"Nuno Pinto do Souto" <[EMAIL PROTECTED]> wrote:
> And that's why I feel disabling SYS or SYSTEM purely on
> "security" grounds makes no sense whatsoever

I'm not sure that's what the OP wanted. He wanted to know if stopping use of
SYS and SYSTEM on a regular basis will be acceptable, not "disable" them. It
sure is.

Besides, how does one disable the account? Lock it? SYSTEM can be locked but
SYS can't be; hence the whole concept of disabling does not make sense.

I feel the auditors merely wanted the OP to stop using SYS and SYSTEM on a
regular basis in operations that require a DBA access - such as full exports
and selecting from dictionary tables. IMHO this is a very valid advisory
and not difficult to follow.

Arup


----- Original Message ----- 
To: "Multiple recipients of list ORACLE-L" <[EMAIL PROTECTED]>
Sent: Thursday, November 13, 2003 12:49 AM


> > Jacques Kilchoer <[EMAIL PROTECTED]> wrote:
> > In my case I also enforce the "don't sign on as SYS/SYSTEM" rule. The
> > reasons I do that:
> > - The default tablespace for SYS is SYSTEM, and I don't like to
> > change that. There are probably reasons why you wouldn't want to
> > change that. But when I sign on to do my DBA work to try something I
> > don't want to have to specify a tablespace name every time I create a
> > test object like CREATE TABLE TEST (X NUMBER) STORAGE (INITIAL 1000M)
>
> It has nothing to do with the dba role itself and its security.
> Oracle just happens to associate user SYS with the SYSTEM tablespace.
> Fair enough that you may not want that association by default.
>
> > - If each DBA has a named account, it's easy to tell who's logged in
> > to the database by saying
> > SELECT USERNAME FROM V$SESSION ;
> > otherwise I would have to figure out who could be logged on as SYSTEM
> > to call them and ask them if it's OK to shutdown the database.
>
> That is a pure audit requirement: you want to know who is using
> DBA access.  Nothing to do with SYSTEM.  If you remove SYS and SYSTEM,
> there is nothing in USERNAME in V$SESSION that will tell you username
> BLOGGSJ is using DBA rights.  Other than your own prior knowledge that
> is the case.  In a way, you're worse off.
>
> > Telling all the DBAs "sign on as SYSTEM" would be (IMHO) like telling
> > all the programmers "You can all sign on as user 'coder'" and all
> > users "you can all sign on in the database as user
> > 'data_entry_person'".
>
> Don't they always?  <G>
>
> Quite frankly, the problem as I see it is that I want to know WHO
> "dropped the tablespace" and WHEN and from WHERE.
> That whoever did it had DBA access rights is a given, I don't need it
> clarified!
>
> It's the who, when and where that is the province of auditing.  And have
> nothing to do with SYS, SYSTEM or whatever, other than as information.
> Using or not using SYS or SYSTEM adds nothing to this knowledge or
> its implicit security.
>
> And that's why I feel disabling SYS or SYSTEM purely on "security" grounds
> makes no sense whatsoever.  Of course, one may want to reduce the
> risk of accidents and therefore lock those out.  Even then, debatable if
> that is the best way of doing it: accidentally "dropping the tablespace"
> produces the same chaotic results regardless of what account one does it
> from.
>
>
> Cheers
> Nuno Souto
> [EMAIL PROTECTED]
> -- 
> Please see the official ORACLE-L FAQ: http://www.orafaq.net
> -- 
> Author: Nuno Pinto do Souto
>   INET: [EMAIL PROTECTED]
>
> Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
> San Diego, California        -- Mailing list and web hosting services
> ---------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from).  You may
> also send the HELP command for other information (like subscribing).
>
-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Arup Nanda
  INET: [EMAIL PROTECTED]
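The point made above, that USERNAME in V$SESSION alone does not tell you which named account is exercising DBA rights, and that the who/when/where of a dropped tablespace is the job of auditing, can be shown in a few queries. The following is an added example and not code posted by anyone in this thread. It assumes Oracle's traditional (pre-unified) auditing with the AUDIT_TRAIL initialization parameter set to DB, and that each DBA connects with a named account rather than SYS or SYSTEM; the comments note where a value is an assumption. One caveat the queries cannot fix: a connection made AS SYSDBA is shown as SYS in V$SESSION regardless of the name typed at the prompt, so for those connections only OSUSER and MACHINE, and the audit trail's OS_USERNAME and USERHOST, identify the person.

```sql
-- Added example: which connected sessions hold DBA rights, and the
-- who/when/where of a DROP TABLESPACE from the audit trail.
-- Assumes traditional auditing (AUDIT_TRAIL=DB) and named DBA accounts.

-- 1. Sessions whose user has been granted the DBA role directly.
--    A session for user BLOGGSJ appears here; V$SESSION by itself would not
--    tell you that BLOGGSJ carries DBA rights.
SELECT s.sid, s.serial#, s.username, s.osuser, s.machine, s.program,
       s.logon_time, r.granted_role
  FROM v$session s
  JOIN dba_role_privs r
    ON r.grantee = s.username
 WHERE r.granted_role = 'DBA'
   AND s.type = 'USER'          -- skip background processes
 ORDER BY s.logon_time;

-- 2. Record every CREATE/ALTER/DROP TABLESPACE, one audit row per execution
--    (BY ACCESS), so a single drop cannot hide inside a per-session summary.
AUDIT TABLESPACE BY ACCESS;

-- 3. Who dropped a tablespace, when, and from where.
--    OS_USERNAME and USERHOST answer the "where" even when the database
--    user is SYS because the session was opened AS SYSDBA.
SELECT a.timestamp, a.username, a.os_username, a.userhost, a.terminal,
       a.obj_name, a.returncode  -- 0 = succeeded, otherwise the ORA- error
  FROM dba_audit_trail a
 WHERE a.action_name = 'DROP TABLESPACE'
 ORDER BY a.timestamp DESC;
```

Query 1 only lists direct grants of the DBA role; a user who receives it through an intermediate role, or who holds DROP TABLESPACE as a system privilege (see DBA_SYS_PRIVS), would need the grant chain expanded. Statement 2 has to be in place before the event you want to explain, which is why the thread's advice to stop sharing SYS/SYSTEM and to audit is a pair: named accounts make the audit rows attributable, and the audit rows supply the when and where that a username never could.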