Re: Re: RE: Re: Stop using SYS, SYSTEM?

2003-11-15 Thread Nuno Souto
Facetious, but correct. What you need is auditing. Not clipping userids. Achieves nothing. Cheers Nuno Souto [EMAIL PROTECTED] - Original Message - What I was saying is that having a different username for each DBA helps you identify the WHOM. Of course a hacker could always cut

RE: Re: RE: Re: Stop using SYS, SYSTEM?

2003-11-14 Thread Cupp Michael E Contr Det 1 AFRL/WSI
-Original Message- Sent: Thursday, November 13, 2003 10:49 PM To: Multiple recipients of list ORACLE-L SNIP Stopping someone from using a given set of accounts achieves preciously nothing in terms of security (or auditing) IF the functionality of those accounts is then replicated to

Re: Stop using SYS, SYSTEM?

2003-11-14 Thread QuijadaReina, Julio C
I thought SYS and SYSTEM were NOT 'PUBLIC' accounts. It all depends on how many people you let login as SYS or SYSTEM, and that decision will be different for each individual DBA. But my question is: How can you give a portion of SYS/SYSTEM functionality to Jane DBA and Joe DBA if you DO NOT have

RE: Stop using SYS, SYSTEM?

2003-11-14 Thread Bellow, Bambi
At some point, when you first create your database, you're going to have the passwords to sys and system... you created them. After that point, you create a DBA account for DBA1, DBA2... DBAn. Then you change the passwords for sys and system to something obscure. But keep them somewhere because

RE: Re: RE: Re: Stop using SYS, SYSTEM?

2003-11-14 Thread Jacques Kilchoer
-Original Message- Nuno Pinto do Souto I don't want to know that SYSTEM or SOUTON with a subset of its rights stuffed up my database or exported my main accounts and clients tables. What I want to know is WHY, WHEN, HOW and by WHOM. What I was saying is that having a different

Re: RE: Re: Stop using SYS, SYSTEM?

2003-11-13 Thread Arup Nanda
Nuno Pinto do Souto [EMAIL PROTECTED] wrote: And that's why I feel disabling SYS or SYSTEM purely on security grounds makes no sense whatsoever I'm not sure that's what the OP wanted. He wanted to know if stopping use of SYS and SYSTEM on a regular basis will be acceptable, not disable them. It

RE: Stop using SYS, SYSTEM?

2003-11-13 Thread Bellow, Bambi
There are fixed tables that are only queryable as SYS, too. Bambi. -Original Message- Sent: Wednesday, November 12, 2003 7:19 PM To: Multiple recipients of list ORACLE-L You would require SYS to carry out tasks like 1. grant execute on dbms_package to user 2. grant select on v_$view to

Re: Re: RE: Re: Stop using SYS, SYSTEM?

2003-11-13 Thread Nuno Pinto do Souto
Arup Nanda [EMAIL PROTECTED] wrote: I'm not sure that's what the OP wanted. He wanted to know if stopping use of SYS and SYSTEM on a regular basis will be acceptable, not disable them. It sure is. Besides, how does one disable the account? Lock it? SYSTEM can be locked but SYS can't be;

Re: Stop using SYS, SYSTEM?

2003-11-12 Thread Jared . Still
That won't work if you're using RMAN. The account that makes the backup needs to be able to do so as sysdba. You can't grant that through a role. The reason for separate accounts is accountability. But if you're not auditing, that won't help much, as you already stated. Jared Smith,

RE: Stop using SYS, SYSTEM?

2003-11-12 Thread Jesse, Rich
Or if you're auditing in a pre-9i DB, which won't audit SYS and SYSDBA. Rich Rich Jesse System/Database Administrator [EMAIL PROTECTED] Quad/Tech Inc, Sussex, WI USA -Original Message- Sent: Wednesday, November 12, 2003 2:30 PM To: Multiple

RE: Stop using SYS, SYSTEM?

2003-11-12 Thread Goulet, Dick
Personal Opinion here: I don't use SYS or system for anything where it is not absolutely required. All of the DBA's have the DBA role granted to them and we log on as ourselves. This is simply so that we don't accidentally step on something really important. In general one should never create

RE: Stop using SYS, SYSTEM?

