Topic: DBA using SYS and SYSTEM (Read 4216 times)
Pete Finnigan
PeteFinnigan.com Administrator
Oracle Security is easier if you design for it
DBA using SYS and SYSTEM
« on: Feb 1st, 2006, 3:56pm »
This is my first post, please be gentle. Where I work, rather than the DBAs being given unique logins with the necessary privileges to do their job, they log on using SYS or SYSTEM. I am sure this can't be good practice, but other than the lack of accountability and clear audit trail, I can't come up with an argument that will convince management that changing this is worthwhile. I would like to perform a simple cost / benefit analysis on changing the process, but without a better idea of the risks intrinsic in the existing practice, I am finding it difficult. What do you feel are the problems with using this practice? How much effort would be involved in ensuring each user had a unique login that gave enough rights for them to do their daily tasks? I understand that the answers would depend on the number of databases being administered and how much the DBAs actually do on a daily basis, but any help would be welcome. Thank you in advance.
Pete Finnigan (email:pete@petefinnigan.com) Oracle Security Web site: http://www.petefinnigan.com Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Re: DBA using SYS and SYSTEM
« Reply #1 on: Feb 1st, 2006, 8:33pm »
Hi Martin,

Two comments I have for now. The first, as you pointed out, is that using SYS and SYSTEM, especially if multiple users use these accounts, means there is no accountability for actions. Most government organisations require this to be done anyway. The second issue depends on the role of the DBA and what they need to do daily. In most cases they do not need the DBA role or SYSDBA; some DBAs do, of course. You need, in my opinion, to establish the exact job requirements and then design a database role to suit.

cheers
Pete
Re: DBA using SYS and SYSTEM
« Reply #2 on: Feb 2nd, 2006, 10:46am »
Hi Martin. I agree totally with Pete's point of accountability. One of the best methods I have found is to use that on the DBAs. If there was a problem, either from an audit or from a technical point of view, could the DBAs prove it wasn't them that did it? This is not the big brother approach, but does ensure that the technical staff have protection if something goes wrong. The argument from most DBAs has always been that to correct problems quickly, they need access to SYS or SYSTEM. This is ok, if access to those accounts is controlled. Something as simple as the password being held by security in an envelope, and security/user admin having the ability to reset that password once it has been used, can be put in place. The DBA then signs out that they have the SYS password. Day to day functions such as monitoring space, and jobs etc can be carried out via non-DBA accounts given the correct level of access. Even if the DBAs' own accounts have full DBA rights, it at least provides a better method of accountability than them all sharing a high level password.

Kevin Else
NoFools
Re: DBA using SYS and SYSTEM
« Reply #3 on: Feb 3rd, 2006, 9:54am »
Thank you Pete and Kevin for your responses. I have an issue with relying on the accountability argument alone at the moment. Users with DBA privileges can currently alter the audit log should they want to. When I have tried the line of 'can you prove it wasn't you?' I received the response of 'no, but you can't prove it was me!' - Not very helpful, I am afraid. This is one of the main reasons for me looking for additional reasons to limit the access the DBAs are using on a daily basis. As an alternative, how easy would it be to move the audit logs to somewhere that DBAs couldn't access?

Cheers,
Martin
Re: DBA using SYS and SYSTEM
« Reply #4 on: Feb 3rd, 2006, 4:55pm »
on Feb 3rd, 2006, 9:54am, Martin wrote: As an alternative, how easy would it be to move the audit logs to somewhere that DBAs couldn't access? Cheers, Martin

Martin, I don't know which Oracle version you are using, but in 9i and 10g (and probably in 8i as well) you can set your audit trail to a syslog file (parameter audit_trail=os). The syslog (on a Unix system) will log the audit to a log file. Syslog can even log to another machine, well out of the reach of your "dba's".

Ivan
Re: DBA using SYS and SYSTEM
« Reply #5 on: Feb 3rd, 2006, 7:15pm »
on Feb 3rd, 2006, 9:54am, Martin wrote: When I have tried the line of 'can you prove it wasn't you?' I received the response of 'no, but you can't prove it was me!' - Not very helpful, I am afraid. Martin

Hi Martin, I don't want to seem arrogant, but I suspect if I looked after they had played around trying to cover their tracks I probably could prove it was them, at least when it was done and from which terminal. I have seen a lot of attempts to delete and alter records in the audit trail, and almost all times it's done badly and leaves such a trail of evidence you would be surprised. I think Ivan's suggestion is the better one though: to write the audit trail to the OS and to use syslog to save it to a safe location. The only issue with OS based audit is that there are no standard tools to review the trail.

cheers
Pete
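Pete's point that there are no standard tools to review an OS audit trail, and Ivan's audit_trail=os suggestion, as an added example that is not part of the thread: a small Python script that reads OS audit trail records (assumed to be in the 10g-style KEY: "value" layout, with the optional [n] length prefix that 11g adds) and reports every logon to the shared SYS and SYSTEM accounts together with the OS user and terminal it came from, which is exactly the accountability gap the thread is about. The sample records are constructed, not real audit data.

```python
"""Review an Oracle OS audit trail (audit_trail=os, or the same records forwarded
by syslog) for logons to the shared SYS and SYSTEM accounts, reporting which
OS user and terminal each one came from."""
import re
from collections import defaultdict

# Constructed sample records (not real audit data) in the 10g-style
# KEY: "value" layout; each record is preceded by its timestamp line.
SAMPLE_TRAIL = """\
Fri Feb  3 09:54:12 2006
SESSIONID: "1001" ENTRYID: "1" STATEMENT: "1" USERID: "SYSTEM" USERHOST: "dbhost" TERMINAL: "pts/3" ACTION: "100" RETURNCODE: "0" OS$USERID: "martin" PRIV$USED: "5"
Fri Feb  3 10:02:40 2006
SESSIONID: "1002" ENTRYID: "1" STATEMENT: "1" USERID: "SYS" USERHOST: "dbhost" TERMINAL: "pts/7" ACTION: "100" RETURNCODE: "0" OS$USERID: "kevin" PRIV$USED: "5"
Fri Feb  3 10:15:03 2006
SESSIONID: "1003" ENTRYID: "1" STATEMENT: "1" USERID: "MONITOR" USERHOST: "apphost" TERMINAL: "pts/1" ACTION: "100" RETURNCODE: "0" OS$USERID: "monitor" PRIV$USED: "5"
Fri Feb  3 10:20:55 2006
SESSIONID: "1004" ENTRYID: "1" STATEMENT: "1" USERID: "SYSTEM" USERHOST: "dbhost" TERMINAL: "pts/9" ACTION: "100" RETURNCODE: "1017" OS$USERID: "ivan" PRIV$USED: "5"
"""

# KEY: "value" pairs; the optional [n] length prefix covers the 11g layout.
FIELD_RE = re.compile(r'([A-Z$]+):\s*(?:\[\d+\])?\s*"([^"]*)"')
SHARED_ACCOUNTS = {"SYS", "SYSTEM"}
LOGON_ACTION = "100"  # AUDIT_ACTIONS code for LOGON

def parse_records(text):
    """Yield one dict per audit record, tagged with the preceding timestamp line."""
    timestamp = None
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if not fields:                      # timestamp line or blank line
            timestamp = line.strip() or timestamp
            continue
        fields["TIMESTAMP"] = timestamp
        yield fields

def shared_account_logons(text):
    """Map each shared account to (OS user, terminal, time, return code) per logon."""
    report = defaultdict(list)
    for rec in parse_records(text):
        if rec.get("ACTION") == LOGON_ACTION and rec.get("USERID") in SHARED_ACCOUNTS:
            report[rec["USERID"]].append(
                (rec.get("OS$USERID"), rec.get("TERMINAL"), rec["TIMESTAMP"], rec.get("RETURNCODE")))
    return dict(report)

if __name__ == "__main__":
    for account, logons in shared_account_logons(SAMPLE_TRAIL).items():
        print(f"{account}: {len(logons)} logon(s), by OS user and terminal")
        for os_user, term, when, rc in logons:
            status = "succeeded" if rc == "0" else f"failed, return code {rc}"
            print(f"  {when}  {os_user}@{term}  {status}")
```

Run against a real adump file or the syslog destination, the report shows which OS identities used the shared accounts and when, which is the evidence a DBA needs to answer the 'prove it wasn't you' question from the thread.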
Re: DBA using SYS and SYSTEM
« Reply #7 on: Feb 7th, 2006, 1:33pm »
One of the issues I sometimes come across with using external audit trails is that the Unix admins are sometimes DBAs as well! Or DBAs have ready access to an Admin account on the host. As to the "you can't prove it was me" line, my normal response is, "but how much time and effort is it going to take you to prove it wasn't". It is part of an administrator's job to maintain the security and integrity of the data they are managing, and any lapse in that can cause repercussions. Just because they can't prove who left the door open, doesn't mean the owners of a house will not suffer a loss!

Kevin
Nofools