Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
Oracle Security >> Oracle Security >> DBA using SYS and SYSTEM
(Message started by: Pete Finnigan on Feb 1st, 2006, 3:56pm)

Title: DBA using SYS and SYSTEM
Post by Pete Finnigan on Feb 1st, 2006, 3:56pm
This is my first post, please be gentle.
Where I work, rather than the DBAs being given unique logins with the necessary privileges to do their job, they log on using SYS or SYSTEM.
I am sure this can't be good practice, but other than the lack of accountability and clear audit trail, I can't come up with an argument that will convince management that changing this is worthwhile.
I would like to perform a simple cost / benefit analysis on changing the process, but without a better idea of the risks intrinsic in the existing practice, I am finding it difficult.
What do you feel are the problems with using this practice?
How much effort would be involved in ensuring each user had a unique login that gave enough rights for them to do their daily tasks?
I understand that the answers would depend on the number of databases being administered and how much the DBAs actually do on a daily basis, but any help would be welcome.
Thank you in advance.

Title: Re: DBA using SYS and SYSTEM
Post by Pete Finnigan on Feb 1st, 2006, 8:33pm
Hi Martin,

I have two comments for now. The first, as you pointed out, is that using SYS and SYSTEM, especially if multiple users use these accounts, means there is no accountability for actions. Most government organisations require this to be done anyway.

The second issue depends on the role of the DBA and what they need to do daily. In most cases they do not need the DBA role or SYSDBA; some DBAs do, of course. You need, in my opinion, to establish the exact job requirements and then design a database role to suit.

cheers

Pete

Title: Re: DBA using SYS and SYSTEM
Post by Pete Finnigan on Feb 2nd, 2006, 10:46am
Hi Martin.

I agree totally with Pete's point on accountability.

One of the best methods I have found is to use that on the DBAs.

If there was a problem, either from an audit or from a technical point of view, could the DBAs prove it wasn't them that did it?

This is not the big brother approach, but does ensure that the technical staff have protection if something goes wrong.

The argument from most DBAs has always been that to correct problems quickly, they need access to SYS or SYSTEM. This is OK, if access to those accounts is controlled. Something as simple as the password being held by security in an envelope, and security/user admin having the ability to reset that password once it has been used, can be put in place. The DBA then signs out that they have the SYS password.

Day-to-day functions such as monitoring space, jobs etc. can be carried out via non-DBA accounts given the correct level of access.

Even if the DBAs' own accounts have full DBA rights, it at least provides a better method of accountability than them all sharing a high-level password.

Kevin Else
NoFools

Title: Re: DBA using SYS and SYSTEM
Post by Pete Finnigan on Feb 3rd, 2006, 9:54am
Thank you Pete and Kevin for your responses.

I have an issue with relying on the accountability argument alone at the moment. Users with DBA privileges can currently alter the audit log should they want to.
When I have tried the line of 'can you prove it wasn't you?' I received the response of 'no, but you can't prove it was me!' - Not very helpful, I am afraid.
This is one of the main reasons for me looking for additional reasons to limit the access the DBAs are using on a daily basis.
As an alternative, how easy would it be to move the audit logs to somewhere that DBAs couldn't access?

Cheers,

Martin

Title: Re: DBA using SYS and SYSTEM
Post by Pete Finnigan on Feb 3rd, 2006, 4:55pm
Martin,

I don't know which Oracle version you are using, but in 9i and 10g (and probably in 8i as well) you can set your audit trail to a syslog file (parameter audit_trail=os). The syslog (on a Unix system) will log the audit to a log file. Syslog can even log to another machine, well out of the reach of your "DBAs".

Ivan


on 02/03/06 at 09:54:56, Martin wrote:
As an alternative, how easy would it be to move the audit logs to somewhere that DBAs couldn't access?

Cheers,

Martin


Title: Re: DBA using SYS and SYSTEM
Post by Pete Finnigan on Feb 3rd, 2006, 7:15pm

on 02/03/06 at 09:54:56, Martin wrote:
When I have tried the line of 'can you prove it wasn't you?' I received the response of 'no, but you can't prove it was me!' - Not very helpful, I am afraid.
Martin


Hi Martin,

I don't want to seem arrogant, but I suspect if I looked after they had played around trying to cover their tracks I probably could prove it was them, at least when it was done and from which terminal. I have seen a lot of attempts to delete and alter records in the audit trail, and almost every time it's done badly and leaves such a trail of evidence you would be surprised.

I think Ivan's suggestion is the better one though: to write the audit trail to the OS and to use syslog to save it to a safe location.

The only issue with OS based audit is that there are no standard tools to review the trail.

cheers

Pete
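
Pete's point that there are no standard tools to review an OS-based audit trail is the gap a small script can fill. The following is an added example, not code from the forum or from Oracle: a parser for the blank-line-separated, `FIELD : 'value'` record layout that 10g-era SYSDBA audit files (the ones written under audit_trail=os) use, plus three checks that speak directly to the thread: which OS users have been connecting through the shared SYS account, which privileged connection attempts failed, and every SYSDBA connection with its terminal. The audit records are constructed for the example; the exact field layout differs between releases, so treat `FIELD_RE` and the sample as assumptions to adjust against your own adump files.

```python
import re
from collections import defaultdict

# Constructed sample in the style of a 10g SYSDBA OS audit file (assumption:
# real files carry a header block first and field layout varies by release).
SAMPLE_AUD = """\
Thu Feb  2 10:46:00 2006
ACTION : 'CONNECT'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/1
STATUS: 0

Fri Feb  3 09:54:56 2006
ACTION : 'CONNECT'
DATABASE USER: 'SYS'
PRIVILEGE : SYSDBA
CLIENT USER: martin
CLIENT TERMINAL: pts/3
STATUS: 0

Fri Feb  3 11:02:10 2006
ACTION : 'CONNECT'
DATABASE USER: 'SYS'
PRIVILEGE : SYSDBA
CLIENT USER: kevin
CLIENT TERMINAL: pts/5
STATUS: 0

Fri Feb  3 16:55:00 2006
ACTION : 'CONNECT'
DATABASE USER: 'SYS'
PRIVILEGE : SYSDBA
CLIENT USER: ivan
CLIENT TERMINAL: pts/4
STATUS: 1017

Fri Feb  3 19:15:00 2006
ACTION : 'ALTER SYSTEM SET audit_trail=OS SCOPE=SPFILE'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/1
STATUS: 0
"""

# "KEY : 'value'" or "KEY: value"; quotes are optional and stripped.
FIELD_RE = re.compile(r"^([A-Z][A-Z ]*?)\s*:\s*'?(.*?)'?\s*$")

# '/' is an OS-authenticated SYSDBA login, so it is as shared as SYS itself.
PRIVILEGED_USERS = {"SYS", "SYSTEM", "/"}


def parse_os_audit(text):
    """Split an OS audit file into records: one dict per blank-line-separated block.
    The first line of a block is its timestamp; blocks without an ACTION field
    (file headers, version banners) are skipped."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [line for line in block.splitlines() if line.strip()]
        if not lines:
            continue
        rec = {"TIMESTAMP": lines[0].strip()}
        for line in lines[1:]:
            m = FIELD_RE.match(line)
            if m:
                rec[m.group(1).strip()] = m.group(2)
        if "ACTION" in rec:
            records.append(rec)
    return records


def sysdba_connections(records):
    """Every CONNECT made with SYSDBA/SYSOPER, successful or not."""
    return [r for r in records
            if r.get("ACTION") == "CONNECT" and r.get("PRIVILEGE", "").startswith("SYS")]


def shared_account_usage(records):
    """Map each privileged database account to the OS users who logged in with it.
    More than one OS user behind SYS is exactly the accountability problem the
    thread describes: the CLIENT USER and TERMINAL are the only link to a person."""
    usage = defaultdict(set)
    for r in sysdba_connections(records):
        if r.get("STATUS") == "0" and r.get("DATABASE USER") in PRIVILEGED_USERS:
            usage[r["DATABASE USER"]].add(r.get("CLIENT USER", "?"))
    return dict(usage)


def failed_connections(records):
    """Privileged connection attempts with a non-zero STATUS (e.g. bad password)."""
    return [r for r in sysdba_connections(records) if r.get("STATUS") != "0"]


def review(text):
    """One-shot summary a reviewer would print or ship to a SIEM."""
    records = parse_os_audit(text)
    return {
        "records": len(records),
        "sysdba_connects": len(sysdba_connections(records)),
        "failed": [(r["TIMESTAMP"], r.get("CLIENT USER"), r.get("CLIENT TERMINAL"))
                   for r in failed_connections(records)],
        "shared": {acct: sorted(users) for acct, users in shared_account_usage(records).items()},
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_AUD).items():
        print(f"{key}: {value}")
```

Run it against the file copy that syslog forwarded off the database host, not the local adump copy: as Ivan says, the point of sending the trail elsewhere is that the people being reviewed cannot edit it, and Kevin's caveat that the Unix admin and the DBA are sometimes the same person applies to the local copy just as much as to the database.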

Title: Re: DBA using SYS and SYSTEM
Post by Pete Finnigan on Feb 3rd, 2006, 8:16pm
Pete, Martin,

There is no way you can 'legally' prove someone did something to your database based only on IP addresses in an audit log. People can always deny they did it. And just having an IP address and trying to match it to a person is not very solid legal proof.
I'm convinced that strong authentication (a PKI) is the only way to go if you want/need non-repudiation and accountability.


Ivan

Title: Re: DBA using SYS and SYSTEM
Post by Pete Finnigan on Feb 7th, 2006, 1:33pm
One of the issues I sometimes come across with using external audit trails is that the Unix admins are sometimes DBAs as well!

Or DBAs have ready access to an admin account on the host.

As to the "you can't prove it was me" line, my normal response is, "but how much time and effort is it going to take you to prove it wasn't".

It is part of an administrator's job to maintain the security and integrity of the data they are managing, and any lapse in that can cause repercussions.

Just because they can't prove who left the door open doesn't mean the owners of a house will not suffer a loss!

Kevin

Nofools