2003-11-12 Thread David Wagoner
Jared, I followed Robert Freeman's advice and created an RMAN user in all my DBs called backup_admin with SYSDBA privilege so that RMAN doesn't use SYS or SYSTEM. This allows you to change system passwords at will and not interfere with backups. Works just

RE: Stop using SYS, SYSTEM?

2003-11-12 Thread Mercadante, Thomas F
I agree 100% with Dick. Nobody should be using SYS or SYSTEM. If RMAN requires a SYS connection, then so be it. Tom Mercadante Oracle Certified Professional -Original Message- Sent: Wednesday, November 12, 2003 3:45 PM To: Multiple recipients of list ORACLE-L Personal Opinion here:

RE: Stop using SYS, SYSTEM?

2003-11-12 Thread Thater, William
Smith, Ron L. scribbled on the wall in glitter crayon: We are being asked by Auditing to stop using the SYS, and SYSTEM accounts. They would like for us to create an Oracle Role with the same permissions as SYS and SYSTEM, then grant the role to each of the DBA's. Don't ask me why. Nothing

RE: Stop using SYS, SYSTEM?

2003-11-12 Thread Jamadagni, Rajendra
We avoid using SYS as much as we can, but we use SYSTEM ... cautiously I might add. Raj Rajendra dot Jamadagni at nospamespn dot com All Views expressed in this email are strictly personal. QOTD: Any clod can have

Re: Stop using SYS, SYSTEM?

2003-11-12 Thread Peter Gram
David You can remove the create session priv from the RMAN user and this will make it a little harder for most users to connect, but RMAN will work fine :-) David Wagoner wrote: Jared, I followed Robert Freeman's advice and created an RMAN user in all my DBs called backup_admin with SYSDBA

Re: Stop using SYS, SYSTEM?

2003-11-12 Thread Arup Nanda
Ron, It is a good practice, in general, to stop using SYS and SYSTEM accounts for everyday use. The simplest rule of thumb is accountability somehow increases many times over when you link a database named user to a physical person, not an ethereal entity like SYS. This is especially true if you

Re: Stop using SYS, SYSTEM?

2003-11-12 Thread Stephane Faroult
Smith, Ron L. wrote: We are being asked by Auditing to stop using the SYS, and SYSTEM accounts. They would like for us to create an Oracle Role with the same permissions as SYS and SYSTEM, then grant the role to each of the DBA's. Don't ask me why. Nothing is being audited in 99% of the

RE: Stop using SYS, SYSTEM?

2003-11-12 Thread Stephen.Lee
And for an opposing opinion: Let's see now. We create another user and grant that user all the privileges needed to do ANYTHING. And that makes things so much more secure? If that's the prevailing thought among the database world, then it's safe to say that the Unix admins have infinitely

RE: Stop using SYS, SYSTEM?

2003-11-12 Thread Jesse, Rich
PROTECTED] Sent: Wednesday, November 12, 2003 3:14 PM To: Multiple recipients of list ORACLE-L Subject: Re: Stop using SYS, SYSTEM? Ron, It is a good practice, in general, to stop using SYS and SYSTEM accounts for everyday use. The simplest rule of thumb is accountability somehow

Re: Stop using SYS, SYSTEM?

2003-11-12 Thread Pete Finnigan
Hi Ron, I just started to write an answer to agree with your auditor based on accountability and I saw Arup's answer come through so I have deleted my answer and just say I concur wholeheartedly with Arup. I also conduct Oracle security audits and I suggest to clients not to use SYS or SYSTEM for

RE: Stop using SYS, SYSTEM?

2003-11-12 Thread Michael Milligan
Ron, Here's the deal with sys and system. To have ultimate authority (like to shut down and start up the database), you have to log on with sysdba privileges. That means putting a username in the password file, which bestows the ability to log on with sysdba privileges. Here's the thing. No

RE: Stop using SYS, SYSTEM?

