Disabling "SYS" id in 9i [message #167010] Mon, 10 April 2006 18:16
chomug123
Messages: 6
Registered: April 2006
Location: Los Angeles
Junior Member
Hi all,

I was wondering if disabling "SYS" would restrict DBAs from performing daily work at all or would even prevent them from logging into "SYS"?

Also, I was wondering if a DBA could create his/her own individual account with all the SYS privileges for auditing purposes for our auditors to keep tabs on?

Basically ... my management is wanting to use a "firecall" procedure to keep track of exactly who uses the "SYS" account, and to appease the auditors, disable "SYS" unless the account is needed. Is this possible? I've read on some posts that disabling "SYS" would not do anything at all and you could still log in as "SYS".

Any thoughts, suggestions, or comments would be appreciated.

- Arthur Razz
Re: Disabling "SYS" id in 9i [message #167012 is a reply to message #167010] Mon, 10 April 2006 18:37
BlackSwan
Messages: 26766
Registered: January 2009
Location: SoCal
Senior Member
>disable "SYS" unless the account is needed.
Here is a rhetorical question, assuming that you can disable SYS & all other privileged accounts.
How would you re-enable SYS (or any other account) if you don't have the privs to do so?
Next, how do you audit the account that can grant & deny access to SYS?
Good luck in finding the Golden Fleece.
Re: Disabling "SYS" id in 9i [message #167014 is a reply to message #167010] Mon, 10 April 2006 18:53
chomug123
Messages: 6
Registered: April 2006
Location: Los Angeles
Junior Member
Thanks for the response!

Ahh I see ... hmm... how about that Firecall procedure idea? Would changing the SYS password and storing it away somewhere except for emergencies work (and changing the password again after it's used) in terms of limiting the use of the SYS account?

Also, is it possible for IT to restrict the use of SYS ID outside of just limiting knowledge of the account and password (meaning, can this account be disabled and individual accounts created in its place - with same level of authority)?

Any thoughts, suggestions, or comments would be appreciated!

Thanks!

- Arthur
Re: Disabling "SYS" id in 9i [message #167015 is a reply to message #167010] Mon, 10 April 2006 19:02
BlackSwan
Messages: 26766
Registered: January 2009
Location: SoCal
Senior Member
>Would changing the SYS password and storing it away somewhere
Then you need to TRUST the person who changed the password to NOT login as SYS & play around in the DB.
Besides, on *nix, anyone who has root access to the OS can access the DB with all SYS privs.
Anyone who has physical access to the system can gain root access to the system. At least I can & have done so on numerous occasions.
100% "secure computing" is an oxymoron.
Re: Disabling "SYS" id in 9i [message #167017 is a reply to message #167010] Mon, 10 April 2006 19:10
chomug123
Messages: 6
Registered: April 2006
Location: Los Angeles
Junior Member
Haha yes yes that is very true.

So I guess my second question in my reply was whether it is possible for IT to restrict the use of SYS ID outside of just limiting knowledge of the account and password (meaning, can this account be disabled and individual accounts created in its place - with same level of authority)?

Is that possible? In order to appease auditors that we're "restricting" sys access?

Thanks for all the input!

- Arthur
Re: Disabling "SYS" id in 9i [message #167121 is a reply to message #167017] Tue, 11 April 2006 07:57
Mahesh Rajendran
Messages: 10707
Registered: March 2002
Location: oracleDocoVille
Senior Member
Account Moderator
>>use of SYS ID outside of just limiting knowledge of the account

SYS account is like a ROOT account in UNIX.
You should not lock SYS account.
No regular database operations or maintenance should be done logged in as SYS or SYSDBA.
SYS or SYSDBA accounts are for very specific purposes and, of course, should be given to folks who know what they are doing.
>>appease auditors that we're "restricting" sys access?
None except DBAs should have access to SYS password or have SYSDBA account. Even then, a regular DBA is not supposed to login as SYSDBA for regular day-to-day work.
As Anacedent said, at some point you need to TRUST someone.
Re: Disabling "SYS" id in 9i [message #167551 is a reply to message #167010] Thu, 13 April 2006 15:54
chomug123
Messages: 6
Registered: April 2006
Location: Los Angeles
Junior Member
Would it be possible to have the SYS id not be used at all (even if it was not disabled)? Or do DBAs still have a need to occasionally use the SYS id? And if so, for what reasons? Thanks for all the help guys!

- Arthur
Re: Disabling "SYS" id in 9i [message #167554 is a reply to message #167551] Thu, 13 April 2006 17:07
Mahesh Rajendran
Messages: 10707
Registered: March 2002
Location: oracleDocoVille
Senior Member
Account Moderator
Seems you are twisting the same question again and again. If you are looking for a specific favourable answer, please let us know.

>>Would it be possible to have the SYS id not be used at all
No. Not possible. In real time, you need SYS account. SYS is the SUPERUSER. SYS is the owner of Oracle Dictionary.

>> do DBAs still have a need to occasionally use the SYS id? And if so, for what reasons?
Read the administrators guide / Oracle fundamental concepts guide.
Read at least the first chapter.
http://download-west.oracle.com/docs/cd/B10501_01/server.920/a96524/c05dicti.htm#312
http://download-west.oracle.com/docs/cd/B10501_01/server.920/a96521/dba.htm#9122
Re: Disabling "SYS" id in 9i [message #167558 is a reply to message #167010] Thu, 13 April 2006 20:00
chomug123
Messages: 6
Registered: April 2006
Location: Los Angeles
Junior Member
Interesting ... so SYS should be used for creating tables n' such whenever they are needed. What are some other instances when someone would use the SYS id? Thanks!

- Arthur
Re: Disabling "SYS" id in 9i [message #167560 is a reply to message #167558] Thu, 13 April 2006 20:11
Mahesh Rajendran
Messages: 10707
Registered: March 2002
Location: oracleDocoVille
Senior Member
Account Moderator
>>so SYS should be used for creating tables n' such whenever they are needed

SYS is not used to create regular tables. It is used to create data dictionary (something like creating/installing a database).

[Updated on: Thu, 13 April 2006 20:13]


Re: Disabling "SYS" id in 9i [message #167562 is a reply to message #167010] Thu, 13 April 2006 20:23
chomug123
Messages: 6
Registered: April 2006
Location: Los Angeles
Junior Member
I see ... so SYS is mainly used when installing a database and creating the data dictionary. I think I mixed up the SYSDBA and SYS ids when reading the guides. What other instances would the SYS account be used? Thanks!

- Arthur
Re: Disabling "SYS" id in 9i [message #167563 is a reply to message #167562] Thu, 13 April 2006 20:34
Mahesh Rajendran
Messages: 10707
Registered: March 2002
Location: oracleDocoVille
Senior Member
Account Moderator
You are still 'mixed up'.
I suggest, please READ the documentation or any book on oracle.
SYSDBA is a role granted to SYS.
So SYS is a SYSDBA (SYSDBA can be granted to any user. When a user, say SCOTT, is granted SYSDBA and logs into a database, he will be logging in as SYS. Just like a SUDO account in UNIX).
Re: Disabling "SYS" id in 9i [message #167564 is a reply to message #167563] Thu, 13 April 2006 20:40
Mahesh Rajendran
Messages: 10707
Registered: March 2002
Location: oracleDocoVille
Senior Member
Account Moderator
In simple analogy,
SYS is like the PRESIDENT of a company/organization.
SYS is the absolute owner/big boss for the whole database.
You cannot lock/disable/drop SYS account.
In an organization, will PRESIDENT/CEO do all the managerial stuff in all departments? NO. Not Possible. Right? For ease of administration there might be several MANAGERS doing several ADMINISTRATIVE jobs. You agree? Similarly the database will need DBAs (a regular user granted with DBA ROLE) to do the regular jobs (backup/tuning/schedule jobs/everything). But SYS is the absolute owner of the database and is the SUPERUSER.
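
An added example, not posted by anyone in this thread: a SQL*Plus session for Oracle 9i Release 2 that applies the point above that SYSDBA can be granted to a named user, and turns on auditing of SYSDBA activity so the shared SYS password is not the only control. The account name `dba_alice` is hypothetical; the session assumes an spfile and `REMOTE_LOGIN_PASSWORDFILE=EXCLUSIVE`.

```sql
-- Added example; dba_alice is a hypothetical account name.
-- Run in SQL*Plus while connected AS SYSDBA on Oracle 9i Release 2.

-- 1. Granting SYSDBA to other users requires an exclusive password file.
SHOW PARAMETER remote_login_passwordfile

-- 2. Which accounts can already connect with SYSDBA / SYSOPER?
SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 ORDER BY username;

-- 3. Give a named DBA the privilege instead of sharing the SYS password.
--    SQL*Plus prompts for the substitution variable.
CREATE USER dba_alice IDENTIFIED BY "&alice_password";
GRANT CREATE SESSION TO dba_alice;
GRANT SYSDBA TO dba_alice;

-- 4. Record top-level statements issued over SYSDBA/SYSOPER connections.
--    Static parameter: it takes effect at the next instance restart.
--    Records are written to operating-system audit files, not to a table
--    that a SYSDBA session could simply edit.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;
SHOW PARAMETER audit_file_dest

-- 5. After the restart, the named DBA authenticates with a personal
--    password; the session still runs as SYS, as described in the thread.
CONNECT dba_alice AS SYSDBA
SHOW USER

-- 6. For the firecall review, re-run the query from step 2 on a schedule
--    and compare the result with the approved list of SYSDBA holders.
--    Revoke the privilege when it is no longer needed:
REVOKE SYSDBA FROM dba_alice;
```

The OS audit files can be altered by the Oracle software owner and by root, so the OS-level trust issue raised earlier in the thread applies to the audit trail as well unless the files are copied off the host.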