Pete Finnigan's Oracle Security Forum
Oracle Security (Moderator: Pete Finnigan)
Topic: DBA using SYS and SYSTEM (Read 4216 times)

Pete Finnigan
PeteFinnigan.com Administrator
Oracle Security is easier if you design for it
Gender: male
Posts: 309

DBA using SYS and SYSTEM
« on: Feb 1st, 2006, 3:56pm »

This is my first post, please be gentle.
Where I work, rather than the DBAs being given unique logins with the necessary privileges to do their job, they log on using SYS or SYSTEM.
I am sure this can't be good practice, but other than the lack of accountability and clear audit trail, I can't come up with an argument that will convince management that changing this is worthwhile.
I would like to perform a simple cost / benefit analysis on changing the process, but without a better idea of the risks intrinsic in the existing practice, I am finding it difficult.  
What do you feel are the problems with using this practice?
How much effort would be involved in ensuring each user had a unique login that gave enough rights for them to do their daily tasks?  
I understand that the answers would depend on the number of databases being administered and how much the DBAs actually do on a daily basis, but any help would be welcome.
Thank you in advance.
Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html

Re: DBA using SYS and SYSTEM
« Reply #1 on: Feb 1st, 2006, 8:33pm »

Hi Martin,
 
The two comments I have for now. The first is, as you pointed out, that using SYS and SYSTEM, especially if multiple users use these accounts, means there is no accountability for actions. Most government organisations require this to be done anyway.
 
The second issue depends on the role of the DBA and what they need to do daily. In most cases they do not need the DBA role or SYSDBA; some DBAs do of course. You need, in my opinion, to establish the exact job requirements and then design a database role to suit.
 
cheers
 
Pete

Re: DBA using SYS and SYSTEM
« Reply #2 on: Feb 2nd, 2006, 10:46am »

Hi Martin.
 
I agree totally with Pete's point of accountability.
 
One of the best methods I have found is to use that on the DBAs.
 
If there was a problem, either from an audit or from a technical point of view, could the DBAs prove it wasn't them that did it?
 
This is not the big brother approach, but it does ensure that the technical staff have protection if something goes wrong.
 
The argument from most DBAs has always been that to correct problems quickly, they need access to SYS or SYSTEM. This is OK, if access to those accounts is controlled. Something as simple as the password being held by security in an envelope, and security/user admin having the ability to reset that password once it has been used, can be put in place. The DBA then signs out that they have the SYS password.
 
Day-to-day functions such as monitoring space, jobs etc. can be carried out via non-DBA accounts given the correct level of access.
 
Even if the DBAs' own accounts have full DBA rights, it at least provides a better method of accountability than them all sharing a high-level password.
 
Kevin Else
NoFools

Re: DBA using SYS and SYSTEM
« Reply #3 on: Feb 3rd, 2006, 9:54am »

Thank you Pete and Kevin for your responses.
 
I have an issue with relying on the accountability argument alone at the moment. Users with DBA privileges can currently alter the audit log should they want to.
When I have tried the line of 'can you prove it wasn't you?' I received the response of 'no, but you can't prove it was me!' - not very helpful, I am afraid.
This is one of the main reasons for me looking for additional reasons to limit the access the DBAs are using on a daily basis.
As an alternative, how easy would it be to move the audit logs to somewhere that DBAs couldn't access?
 
Cheers,
 
Martin

Re: DBA using SYS and SYSTEM
« Reply #4 on: Feb 3rd, 2006, 4:55pm »

Martin,
 
I don't know which Oracle version you are using, but in 9i and 10g (and probably in 8i as well) you can set your audit trail to a syslog file (parameter audit_trail=os). The syslog (on a Unix system) will log the audit to a log file. Syslog can even log to another machine, well out of the reach of your "DBAs".
 
Ivan
 
on Feb 3rd, 2006, 9:54am, Martin wrote:

As an alternative, how easy would it be to move the audit logs to somewhere that DBAs couldn't access?
 
Cheers,
 
Martin


Re: DBA using SYS and SYSTEM
« Reply #5 on: Feb 3rd, 2006, 7:15pm »

on Feb 3rd, 2006, 9:54am, Martin wrote:
When I have tried the line of 'can you prove it wasn't you?' I received the response of 'no, but you can't prove it was me!' - Not very helpful, I am afraid.
Martin

 
Hi Martin,
 
I don't want to seem arrogant, but I suspect if I looked after they had played around trying to cover their tracks I probably could prove it was them, at least when it was done and from which terminal. I have seen a lot of attempts to delete and alter records in the audit trail, and almost all times it's done badly and leaves such a trail of evidence you would be surprised.
 
I think Ivan's suggestion is the better one though: to write the audit trail to the OS and to use syslog to save it to a safe location.
 
The only issue with OS-based audit is that there are no standard tools to review the trail.
 
cheers
 
Pete
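Pete's point that there are no standard tools to review an OS-based trail is the gap a small reviewer script can fill. The script below is an added example, not from the forum and not an Oracle tool: the syslog lines are constructed, and their layout (a syslog header followed by Oracle's KEY: "value" audit fields, with ACTION 100 taken to mean LOGON) is an assumption about what audit_trail=os delivered through syslog looks like, so adjust the two regexes to whatever your release actually writes. It groups logons to the shared SYS and SYSTEM accounts by OS user, client host and terminal, which is the only information in the trail that ties a shared account back to a person.

```python
import re
from collections import defaultdict

# Constructed sample lines, not real audit data. The layout (syslog header, then
# Oracle's KEY: "value" audit fields, ACTION 100 = LOGON) is an assumption.
SAMPLE_SYSLOG = """\
Feb  3 09:54:01 dbhost Oracle Audit[4412]: SESSIONID: "27" USERID: "SYS" USERHOST: "ws-17" TERMINAL: "pts/2" ACTION: "100" RETURNCODE: "0" OS$USERID: "martin" PRIV$USED: "5"
Feb  3 09:55:10 dbhost Oracle Audit[4412]: SESSIONID: "28" USERID: "SYSTEM" USERHOST: "ws-09" TERMINAL: "pts/4" ACTION: "100" RETURNCODE: "0" OS$USERID: "kevin" PRIV$USED: "5"
Feb  3 10:02:33 dbhost Oracle Audit[4412]: SESSIONID: "29" USERID: "MONITOR_DBA" USERHOST: "ws-17" TERMINAL: "pts/3" ACTION: "100" RETURNCODE: "0" OS$USERID: "martin" PRIV$USED: "5"
Feb  3 10:15:47 dbhost Oracle Audit[4412]: SESSIONID: "27" USERID: "SYS" USERHOST: "ws-17" TERMINAL: "pts/2" ACTION: "101" RETURNCODE: "0" OS$USERID: "martin" PRIV$USED: "5"
Feb  3 10:20:05 dbhost Oracle Audit[4412]: SESSIONID: "30" USERID: "SYS" USERHOST: "ws-22" TERMINAL: "pts/1" ACTION: "100" RETURNCODE: "1017" OS$USERID: "unknown" PRIV$USED: "5"
"""

SHARED_ACCOUNTS = {"SYS", "SYSTEM"}
LOGON_ACTION = "100"
HEADER_RE = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) Oracle Audit\[\d+\]: ')
FIELD_RE = re.compile(r'([A-Z$]+): "([^"]*)"')

def parse_record(line):
    """Split one syslog line into a dict of its audit fields plus TIME and
    SYSLOG_HOST from the syslog header; return None for non-audit lines."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"TIME": m.group(1), "SYSLOG_HOST": m.group(2)}
    rec.update(FIELD_RE.findall(line[m.end():]))
    return rec

def shared_account_logons(text):
    """Logons to SYS/SYSTEM grouped by (OS user, client host, terminal): the
    only fields in the trail that tie a shared account back to a person.
    Each value is a list of (time, account, return code); a non-zero return
    code is a failed attempt and deserves a look as well."""
    usage = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if not rec or rec.get("ACTION") != LOGON_ACTION:
            continue
        if rec.get("USERID") not in SHARED_ACCOUNTS:
            continue
        key = (rec.get("OS$USERID", "?"), rec.get("USERHOST", "?"), rec.get("TERMINAL", "?"))
        usage[key].append((rec["TIME"], rec["USERID"], rec.get("RETURNCODE", "?")))
    return dict(usage)

if __name__ == "__main__":
    for (os_user, host, term), logons in sorted(shared_account_logons(SAMPLE_SYSLOG).items()):
        for when, account, rc in logons:
            status = "ok" if rc == "0" else f"failed, ORA-{int(rc):05d}"
            print(f"{when}  {account:<6} used by {os_user}@{host} on {term}: {status}")
```

Run it against the file the remote syslog host writes rather than the constructed sample; the non-DBA MONITOR_DBA logon is deliberately left out of the report to show the filter working.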

Re: DBA using SYS and SYSTEM
« Reply #6 on: Feb 3rd, 2006, 8:16pm »

Pete, Martin,
 
There is no way you can 'legally' prove someone did something to your database based only on IP addresses in an audit log. People can always deny they did it. And just having an IP address and trying to match it to a person is not very solid legal proof.
I'm convinced that strong authentication (a PKI) is the only way to go if you want/need non-repudiation and accountability.
 
 
Ivan

Re: DBA using SYS and SYSTEM
« Reply #7 on: Feb 7th, 2006, 1:33pm »

One of the issues I sometimes come across with using external audit trails is that the Unix admins are sometimes DBAs as well!
 
Or DBAs have ready access to an Admin account on the host.
 
As to the "you can't prove it was me" line, my normal response is, "but how much time and effort is it going to take you to prove it wasn't?"
 
It is part of an administrator's job to maintain the security and integrity of the data they are managing, and any lapse in that can cause repercussions.
 
Just because they can't prove who left the door open doesn't mean the owners of a house will not suffer a loss!
 
Kevin
 
Nofools