2003-11-12 Thread Smith, Ron L.
Where we work, there is one DBA responsible for each database. Each DBA is responsible for dozens of databases, servers, and applications. The only time another DBA is in one of my databases is when I am out of the office and can't get to a phone line or network connection. We never use SYS but

Re: Stop using SYS, SYSTEM?

2003-11-12 Thread Mladen Gogala
NO You should be using SYS and SYSTEM. You paid for them, so use them! What's the point in not using something that you've paid for? That would be like buying a Ferrari and then not driving it 150 mph along I-95. Who would want to do that? On 11/12/2003 03:54:25 PM, Thater, William wrote:

Re: Stop using SYS, SYSTEM?

2003-11-12 Thread Nuno Pinto do Souto
Smith, Ron L. [EMAIL PROTECTED] wrote: We are being asked by Auditing to stop using the SYS, and SYSTEM accounts. They would like for us to create an Oracle Role with the same permissions as SYS and SYSTEM, then grant the role to each of the DBA's. Don't ask me why. Nothing is being

RE: Stop using SYS, SYSTEM?

2003-11-12 Thread Bellow, Bambi
Ron -- Why do you need SYS or SYSTEM to do full exports and imports? I'll grant that there are those odd times when you need to use SYS and SYSTEM, but not then. Anybody with DBA granted to them can do full exports/imports. I'm doing it right now, as a matter of fact... with fromuser/touser

RE: Stop using SYS, SYSTEM?

2003-11-12 Thread Jared . Still
:44 PM Please respond to ORACLE-L To:Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: Stop using SYS, SYSTEM? Jared, I followed Robert Freeman's advice and created an RMAN user in all my DBs called backup_admin with SYSDBA privilege so that RMAN

Re: Stop using SYS, SYSTEM?

2003-11-12 Thread Jared . Still
respond to ORACLE-L To:Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:Re: Stop using SYS, SYSTEM? David You can remove the create session priv from the RMAN user and this will make it a little harder for most users to connect, but RMAN will work fine

Re: Stop using SYS, SYSTEM?

2003-11-12 Thread Arup Nanda
Whoa! That came out pretty strong :) I will reiterate your point A DBA needs DBA access to the system.. Absolutely, a DBA needs access to the database for performing certain operations. a DBA does not need to access the database as SYS explicitly. Oracle provides this via SYS and SYSTEM No, it

RE: Stop using SYS, SYSTEM?

2003-11-12 Thread GovindanK
grant exp_full_database to user; grant imp_full_database to user; No need for system account/dba privs to be used. HTH GovindanK Oracle Certified Professional(8,8i) Brainbench Certified Master DBA(8) We still have to use SYS and SYSTEM for database creates, full exports, imports, etc...

Re: Re: Stop using SYS, SYSTEM?

2003-11-12 Thread Nuno Pinto do Souto
Arup Nanda [EMAIL PROTECTED] wrote: Whoa! That came out pretty strong :) Fed-up with these new-fangled security experts popping up all over the place. Pretty soon we'll have another marketing driven lot of bullshit going round. With the usual crap associated with it. Next big thing, you

Re: Stop using SYS, SYSTEM?

2003-11-12 Thread GovindanK
You would require SYS to carry out tasks like 1. grant execute on dbms_package to user 2. grant select on v_$view to user Whether to have these things granted to PUBLIC is always debatable. .. .. Tell this to your auditing. And what they suggest too does not seem to hold water. HTH

RE: Re: Stop using SYS, SYSTEM?

2003-11-12 Thread Jacques Kilchoer
-Original Message- Nuno Pinto do Souto Fact is: an admin user MUST have access to an admin privileged account. Call it whatever you want, root or role, who cares. In my case I also enforce the don't sign on as SYS/SYSTEM rule. The reasons I do that: - The default tablespace for

Re: RE: Re: Stop using SYS, SYSTEM?

2003-11-12 Thread Nuno Pinto do Souto
Jacques Kilchoer [EMAIL PROTECTED] wrote: In my case I also enforce the don't sign on as SYS/SYSTEM rule. The reasons I do that: - The default tablespace for SYS is SYSTEM, and I don't like to change that. There are probably reasons why you wouldn't want to change that. But when I sign on to