Re: Re: RE: Re: Stop using SYS, SYSTEM?
Facetious, but correct. What you need is auditing. Not clipping userids. Achieves nothing.

Cheers
Nuno Souto
[EMAIL PROTECTED]

----- Original Message -----
> What I was saying is that having a different username for each DBA helps you
> identify the WHOM. Of course a hacker could always knock the DBA unconscious
> and prop up his head to fool an eye retina scan, à la James Bond, but by that
> argument any username or IP address or whatever else you use is meaningless.

--
Please see the official ORACLE-L FAQ: http://www.orafaq.net
--
Author: Nuno Souto
INET: [EMAIL PROTECTED]

Fat City Network Services -- 858-538-5051 http://www.fatcity.com
San Diego, California -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).
RE: Re: RE: Re: Stop using SYS, SYSTEM?
> -----Original Message-----
> Nuno Pinto do Souto
>
> I don't want to know that SYSTEM or SOUTON with a subset
> of its rights stuffed up my database or exported my main accounts
> and clients tables. What I want to know is WHY, WHEN, HOW and
> by WHOM.

What I was saying is that having a different username for each DBA helps you identify the WHOM. Of course a hacker could always knock the DBA unconscious and prop up his head to fool an eye retina scan, à la James Bond, but by that argument any username or IP address or whatever else you use is meaningless.

--
Author: Jacques Kilchoer
RE: Stop using SYS, SYSTEM?
At some point, when you first create your database, you're going to have the passwords to sys and system... you created them. After that point, you create a DBA account for DBA1, DBA2... DBAn. Then you change the passwords for sys and system to something obscure. But keep them somewhere because there will be isolated adventures where you need to log into SYS to do something wacky.

The same people who demand that auditing be turned on will probably also demand that the obscure passwords change on a regular basis, btw. They're so unreasonable.

HTH,
Bambi.

-----Original Message-----
Sent: Friday, November 14, 2003 7:39 AM
To: Multiple recipients of list ORACLE-L

I thought SYS and SYSTEM were NOT 'PUBLIC' accounts. It all depends on how many people you let login as SYS or SYSTEM, and that decision will be different for each individual DBA. But my question is: How can you give a portion of SYS/SYSTEM functionality to Jane DBA and Joe DBA if you DO NOT have SYS and SYSTEM to begin with?

Julio Cesar Quijada-Reina
Programmer Analyst
Computer Services at Alfred State College

-----Original Message-----
Cupp Michael E Contr Det 1 AFRL/WSI
Sent: Friday, November 14, 2003 8:09 AM
To: Multiple recipients of list ORACLE-L

-----Original Message-----
Sent: Thursday, November 13, 2003 10:49 PM
To: Multiple recipients of list ORACLE-L

> Stopping someone from using a given set of accounts achieves precisely
> nothing in terms of security (or auditing) IF the functionality of those
> accounts is then replicated to other accounts.

Not if someone (i.e. an 'operator') is only using a portion of the access (COMPLETE) that is given to sys and/or system.

> Fact is a DBA needs to be able to exp/imp (debatable, but let's ignore
> that). And manage rights. And manage space. And manage allocations,
> And monitor the system. And a myriad of other tasks immaterial to the
> point I'm trying to make.

But a user account for Joe DBA and another user account for Jane DBA, etc, etc will provide accountability and traceability, whereas a 'public' account does not.

Just my $0.02

--
Author: Cupp Michael E Contr Det 1 AFRL/WSI

--
Author: QuijadaReina, Julio C

--
Author: Bellow, Bambi
Re: Stop using SYS, SYSTEM?
I thought SYS and SYSTEM were NOT 'PUBLIC' accounts. It all depends on how many people you let login as SYS or SYSTEM, and that decision will be different for each individual DBA. But my question is: How can you give a portion of SYS/SYSTEM functionality to Jane DBA and Joe DBA if you DO NOT have SYS and SYSTEM to begin with?

Julio Cesar Quijada-Reina
Programmer Analyst
Computer Services at Alfred State College

-----Original Message-----
Cupp Michael E Contr Det 1 AFRL/WSI
Sent: Friday, November 14, 2003 8:09 AM
To: Multiple recipients of list ORACLE-L

-----Original Message-----
Sent: Thursday, November 13, 2003 10:49 PM
To: Multiple recipients of list ORACLE-L

> Stopping someone from using a given set of accounts achieves precisely
> nothing in terms of security (or auditing) IF the functionality of those
> accounts is then replicated to other accounts.

Not if someone (i.e. an 'operator') is only using a portion of the access (COMPLETE) that is given to sys and/or system.

> Fact is a DBA needs to be able to exp/imp (debatable, but let's ignore
> that). And manage rights. And manage space. And manage allocations,
> And monitor the system. And a myriad of other tasks immaterial to the
> point I'm trying to make.

But a user account for Joe DBA and another user account for Jane DBA, etc, etc will provide accountability and traceability, whereas a 'public' account does not.

Just my $0.02

--
Author: Cupp Michael E Contr Det 1 AFRL/WSI

--
Author: QuijadaReina, Julio C
RE: Re: RE: Re: Stop using SYS, SYSTEM?
-----Original Message-----
Sent: Thursday, November 13, 2003 10:49 PM
To: Multiple recipients of list ORACLE-L

> Stopping someone from using a given set of accounts achieves precisely
> nothing in terms of security (or auditing) IF the functionality of those
> accounts is then replicated to other accounts.

Not if someone (i.e. an 'operator') is only using a portion of the access (COMPLETE) that is given to sys and/or system.

> Fact is a DBA needs to be able to exp/imp (debatable, but let's ignore
> that). And manage rights. And manage space. And manage allocations,
> And monitor the system. And a myriad of other tasks immaterial to the
> point I'm trying to make.

But a user account for Joe DBA and another user account for Jane DBA, etc, etc will provide accountability and traceability, whereas a 'public' account does not.

Just my $0.02

--
Author: Cupp Michael E Contr Det 1 AFRL/WSI
Re: Re: RE: Re: Stop using SYS, SYSTEM?
> Arup Nanda <[EMAIL PROTECTED]> wrote:
> I'm not sure that's what the OP wanted. He wanted to know if stopping use of
> SYS and SYSTEM on a regular basis will be acceptable, not "disable" them. It
> sure is.
> Besides, how does one disable the account? Lock it? SYSTEM can be locked but
> SYS can't be; hence the whole concept of disabling does not make sense.

I hear what you're saying, but define "acceptable". And how do you stop someone from using a given userid other than disabling it? How you disable is of course dependent on what the software maker provides you. In the case of SYS, probably changing passwords is the only way. In the case of SYSTEM I think it can be disabled, although I'm not sure of the impact of that on tools that may need it. I'd rather use the password method; that way all I need do to "enable" it is change the password again.

> I feel the auditors merely wanted the OP to stop using SYS and SYSTEM on a
> regular basis in operations that require a DBA access - such as full exports
> and selecting from dictionary tables. IMHO this is a very valid advisory
> and not difficult to follow.

Stopping someone from using a given set of accounts achieves precisely nothing in terms of security (or auditing) IF the functionality of those accounts is then replicated to other accounts.

Fact is a DBA needs to be able to exp/imp (debatable, but let's ignore that). And manage rights. And manage space. And manage allocations. And monitor the system. And a myriad of other tasks immaterial to the point I'm trying to make. Those are conveniently provided for by Oracle on a default install using the SYSTEM account. This is what it is for, this is the work of a DBA, this is WHY that account has been given those access rights. SYS is debatable and Oracle may now want to discourage people from using it. Fair enough. But SYSTEM is the DBA account par excellence, in the same way that root is also a sysadmin account.

Now you may take away the accounts, but you MUST provide the functionality (or a subset) SOMEHOW, or else the DBA (or the sysadmin) can NOT do his/her work. If you provide the function through another account, then EFFECTIVELY, all you have achieved is change the name of the account that does that function. Security wise, you are back exactly where you started! And all you have achieved is create a whole lot of risks for the next person that comes along and installs some software.

The auditors should be defining a set of functions that must be audited and to what level, and the DBA (and Oracle!) should look at how to implement those. Whether they are executed by logonid A, B or MXYZPTLK is essentially just spurious information (other than of course knowing WHO has the password for that ID!). Does Oracle provide a facility to properly audit all this? IMHO, far from it. But it's getting better.

I don't want to know that SYSTEM or SOUTON with a subset of its rights stuffed up my database or exported my main accounts and clients tables. What I want to know is WHY, WHEN, HOW and by WHOM. So that I can reconstruct the events, and hopefully prevent the problem from ever happening again. Changing the login names DBAs use doesn't cut it for this, other than to look good in "auditor's reports".

If there is one thing that the military are good at (!) it is in defining precisely what security and auditing consists of. Have a look at a secure military installation and you'll find it's not about stopping people from using this or that, it's about KNOWING who did what, how and when.

Cheers
Nuno Souto
[EMAIL PROTECTED]

--
Author: Nuno Pinto do Souto
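The WHO / WHEN / HOW / from WHERE that Nuno asks for is what Oracle's own (traditional, pre-12c) auditing records, whichever named account held the privilege. The following is an added example and not code from the thread: it assumes AUDIT_TRAIL=DB has been set and the instance restarted, is run by a user holding the AUDIT SYSTEM privilege, and uses hypothetical application tables APP_OWNER.ACCOUNTS and APP_OWNER.CLIENTS.

```sql
-- Added example (not from the thread). Assumes AUDIT_TRAIL=DB is in effect
-- and that the session holds the AUDIT SYSTEM privilege.

-- Statement-level options: every CREATE/ALTER/DROP of a tablespace, user or
-- role, and every GRANT/REVOKE of a system privilege or role, one record per
-- statement, whether it succeeded or failed.
AUDIT TABLESPACE, USER, ROLE, SYSTEM GRANT BY ACCESS;

-- System-privilege options for the "who dropped the tablespace" class of event.
AUDIT DROP ANY TABLE, DROP ANY INDEX, ALTER DATABASE, ALTER SYSTEM BY ACCESS;

-- Object-level options on the tables a full export would read
-- (APP_OWNER.ACCOUNTS and APP_OWNER.CLIENTS are hypothetical names).
AUDIT SELECT ON app_owner.accounts BY ACCESS;
AUDIT SELECT ON app_owner.clients  BY ACCESS;

-- Reconstructing events afterwards. Each audit record carries the database
-- account, the client OS account, the client host and terminal, the time,
-- the action and the object, so the named account (JDOE, SYSTEM, ...) is
-- just one column among the facts that identify the event.
SELECT timestamp,
       username,                       -- database account used
       os_username,                    -- OS account on the client side
       userhost,
       terminal,
       action_name,                    -- e.g. DROP TABLESPACE, SELECT, GRANT ROLE
       owner || '.' || obj_name AS object_name,
       returncode                      -- 0 = succeeded, otherwise the ORA- error
  FROM dba_audit_trail
 WHERE timestamp > SYSDATE - 7
   AND action_name IN ('DROP TABLESPACE', 'DROP TABLE', 'SELECT')
 ORDER BY timestamp;
```

One caveat that bears directly on the "SYS can't be locked" point: these options do not record what is done from a SYS or AS SYSDBA connection in DBA_AUDIT_TRAIL. From 9i onwards, setting AUDIT_SYS_OPERATIONS=TRUE writes every statement issued by such connections to the operating-system audit files under AUDIT_FILE_DEST, which is the only way to get WHEN and HOW for the account the thread says cannot be disabled.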
RE: Stop using SYS, SYSTEM?
There are fixed tables that are only queryable as SYS, too.

Bambi.

-----Original Message-----
Sent: Wednesday, November 12, 2003 7:19 PM
To: Multiple recipients of list ORACLE-L

You would require SYS to carry out tasks like
1. grant execute on dbms_package to
2. grant select on v_$view to
Whether to have these things granted to PUBLIC is always debatable.
..
..
Tell this to your auditing. And what they suggest too does not seem to hold water.

HTH
GovindanK
Oracle Certified Professional(8,8i)
Brainbench Certified Master DBA(8)

On Wed, 12 Nov 2003 12:04:35 -0800, "Smith, Ron L." <[EMAIL PROTECTED]> said:
> We are being asked by Auditing to stop using the SYS, and SYSTEM
> accounts. They would like for us to create an Oracle Role with the same
> permissions as SYS and SYSTEM, then grant the role to each of the DBA's.
> Don't ask me why. Nothing is being audited in 99% of the databases.
> They just say it in a paper somewhere so they said we shouldn't use it.
> This seems like it would cause lots of problems with exports, imports,
> installs, etc... Has anyone had to deal with this type of request? Any
> potential problems with making the change?
>
> Thanks!
> Ron Smith

--
Author: GovindanK

--
Author: Bellow, Bambi
Re: RE: Re: Stop using SYS, SYSTEM?
"Nuno Pinto do Souto" <[EMAIL PROTECTED]> wrote:
> And that's why I feel disabling SYS or SYSTEM purely on
> "security" grounds makes no sense whatsoever

I'm not sure that's what the OP wanted. He wanted to know if stopping use of SYS and SYSTEM on a regular basis will be acceptable, not "disable" them. It sure is.

Besides, how does one disable the account? Lock it? SYSTEM can be locked but SYS can't be; hence the whole concept of disabling does not make sense.

I feel the auditors merely wanted the OP to stop using SYS and SYSTEM on a regular basis in operations that require a DBA access - such as full exports and selecting from dictionary tables. IMHO this is a very valid advisory and not difficult to follow.

Arup

----- Original Message -----
To: "Multiple recipients of list ORACLE-L" <[EMAIL PROTECTED]>
Sent: Thursday, November 13, 2003 12:49 AM

> > Jacques Kilchoer <[EMAIL PROTECTED]> wrote:
> > In my case I also enforce the "don't sign on as SYS/SYSTEM" rule. The
> > reasons I do that:
> > - The default tablespace for SYS is SYSTEM, and I don't like to
> > change that. There are probably reasons why you wouldn't want to
> > change that. But when I sign on to do my DBA work to try something I
> > don't want to have to specify a tablespace name every time I create a
> > test object like CREATE TABLE TEST (X NUMBER) STORAGE (INITIAL 1000M)
>
> It has nothing to do with the dba role itself and its security.
> Oracle just happens to associate user SYS with the SYSTEM tablespace.
> Fair enough that you may not want that association by default.
>
> > - If each DBA has a named account, it's easy to tell who's logged in
> > to the database by saying
> > SELECT USERNAME FROM V$SESSION ;
> > otherwise I would have to figure out who could be logged on as SYSTEM
> > to call them and ask them if it's OK to shutdown the database.
>
> That is a pure audit requirement: you want to know who is using
> DBA access. Nothing to do with SYSTEM. If you remove SYS and SYSTEM,
> there is nothing in USERNAME in V$SESSION that will tell you username
> BLOGGSJ is using DBA rights. Other than your own prior knowledge that
> is the case. In a way, you're worse off.
>
> > Telling all the DBAs "sign on as SYSTEM" would be (IMHO) like telling
> > all the programmers "You can all sign on as user 'coder'" and all
> > users "you can all sign on in the database as user
> > 'data_entry_person'".
>
> Don't they always?
>
> Quite frankly, the problem as I see it is that I want to know WHO
> "dropped the tablespace" and WHEN and from WHERE.
> That whoever did it had DBA access rights is a given, I don't need it
> clarified!
>
> It's the who, when and where that is the province of auditing. And have
> nothing to do with SYS, SYSTEM or whatever, other than as information.
> Using or not using SYS or SYSTEM adds nothing to this knowledge or
> its implicit security.
>
> And that's why I feel disabling SYS or SYSTEM purely on "security" grounds
> makes no sense whatsoever. Of course, one may want to reduce the
> risk of accidents and therefore lock those out. Even then, debatable if that is
> the best way of doing it: accidentally "dropping the tablespace" produces
> the same chaotic results regardless of what account one does it from.
>
> Cheers
> Nuno Souto
> [EMAIL PROTECTED]
> --
> Author: Nuno Pinto do Souto

--
Author: Arup Nanda
Re: RE: Re: Stop using SYS, SYSTEM?
> Jacques Kilchoer <[EMAIL PROTECTED]> wrote:
> In my case I also enforce the "don't sign on as SYS/SYSTEM" rule. The
> reasons I do that:
> - The default tablespace for SYS is SYSTEM, and I don't like to
> change that. There are probably reasons why you wouldn't want to
> change that. But when I sign on to do my DBA work to try something I
> don't want to have to specify a tablespace name every time I create a
> test object like CREATE TABLE TEST (X NUMBER) STORAGE (INITIAL 1000M)

It has nothing to do with the dba role itself and its security. Oracle just happens to associate user SYS with the SYSTEM tablespace. Fair enough that you may not want that association by default.

> - If each DBA has a named account, it's easy to tell who's logged in
> to the database by saying
> SELECT USERNAME FROM V$SESSION ;
> otherwise I would have to figure out who could be logged on as SYSTEM
> to call them and ask them if it's OK to shutdown the database.

That is a pure audit requirement: you want to know who is using DBA access. Nothing to do with SYSTEM. If you remove SYS and SYSTEM, there is nothing in USERNAME in V$SESSION that will tell you username BLOGGSJ is using DBA rights. Other than your own prior knowledge that is the case. In a way, you're worse off.

> Telling all the DBAs "sign on as SYSTEM" would be (IMHO) like telling
> all the programmers "You can all sign on as user 'coder'" and all
> users "you can all sign on in the database as user
> 'data_entry_person'".

Don't they always?

Quite frankly, the problem as I see it is that I want to know WHO "dropped the tablespace" and WHEN and from WHERE. That whoever did it had DBA access rights is a given, I don't need it clarified!

It's the who, when and where that is the province of auditing. And they have nothing to do with SYS, SYSTEM or whatever, other than as information. Using or not using SYS or SYSTEM adds nothing to this knowledge or its implicit security.

And that's why I feel disabling SYS or SYSTEM purely on "security" grounds makes no sense whatsoever. Of course, one may want to reduce the risk of accidents and therefore lock those out. Even then, debatable if that is the best way of doing it: accidentally "dropping the tablespace" produces the same chaotic results regardless of what account one does it from.

Cheers
Nuno Souto
[EMAIL PROTECTED]

--
Author: Nuno Pinto do Souto
RE: Re: Stop using SYS, SYSTEM?
> -----Original Message-----
> Nuno Pinto do Souto
>
> Fact is: an admin user MUST have access to an admin
> privileged account.
> Call it whatever you want, root or role, who cares.

In my case I also enforce the "don't sign on as SYS/SYSTEM" rule. The reasons I do that:

- The default tablespace for SYS is SYSTEM, and I don't like to change that. There are probably reasons why you wouldn't want to change that. But when I sign on to do my DBA work to try something I don't want to have to specify a tablespace name every time I create a test object like CREATE TABLE TEST (X NUMBER) STORAGE (INITIAL 1000M)

- If each DBA has a named account, it's easy to tell who's logged in to the database by saying
  SELECT USERNAME FROM V$SESSION ;
  otherwise I would have to figure out who could be logged on as SYSTEM to call them and ask them if it's OK to shutdown the database.

Telling all the DBAs "sign on as SYSTEM" would be (IMHO) like telling all the programmers "You can all sign on as user 'coder'" and all users "you can all sign on in the database as user 'data_entry_person'".

--
Author: Jacques Kilchoer
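Jacques's V$SESSION query, extended as an added example (not from the thread) so that it also answers Nuno's objection in his reply above: USERNAME on its own does not tell you that BLOGGSJ holds DBA rights, but a join to the role grants does, along with the OS user and machine you would need in order to call the person before a shutdown. It assumes SELECT access on V_$SESSION and DBA_ROLE_PRIVS (both covered by SELECT_CATALOG_ROLE) and a database new enough for ANSI join syntax (9i or later).

```sql
-- Added example (not from the thread). Lists connected user sessions and
-- flags the ones whose database account has been granted the DBA role.
SELECT s.username,
       s.osuser,                        -- OS account on the client, for the phone call
       s.machine,
       s.program,
       s.logon_time,
       s.sid,
       s.serial#,
       CASE WHEN r.grantee IS NOT NULL THEN 'YES' ELSE 'no' END AS has_dba_role
  FROM v$session s
  LEFT JOIN dba_role_privs r
         ON r.grantee      = s.username
        AND r.granted_role = 'DBA'
 WHERE s.type = 'USER'                  -- leave out the background processes
 ORDER BY has_dba_role DESC, s.logon_time;
```

Two limits worth knowing before relying on it. The join only sees DBA granted directly to the account; a DBA role reached through another role needs a walk of ROLE_ROLE_PRIVS. And a session opened AS SYSDBA shows USERNAME = 'SYS' regardless of which named account or OS user opened it, so for those sessions OSUSER and MACHINE are the only identifying columns, which is precisely the gap the thread's auditing discussion is about.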
Re: Stop using SYS, SYSTEM?
You would require SYS to carry out tasks like
1. grant execute on dbms_package to
2. grant select on v_$view to
Whether to have these things granted to PUBLIC is always debatable.
..
..
Tell this to your auditing. And what they suggest too does not seem to hold water.

HTH
GovindanK
Oracle Certified Professional(8,8i)
Brainbench Certified Master DBA(8)

On Wed, 12 Nov 2003 12:04:35 -0800, "Smith, Ron L." <[EMAIL PROTECTED]> said:
> We are being asked by Auditing to stop using the SYS, and SYSTEM
> accounts. They would like for us to create an Oracle Role with the same
> permissions as SYS and SYSTEM, then grant the role to each of the DBA's.
> Don't ask me why. Nothing is being audited in 99% of the databases.
> They just say it in a paper somewhere so they said we shouldn't use it.
> This seems like it would cause lots of problems with exports, imports,
> installs, etc... Has anyone had to deal with this type of request? Any
> potential problems with making the change?
>
> Thanks!
> Ron Smith

--
Author: GovindanK
Re: Re: Stop using SYS, SYSTEM?
> Arup Nanda <[EMAIL PROTECTED]> wrote:
>
> Whoa! That came out pretty strong :)

Fed-up with these new-fangled security "experts" popping up all over the place. Pretty soon we'll have another marketing driven lot of bullshit going round. With the usual crap associated with it. Next "big thing", you know the sort...

> "Oracle provides this via SYS and SYSTEM"
>
> No, it doesn't. It has the DBA role for that. SYSTEM, I can accept as a DBA
> user, but not SYS; it's not a user to be used as an access mechanism; its
> purpose is to be a schema - a repository.

Splitting hairs here. Point is: SYS and SYSTEM are used by DBAs all over the world. If Oracle has chosen to add AS SYSDBA to SYS as a way of reinforcing that it is only to be used for very special purposes, that only reinforces my point: used ONLY by DBAs. And very sparingly, whenever needed. That has nothing to do with security of the role itself.

> Remember the
> initial days of Oracle 9i?

I even remember the initial days of V5, let alone 9i!

> Take a page from our friendly neighborhood unix sys admins. Most systems
> require direct connect to root user on the console only;

Not quite the case. root is accessible from anywhere, unless it's been assigned to a single terminal. It's not, by default. Ask a Unix sysadmin to give up his/her "sudo" or even "su" and watch the reaction. Nearly impossible to do any work.

Fact is: an admin user MUST have access to an admin privileged account. Call it whatever you want, root or role, who cares. Whether this access is directly on the console, via "sudo", via script, via auditing, via bleeding whatever, is completely the realm of semantics and policy. If a company has a policy that says admins must be "controlled", then do it the same way ANY OTHER engineering technical task is controlled: use auditing. Trying to artificially make access harder for those that need it is absolutely counter-productive and achieves nothing. Other than the Charlie Brown wet pants syndrome: gives you a warm feeling and nobody cares.

By definition, the DBA role has certain privileges of access that are far less restrictive than anybody else's. Whether that is granted via SYS, SYSTEM or role is not the issue. The issue is: can it be audited so that it is accounted for, if that is the policy of the company?

> following a good practice and obstructing progress. A cowboy mentality to
> approach any such issue might be a little detrimental, I think.
>

I think the last person you can associate a "cowboy mentality" approach in relation to is me, and I resent that remark. It's not by accident I have a current top level security clearance with the Australian Defense Forces and they don't usually grant them to cowboys... I'm getting a bit fed-up with my name being, intentionally or not, associated with "examples": there is simply no call for that and it's very old hat.

Cheers
Nuno Souto
[EMAIL PROTECTED]

--
Author: Nuno Pinto do Souto
RE: Stop using SYS, SYSTEM?
grant exp_full_database to ;
grant imp_full_database to ;

No need for system account/dba privs to be used.

HTH
GovindanK
Oracle Certified Professional(8,8i)
Brainbench Certified Master DBA(8)

> We still have to use SYS and SYSTEM for database creates, full exports,
> imports, etc... The only thing I can see creating a dummy SYSTEM
> account would do is to add one more userid and dozens of new passwords
> to the database and more work for an already short handed staff.
>
> Ron Smith

--
Author: GovindanK
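GovindanK's two grants, built out as an added example (not from the thread) into a named export/import operator account that never needs SYS, SYSTEM or the full DBA role, together with the SYS-owned object grants from his earlier reply (execute on a DBMS_ package, select on a V_$ view). The role name EXP_OPERATOR, the user JDOE, the tablespace TOOLS, the package DBMS_STATS and the password value are all assumptions. It is run as SYS because the V_$ views and DBMS_ packages are owned by SYS, which is the only account (short of one holding GRANT ANY OBJECT PRIVILEGE) that can grant on them.

```sql
-- Added example (not from the thread). Run as SYS. EXP_OPERATOR, JDOE,
-- TOOLS, DBMS_STATS and the password are assumed names/values.

CREATE ROLE exp_operator;

-- Oracle-supplied roles that let exp/imp perform a full database export
-- and import without the DBA role.
GRANT exp_full_database, imp_full_database TO exp_operator;

-- Read-only access to the data dictionary for monitoring work.
GRANT select_catalog_role TO exp_operator;

-- Object grants only SYS can make. Grant on the underlying V_$ object,
-- not on the public synonym V$SESSION, or the grant fails.
GRANT SELECT  ON sys.v_$session TO exp_operator;
GRANT EXECUTE ON sys.dbms_stats TO exp_operator;

-- The named account: default tablespace away from SYSTEM, password to be
-- changed at first logon (placeholder value).
CREATE USER jdoe IDENTIFIED BY "ReplaceMeAtFirstLogon1"
  DEFAULT TABLESPACE tools
  TEMPORARY TABLESPACE temp
  QUOTA UNLIMITED ON tools
  PASSWORD EXPIRE;
GRANT CREATE SESSION, exp_operator TO jdoe;

-- Verification an auditor can read off the dictionary instead of a memo:
-- what the account holds, and which system privileges the export role brings in.
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE grantee IN ('JDOE', 'EXP_OPERATOR')
 ORDER BY grantee, granted_role;

SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE grantee IN ('EXP_FULL_DATABASE', 'IMP_FULL_DATABASE')
 ORDER BY grantee, privilege;
```

The second verification query is the one to look at before calling this "least privilege": EXP_FULL_DATABASE and IMP_FULL_DATABASE carry broad system privileges of their own (SELECT ANY TABLE among them), so a named operator account is an improvement in accountability, as Cupp and Jacques argue, rather than a reduction in what the person can do, which is Nuno's point.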
Re: Stop using SYS, SYSTEM?
Whoa! That came out pretty strong :)

I will reiterate your point: "A DBA needs DBA access to the system." Absolutely, a DBA needs access to the database for performing certain operations. A DBA does not need to access the database as SYS explicitly.

"Oracle provides this via SYS and SYSTEM" No, it doesn't. It has the DBA role for that. SYSTEM I can accept as a DBA user, but not SYS; it's not a user to be used as an access mechanism; its purpose is to be a schema - a repository.

Well, let's take a look at the past to gain some perspective. Remember the initial days of Oracle 9i? Suddenly you couldn't connect to SYS as a regular account; instead you had to use the AS SYSDBA clause. A lot of such strong words must have echoed around the world for Oracle Corp asking us to type the extra eight characters. But the rationale, I think, people have understood by now, is far more valuable than the extra effort. SYS is a special account, not a regular DBA account, pure and simple. SYS owns the special objects that are precious for the database to operate; it is not a requirement of the database that SYS must be used to do certain things such as full export or shutdown/startup. By mandating the AS SYSDBA clause, Oracle at least made us aware that the account should not be used for regular super user type maintenance such as creation of users and full exports.

Take a page from our friendly neighborhood unix sys admins. Most systems require direct connect to the root user on the console only; and the sys admins always use their own accounts to manage the system. This way they avoid the inadvertent mistake where an important file is overwritten or deleted. The use of home directories prevents such an accident. The same goes here - using named accounts in Oracle such as JDOE as a DBA with a default tablespace other than SYSTEM will prevent that. What are the odds of such a thing happening? I don't know; but planning to have a user other than SYS sure beats the odds any day.
A security advisory is exactly that, an _advisory_; it's not cast in stone. The needs of the organization dictate what is the good tradeoff between following a good practice and obstructing progress. A cowboy mentality to approach any such issue might be a little detrimental, I think.

Arup

- Original Message -
To: "Multiple recipients of list ORACLE-L" <[EMAIL PROTECTED]>
Sent: Wednesday, November 12, 2003 6:44 PM

> > Smith, Ron L. <[EMAIL PROTECTED]> wrote:
> >
> > We are being asked by Auditing to stop using the SYS, and SYSTEM
> > accounts. They would like for us to create an Oracle Role with the
> > same permissions as SYS and SYSTEM, then grant the role to each of
> > the DBA's. Don't ask me why. Nothing is being audited in 99% of the
> > databases. They just say it in a paper somewhere so they said we
> > shouldn't use it. This seems like it would cause lots of problems
> > with exports, imports, installs, etc... Has anyone had to deal with
> > this type of request? Any potential problems with making the change?
>
> Quite a few potential problems. This is typical security jackass
> kneejerk reaction, pure and simple. A DBA needs DBA access
> to the system. Oracle provides this via SYS and SYSTEM. Period.
> The rest is just hazy, unprovable, half-cooked "security" bullshit
> from people who read this and that everywhere and are by default
> considered experts by even less competent damagement.
>
> Granting all rights of user SYS and SYSTEM to a role and then granting
> that role to a DBA user reeks of sheer stupidity. If the issue is auditing,
> then use auditing. That's what it's there for. If the issue is use of DBA
> access, then get rid of the DBAs. (See how long that lasts...)
>
> This sort of thing reminds me of the time I used to work at a very secure site
> back in the early 90s, where we had to request a security officer to give us
> the password for SYS and SYSTEM in order to do our job. The officer changed
> the password before passing it on to us verbally. He then proceeded to watch us
> type on the screen, then watched us log out and then changed the password
> again on the spot. Very secure, very procedural, very formal.
>
> Except the officer was not a DBA, knew zilch about SQL and couldn't discern
> if we were copying the entire main accounts table to a non-secure area if his life
> depended on it.
>
> Great security! No wonder it got exposed a few years later in a well known
> incident.
>
> The issue of course is that what these people needed was auditing, not security.
> But try as we might, we could not make their "experts" understand the
> diff...
>
> Cheers
> Nuno Souto
> [EMAIL PROTECTED]
> --
> Author: Nuno Pinto do Souto
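As an added example (not code from the thread), the named-account setup Arup and GovindanK describe, in Oracle SQL: a per-person DBA account with its own default tablespace, the DBA role plus the export/import roles, and SYSTEM locked. JDOE, DBA_WORK, the datafile path and the passwords are placeholders.

```sql
-- Added example, not from the thread: one named DBA account per person
-- instead of a shared SYSTEM login. Run once as SYS AS SYSDBA.
-- Placeholders: JDOE, DBA_WORK, the datafile path, the passwords.

-- A working tablespace so nothing a DBA creates by accident lands in SYSTEM
CREATE TABLESPACE dba_work
  DATAFILE '/u01/oradata/ORCL/dba_work01.dbf' SIZE 100M;   -- placeholder path

-- The named account: one per person, never shared
CREATE USER jdoe IDENTIFIED BY "placeholder_initial_pw"
  DEFAULT TABLESPACE dba_work
  TEMPORARY TABLESPACE temp
  QUOTA UNLIMITED ON dba_work
  PASSWORD EXPIRE;              -- forces a personal password at first login

-- Day-to-day DBA work, and full export/import as GovindanK points out,
-- needs neither the SYS nor the SYSTEM password
GRANT DBA TO jdoe;
GRANT EXP_FULL_DATABASE, IMP_FULL_DATABASE TO jdoe;

-- SYSTEM can be locked (SYS cannot); unlock it only when a documented
-- procedure actually requires it
ALTER USER system ACCOUNT LOCK;

-- Verification: every holder of the DBA role has a non-SYSTEM default
-- tablespace, and SYSTEM shows as LOCKED
SELECT u.username, u.default_tablespace, u.account_status
  FROM dba_users u
 WHERE u.username IN ('SYS', 'SYSTEM')
    OR u.username IN (SELECT grantee
                        FROM dba_role_privs
                       WHERE granted_role = 'DBA')
 ORDER BY u.username;
```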
Re: Stop using SYS, SYSTEM?
Even though RMAN wouldn't be able to connect in sqlplus, it would still be able to via the rman executable.

"Oh Mr. RMAN, please backup that critical data to my laptop so I can burn it into a CD" ;)

Jared


Peter Gram <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
11/12/2003 12:54 PM
Please respond to ORACLE-L

To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
cc:
Subject: Re: Stop using SYS, SYSTEM?

David

You can remove the "create session" priv from the RMAN user and this will make it a little harder for most users to connect, but RMAN will work fine :-)

David Wagoner wrote:
> Jared,
>
> I followed Robert Freeman's advice and created an RMAN user in all my
> DBs called backup_admin with SYSDBA privilege so that RMAN doesn't use
> SYS or SYSTEM. This allows you to change system passwords at will and
> not interfere with backups. Works just fine.
>
> Is this what you were talking about? Perhaps I misunderstood.
>
> Best regards,
>
> David B. Wagoner
> Database Administrator
> Arsenal Digital Solutions
> Web: http://www.arsenaldigital.com
>
> -----Original Message-----
> From: Smith, Ron L. [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 12, 2003 3:05 PM
> To: Multiple recipients of list ORACLE-L
> Subject: Stop using SYS, SYSTEM?
>
> We are being asked by Auditing to stop using the SYS, and SYSTEM
> accounts. They would like for us to create an Oracle Role with the same
> permissions as SYS and SYSTEM, then grant the role to each of the DBA's.
> Don't ask me why. Nothing is being audited in 99% of the databases.
> They just say it in a paper somewhere so they said we shouldn't use it.
> This seems like it would cause lots of problems with exports, imports,
> installs, etc... Has anyone had to deal with this type of request? Any
> potential problems with making the change?
>
> Thanks!
> Ron Smith
> --
> Author: Smith, Ron L.

--
Peter Gram, Miracle A/S
Phone : +45 2527 7107, Fax : +45 4466 8856, Home +45 3874 5696
mail : [EMAIL PROTECTED] - http://MiracleAS.dk
Upcoming events: Miracle Master Class with Tom Kyte, 12-14 January 2004
Visit http://miracleas.dk/en/events.html#MasterClass
Visit http://www.miracleas.dk for news!
--
Author: Peter Gram
RE: Stop using SYS, SYSTEM?
The email I replied to stated that all users that required privs (such as DBA) would be given the necessary roles. That's fine for many things, but some accounts still need the SYSDBA priv.

The one thing you get from that is accountability: if the database is 9i or later and sysdba can be audited, and if anyone with access to the account is not smart enough or knowledgeable enough to cover his tracks, then you might be able to establish a trail.

In the case of something like RMAN, you may rarely need to use that account interactively. One solution at times suggested is to lock the password away in a safe, usually under the auspices of a manager. This implies that the mgr is somehow more trustworthy, or less likely to muck about in a system using the forbidden account. That just seems naive to me.

Jared


David Wagoner <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
11/12/2003 12:44 PM
Please respond to ORACLE-L

To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
cc:
Subject: RE: Stop using SYS, SYSTEM?

Jared,

I followed Robert Freeman's advice and created an RMAN user in all my DBs called backup_admin with SYSDBA privilege so that RMAN doesn't use SYS or SYSTEM. This allows you to change system passwords at will and not interfere with backups. Works just fine.

Is this what you were talking about? Perhaps I misunderstood.

Best regards,

David B. Wagoner
Database Administrator
Arsenal Digital Solutions
Web: http://www.arsenaldigital.com

-----Original Message-----
Sent: Wednesday, November 12, 2003 3:05 PM
To: Multiple recipients of list ORACLE-L

We are being asked by Auditing to stop using the SYS, and SYSTEM accounts. They would like for us to create an Oracle Role with the same permissions as SYS and SYSTEM, then grant the role to each of the DBA's. Don't ask me why. Nothing is being audited in 99% of the databases. They just say it in a paper somewhere so they said we shouldn't use it. This seems like it would cause lots of problems with exports, imports, installs, etc... Has anyone had to deal with this type of request? Any potential problems with making the change?

Thanks!
Ron Smith
--
Author: Smith, Ron L.
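An added example (not from the thread) of the backup_admin account David describes, with Peter's twist of not granting CREATE SESSION, in Oracle SQL. BACKUP_ADMIN, ORCL and the passwords are placeholders, and the instance is assumed to use a password file (REMOTE_LOGIN_PASSWORDFILE=EXCLUSIVE).

```sql
-- Added example, not from the thread: a dedicated RMAN account that holds
-- SYSDBA but nothing else, so SYS/SYSTEM passwords can rotate freely.
-- Run as SYS AS SYSDBA. Placeholders: BACKUP_ADMIN, ORCL, the passwords.

CREATE USER backup_admin IDENTIFIED BY "placeholder_pw";

-- SYSDBA is a privilege, not a role: it is recorded in the password file,
-- which is why it cannot be bundled into the role the auditors asked for
GRANT SYSDBA TO backup_admin;

-- Deliberately NO "GRANT CREATE SESSION": an ordinary logon
--   connect backup_admin/placeholder_pw@orcl
-- fails with ORA-01045, while the SYSDBA logon RMAN uses
--   rman target backup_admin/placeholder_pw@orcl
-- does not need CREATE SESSION at all. Note Jared's caveat: any client
-- that connects AS SYSDBA still gets in, so the account's use is recorded
-- only by SYSDBA auditing (AUDIT_SYS_OPERATIONS), not by this omission.

-- Verification 1: the account is in the password file with SYSDBA ...
SELECT username, sysdba, sysoper
  FROM v$pwfile_users;

-- Verification 2: ... and holds no ordinary system privilege or role
SELECT 'PRIV' AS kind, privilege AS name
  FROM dba_sys_privs  WHERE grantee = 'BACKUP_ADMIN'
UNION ALL
SELECT 'ROLE', granted_role
  FROM dba_role_privs WHERE grantee = 'BACKUP_ADMIN';

-- Now SYSTEM's password can change without touching the backup jobs
ALTER USER system IDENTIFIED BY "new_placeholder_pw";
```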
RE: Stop using SYS, SYSTEM?
Ron --

Why do you need SYS or SYSTEM to do full exports and imports? I'll grant that there are those odd times when you need to use SYS and SYSTEM, but not then. Anybody with DBA granted to them can do full exports/imports. I'm doing it right now, as a matter of fact... with fromuser/touser to boot!

Bambi.

-----Original Message-----
Sent: Wednesday, November 12, 2003 4:24 PM
To: Multiple recipients of list ORACLE-L

Where we work, there is one DBA responsible for each database. Each DBA is responsible for dozens of databases, servers, and applications. The only time another DBA is in one of my databases is when I am out of the office and can't get to a phone line or network connection. We never use SYS but it was included in the audit so I included it in the question.

We still have to use SYS and SYSTEM for database creates, full exports, imports, etc... The only thing I can see creating a dummy SYSTEM account would do is to add one more userid and dozens of new passwords to the database and more work for an already short-handed staff.

Ron Smith

-----Original Message-----
Sent: Wednesday, November 12, 2003 3:59 PM
To: Multiple recipients of list ORACLE-L

Hi Ron,

I just started to write an answer to agree with your auditor based on accountability and I saw Arup's answer come through so I have deleted my answer and just say I concur wholeheartedly with Arup. I also conduct oracle security audits and I suggest to clients not to use SYS or SYSTEM for day to day work.

kind regards

Pete
--
Pete Finnigan
email: [EMAIL PROTECTED]
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book: Oracle security step-by-step Guide - see http://store.sans.org for details.
--
Author: Pete Finnigan
--
Author: Smith, Ron L.
--
Author: Bellow, Bambi
Re: Stop using SYS, SYSTEM?
> Smith, Ron L. <[EMAIL PROTECTED]> wrote:
>
> We are being asked by Auditing to stop using the SYS, and SYSTEM
> accounts. They would like for us to create an Oracle Role with the
> same permissions as SYS and SYSTEM, then grant the role to each of the
> DBA's. Don't ask me why. Nothing is being audited in 99% of the databases.
> They just say it in a paper somewhere so they said we shouldn't use
> it. This seems like it would cause lots of problems with exports,
> imports, installs, etc... Has anyone had to deal with this type of request?
> Any potential problems with making the change?

Quite a few potential problems. This is typical security jackass kneejerk reaction, pure and simple. A DBA needs DBA access to the system. Oracle provides this via SYS and SYSTEM. Period. The rest is just hazy, unprovable, half-cooked "security" bullshit from people who read this and that everywhere and are by default considered experts by even less competent damagement.

Granting all rights of user SYS and SYSTEM to a role and then granting that role to a DBA user reeks of sheer stupidity. If the issue is auditing, then use auditing. That's what it's there for. If the issue is use of DBA access, then get rid of the DBAs. (See how long that lasts...)

This sort of thing reminds me of the time I used to work at a very secure site back in the early 90s, where we had to request a security officer to give us the password for SYS and SYSTEM in order to do our job. The officer changed the password before passing it on to us verbally. He then proceeded to watch us type on the screen, then watched us log out and then changed the password again on the spot. Very secure, very procedural, very formal.

Except the officer was not a DBA, knew zilch about SQL and couldn't discern if we were copying the entire main accounts table to a non-secure area if his life depended on it.

Great security! No wonder it got exposed a few years later in a well known incident.

The issue of course is that what these people needed was auditing, not security. But try as we might, we could not make their "experts" understand the diff...

Cheers
Nuno Souto
[EMAIL PROTECTED]
--
Author: Nuno Pinto do Souto
Fw: Stop using SYS, SYSTEM?
Resending this message. The first post was undelivered since listguru thought it was a vacation message. This one has the word _V_acatio_N.

- Original Message -
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 12, 2003 5:58 PM

> Ron,
>
> I think you answered your own question - technically the auditors are
> correct; however your _specific_ situation (short-handed staff) may warrant
> this not be done. Perhaps you can use it to justify to your management why you
> are willing to accept the risk; it's really a simple question of economics.
>
> However, in your response you have mentioned that you never use SYS, only
> when the regular DBA of the database is out and a different DBA, new to the
> database, is called to fill in. If the fill-in is planned, e.g. the regular
> DBA goes on _V_acatio_N, you can create a named account for the new DBA.
>
> If the absence is unplanned, or the name of the new DBA is not known, I
> suggest you create an account called NEWDBA with SYSDBA and DBA privileges,
> but lock the account. Have a policy in your organization that the account
> NEWDBA is created in all the databases and locked. In an emergency, use SYS as
> SYSDBA to unlock the account and use it. It is not for security, just to
> prevent accidental creation of objects in the SYSTEM tablespace. Imagine
> NEWDBA as a different kind of SYS. There is no extra work involved and
> sooner or later you will see that most DBAs, especially new ones to the
> organization, fall in line and it becomes a kind of standard. You can lock
> the NEWDBA account, not the SYS account.
>
> How many times do you need the SYS account access? Database creation is one
> time and a non-regular DBA will not need that. Full export is one, but can
> be easily done using the NEWDBA user. How many times do you use the full
> import? In emergencies? In that case, use the NEWDBA. Frankly, there are
> very few occasions where using SYS accounts is needed. It's mostly laziness
> on our part that prompts us to use SYS, simply because we know there will
> not be any type of access restriction.
>
> I guess the important thing auditors are looking for is your acceptance of
> the risk and documenting it for use in situations beyond your control -
> such as emergencies when the regular DBA is not available. As long as you
> document that under those extenuating circumstances one is allowed to use
> SYS, simply because it is necessary considering the workload, that might be
> acceptable to management. Mere rejection of auditors' recommendation without
> the justification probably will not help either party.
>
> Hope this helps.
>
> Arup
>
> - Original Message -
> From: "Smith, Ron L." <[EMAIL PROTECTED]>
> To: "Multiple recipients of list ORACLE-L" <[EMAIL PROTECTED]>
> Sent: Wednesday, November 12, 2003 5:24 PM
> Subject: RE: Stop using SYS, SYSTEM?
>
> > Where we work, there is one DBA responsible for each database. Each DBA
> > is responsible for dozens of databases, servers, and applications. The
> > only time another DBA is in one of my databases is when I am out of the
> > office and can't get to a phone line or network connection. We never
> > use SYS but it was included in the audit so I included it in the
> > question.
> >
> > We still have to use SYS and SYSTEM for database creates, full exports,
> > imports, etc... The only thing I can see creating a dummy SYSTEM
> > account would do is to add one more userid and dozens of new passwords
> > to the database and more work for an already short-handed staff.
> >
> > Ron Smith
> >
> > -----Original Message-----
> > Sent: Wednesday, November 12, 2003 3:59 PM
> > To: Multiple recipients of list ORACLE-L
> >
> > Hi Ron,
> >
> > I just started to write an answer to agree with your auditor based on
> > accountability and I saw Arup's answer come through so I have deleted my
> > answer and just say I concur wholeheartedly with Arup. I also conduct
> > oracle security audits and I suggest to clients not to use SYS or SYSTEM
> > for day to day work.
> >
> > kind regards
> >
> > Pete
> > --
> > Pete Finnigan
> > email: [EMAIL PROTECTED]
> > Web site: http://www.petefinnigan.com - Oracle security audit
> > specialists Book: Oracle security step-by-step Guide - see
> > http://store.sans.org for details.
> > --
> > Author: Pete Finnigan
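The locked NEWDBA stand-in account from Arup's message, as an added example in Oracle SQL that is not part of the post: created locked, unlocked only for an emergency window, and checked afterwards. NEWDBA, DBA_WORK and the passwords are placeholders, and AUDIT_TRAIL is assumed to be set to DB.

```sql
-- Added example, not from the thread: the NEWDBA emergency account.
-- One-time setup, run as SYS AS SYSDBA in every database covered by the
-- policy. Placeholders: NEWDBA, DBA_WORK, the passwords.

CREATE USER newdba IDENTIFIED BY "placeholder_pw"
  DEFAULT TABLESPACE dba_work      -- keeps stray objects out of SYSTEM
  TEMPORARY TABLESPACE temp
  ACCOUNT LOCK;                    -- born locked; unlocked only on demand

GRANT DBA TO newdba;               -- full exports, imports, user admin
GRANT SYSDBA TO newdba;            -- startup/shutdown when filling in

-- Every connect/disconnect of the stand-in account goes to the audit
-- trail, so each unlock window can later be matched to a real session
AUDIT SESSION BY newdba;

-- Emergency procedure, as SYS AS SYSDBA:
--   1. unlock and hand the password to the fill-in DBA
ALTER USER newdba ACCOUNT UNLOCK;
--   2. ... fill-in DBA works as NEWDBA ...
--   3. relock and rotate the password in a single statement
ALTER USER newdba IDENTIFIED BY "rotated_placeholder_pw" ACCOUNT LOCK;

-- Policy check, run periodically against each database: the account must
-- exist and be LOCKED outside an emergency window
SELECT username, account_status, lock_date, default_tablespace
  FROM dba_users
 WHERE username = 'NEWDBA';

-- Who used it, from where, and when: one audited session per unlock
SELECT username, os_username, userhost, terminal,
       TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') AS logon_at,
       action_name
  FROM dba_audit_session
 WHERE username = 'NEWDBA'
 ORDER BY timestamp;
```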
Re: Stop using SYS, SYSTEM?
NO

You should be using SYS and SYSTEM. You paid for them, so use them! What's the point in not using something that you've paid for? That would be like buying a Ferrari and then not driving it 150 mph along I-95. Who would want to do that?

On 11/12/2003 03:54:25 PM, "Thater, William" wrote:
> Smith, Ron L. scribbled on the wall in glitter crayon:
>
> > We are being asked by Auditing to stop using the SYS, and SYSTEM
> > accounts. They would like for us to create an Oracle Role with the
> > same permissions as SYS and SYSTEM, then grant the role to each of the
> > DBA's. Don't ask me why. Nothing is being audited in 99% of the
> > databases. They just say it in a paper somewhere so they said we
> > shouldn't use it. This seems like it would cause lots of problems
> > with exports, imports, installs, etc... Has anyone had to deal with
> > this type of request? Any potential problems with making the change?
>
> it would seem to me that this would break things. the only two users Oracle
> can be sure are there are SYS and SYSTEM, just like the only tablespace it
> can be sure is there is the SYSTEM one. and what about running catalog and
> such? i think there are too many possibilities for things to break for me
> to be comfortable with this one.
>
> --
> Bill "Shrek" Thater ORACLE DBA
> "I'm going to work my ticket if I can..." -- Gilwell song
> [EMAIL PROTECTED]
>
> Any intelligent fool can make things bigger, more complex, and more violent.
> It takes a touch of genius -- and a lot of courage -- to move in the
> opposite direction. - Albert Einstein
> --
> Author: Thater, William

Mladen Gogala
Oracle DBA
--
Author: Mladen Gogala
RE: Stop using SYS, SYSTEM?
Where we work, there is one DBA responsible for each database. Each DBA is responsible for dozens of databases, servers, and applications. The only time another DBA is in one of my databases is when I am out of the office and can't get to a phone line or network connection. We never use SYS but it was included in the audit so I included it in the question.

We still have to use SYS and SYSTEM for database creates, full exports, imports, etc... The only thing I can see creating a dummy SYSTEM account would do is to add one more userid and dozens of new passwords to the database and more work for an already short-handed staff.

Ron Smith

-----Original Message-----
Sent: Wednesday, November 12, 2003 3:59 PM
To: Multiple recipients of list ORACLE-L

Hi Ron,

I just started to write an answer to agree with your auditor based on accountability and I saw Arup's answer come through so I have deleted my answer and just say I concur wholeheartedly with Arup. I also conduct oracle security audits and I suggest to clients not to use SYS or SYSTEM for day to day work.

kind regards

Pete
--
Pete Finnigan
email: [EMAIL PROTECTED]
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book: Oracle security step-by-step Guide - see http://store.sans.org for details.
--
Author: Pete Finnigan
--
Author: Smith, Ron L.
RE: Stop using SYS, SYSTEM?
Ron,

Here's the deal with sys and system. To have ultimate authority (like to shut down and start up the database), you have to log on with sysdba privileges. That means putting a username in the password file, which bestows the ability to log on with sysdba privileges.

Here's the thing. No matter who you give those sysdba privileges to by putting their logon in the password file, Oracle sees it as sys. So if you give Fred sysdba privileges, and he logs on like so:

connect fred/[EMAIL PROTECTED] as sysdba

then do a:

select username from v$session

it will show:

username
mary
tom
sys

but no fred, because Oracle sees anyone logged on with sysdba privileges as sys.

One other thing. sysdba is a privilege, and can't be granted to a role, only to a user. Then, as I said, Oracle will see that user as sys whenever he or she logs on with that privilege.

HTH,
Mike

-----Original Message-----
Sent: Wednesday, November 12, 2003 1:05 PM
To: Multiple recipients of list ORACLE-L

We are being asked by Auditing to stop using the SYS, and SYSTEM accounts. They would like for us to create an Oracle Role with the same permissions as SYS and SYSTEM, then grant the role to each of the DBA's. Don't ask me why. Nothing is being audited in 99% of the databases. They just say it in a paper somewhere so they said we shouldn't use it. This seems like it would cause lots of problems with exports, imports, installs, etc... Has anyone had to deal with this type of request? Any potential problems with making the change?

Thanks!
Ron Smith
--
Author: Michael Milligan
Re: Stop using SYS, SYSTEM?
Hi Ron,

I just started to write an answer to agree with your auditor based on accountability and I saw Arup's answer come through so I have deleted my answer and just say I concur wholeheartedly with Arup. I also conduct oracle security audits and I suggest to clients not to use SYS or SYSTEM for day to day work.

kind regards

Pete
--
Pete Finnigan
email: [EMAIL PROTECTED]
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book: Oracle security step-by-step Guide - see http://store.sans.org for details.
--
Author: Pete Finnigan
RE: Stop using SYS, SYSTEM?
And as Arup is Oracle Magazine's DBA of the Year for 2003, he's probably right. Congrats, Arup!

Rich

Rich Jesse
System/Database Administrator
[EMAIL PROTECTED]
Quad/Tech Inc, Sussex, WI USA

> -----Original Message-----
> From: Arup Nanda [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, November 12, 2003 3:14 PM
> To: Multiple recipients of list ORACLE-L
> Subject: Re: Stop using SYS, SYSTEM?
>
> Ron,
>
> It is a good practice, in general, to stop using SYS and SYSTEM accounts for
> everyday use. The simplest rule of thumb is that accountability somehow increases
> many times over when you link a database named user to a physical person,
> not an ethereal entity like SYS. This is especially true if you use auditing
> and turn on SYSDBA auditing; but even if you don't, sometimes the use of
> specific named users puts people on the alert when they do something
> potentially dangerous and can avoid accidents.
>
> The other reason for not using SYS is to avoid accidental creation of objects
> in the SYS and SYSTEM schemas. The best option is to lock the SYSTEM user and never
> let SYS be used. Unfortunately you can't lock the SYS user.
>
> Third, you can create default tablespaces for all these DBA users to hold
> their objects, specifically temporary/occasional tables (not the global
> temporary tables), test tables, etc., and all those will not get into the SYSTEM
> tablespace.
>
> Perhaps I should mention here that I also conduct database security
> audits for corporations. But unlike your auditors, I tend to follow the
> advice up with more detailed information :)
>
> Arup Nanda
> www.proligence.com

-- 
Author: Jesse, Rich
RE: Stop using SYS, SYSTEM?
And for an opposing opinion:

Let's see now. We create another user and grant that user all the privileges needed to do ANYTHING. And that makes things so much more secure?

If that's the prevailing thought among the database world, then it's safe to say that the Unix admins have infinitely more common sense by logging in as root when functioning as root. Well NO! We should create a user named rewt with the same UID and GID as root, and then always log in as rewt (or route).

For what it's worth, if you have many databases, it's going to be a real pain in the ass to track every stinkin' DBA account and not have those DBA accounts that we forgot about when old Joe quit or (worse) when Billy Bob decided to become a developer instead of a DBA.

If somebody can't log in as SYSTEM or SYS without fouling things up, they shouldn't be logging in at all. And if they have DBA privs, they can make a mess regardless of whether they log in as SYSTEM or CISTUM.

-- 
Author: [EMAIL PROTECTED]
Re: Stop using SYS, SYSTEM?
"Smith, Ron L." wrote: > > We are being asked by Auditing to stop using the SYS, and SYSTEM > accounts. They would like for us to create an Oracle Role with the same > permissions a SYS and SYSTEM, then grant the role to each of the DBA's. > Don't ask me why. Nothing is being audited in 99% of the databases. > They just say it in a paper some where so they said we shouldn't use it. > This seems like it would cause lots of problems with exports, imports, > installs, etc... Has anyone had to deal with this type of request? Any > potential problems with making the change? > > Thanks! > Ron Smith > -- I agree about SYS, but I don't have any problem with SYSTEM, which for the ownership of PRODUCT_USER_PROFILE and perhaps a couple of other dictionary-related tables, views or package is as equal a DBA as any other (SYS excepted). I like having an externally identified DBA account for running all those cron scripts etc., but on the other hand I am not in favour of unduly multiplying DBAs. This is pushing democracy too far for my taste. The more DBAs you have, the more chances you take of having an easy-to-guess or leaked password. -- Regards, Stephane Faroult Oriole Software -- Please see the official ORACLE-L FAQ: http://www.orafaq.net -- Author: Stephane Faroult INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: Stop using SYS, SYSTEM?
Ron,

It is a good practice, in general, to stop using SYS and SYSTEM accounts for everyday use. The simplest rule of thumb is that accountability somehow increases many times over when you link a database named user to a physical person, not an ethereal entity like SYS. This is especially true if you use auditing and turn on SYSDBA auditing; but even if you don't, sometimes the use of specific named users puts people on the alert when they do something potentially dangerous and can avoid accidents.

The other reason for not using SYS is to avoid accidental creation of objects in the SYS and SYSTEM schemas. The best option is to lock the SYSTEM user and never let SYS be used. Unfortunately you can't lock the SYS user.

Third, you can create default tablespaces for all these DBA users to hold their objects, specifically temporary/occasional tables (not the global temporary tables), test tables, etc., and all those will not get into the SYSTEM tablespace.

Perhaps I should mention here that I also conduct database security audits for corporations. But unlike your auditors, I tend to follow the advice up with more detailed information :)

Arup Nanda
www.proligence.com

----- Original Message -----
To: "Multiple recipients of list ORACLE-L" <[EMAIL PROTECTED]>
Sent: Wednesday, November 12, 2003 3:04 PM

> We are being asked by Auditing to stop using the SYS and SYSTEM
> accounts. They would like for us to create an Oracle Role with the same
> permissions as SYS and SYSTEM, then grant the role to each of the DBAs.
> Don't ask me why. Nothing is being audited in 99% of the databases.
> They just say it in a paper somewhere, so they said we shouldn't use it.
> This seems like it would cause lots of problems with exports, imports,
> installs, etc... Has anyone had to deal with this type of request? Any
> potential problems with making the change?
>
> Thanks!
> Ron Smith

-- 
Author: Arup Nanda
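The three steps Arup lists (named accounts, lock SYSTEM, a default tablespace so DBA scratch objects stay out of SYSTEM) as one SQL*Plus script, added here as an example and not Arup's own code. It assumes a run as SYS on 9i or later; JSMITH, DBA_WORK, the datafile path and the password are illustrative. The last query is a review heuristic of my own for finding objects that have crept into SYS or SYSTEM, not something the post describes.

```sql
-- Added example, not from the original post. Run as SYS.
-- JSMITH, DBA_WORK, the datafile path and the password are illustrative.

-- A tablespace of its own for the DBAs' scratch tables, so that a quick
-- CREATE TABLE during an incident lands here and not in SYSTEM.
CREATE TABLESPACE dba_work
  DATAFILE '/u02/oradata/orcl/dba_work01.dbf' SIZE 200M AUTOEXTEND OFF;

-- One account per physical person, defaulting to that tablespace.
CREATE USER jsmith IDENTIFIED BY "Ch4nge-me-on-first-logon"
  DEFAULT TABLESPACE dba_work
  TEMPORARY TABLESPACE temp
  PASSWORD EXPIRE;
GRANT DBA TO jsmith;   -- everyday work; grant SYSDBA separately only to those who start/stop

-- Lock SYSTEM. This does nothing for SYS: a logon AS SYSDBA is checked against
-- the password file (or OS group), not the account status, so the SYS password
-- and the password file still have to be guarded.
ALTER USER system ACCOUNT LOCK;

-- Review list: anything in SYS or SYSTEM created after the dictionary was
-- built. Patch and upgrade scripts show up here too, so read it as a list to
-- check, not as proof that someone did something wrong.
SELECT o.owner, o.object_type, o.object_name, o.created
  FROM dba_objects o, v$database d
 WHERE o.owner IN ('SYS', 'SYSTEM')
   AND o.created > d.created + 1
 ORDER BY o.created DESC;

-- Who holds DBA now? The list should be exactly the named people.
SELECT grantee, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;
```

With the DBA role granted, JSMITH has UNLIMITED TABLESPACE anyway, so no quota is needed; the default tablespace only controls where unqualified CREATE TABLE statements go. The two SELECTs are the ones worth putting in a periodic job once the accounts exist: new rows in either are what an auditor actually wants to see explained.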
Re: Stop using SYS, SYSTEM?
David,

You can remove the "create session" priv from the RMAN user and this will make it a little harder for most users to connect, but RMAN will work fine :-)

David Wagoner wrote:

> Jared,
>
> I followed Robert Freeman's advice and created an RMAN user in all my DBs called backup_admin with SYSDBA privilege so that RMAN doesn't use SYS or SYSTEM. This allows you to change system passwords at will and not interfere with backups. Works just fine. Is this what you were talking about? Perhaps I misunderstood.
>
> Best regards,
>
> David B. Wagoner
> Database Administrator
> Arsenal Digital Solutions
> Web: http://www.arsenaldigital.com
> "the most trusted source for STORAGE MANAGEMENT SERVICES"
>
> -----Original Message-----
> From: Smith, Ron L. [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 12, 2003 3:05 PM
> To: Multiple recipients of list ORACLE-L
> Subject: Stop using SYS, SYSTEM?
>
> We are being asked by Auditing to stop using the SYS and SYSTEM accounts. They would like for us to create an Oracle Role with the same permissions as SYS and SYSTEM, then grant the role to each of the DBAs. Don't ask me why. Nothing is being audited in 99% of the databases. They just say it in a paper somewhere, so they said we shouldn't use it. This seems like it would cause lots of problems with exports, imports, installs, etc... Has anyone had to deal with this type of request? Any potential problems with making the change?
>
> Thanks!
> Ron Smith

-- 
Peter Gram, Miracle A/S
Phone: +45 2527 7107, Fax: +45 4466 8856, Home: +45 3874 5696
mail: [EMAIL PROTECTED] - http://MiracleAS.dk

-- 
Author: Peter Gram
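What David's backup account plus Peter's tweak looks like, added here as an example rather than either poster's own script. It assumes SQL*Plus as SYS with an EXCLUSIVE password file, a hypothetical account BACKUP_ADMIN, a net service name ORCL and a recovery catalog connect string; all of those are illustrative. The point worth seeing is that a SYSDBA logon does not need CREATE SESSION, so the account can back the database up while being useless for an ordinary login.

```sql
-- Added example, not from the original posts. Run as SYS.
-- BACKUP_ADMIN, ORCL, the catalog connect string and passwords are illustrative.

CREATE USER backup_admin IDENTIFIED BY "long-random-backup-password";
GRANT SYSDBA TO backup_admin;       -- puts BACKUP_ADMIN in the password file

-- Deliberately grant nothing else, in particular not CREATE SESSION.
-- If someone granted it earlier, take it away:
--   REVOKE CREATE SESSION FROM backup_admin;

-- What this buys you. An ordinary logon with the backup password is refused:
--   SQL> CONNECT backup_admin/"long-random-backup-password"@orcl
--   ERROR: ORA-01045: user BACKUP_ADMIN lacks CREATE SESSION privilege; logon denied
-- but a SYSDBA logon is authenticated against the password file and succeeds:
--   SQL> CONNECT backup_admin/"long-random-backup-password"@orcl AS SYSDBA
--   Connected.
-- RMAN connects to the target AS SYSDBA on its own, so the backup script needs
-- no change beyond the account name:
--   $ rman target backup_admin/"long-random-backup-password"@orcl catalog rman/...@rcat
-- and rotating the SYS or SYSTEM password no longer breaks backups.

-- Verify the result:
SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 WHERE username = 'BACKUP_ADMIN';            -- SYSDBA = TRUE

SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'BACKUP_ADMIN';             -- no rows: no CREATE SESSION

-- Same question as for any SYSDBA account: the sessions it opens show up as SYS,
-- so the backup host's OS user is what identifies them in V$SESSION and in the
-- AUDIT_SYS_OPERATIONS trail.
SELECT username, osuser, machine, program
  FROM v$session
 WHERE program LIKE 'rman%';
```

The account is still a full SYSDBA, so its password belongs in the backup job's protected configuration, not in a script in a world-readable directory; removing CREATE SESSION narrows how the credential can be used, not what it can do once used.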
RE: Stop using SYS, SYSTEM?
We avoid using SYS as much as we can, but we use SYSTEM ... cautiously, I might add.

Raj

Rajendra dot Jamadagni at nospamespn dot com
All Views expressed in this email are strictly personal.
QOTD: Any clod can have facts, having an opinion is an art!

-----Original Message-----
Sent: Wednesday, November 12, 2003 3:05 PM
To: Multiple recipients of list ORACLE-L

We are being asked by Auditing to stop using the SYS and SYSTEM accounts. They would like for us to create an Oracle Role with the same permissions as SYS and SYSTEM, then grant the role to each of the DBAs. Don't ask me why. Nothing is being audited in 99% of the databases. They just say it in a paper somewhere, so they said we shouldn't use it. This seems like it would cause lots of problems with exports, imports, installs, etc... Has anyone had to deal with this type of request? Any potential problems with making the change?

Thanks!
Ron Smith

-- 
Author: Jamadagni, Rajendra
RE: Stop using SYS, SYSTEM?
Smith, Ron L. scribbled on the wall in glitter crayon:

> We are being asked by Auditing to stop using the SYS and SYSTEM
> accounts. They would like for us to create an Oracle Role with the
> same permissions as SYS and SYSTEM, then grant the role to each of the
> DBAs. Don't ask me why. Nothing is being audited in 99% of the
> databases. They just say it in a paper somewhere, so they said we
> shouldn't use it. This seems like it would cause lots of problems
> with exports, imports, installs, etc... Has anyone had to deal with
> this type of request? Any potential problems with making the change?

It would seem to me that this would break things. The only two users Oracle can be sure are there are SYS and SYSTEM, just like the only tablespace it can be sure is there is the SYSTEM one. And what about running catalog and such? I think there are too many possibilities for things to break for me to be comfortable with this one.

-- 
Bill "Shrek" Thater
ORACLE DBA
"I'm going to work my ticket if I can..." -- Gilwell song
[EMAIL PROTECTED]

Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction. - Albert Einstein

-- 
Author: Thater, William
RE: Stop using SYS, SYSTEM?
I agree 100% with Dick. Nobody should be using SYS or SYSTEM. If RMAN requires a SYS connection, then so be it.

Tom Mercadante
Oracle Certified Professional

-----Original Message-----
Sent: Wednesday, November 12, 2003 3:45 PM
To: Multiple recipients of list ORACLE-L

Personal Opinion here:

I don't use SYS or SYSTEM for anything where it is not absolutely required. All of the DBAs have the DBA role granted to them & we log on as ourselves. This is simply so that we don't accidentally step on something really important. In general one should never create anything in the SYS schema since it won't get exported when you do a full database export. SYSTEM is a little safer, but still..

I have seen a couple of "white papers" that have made statements such as "SYS and SYSTEM should be locked and never opened" as well as other similar alarming (to the pointy headed non-technical types) statements that indicate that disaster is waiting in the wings. All of them can be summarily dismissed as having been written by those who are similarly non-technical.

BTW: Even if you are auditing, a DBA can eliminate the records in V$Audit if they wish.

Dick Goulet
Senior Oracle DBA
Oracle Certified 8i DBA

-----Original Message-----
Sent: Wednesday, November 12, 2003 3:05 PM
To: Multiple recipients of list ORACLE-L

We are being asked by Auditing to stop using the SYS and SYSTEM accounts. They would like for us to create an Oracle Role with the same permissions as SYS and SYSTEM, then grant the role to each of the DBAs. Don't ask me why. Nothing is being audited in 99% of the databases. They just say it in a paper somewhere, so they said we shouldn't use it. This seems like it would cause lots of problems with exports, imports, installs, etc... Has anyone had to deal with this type of request? Any potential problems with making the change?

Thanks!
Ron Smith

-- 
Author: Goulet, Dick

-- 
Author: Mercadante, Thomas F
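Dick's aside that a DBA can erase the audit records is the reason the trail needs protecting from the people it records. The following is an added example, not from any post in the thread, of the two usual countermeasures: keep the trail outside the database, and audit the trail table itself. It assumes a run as SYS on 9i or later (AUDIT_SYS_OPERATIONS arrived with 9i); the audit directory path is illustrative.

```sql
-- Added example, not from the original posts. Run as SYS; 9i or later assumed.
-- The directory is illustrative. Both ALTER SYSTEM parameters are static, so the
-- instance has to be restarted for them to take effect.

-- 1. Send the audit trail to OS files instead of SYS.AUD$. A DBA whose only
--    access is a database login has no DELETE or TRUNCATE for a file on disk.
--    Keep the directory writable by the oracle OS user only, and copy the files
--    off the host (or to syslog) on a schedule, so the server admin cannot
--    quietly prune them either.
ALTER SYSTEM SET audit_trail = OS SCOPE = SPFILE;
ALTER SYSTEM SET audit_file_dest = '/var/log/oracle/audit' SCOPE = SPFILE;

--    AUDIT_TRAIL never covers statements issued AS SYSDBA. This switch writes
--    every one of them, with the OS user, to the same OS destination.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- 2. If the trail has to stay in the database (AUDIT_TRAIL = DB), at least make
--    cleaning it leave a mark.
AUDIT DELETE ON sys.aud$ BY ACCESS;   -- one record per DELETE against the trail
AUDIT TABLE BY ACCESS;                -- CREATE/DROP/TRUNCATE TABLE, so TRUNCATE AUD$ is seen

-- 3. The question a reviewer asks afterwards: who touched the trail itself?
SELECT os_username, username, userhost, action_name, obj_name, timestamp, returncode
  FROM dba_audit_trail
 WHERE owner = 'SYS'
   AND obj_name = 'AUD$'
 ORDER BY timestamp DESC;
```

Option 2 on its own only raises the bar: a DBA can delete the record of the delete as well, and a SYSDBA session's actions never reach AUD$ in the first place. That is why the OS trail, owned by someone other than the DBA, is the one that actually answers Dick's point; the in-database auditing is there to catch the careless rather than the determined.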
RE: Stop using SYS, SYSTEM?
Jared,

I followed Robert Freeman's advice and created an RMAN user in all my DBs called backup_admin with SYSDBA privilege so that RMAN doesn't use SYS or SYSTEM. This allows you to change system passwords at will and not interfere with backups. Works just fine. Is this what you were talking about? Perhaps I misunderstood.

Best regards,

David B. Wagoner
Database Administrator
Arsenal Digital Solutions
Web: http://www.arsenaldigital.com
"the most trusted source for STORAGE MANAGEMENT SERVICES"

-----Original Message-----
From: Smith, Ron L. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 12, 2003 3:05 PM
To: Multiple recipients of list ORACLE-L
Subject: Stop using SYS, SYSTEM?

We are being asked by Auditing to stop using the SYS and SYSTEM accounts. They would like for us to create an Oracle Role with the same permissions as SYS and SYSTEM, then grant the role to each of the DBAs. Don't ask me why. Nothing is being audited in 99% of the databases. They just say it in a paper somewhere, so they said we shouldn't use it. This seems like it would cause lots of problems with exports, imports, installs, etc... Has anyone had to deal with this type of request? Any potential problems with making the change?

Thanks!
Ron Smith

-- 
Author: David B. Wagoner
RE: Stop using SYS, SYSTEM?
Personal Opinion here:

I don't use SYS or SYSTEM for anything where it is not absolutely required. All of the DBAs have the DBA role granted to them & we log on as ourselves. This is simply so that we don't accidentally step on something really important. In general one should never create anything in the SYS schema since it won't get exported when you do a full database export. SYSTEM is a little safer, but still..

I have seen a couple of "white papers" that have made statements such as "SYS and SYSTEM should be locked and never opened" as well as other similar alarming (to the pointy headed non-technical types) statements that indicate that disaster is waiting in the wings. All of them can be summarily dismissed as having been written by those who are similarly non-technical.

BTW: Even if you are auditing, a DBA can eliminate the records in V$Audit if they wish.

Dick Goulet
Senior Oracle DBA
Oracle Certified 8i DBA

-----Original Message-----
Sent: Wednesday, November 12, 2003 3:05 PM
To: Multiple recipients of list ORACLE-L

We are being asked by Auditing to stop using the SYS and SYSTEM accounts. They would like for us to create an Oracle Role with the same permissions as SYS and SYSTEM, then grant the role to each of the DBAs. Don't ask me why. Nothing is being audited in 99% of the databases. They just say it in a paper somewhere, so they said we shouldn't use it. This seems like it would cause lots of problems with exports, imports, installs, etc... Has anyone had to deal with this type of request? Any potential problems with making the change?

Thanks!
Ron Smith

-- 
Author: Goulet, Dick
RE: Stop using SYS, SYSTEM?
Or if you're auditing in a pre-9i DB, which won't audit SYS and SYSDBA.

Rich

Rich Jesse
System/Database Administrator
[EMAIL PROTECTED]
Quad/Tech Inc, Sussex, WI USA

-----Original Message-----
Sent: Wednesday, November 12, 2003 2:30 PM
To: Multiple recipients of list ORACLE-L

That won't work if you're using RMAN. The account that makes the backup needs to be able to do so as SYSDBA. You can't grant that through a role.

The reason for separate accounts is accountability. But if you're not auditing, that won't help much, as you already stated.

Jared

-- 
Author: Jesse, Rich
Re: Stop using SYS, SYSTEM?
That won't work if you're using RMAN. The account that makes the backup needs to be able to do so as SYSDBA. You can't grant that through a role.

The reason for separate accounts is accountability. But if you're not auditing, that won't help much, as you already stated.

Jared

"Smith, Ron L." <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
11/12/2003 12:04 PM
To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
Subject: Stop using SYS, SYSTEM?

We are being asked by Auditing to stop using the SYS and SYSTEM accounts. They would like for us to create an Oracle Role with the same permissions as SYS and SYSTEM, then grant the role to each of the DBAs. Don't ask me why. Nothing is being audited in 99% of the databases. They just say it in a paper somewhere, so they said we shouldn't use it. This seems like it would cause lots of problems with exports, imports, installs, etc... Has anyone had to deal with this type of request? Any potential problems with making the change?

Thanks!
Ron Smith

-- 
Author: Jared Still
Stop using SYS, SYSTEM?
We are being asked by Auditing to stop using the SYS and SYSTEM accounts. They would like for us to create an Oracle Role with the same permissions as SYS and SYSTEM, then grant the role to each of the DBAs. Don't ask me why. Nothing is being audited in 99% of the databases. They just say it in a paper somewhere, so they said we shouldn't use it. This seems like it would cause lots of problems with exports, imports, installs, etc... Has anyone had to deal with this type of request? Any potential problems with making the change?

Thanks!
Ron Smith

-- 
Author: Smith, Ron L.