Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: OK to revoke privileges from SYS or DBA?

From: DA Morgan <damorgan_at_x.washington.edu>
Date: Mon, 06 Dec 2004 19:24:04 -0800
Message-ID: <1102389741.198142@yasure>


Denis Do wrote:

> I must admit, this is one REALLY good advice.
> (And this kind of advice is usually not free (if we are talking about
> some 3rd party commsec consultant):_))
>
> I agree with DA Morgan, since I know some REAL cases of intrusion through
> well-known pre-existing RESOURCE and DBA roles.
> Besides that, we are talking about PRODUCTION, so what relation do
> those rdbms/admin scripts have to an "official production environment"?
> Even more, they MUST NOT BE there at all :-)

Thanks, but having been corrected by Tom and reviewing it, I agree that the DBA role should not be dropped ... but also should not be assigned. I too work in a high-security environment and am aware of break-ins and break-in attempts using the default roles. I do believe CONNECT and RESOURCE should be dropped or at least heavily pruned.

Then again, I also don't install Oracle with a user account named Oracle, don't create groups named oinstall and dba on *NIX platforms, and don't use port 1521, so I guess that puts me well outside the curve.

-- 
Daniel A. Morgan
University of Washington
damorgan_at_x.washington.edu
(replace 'x' with 'u' to respond)
Received on Mon Dec 06 2004 - 21:24:04 CST
