via SYS and SYSTEM.  Period.
The rest is just hazy, unprovable, half-cooked "security" bullshit
from people who read this and that everywhere and are by default
considered experts by even less competent damagement.  



Granting all rights of user SYS and SYSTEM to a role and then granting
that role to a DBA user reeks of sheer stupidity.  If the issue is auditing,
then use auditing.  That's what it's there for.  If the issue is use of DBA 
access, then get rid of the DBAs.  (see how long that lasts...).  



This sort of thing reminds me of the time I used to work at a very secure site
back in the early 90s.  Where we had to request a security officer to give us
the password for SYS and SYSTEM in order to do our job.  The officer changed
the password before passing it on to us verbally.  He then proceeded to watch us 
type on the screen, then watched us log out and then changed the password
again on the spot.  Very secure, very procedural, very formal.



Except the officer was not a DBA, knew zilch about SQL and couldn't discern
if we were copying the entire main accounts table to a non-secure area if his life
depended on it.



Great security!   No wonder it got exposed a few years later in a well known
incident.  



The issue of course is that what these people needed was auditing, not security.
But try as we might, we could not make their "experts" understand the
diff...



Cheers


Nuno Souto


nsouto_at_wizofoz2k.com.au

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Nuno Pinto do Souto
  INET: nsouto_at_optusnet.com.au

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).


Received on Wed Nov 12 2003 - 17:44:24 CST












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US