Good point. Also, SYS becomes AUDITable in 9i, which should help an
after-the-fact whodunnit, especially if the hostname (or IP) is properly
captured. It's not prevention (I still don't think that's possible if the
user has root access), but it can provide a good trail of bread crumbs to
follow back to the crumbdumb.
Rich
Rich Jesse System/Database Administrator
[EMAIL PROTECTED] Quad/Tech Inc, Sussex, WI USA
-----Original Message-----
Sent: Friday, August 29, 2003 9:31 AM
To: Multiple recipients of list ORACLE-L
Walt,
Something that has not been suggested - migrate your database to 9.2.
Connect as internal goes away.
Other than that, I think the best suggestion you got was a conversation, and
granting access to the v$ tables thru a specific account for that person.
And then put a logon trigger in place tracking all connections to the
database. Keep track of all SYS connections. At least you know when things
happen. And periodically review the init.ora file for the database to make
sure that nobody changes anything.
Good Luck!
Tom Mercadante
Oracle Certified Professional
-----Original Message-----
Sent: Thursday, August 28, 2003 4:50 PM
To: Multiple recipients of list ORACLE-L
But someone determined to get in the database can simply edit sqlnet.ora
-----Original Message-----
From: "Tanel Poder" <[EMAIL PROTECTED]>
Sent: 08/28/2003 10:24 AM
To: Multiple recipients of list ORACLE-L
Subject: Re: How to keep "root" out?
Hi!
Put sqlnet.authentication_services = none in your server's sqlnet.ora. Then
everyone has to use a password.
Tanel.
----- Original Message -----
To: Multiple recipients of list ORACLE-L
Sent: Thursday, August 28, 2003 6:34 PM
Just for grins, I'll ask this question... Is there any way to keep the Unix
"root" user from logging into the database (i.e. connect internal or / as
sysdba)? Currently using 8.1.7.4 on Solaris 8 here.
We have a couple people in our Unix admin group that feel the need to "help"
by writing their own DB monitoring scripts. Of course, they don't know what
they're talking about. They do not have formal logins for the database, but
since they are root users they are connecting via "connect internal". This
is not only counterproductive but actually a potential security issue--just
because someone has root doesn't necessarily entitle them to see the data in
the database. What if it is a payroll database?
So, I'm curious, is there any way to prevent access via "connect internal"
or "/ as sysdba"?
Thanks in advance.
W
Author: Jesse, Rich
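The thread's two detection ideas, reviewing the config files periodically and noticing when sqlnet.ora has been edited, can be combined into a scheduled drift check. The script below is an added example and not part of the thread; the function names, baseline format and demo files are assumptions, and the baseline should be kept off-host because root can alter anything stored locally.

```shell
#!/bin/sh
# Added example (not from the thread): detect edits to Oracle config files.
# Function names, baseline format and demo files are assumptions.

# Print the active sqlnet.authentication_services value from FILE, lower-cased
# with blanks and parentheses removed; "unset" if no uncommented setting exists.
# Assumes the last uncommented occurrence is the one in effect.
auth_services() {
    val=$(grep -i '^[[:space:]]*sqlnet\.authentication_services[[:space:]]*=' "$1" 2>/dev/null |
          tail -n 1 | cut -d= -f2- | tr -d ' \t()' | tr 'A-Z' 'a-z')
    echo "${val:-unset}"
}

# record_baseline BASELINE FILE...: store a SHA-256 line per file.
record_baseline() {
    out=$1; shift
    sha256sum "$@" > "$out"
}

# check_drift BASELINE: report CHANGED/MISSING files, return 1 on any drift.
check_drift() {
    rc=0
    while read -r want path; do
        if [ ! -f "$path" ]; then echo "MISSING $path"; rc=1; continue; fi
        have=$(sha256sum "$path" | cut -d' ' -f1)
        [ "$have" = "$want" ] || { echo "CHANGED $path"; rc=1; }
    done < "$1"
    return "$rc"
}

# Demo on constructed files in a temp directory (not a real ORACLE_HOME).
demo() {
    d=$(mktemp -d)
    printf 'SQLNET.AUTHENTICATION_SERVICES = (NONE)\n' > "$d/sqlnet.ora"
    printf 'db_name = PAYROLL\n' > "$d/init.ora"
    record_baseline "$d/baseline" "$d/sqlnet.ora" "$d/init.ora"
    check_drift "$d/baseline" && echo "no drift"
    # Simulate the edit raised in the thread: the setting gets commented out.
    printf '# SQLNET.AUTHENTICATION_SERVICES = (NONE)\n' > "$d/sqlnet.ora"
    check_drift "$d/baseline" || echo "drift detected"
    echo "authentication_services is now: $(auth_services "$d/sqlnet.ora")"
    rm -rf "$d"
}
demo
```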