Re: Oracle security question

2003-07-15 Thread Don Yu
Ron,

I have an urgent question. Because I wanted to shut down my database, I logged in as
oracle and executed dbshut. But later I found that the process was very slow,
so I realized that I should type shutdown immediate. Then I used control-D to
stop the shutdown command, and I re-executed shutdown immediate. Now the
shutdown command seems to take a longer time to finish. Is there something
wrong, or is this normal? Any comments are appreciated!
Thanks!


Don


Ron Rogers wrote:

 Don,
   The users need access to the data that is in the database or what is
 the purpose of the database?
  I would change the privileges of the users to CREATE SESSION only
 and revoke all others. Then I would use ROLES that have select
 privileges on the tables that they need access to. By creating roles and
 granting the role to a user the user can select from the tables. If
 different groups need access to different tables you can create different
 roles and grant them as needed.
  Roles are an easy method of controlling access to table data and if
 changes are needed then you change the role's privileges and all users
 of the role are affected.
 Ron

  [EMAIL PROTECTED] 07/11/03 03:44PM 
 Hi,

 I have a security question about Oracle database. Recently I have
 taken
 full control an Oracle database in my department. Now I would like to
 make sure that no other people except myself can update data in that
 database. Can somebody tell me what it is necessary steps to do that?
 Any comments are highly appreciated. Thanks!

 Don

 --
 Please see the official ORACLE-L FAQ: http://www.orafaq.net
 --
 Author: Don Yu
   INET: [EMAIL PROTECTED]

 Fat City Network Services-- 858-538-5051 http://www.fatcity.com
 San Diego, California-- Mailing list and web hosting services
 -
 To REMOVE yourself from this mailing list, send an E-Mail message
 to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
 the message BODY, include a line containing: UNSUB ORACLE-L
 (or the name of mailing list you want to be removed from).  You may
 also send the HELP command for other information (like subscribing).


Re: Oracle security question

2003-07-15 Thread Ron Rogers
Don,
 A normal shutdown will wait for all of the users to complete their
work and shut down when the users are off the system. A shutdown
immediate waits for the current transactions to complete and does not allow
any more to start before shutting down. A shutdown abort does just
that, it stops all transactions and shuts down the database. A shutdown
abort is best followed by a startup restricted and then a shutdown
immediate to clear up the database. If you check your alert log you will
find that the database does a recovery to clean itself up after a
shutdown abort.
 When you do a non-normal action such as a CTRL-D when shutting down,
Oracle might be cleaning itself up or clearing the temp, which takes
time to accomplish.  Take a look at the actions that are going on in the
database with temp. Perhaps that is why the shutdown is taking time. A
user could be performing a long transaction that has to complete or
roll back before Oracle shuts down. There are many possibilities for the
lengthy time to shut down.
Select count(*) from DBA_EXTENTS where segment_type = 'TEMPORARY';
will give you the number of extents that are being shrunk if temp is
one of your problems. The number will decrease as SMON does its work.
 I would also edit the dbshut command to shutdown immediate rather
than the plain shutdown.
 Check the OS to see what processes are consuming the time. That can
lead you to the time consumption. Remember time is relative to the
viewer.
Ron

 [EMAIL PROTECTED] 07/15/03 09:29AM 
Ron,

I have urgent question. Because I want to shutdown my database, I login
as
oracle and execute dbshut. But later I found that the process is very
slow
so I realize that I should type shutdown immediate. Then, I use
control-D to
stop shutdown command. And I re-execute shutdown immediate. Now the
shutdown command seems to take longer time to finish. Is there
something
wrong or normal? Any comments are appreciated!
Thanks!


Don


Ron Rogers wrote:

 Don,
   The users need acces to the data that is in the database or what
is
 the purpose of the database?
  I would change the privileges of the users to CREATE SESSION only
 and revoke all others. Then I would use ROLES that have select
 privileges on the tables that they need acces to. By creating roles
and
 granting the role to a user the user can select from the tables. If
 different groups need acces to different tables you can create
different
 roles and grant them as needed.
  Roles are an easy method of controlling acces to table data and if
 changes are needed then you change the role's privileges and all
users
 of the role are effected.
 Ron

  [EMAIL PROTECTED] 07/11/03 03:44PM 
 Hi,

 I have a security question about Oracle database. Recently I have
 taken
 full control an Oracle database in my department. Now I would like
to
 make sure that no other people except myself can update data in that
 database. Can somebody tell me what it is necessary steps to do
that?
 Any comments are highly appreciated. Thanks!

 Don


Re: Oracle security question

2003-07-15 Thread Arup Nanda
I'm not Ron; but I'll take a stab at this.

The shutdown immediate is hanging probably because there are several
transactions that are rolling back. The database is not going to close till
all have rolled back completely.

HTH.

Arup Nanda
- Original Message -
To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
Sent: Tuesday, July 15, 2003 9:29 AM


 Ron,

 I have urgent question. Because I want to shutdown my database, I login as
 oracle and execute dbshut. But later I found that the process is very slow
 so I realize that I should type shutdown immediate. Then, I use control-D
to
 stop shutdown command. And I re-execute shutdown immediate. Now the
 shutdown command seems to take longer time to finish. Is there something
 wrong or normal? Any comments are appreciated!
 Thanks!


 Don


 Ron Rogers wrote:

  Don,
The users need acces to the data that is in the database or what is
  the purpose of the database?
   I would change the privileges of the users to CREATE SESSION only
  and revoke all others. Then I would use ROLES that have select
  privileges on the tables that they need acces to. By creating roles and
  granting the role to a user the user can select from the tables. If
  different groups need acces to different tables you can create different
  roles and grant them as needed.
   Roles are an easy method of controlling acces to table data and if
  changes are needed then you change the role's privileges and all users
  of the role are effected.
  Ron
 
   [EMAIL PROTECTED] 07/11/03 03:44PM 
  Hi,
 
  I have a security question about Oracle database. Recently I have
  taken
  full control an Oracle database in my department. Now I would like to
  make sure that no other people except myself can update data in that
  database. Can somebody tell me what it is necessary steps to do that?
  Any comments are highly appreciated. Thanks!
 
  Don
 


Re: Oracle security question

2003-07-14 Thread Ron Rogers
Don,
  The users need access to the data that is in the database or what is
the purpose of the database?
 I would change the privileges of the users to CREATE SESSION only
and revoke all others. Then I would use ROLES that have select
privileges on the tables that they need access to. By creating roles and
granting the role to a user the user can select from the tables. If
different groups need access to different tables you can create different
roles and grant them as needed.
 Roles are an easy method of controlling access to table data and if
changes are needed then you change the role's privileges and all users
of the role are affected.
Ron

 [EMAIL PROTECTED] 07/11/03 03:44PM 
Hi,

I have a security question about Oracle database. Recently I have
taken
full control an Oracle database in my department. Now I would like to
make sure that no other people except myself can update data in that
database. Can somebody tell me what it is necessary steps to do that?
Any comments are highly appreciated. Thanks!


Don


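
The role-based approach described in the message above, written out as SQL. This is an added example, not part of the original thread; REPORT_OWNER, ACCESS_LOG, REPORT_READER and WEBUSER are hypothetical names, and the statements are meant to be run from a DBA account.

```sql
-- Added example: all schema, table, role and user names are hypothetical.

-- 1. Inventory what the account holds today (system privileges, roles,
--    and direct object grants).
SELECT privilege    FROM dba_sys_privs  WHERE grantee = 'WEBUSER';
SELECT granted_role FROM dba_role_privs WHERE grantee = 'WEBUSER';
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'WEBUSER';

-- 2. Revoke what step 1 returned. The two statements below ASSUME it
--    listed the CONNECT and RESOURCE roles and direct DML grants on the
--    table; revoking something that was never granted raises an error,
--    so adjust them to the actual query output.
REVOKE CONNECT, RESOURCE FROM webuser;
REVOKE INSERT, UPDATE, DELETE ON report_owner.access_log FROM webuser;

-- 3. Leave the account with the ability to log in and nothing else.
GRANT CREATE SESSION TO webuser;

-- 4. Give read access through a role, so later changes are made once
--    on the role and apply to every user that holds it.
CREATE ROLE report_reader;
GRANT SELECT ON report_owner.access_log TO report_reader;
GRANT report_reader TO webuser;

-- 5. Verify: every grantee (user, role or PUBLIC) that can still change
--    the table through an object grant. The table owner can always
--    change it and does not appear here.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'REPORT_OWNER'
   AND table_name = 'ACCESS_LOG'
   AND privilege IN ('INSERT', 'UPDATE', 'DELETE', 'ALTER')
 ORDER BY grantee, privilege;

-- 6. Verify: system privileges that allow writes to any table and so
--    bypass the object grants checked in step 5.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('INSERT ANY TABLE', 'UPDATE ANY TABLE',
                     'DELETE ANY TABLE', 'DROP ANY TABLE')
 ORDER BY grantee, privilege;
```

Grantees returned by steps 5 and 6 that are roles need the same check one level down, through DBA_ROLE_PRIVS, to see which users hold them.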


Re: Oracle security question

2003-07-14 Thread Pete Finnigan
Hi Don,

I wrote a paper for securityfocus.com a while ago that described a
simple security scanner for Oracle; there is also a script you can run
with the paper. You can get the link on my Oracle security papers page
on my site at www.petefinnigan.com/orasec.htm; the paper is near the top
and is called "a simple Oracle security scanner".

hth

kind regards
Pete
-- 
Pete Finnigan
email:[EMAIL PROTECTED]
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.



Re: Oracle security question

2003-07-14 Thread Don Yu
Dear Guang Mei:

Thanks for your message. Your suggestion is very helpful. After reviewing all possible
users, I have locked them. Now I have only one concern: if nobody knows my
database's sys and system passwords, there should be no way to unlock these accounts.
Am I completely right?
Thanks! Any comments are appreciated!


Don


Guang Mei wrote:

 select * from all_users;

 to get all users, then change their oracle passwords so that no body can
 log in except you. This way you know you are the only one who can change
 the data. Next step is see what application can make the data change.

 Hope this helps.

 Guang

 On Fri, 11 Jul 2003, Don Yu wrote:

  Dennis
 
  Thank you very much. My data in that database is changed three times. The first
  is whole data being delete. The second is over ten thousands records being
  added. The third is whole data related to a month being deleted. I know my
  working environment is very complicated. For this report application, I write
  shell scripts and C/C++ program to parsing Apache web server access log file
  (www.welch.jhu.edu) in order to get client ip, access date, and host ip, which
  are associated with the special pattern as ntlinktrack.cgi, which is
  associated with Library E-Book,E-Journal, and E-database. Then I need to
  schedule a solaris cron job to process access log daily and load parsed data
  into database. Also I create some log files for saving intermediate information
  from my program. Then I create some ColdFusion pages to post these results into
  website. In my database there are over million records. Oracle DBA is new duty
  for me since I had found that my data was missing. This is the  reason I post my
  question on Oracle user group. Now I am trying to read as much as I can but I do
  not have much time. I want to make sure my database is secure as early as I can.
  So what do you think of my reason?
  Thank you very much!
 
 
  Don
 
 
  DENNIS WILLIAMS wrote:
 
   Don
   SYS is the owner of the Oracle dictionary tables. It is a username with
   DBA privilege, so someone who logs in can change data. If you have changed
   its password, then you are assured that nobody is using that username right
   now. If you've changed its password, then I wouldn't worry about it right
   now.
   Since it sounds as if you are the only person that accesses this
   database, then you may want to change the username that owns your tables.
   Hopefully this username is not SYSTEM or SYS.
   After that, unless you know of other usernames someone might use to
   access your Oracle database, don't make any more security changes for
   awhile. Go back to trying to figure out why your data is changing without
   your changing it. It may well be there is an innocent reason that has
   nothing to do with someone else. I've had that happen to me when I've
   started using an unfamiliar system.
   And don't forget to buy a good Oracle DBA book like the one I suggested.
  
   Dennis Williams
   DBA, 80%OCP, 100% DBA
   Lifetouch, Inc.
   [EMAIL PROTECTED]
  
  
  
   -Original Message-
   Sent: Friday, July 11, 2003 3:49 PM
   To: Multiple recipients of list ORACLE-L
  
   Dennis:
  
   Thanks for your message. Now I have changed sys password by the following
   command:
   alter user sys identified by xxx
   But when I try to login from sql plus window by using sys, I cannot
   successfully
   login. Also I get an error message. The message is something like
   connection to
   sys should be as sysdba or sysoper. So my question is what sys for?
   Thank you very much!
  
   Don
  
   DENNIS WILLIAMS wrote:
  
Don
   If only you can make updates to your Oracle database, then you must
   enter
all the data ;-)
   From the tone of your posting, I'm going to assume that you are pretty
new to Oracle. You may want to get a good basic administration book like
Oracle9i DBA 101.
   
   http://www.amazon.com/exec/obidos/tg/detail/-/0072224746/qid=1057949734/sr=8-1/ref=sr_8_1/104-2287688-5574335?v=glances=booksn=507846
It is also a good idea to always mention your Oracle version and platform
(Unix, NT, etc.) in your posts.
First, log in with the SYSTEM username. Then change the password for
   SYSTEM
and SYS with the command:
ALTER USER SYSTEM IDENTIFIED BY x;
Where x is your new password.
You should be able to make these changes without affecting any end users.
Next you should identify your groups of users and how they access Oracle.
Basically you need to identify what their access requirements are and then
audit the usernames they use to ensure the privileges granted are just
   what
is required. This is also a good time to see about changing passwords, but
first buy the book and read up on the basics of Oracle security.
   
Dennis Williams
DBA, 80%OCP, 100% DBA
Lifetouch, Inc.
[EMAIL PROTECTED]
   
-Original Message-
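
A way to check the question raised in the message above, namely which paths exist for unlocking an account. This is an added example, not part of the original thread; it uses only standard dictionary views, is meant to be run from a DBA account, and assumes nothing about this particular database.

```sql
-- Added example: read-only checks against standard dictionary views.

-- 1. Current state of every account: OPEN, LOCKED, EXPIRED and so on.
SELECT username, account_status, lock_date
  FROM dba_users
 ORDER BY account_status, username;

-- 2. Users and roles that hold ALTER USER directly. Any of them can run
--    ALTER USER ... ACCOUNT UNLOCK or reset a password without knowing
--    the SYS or SYSTEM password.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'ALTER USER'
 ORDER BY grantee;

-- 3. Grantees that receive ALTER USER through a role found in step 2
--    (the DBA role normally appears here).
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE granted_role IN (SELECT grantee
                          FROM dba_sys_privs
                         WHERE privilege = 'ALTER USER')
 ORDER BY granted_role, grantee;

-- 4. Accounts listed in the password file with SYSDBA or SYSOPER.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users;

-- 5. Not visible from SQL: on Unix, an operating-system account in the
--    Oracle DBA group can normally CONNECT / AS SYSDBA with no database
--    password at all, so membership of that OS group belongs in the
--    same review.
```

An open account that shows up in steps 2 to 4, or an OS login covered by step 5, is a path to unlocking accounts that does not depend on the SYS or SYSTEM password.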

RE: Oracle security question

2003-07-14 Thread DENNIS WILLIAMS
Don
   Well, if you changed the password, then you should have the new password.
Don't post them, because everyone on the internet will have them.
   What is your Oracle version? 

Dennis Williams
DBA, 80%OCP, 100% DBA
Lifetouch, Inc.
[EMAIL PROTECTED] 


-Original Message-
Sent: Monday, July 14, 2003 3:34 PM
To: Multiple recipients of list ORACLE-L


Dear Guang Mei:

Thanks for your message. Your suggestion is very helpful. After reviewing
all possible
uesers, I have locked them. Now I have only one concern that if nobody knows
my
database's sys and system's password, there should be no way to unlock these
accounts.
Am I complete right?
Thanks! Any comments are appreciated!


Don


Guang Mei wrote:

 select * from all_users;

 to get all users, then change their oracle passwords so that no body can
 log in except you. This way you know you are the only one who can change
 the data. Next step is see what application can make the data change.

 Hope this helps.

 Guang

 On Fri, 11 Jul 2003, Don Yu wrote:

  Dennis
 
  Thank you very much. My data in that database is changed three times.
The first
  is whole data being delete. The second is over ten thousands records
being
  added. The third is whole data related to a month being deleted. I know
my
  working environment is very complicated. For this report application, I
write
  shell scripts and C/C++ program to parsing Apache web server access log
file
  (www.welch.jhu.edu) in order to get client ip, access date, and host ip,
which
  are associated with the special pattern as ntlinktrack.cgi, which is
  associated with Library E-Book,E-Journal, and E-database. Then I need to
  schedule a solaris cron job to process access log daily and load parsed
data
  into database. Also I create some log files for saving intermediate
information
  from my program. Then I create some ColdFusion pages to post these
results into
  website. In my database there are over million records. Oracle DBA is
new duty
  for me since I had found that my data was missing. This is the  reason I
post my
  question on Oracle user group. Now I am trying to read as much as I can
but I do
  not have much time. I want to make sure my database is secure as early
as I can.
  So what do you think of my reason?
  Thank you very much!
 
 
  Don
 
 
  DENNIS WILLIAMS wrote:
 
   Don
   SYS is the owner of the Oracle dictionary tables. It is a username
with
   DBA privilege, so someone who logs in can change data. If you have
changed
   its password, then you are assured that nobody is using that username
right
   now. If you've changed its password, then I wouldn't worry about it
right
   now.
   Since it sounds as if you are the only person that accesses this
   database, then you may want to change the username that owns your
tables.
   Hopefully this username is not SYSTEM or SYS.
   After that, unless you know of other usernames someone might use
to
   access your Oracle database, don't make any more security changes for
   awhile. Go back to trying to figure out why your data is changing
without
   your changing it. It may well be there is an innocent reason that has
   nothing to do with someone else. I've had that happen to me when I've
   started using an unfamiliar system.
   And don't forget to buy a good Oracle DBA book like the one I
suggested.
  
   Dennis Williams
   DBA, 80%OCP, 100% DBA
   Lifetouch, Inc.
   [EMAIL PROTECTED]
  
  
  
   -Original Message-
   Sent: Friday, July 11, 2003 3:49 PM
   To: Multiple recipients of list ORACLE-L
  
   Dennis:
  
   Thanks for your message. Now I have changed sys password by the
following
   command:
   alter user sys identified by xxx
   But when I try to login from sql plus window by using sys, I cannot
   successfully
   login. Also I get an error message. The message is something like
   connection to
   sys should be as sysdba or sysoper. So my question is what sys for?
   Thank you very much!
  
   Don
  
   DENNIS WILLIAMS wrote:
  
Don
   If only you can make updates to your Oracle database, then you
must
   enter
all the data ;-)
   From the tone of your posting, I'm going to assume that you are
pretty
new to Oracle. You may want to get a good basic administration book
like
Oracle9i DBA 101.
   
  
http://www.amazon.com/exec/obidos/tg/detail/-/0072224746/qid=1057949734/sr=8-1/ref=sr_8_1/104-2287688-5574335?v=glances=booksn=507846
It is also a good idea to always mention your Oracle version and
platform
(Unix, NT, etc.) in your posts.
First, log in with the SYSTEM username. Then change the password for
   SYSTEM
and SYS with the command:
ALTER USER SYSTEM IDENTIFIED BY x;
Where x is your new password.
You should be able to make these changes without affecting any end
users.
Next you should identify your groups of users and how they access
Oracle.
Basically you need to identify what their access requirements are
and then
   

Re: Oracle security question

2003-07-13 Thread zhu chao
Hi,
I suggest you use sqlldr to load the data into the database. In most
cases, sqlldr solves this kind of question.
Second, as Dennis said, read more about Oracle. Oracle is pretty
complicated, and it is hard to manage if you do not understand it. Besides
DBA 101, you can get free books from otn.oracle.com/documents (free
registration).


Regards
zhu chao
msn:[EMAIL PROTECTED]
www.cnoug.org
- Original Message -
To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
Sent: Saturday, July 12, 2003 6:14 AM


 Dennis

 Thank you very much. My data in that database is changed three times. The
first
 is whole data being delete. The second is over ten thousands records being
 added. The third is whole data related to a month being deleted. I know my
 working environment is very complicated. For this report application, I
write
 shell scripts and C/C++ program to parsing Apache web server access log
file
 (www.welch.jhu.edu) in order to get client ip, access date, and host ip,
which
 are associated with the special pattern as ntlinktrack.cgi, which is
 associated with Library E-Book,E-Journal, and E-database. Then I need to
 schedule a solaris cron job to process access log daily and load parsed
data
 into database. Also I create some log files for saving intermediate
information
 from my program. Then I create some ColdFusion pages to post these results
into
 website. In my database there are over million records. Oracle DBA is new
duty
 for me since I had found that my data was missing. This is the  reason I
post my
 question on Oracle user group. Now I am trying to read as much as I can
but I do
 not have much time. I want to make sure my database is secure as early as
I can.
 So what do you think of my reason?
 Thank you very much!


 Don


 DENNIS WILLIAMS wrote:

  Don
  SYS is the owner of the Oracle dictionary tables. It is a username
with
  DBA privilege, so someone who logs in can change data. If you have
changed
  its password, then you are assured that nobody is using that username
right
  now. If you've changed its password, then I wouldn't worry about it
right
  now.
  Since it sounds as if you are the only person that accesses this
  database, then you may want to change the username that owns your
tables.
  Hopefully this username is not SYSTEM or SYS.
  After that, unless you know of other usernames someone might use to
  access your Oracle database, don't make any more security changes for
  awhile. Go back to trying to figure out why your data is changing
without
  your changing it. It may well be there is an innocent reason that has
  nothing to do with someone else. I've had that happen to me when I've
  started using an unfamiliar system.
  And don't forget to buy a good Oracle DBA book like the one I
suggested.
 
  Dennis Williams
  DBA, 80%OCP, 100% DBA
  Lifetouch, Inc.
  [EMAIL PROTECTED]
 
 
 
  -Original Message-
  Sent: Friday, July 11, 2003 3:49 PM
  To: Multiple recipients of list ORACLE-L
 
  Dennis:
 
  Thanks for your message. Now I have changed sys password by the
following
  command:
  alter user sys identified by xxx
  But when I try to login from sql plus window by using sys, I cannot
  successfully
  login. Also I get an error message. The message is something like
  connection to
  sys should be as sysdba or sysoper. So my question is what sys for?
  Thank you very much!
 
  Don
 
  DENNIS WILLIAMS wrote:
 
   Don
  If only you can make updates to your Oracle database, then you must
  enter
   all the data ;-)
  From the tone of your posting, I'm going to assume that you are
pretty
   new to Oracle. You may want to get a good basic administration book
like
   Oracle9i DBA 101.
  
 
   http://www.amazon.com/exec/obidos/tg/detail/-/0072224746/qid=1057949734/sr=8-1/ref=sr_8_1/104-2287688-5574335?v=glances=booksn=507846
   It is also a good idea to always mention your Oracle version and
platform
   (Unix, NT, etc.) in your posts.
   First, log in with the SYSTEM username. Then change the password for
  SYSTEM
   and SYS with the command:
   ALTER USER SYSTEM IDENTIFIED BY x;
   Where x is your new password.
   You should be able to make these changes without affecting any end
users.
   Next you should identify your groups of users and how they access
Oracle.
   Basically you need to identify what their access requirements are and
then
   audit the usernames they use to ensure the privileges granted are just
  what
   is required. This is also a good time to see about changing passwords,
but
   first buy the book and read up on the basics of Oracle security.
  
   Dennis Williams
   DBA, 80%OCP, 100% DBA
   Lifetouch, Inc.
   [EMAIL PROTECTED]
  
   -Original Message-
   Sent: Friday, July 11, 2003 2:45 PM
   To: Multiple recipients of list ORACLE-L
  
   Hi,
  
   I have a security question about Oracle database. Recently I have
taken
   full control an Oracle database in my department. Now I would like to
   

RE: Oracle security question

2003-07-12 Thread DENNIS WILLIAMS
Don
   Interesting web site. Well, I think you have enough information from us.
Now it is just some detective work. 
   The next subject you need to review is backup and recovery. Keep the
information in those databases secure.

Dennis Williams
DBA, 80%OCP, 100% DBA
Lifetouch, Inc.
[EMAIL PROTECTED] 



Re: Oracle security question

2003-07-11 Thread Stephen Andert
Don, 

Look at dba_tab_privs.

Stephen

 [EMAIL PROTECTED] 07/11/03 12:44PM 
Hi,

I have a security question about Oracle database. Recently I have taken
full control an Oracle database in my department. Now I would like to
make sure that no other people except myself can update data in that
database. Can somebody tell me what it is necessary steps to do that?
Any comments are highly appreciated. Thanks!


Don



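An added example, not part of any poster's message: one way to carry out the privilege review the replies point to (dba_tab_privs, and limiting other users to select-only access). REPORT_OWNER, ACCESS_LOG, REPORT_READER and WEB_USER are hypothetical names; run the queries from an account that can read the DBA_* dictionary views.

```sql
-- Added example. REPORT_OWNER, ACCESS_LOG, REPORT_READER and WEB_USER are
-- hypothetical names; substitute the schema, table, role and account in use.

-- 1. Accounts that exist and whether they can currently log in.
SELECT username, account_status, created
  FROM dba_users
 ORDER BY username;

-- 2. Object privileges that let a grantee change the owner's tables.
--    The grantee may be a user, a role, or PUBLIC.
SELECT grantee, table_name, privilege, grantor, grantable
  FROM dba_tab_privs
 WHERE owner = 'REPORT_OWNER'
   AND privilege IN ('INSERT', 'UPDATE', 'DELETE', 'ALTER')
 ORDER BY grantee, table_name, privilege;

-- 3. System privileges that bypass object grants altogether.
--    DROP ANY TABLE is listed because it also permits TRUNCATE.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('INSERT ANY TABLE', 'UPDATE ANY TABLE',
                     'DELETE ANY TABLE', 'ALTER ANY TABLE',
                     'DROP ANY TABLE')
 ORDER BY grantee, privilege;

-- 4. Everyone who holds the DBA role, directly or through another role.
SELECT DISTINCT grantee
  FROM dba_role_privs
 START WITH granted_role = 'DBA'
CONNECT BY PRIOR grantee = granted_role
 ORDER BY grantee;

-- 5. Remove a write grant found in step 2 and replace it with read-only
--    access through a role, so later changes are made in one place.
--    Revoke only the privileges step 2 actually lists, and run the REVOKE
--    as the grantor shown there (normally the table owner).
REVOKE INSERT, UPDATE, DELETE ON report_owner.access_log FROM web_user;

CREATE ROLE report_reader;
GRANT SELECT ON report_owner.access_log TO report_reader;
GRANT CREATE SESSION TO web_user;
GRANT report_reader TO web_user;
```

Rerun steps 2 to 4 after the changes; any grantee still listed other than the owner and the intended DBA account can modify the data.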

RE: Oracle security question

2003-07-11 Thread Stephane Paquette
Change the password of all Oracle related users (sys, system,...)
Revoke access from all other users or make sure all other users have select
only privilege on data.

What is the use of such databases ?



Stephane Paquette
Administrateur de bases de donnees
Database Administrator
Standard Life
www.standardlife.ca
Tel. (514) 499-7999 7470 and (514) 925-7187
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]







RE: Oracle security question

2003-07-11 Thread DENNIS WILLIAMS
Don
   If only you can make updates to your Oracle database, then you must enter
all the data ;-)
   From the tone of your posting, I'm going to assume that you are pretty
new to Oracle. You may want to get a good basic administration book like
Oracle9i DBA 101.
http://www.amazon.com/exec/obidos/tg/detail/-/0072224746/qid=1057949734/sr=8-1/ref=sr_8_1/104-2287688-5574335?v=glances=booksn=507846
It is also a good idea to always mention your Oracle version and platform
(Unix, NT, etc.) in your posts.
First, log in with the SYSTEM username. Then change the password for SYSTEM
and SYS with the command:
ALTER USER SYSTEM IDENTIFIED BY x;
Where x is your new password.
You should be able to make these changes without affecting any end users.
Next you should identify your groups of users and how they access Oracle.
Basically you need to identify what their access requirements are and then
audit the usernames they use to ensure the privileges granted are just what
is required. This is also a good time to see about changing passwords, but
first buy the book and read up on the basics of Oracle security.

Dennis Williams
DBA, 80%OCP, 100% DBA
Lifetouch, Inc.
[EMAIL PROTECTED] 





Re: Oracle security question

2003-07-11 Thread Don Yu
Stephane,

Thanks for your message. The reason I ask this question is that now I am
responsible for creating some reports based upon this database. But I have found
that there are unaccountable data in my database, which is not from my insert
script or my cron job program. Thanks!


Don




Re: Oracle security question

2003-07-11 Thread Don Yu
Dennis:

Thanks for your message. Now I have changed sys password by the following
command:
alter user sys identified by xxx
But when I try to login from sql plus window by using sys, I cannot successfully
login. Also I get an error message. The message is something like connection to
sys should be as sysdba or sysoper. So my question is what sys for?
Thank you very much!


Don




RE: Oracle security question

2003-07-11 Thread DENNIS WILLIAMS
Don 
SYS is the owner of the Oracle dictionary tables. It is a username with
DBA privilege, so someone who logs in can change data. If you have changed
its password, then you are assured that nobody is using that username right
now. If you've changed its password, then I wouldn't worry about it right
now. 
Since it sounds as if you are the only person that accesses this
database, then you may want to change the username that owns your tables.
Hopefully this username is not SYSTEM or SYS.
After that, unless you know of other usernames someone might use to
access your Oracle database, don't make any more security changes for
awhile. Go back to trying to figure out why your data is changing without
your changing it. It may well be there is an innocent reason that has
nothing to do with someone else. I've had that happen to me when I've
started using an unfamiliar system.
And don't forget to buy a good Oracle DBA book like the one I suggested.

Dennis Williams
DBA, 80%OCP, 100% DBA
Lifetouch, Inc.
[EMAIL PROTECTED] 

 


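An added example, not from the thread: one way to find out why the data is changing is Oracle's standard auditing, which records the account, OS user and host behind each change. It goes beyond what was posted; REPORT_OWNER and ACCESS_LOG are hypothetical names, and it assumes the instance runs with the AUDIT_TRAIL init parameter set to DB.

```sql
-- Added example. REPORT_OWNER and ACCESS_LOG are hypothetical names.

-- 1. Confirm auditing is on. AUDIT statements are accepted when the value
--    is NONE, but no records are written until the instance runs with DB
--    (or OS, in which case the records go to operating system files).
SELECT name, value
  FROM v$parameter
 WHERE name = 'audit_trail';

-- 2. Record every data change on the table, one audit record per statement.
AUDIT INSERT, UPDATE, DELETE ON report_owner.access_log BY ACCESS;

-- 3. The object audit in step 2 does not see TRUNCATE or DROP, either of
--    which would also make a table's data disappear. The TABLE statement
--    option covers CREATE TABLE, DROP TABLE and TRUNCATE TABLE.
AUDIT TABLE BY ACCESS;

-- 4. Record logons and logoffs so each change can be tied to a session.
AUDIT SESSION;

-- 5. Check which audit options are in force.
SELECT owner, object_name, ins, upd, del
  FROM dba_obj_audit_opts
 WHERE owner = 'REPORT_OWNER';

SELECT user_name, audit_option, success, failure
  FROM dba_stmt_audit_opts;

-- 6. After the next unexplained change, list who touched the table.
--    Sessions connected AS SYSDBA are not recorded in this view.
SELECT TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') AS happened_at,
       username, os_username, userhost, terminal,
       action_name, owner, obj_name, returncode
  FROM dba_audit_trail
 WHERE owner = 'REPORT_OWNER'
   AND obj_name = 'ACCESS_LOG'
 ORDER BY timestamp;
```

Comparing the times from step 6 with the cron schedule and the ColdFusion pages' activity separates the loader's own changes from anything else.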
RE: Oracle security question

2003-07-11 Thread DENNIS WILLIAMS
Oops. I meant to say that you might consider changing the PASSWORD of the
username that owns your tables.


Re: Oracle security question

2003-07-11 Thread Don Yu
Dennis

Thank you very much. My data in that database is changed three times. The first
is whole data being deleted. The second is over ten thousand records being
added. The third is whole data related to a month being deleted. I know my
working environment is very complicated. For this report application, I write
shell scripts and C/C++ programs to parse the Apache web server access log file
(www.welch.jhu.edu) in order to get client ip, access date, and host ip, which
are associated with the special pattern as ntlinktrack.cgi, which is
associated with Library E-Book, E-Journal, and E-database. Then I need to
schedule a solaris cron job to process access log daily and load parsed data
into database. Also I create some log files for saving intermediate information
from my program. Then I create some ColdFusion pages to post these results into
website. In my database there are over a million records. Oracle DBA is new duty
for me since I had found that my data was missing. This is the reason I post my
question on Oracle user group. Now I am trying to read as much as I can but I do
not have much time. I want to make sure my database is secure as early as I can.
So what do you think of my reason?
Thank you very much!


Don



RE: Oracle security question

2003-07-11 Thread Jacques Kilchoer
In addition to what Dennis said:
if Orace init parameter O7_DICTIONARY_ACCESSIBILITY = FALSE (the default in 9.0 and 
9.2)
then to connect as user SYS you need to specify the connect string like this:
connect SYS/password AS SYSDBA

The reason the user SYS is more protected than the user SYSTEM is because:
a) the user SYS is the owner of the data dictionary - the set of tables that are used 
by Oracle to store internal information about the objects in the database;
b) the user SYS is the one you use for tasks such as starting up or shutting down the 
database.

SYSTEM is a DBA user created along with the database.

In general, you should do the following:
only sign on as SYS to startup and shutdown the database, or for recovery.
create another DBA user and sign on as that other user for any DBA tasks.
I hardly ever use the SYSTEM account except for creation of some Oracle-related 
objects (like a public PLAN_TABLE or the PRODUCT_USER_PROFILE table.)

 -Original Message-
 From: Don Yu [mailto:[EMAIL PROTECTED]
 Sent: vendredi, 11. juillet 2003 13:49
 To: Multiple recipients of list ORACLE-L
 Subject: Re: Oracle security question
 
 
 Dennis:
 
 Thanks for your message. Now I have changed sys password by the following
 command:
 alter user sys identified by xxx
 But when I try to login from sql plus window by using sys, I cannot
 successfully login. Also I get an error message. The message is something
 like connection to sys should be as sysdba or sysoper. So my question is
 what is sys for?
 Thank you very much!
Author: Jacques Kilchoer
  INET: [EMAIL PROTECTED]

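As an added example that is not part of any poster's message in this thread: one way to create the separate DBA user suggested above and then audit which accounts can change data, using Oracle's standard dictionary views. The names DBA_DON and APP_OWNER and the password are placeholders assumed for illustration.

```sql
-- Added example; DBA_DON, APP_OWNER and the password are placeholders.
-- Run in SQL*Plus as SYSTEM or another user that holds the DBA role.

-- 1. A named DBA account for day-to-day work, so that SYS is used only
--    for startup, shutdown and recovery.
CREATE USER dba_don IDENTIFIED BY "Placeholder_Pw_1";
GRANT CREATE SESSION TO dba_don;
GRANT DBA TO dba_don;

-- 2. Every account in the database and whether it is open or locked.
SELECT username, account_status, created
  FROM dba_users
 ORDER BY username;

-- 3. Users and roles that have been granted the DBA role directly.
SELECT grantee, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

-- 4. System privileges that allow changing data in any schema.
--    A grantee here may be a role; check DBA_ROLE_PRIVS for its members.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('INSERT ANY TABLE', 'UPDATE ANY TABLE',
                     'DELETE ANY TABLE', 'DROP ANY TABLE',
                     'ALTER ANY TABLE')
 ORDER BY grantee, privilege;

-- 5. Object grants on the application schema's tables.
--    The schema owner itself can always modify its own tables.
SELECT grantee, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'APP_OWNER'
   AND privilege IN ('INSERT', 'UPDATE', 'DELETE', 'ALTER')
 ORDER BY table_name, grantee;
```

Any grantee returned by queries 3 to 5, plus the schema owner, is an account whose password and continued need for access should be reviewed.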



Re: Oracle security question

2003-07-11 Thread Guang Mei
select * from all_users;

to get all users, then change their Oracle passwords so that nobody can
log in except you. This way you know you are the only one who can change
the data. The next step is to see what application can make the data change.


Hope this helps.

Guang




On Fri, 11 Jul 2003, Don Yu wrote:

 Dennis

 Thank you very much. My data in that database was changed three times. The first
 was the whole data being deleted. The second was over ten thousand records being
 added. The third was the whole data related to a month being deleted. I know my
 working environment is very complicated. For this report application, I write
 shell scripts and C/C++ programs to parse the Apache web server access log file
 (www.welch.jhu.edu) in order to get client ip, access date, and host ip, which
 are associated with the special pattern ntlinktrack.cgi, which is
 associated with Library E-Book, E-Journal, and E-database. Then I need to
 schedule a Solaris cron job to process the access log daily and load parsed data
 into the database. Also I create some log files for saving intermediate information
 from my program. Then I create some ColdFusion pages to post these results onto
 the website. In my database there are over a million records. Oracle DBA is a new duty
 for me since I found that my data was missing. This is the reason I posted my
 question on the Oracle user group. Now I am trying to read as much as I can but I do
 not have much time. I want to make sure my database is secure as early as I can.
 So what do you think of my reason?
 Thank you very much!


 Don


 DENNIS WILLIAMS wrote:

  Don
  SYS is the owner of the Oracle dictionary tables. It is a username with
  DBA privilege, so someone who logs in can change data. If you have changed
  its password, then you are assured that nobody is using that username right
  now. If you've changed its password, then I wouldn't worry about it right
  now.
  Since it sounds as if you are the only person that accesses this
  database, then you may want to change the username that owns your tables.
  Hopefully this username is not SYSTEM or SYS.
  After that, unless you know of other usernames someone might use to
  access your Oracle database, don't make any more security changes for
  awhile. Go back to trying to figure out why your data is changing without
  your changing it. It may well be there is an innocent reason that has
  nothing to do with someone else. I've had that happen to me when I've
  started using an unfamiliar system.
  And don't forget to buy a good Oracle DBA book like the one I suggested.
 
  Dennis Williams
  DBA, 80%OCP, 100% DBA
  Lifetouch, Inc.
  [EMAIL PROTECTED]
 
 
 
  -Original Message-
  Sent: Friday, July 11, 2003 3:49 PM
  To: Multiple recipients of list ORACLE-L
 
  Dennis:
 
  Thanks for your message. Now I have changed sys password by the following
  command:
  alter user sys identified by xxx
  But when I try to login from sql plus window by using sys, I cannot
  successfully login. Also I get an error message. The message is something like
  connection to sys should be as sysdba or sysoper. So my question is what is sys for?
  Thank you very much!
 
  Don
 
  DENNIS WILLIAMS wrote:
 
   Don
   If only you can make updates to your Oracle database, then you must enter
   all the data ;-)
  From the tone of your posting, I'm going to assume that you are pretty
   new to Oracle. You may want to get a good basic administration book like
   Oracle9i DBA 101.
  
   http://www.amazon.com/exec/obidos/tg/detail/-/0072224746/qid=1057949734/sr=8-1/ref=sr_8_1/104-2287688-5574335?v=glances=booksn=507846
   It is also a good idea to always mention your Oracle version and platform
   (Unix, NT, etc.) in your posts.
   First, log in with the SYSTEM username. Then change the password for SYSTEM
   and SYS with the command:
   ALTER USER SYSTEM IDENTIFIED BY x;
   Where x is your new password.
   You should be able to make these changes without affecting any end users.
   Next you should identify your groups of users and how they access Oracle.
   Basically you need to identify what their access requirements are and then
   audit the usernames they use to ensure the privileges granted are just what
   is required. This is also a good time to see about changing passwords, but
   first buy the book and read up on the basics of Oracle security.
  
   Dennis Williams
   DBA, 80%OCP, 100% DBA
   Lifetouch, Inc.
   [EMAIL PROTECTED]
  
   -Original Message-
   Sent: Friday, July 11, 2003 2:45 PM
   To: Multiple recipients of list ORACLE-L
  
   Hi,
  
   I have a security question about Oracle database. Recently I have taken
   full control an Oracle database in my department. Now I would like to
   make sure that no other people except myself can update data in that
   database. Can somebody tell me what it is necessary steps to do that?
   Any comments are highly appreciated. Thanks!
  
   Don
  
   --
   Please