
Re: OK to revoke privileges from SYS or DBA?

From: Denis Do <nospam.denisdo_at_yahoo.com>
Date: Wed, 08 Dec 2004 02:26:31 GMT
Message-ID: <slrncrcpki.3q4.nospam.denisdo@denisdo.news.google.com>


On 2004-12-07, DA Morgan <damorgan_at_x.washington.edu> wrote:
> Thanks but having been corrected by Tom and reviewing it I agree that
> the DBA role should not be dropped ... but also should not be assigned.
> I too work in a high-security environment and am aware of break-ins and
> break-in attempts using the default roles. I do believe CONNECT and
> RESOURCE should be dropped or at least heavily pruned.
>
> Then again I also don't install Oracle with a user account named Oracle.
> Don't create groups named oinstall and dba on *NIX platforms and don't
> use port 1521 so I guess that puts me well outside the curve.

This comment makes a good point.
Please consider the fact that I am talking about a HIGHLY secure Oracle installation (that was the question in the original post, wasn't it?)

Obviously, I do not delete DBA, resource and connect for an average server working behind firewalls etc. In such a situation everything you guys said here is 100% true.

But please see my point as well - if you want security - you must (and will) pay for it. The more secure the site - the fewer "out of the box" features you have and the less convenient your day-by-day administration activity.

Are you really talking seriously about stored outlines, WM etc. in a highly secure system? If you do - you are wrong, and any security specialist will confirm it. In such a system absolutely NO NEW FEATURES are installed after the "golive date", no new scripts are run by the DBA without supervision and nobody knows the full password - just part of it. And as for me, if you log into that system as SYSDBA, you will find there only 1/3 of the standard Oracle dictionary. Not even talking about DBMS_x packages etc.

YES, it IS unsupported and "risky", and 2/3 of the cool latest Ora features will not work there, yes - this DB is supposed to run ONLY a pre-defined and tested subset of SQL statements and pl/sql code - so what? That is the price you pay for real security. And obviously, it is NOT recommended for the public :_)

Just another point - I do respect all your opinions and never thought to try to argue with you - I am just demonstrating an absolutely "untypical" configuration for highly-secure systems. And, maybe it is a surprise :_) - but I do have some servers running with a DELETED DBA role.

They even report themselves as MS SQL 2000 when you query v$version :-)) (that was a joke, sorry :-)

Please do not consider my post as offensive - it is my own IMHO :-)

Received on Tue Dec 07 2004 - 20:26:31 CST
