Locking the SYS and SYSTEM users

Hi all

We have 10.2.0.4 on Solaris 10.

We currently have an IT audit of our environment, and the auditor commented that we should lock the users SYS and SYSTEM, create a single user with any name (not the generic name oracle), grant him the privileges of SYS and SYSTEM and use this user for admin purposes. Is this true? Is it recommended?

Please advise.

Hello

I think that this is not a good way to lock SYS.

In addition, if you connect as the administrator (root on Unix/Linux) of the operating system on the server and use
OS authentication, then you can connect to SYS AS SYSDBA anyway.

So, in fact, it is not possible to lock SYS even if you run the following:

ALTER USER SYS ACCOUNT LOCK;

If you want to prevent access to SYS, you must set a long and complex password and
apply the same rule for the admin/root OS user.

These passwords must be known by very few, well-identified people and written nowhere
(not in files or scripts).

What is more, you should restrict the DBA role to SYS and SYSTEM and remove this powerful role
from other Oracle users.

Then you can enable AUDIT in order to control connections to the database, and
create a LOGON TRIGGER to verify the connection, the workstation and the program of the end users
that connect to the database.

In 10g, EM DBConsole shows an alert whenever a user is logged on as SYS.

Please find attached an interesting paper written by Pete Finnigan on this topic:

http://www.insight.co.UK/files/presentations/hacking%20and%20securing%20Oracle.PDF

Hope this helps.
Best regards
Jean Valentine

Tags: Database
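The steps in the answer above (strong SYS/SYSTEM passwords, DBA role kept to SYS and SYSTEM, auditing, a logon trigger that records the workstation and program), as an added example that is not part of the original thread, written as the SQL and PL/SQL a DBA would run on a 10.2 database. The schema SECADM and its table LOGON_LOG, the trigger name TRG_LOGON_CHECK, the grantee APP_ADMIN and the application host names are assumptions made for the example; the password literals are placeholders. One caveat the trigger itself cannot fix: Oracle ignores an exception raised by a LOGON trigger for SYS and for any user holding ADMINISTER DATABASE TRIGGER (the error is written to the alert log), so the trigger can record SYSDBA connections but cannot block them, which is the same reason ACCOUNT LOCK does not keep SYS out.

```sql
-- Added example: hardening steps from the answer above, on Oracle 10.2.
-- SECADM, SECADM.LOGON_LOG, TRG_LOGON_CHECK, APP_ADMIN and the host names
-- are assumptions; the password literals are placeholders.

-- 1. SYS cannot be locked out, so make its password (and SYSTEM's) long and
--    random. Type them interactively (the SQL*Plus PASSWORD command prompts
--    without echo) rather than keeping a script with the real values.
ALTER USER sys    IDENTIFIED BY "Xk9vQ2pLm7Rt4wZe8Hc3";
ALTER USER system IDENTIFIED BY "Hf3Nc6Yb1Sd0Gq5jWn8Tz";

-- 2. Who else holds DBA? Leave it with SYS and SYSTEM only.
SELECT grantee, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA';
REVOKE dba FROM app_admin;            -- repeat for each unexpected grantee

-- 3. Auditing. In 10.2 audit_trail defaults to NONE, and SYSDBA sessions are
--    only recorded when audit_sys_operations is TRUE (to the OS trail under
--    audit_file_dest, never to AUD$). Both parameters need an instance restart.
ALTER SYSTEM SET audit_trail = 'DB_EXTENDED'  SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE  SCOPE = SPFILE;
-- after the restart: every logon and logoff ends up in DBA_AUDIT_SESSION
AUDIT CREATE SESSION BY ACCESS;

-- 4. Logon trigger: record who connected, from where and with which program,
--    flag privileged sessions that did not come from the server itself, and
--    refuse ad-hoc tools for ordinary accounts outside the application tier.
CREATE TABLE secadm.logon_log (
  logon_time  DATE DEFAULT SYSDATE NOT NULL,
  db_user     VARCHAR2(30),
  os_user     VARCHAR2(100),
  host        VARCHAR2(100),
  ip_address  VARCHAR2(45),
  module      VARCHAR2(64),
  is_dba      VARCHAR2(5),
  flagged     CHAR(1)
);

CREATE OR REPLACE TRIGGER trg_logon_check
AFTER LOGON ON DATABASE
DECLARE
  PRAGMA AUTONOMOUS_TRANSACTION;     -- commit the log row on its own
  v_user   VARCHAR2(30)  := SYS_CONTEXT('USERENV', 'SESSION_USER');
  v_osuser VARCHAR2(100) := SYS_CONTEXT('USERENV', 'OS_USER');
  v_host   VARCHAR2(100) := SYS_CONTEXT('USERENV', 'HOST');
  v_ip     VARCHAR2(45)  := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  v_module VARCHAR2(64)  := SYS_CONTEXT('USERENV', 'MODULE');
  v_isdba  VARCHAR2(5)   := SYS_CONTEXT('USERENV', 'ISDBA');
  v_flag   CHAR(1)       := 'N';
BEGIN
  -- IP_ADDRESS is NULL for a local (bequeath) connection; a SYS or SYSDBA
  -- session that arrived over the network is what the DBA wants to see.
  IF (v_user = 'SYS' OR v_isdba = 'TRUE') AND v_ip IS NOT NULL THEN
    v_flag := 'Y';
  END IF;

  INSERT INTO secadm.logon_log
    (db_user, os_user, host, ip_address, module, is_dba, flagged)
  VALUES
    (v_user, v_osuser, v_host, v_ip, v_module, v_isdba, v_flag);
  COMMIT;

  -- HOST, OS_USER and MODULE are supplied by the client and can be forged,
  -- so this is a policy check, not an authentication boundary. SYS and
  -- holders of ADMINISTER DATABASE TRIGGER pass regardless (see lead-in).
  IF v_user NOT IN ('SYS', 'SYSTEM')
     AND UPPER(v_module) LIKE 'SQL%PLUS%'
     AND v_host NOT IN ('appsrv01', 'appsrv02') THEN
    RAISE_APPLICATION_ERROR(-20001,
      'Ad-hoc connection from ' || v_host || ' refused for ' || v_user);
  END IF;
END;
/

-- Review the privileged connections that came in over the network:
SELECT logon_time, db_user, os_user, host, ip_address, module
  FROM secadm.logon_log
 WHERE flagged = 'Y'
 ORDER BY logon_time DESC;
```

Test the trigger from an ordinary account before relying on it: a defect in it is tolerated for SYS but locks every other user out until it is disabled with ALTER TRIGGER trg_logon_check DISABLE from a SYSDBA session.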

Similar Questions

  • Expiry of the password for user SYS and SYSTEM

    My 11g R2 database on Redhat 5 has the sys and system user passwords expired
    SQL> select username,account_status,EXPIRY_DATE
      2  from dba_users where username like 'SYS%';

    USERNAME                       ACCOUNT_STATUS                   EXPIRY_DA
    ------------------------------ -------------------------------- ---------
    SYSMAN                         OPEN
    SYSTEM                         OPEN                             15-FEB-11
    SYS                            OPEN                             15-FEB-11
    But I can still connect to the database with the expired password.

    Should I worry about the password expiration of these users? For a normal user, I cannot connect with an expired password.

    Dear user13148231,

    Here's an illustration;

    SQL> alter user sys account lock;
    
    User altered.
    SQL> select username, account_status, lock_date, expiry_date from dba_users where USERNAME='SYS';
    
    USERNAME                       ACCOUNT_STATUS                   LOCK_DATE EXPIRY_DA
    ------------------------------ -------------------------------- --------- ---------
    SYS                            LOCKED                           20-AUG-10 23-FEB-09
    
    SQL> host sqlplus sys/password@opttest as sysdba
    
    SQL*Plus: Release 10.2.0.4.0 - Production on Fri Aug 20 12:25:43 2010
    
    Copyright (c) 1982, 2007, Oracle.  All Rights Reserved.
    
    Connected to:
    Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    
    SQL> exit
    Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    
    SQL> alter user sys identified by password password expire;
    
    User altered.
    
    SQL> select username, account_status, lock_date, expiry_date from dba_users where username='SYS';
    
    USERNAME                       ACCOUNT_STATUS                   LOCK_DATE EXPIRY_DA
    ------------------------------ -------------------------------- --------- ---------
    SYS                            EXPIRED & LOCKED                 20-AUG-10 20-AUG-10
    
    SQL> host sqlplus sys/password@opttest as sysdba
    
    SQL*Plus: Release 10.2.0.4.0 - Production on Fri Aug 20 12:27:02 2010
    
    Copyright (c) 1982, 2007, Oracle.  All Rights Reserved.
    
    Connected to:
    Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    
    SQL> exit
    Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    
    SQL> alter user sys identified by password account unlock;
    
    SQL> select username, account_status, lock_date, expiry_date from dba_users where username='SYS';
    
    USERNAME                       ACCOUNT_STATUS                   LOCK_DATE EXPIRY_DA
    ------------------------------ -------------------------------- --------- ---------
    SYS                            OPEN
    

    Even if the status is EXPIRED & LOCKED, it is still possible to connect to the database as user SYS.

    SQL> alter user ogan identified by password account lock password expire;
    
    User altered.
    
    SQL> select username, account_status, lock_date, expiry_date from dba_users where username='OGAN';
    
    USERNAME                       ACCOUNT_STATUS                   LOCK_DATE EXPIRY_DA
    ------------------------------ -------------------------------- --------- ---------
    OGAN                           EXPIRED & LOCKED                 20-AUG-10 20-AUG-10
    
    SQL> conn ogan/password
    ERROR:
    ORA-28000: the account is locked
    
    Warning: You are no longer connected to ORACLE.
    SQL> conn / as sysdba
    Connected.
    SQL> alter user ogan account unlock;
    
    User altered.
    
    SQL> conn ogan/password@opttest
    ERROR:
    ORA-28001: the password has expired
    
    Changing password for ogan
    New password:
    Retype new password:
    Password changed
    Connected.
    SQL>
    

    Ogan

  • How can I add items to the menu of the lock button? I only have switch user, shut down and lock. I want to add 'restart'.

    How can I add items to the menu of the lock button? I only have switch user, shut down and lock. I want to add 'restart'.

    This tutorial should do what you want. Use method 2.
    http://www.Vistax64.com/tutorials/105003-shutdown-options-start-menu.html

    Please read all the notes carefully, not only parts of the instructions.

    t-4-2

  • Locked user SYS and SYSTEM

    DB version: 11.2.0.2
    Operating system: Solaris 10

    In our production DBs, I noticed that the SYS and SYSTEM users are locked
    $ sqlplus / as sysdba
    
    SQL*Plus: Release 11.2.0.2.0 Production on Thu Jan 19 14:21:34 2012
    
    Copyright (c) 1982, 2010, Oracle.  All rights reserved.
    
    
    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
    With the Partitioning option
    
    SQL> select username, account_status from dba_users where username like 'SYS%';
    
    USERNAME                       ACCOUNT_STATUS
    ------------------------------ --------------------------------
    SYSTEM                         LOCKED
    SYS                            LOCKED
    1. How can I connect to the SYS account despite the lock? Is it because I connected via external authentication?

    2. Is locking the SYS user standard practice? If so, why?

    1. How can I connect to the SYS account despite the lock? Is it because I connected via external authentication?

    You are the owner of the ORACLE_HOME, so you can connect. Yes, it is because of external authentication.
    Of course you cannot connect as the SYSTEM user. Have you tried?

    2. Is locking the SYS user standard practice? If so, why?

    It depends on the security policy; in some cases, a user will be created with the DBA role.

  • Question about user SYS and ROLES

    Hello

    When I create a role, such as:
    create role atestrole;
    I see that as soon as the role is created, it is automatically granted to SYS.

    I thought that, given that SYS already has every system and object privilege in existence, the automatic grant was superfluous and unnecessary. To test this, I revoked the role 'atestrole' from SYS and then tried, as user SYS, to grant 'atestrole' to SCOTT. As expected, SYS was able to grant 'atestrole' to SCOTT.

    At this point, it seems that the automatic granting of new roles to SYS does not make SYS able to do anything it would not be able to do otherwise.

    Question: does automatically granting all newly created roles to SYS give SYS a few abilities that it would not otherwise have, or is it superfluous (as it seems to be)?

    Thank you for your help,

    John.

    PS: the new roles are automatically granted to SYS by Oracle itself; it is not something done "manually".

    Edited by: 440bx - 11gR2 on 20 Sep, 2010 08:23 - added PS.

    I don't know if it will clear the cloud or not! But the result is: "the user who creates a role is also granted that role by default".
    So, if you created the ROLE as SYS it is granted to SYS, otherwise NOT by default. See the example below.

    SQL> conn sys@xe as sysdba
    Enter password: ******
    Connected.
    
    SQL> CREATE ROLE TEST_ROLE_GRANT1;
    
    Role created.
    
    SQL> set line 1000
    SQL> SELECT * FROM dba_role_privs
      2  WHERE GRANTED_ROLE='TEST_ROLE_GRANT1';
    
    GRANTEE                        GRANTED_ROLE                   ADM DEF
    ------------------------------ ------------------------------ --- ---
    SYS                            TEST_ROLE_GRANT1               YES YES
    
    SQL> conn system@xe
    Enter password: ******
    Connected.
    SQL> CREATE ROLE TEST_ROLE_GRANT2;
    
    Role created.
    
    SQL> SELECT * FROM dba_role_privs
      2  WHERE GRANTED_ROLE='TEST_ROLE_GRANT2';
    
    GRANTEE                        GRANTED_ROLE                   ADM DEF
    ------------------------------ ------------------------------ --- ---
    SYSTEM                         TEST_ROLE_GRANT2               YES YES
    
    SQL> conn hr@xe
    Enter password: **
    Connected.
    
    SQL> CREATE ROLE TEST_ROLE_GRANT3;
    
    Role created.
    
    SQL> SELECT * FROM dba_role_privs
      2  WHERE GRANTED_ROLE='TEST_ROLE_GRANT3';
    
    GRANTEE                        GRANTED_ROLE                   ADM DEF
    ------------------------------ ------------------------------ --- ---
    HR                             TEST_ROLE_GRANT3               YES YES
    
    SQL> 
    
  • Subsidies granted by user SYS and SYSTEM

    Hi all

    Please, help me to understand this problem.

    I have a schema named maps_ref where I create a view (table abc, view abc01).
    Here, I granted the CREATE VIEW and CREATE ANY VIEW privileges to maps_ref by connecting as SYS AS SYSDBA.
    It allowed me to create the view.

    As a test, I revoked the privileges by connecting as SYSTEM, and it revoked the privileges granted by SYS AS SYSDBA.
    Afterwards, of course, I couldn't create the view.

    Does this mean that grants made by SYS AS SYSDBA are revocable by SYSTEM? Is SYSDBA then more powerful than SYSTEM?

    I'm a little confused about how this worked. Please explain.

    Rgds,
    Aashish

    Hello

    SYS is not a normal user and you are not able to connect without the SYSDBA clause.

    sqlplus sys@test

    SQL*Plus: Release 11.1.0.7.0 - Production on Wed Apr 8 09:48:37 2009

    Copyright (c) 1982, 2008, Oracle. All rights reserved.

    Enter password:
    ERROR:
    ORA-28009: connection as SYS should be as SYSDBA or SYSOPER

    Enter user-name:

    sqlplus sys@test as sysdba

    SQL*Plus: Release 11.1.0.7.0 - Production on Wed Apr 8 09:48:55 2009

    Copyright (c) 1982, 2008, Oracle. All rights reserved.

    Enter password:

    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options

    SQL>

    Kind regards
    Tom
    http://OracleDBA.cz

  • I have the latest Windows Live Mail 2011, but when the system goes into standby and locks, the only way out is a complete shutdown of Windows, restart, then go into sleep mode. This never used to happen until Windows Live Mail 2011 was updated on my PC.

    I always forget to end the Windows Live session before putting the PC in standby mode; the PC wakes up and then locks up completely, not responding to anything, so I have to do a full reboot, very annoying.

    Also, when working within Windows Live Mail 2011, if you add a lot of attachments to an e-mail, as I often have to do, and then send it, the list of attachments disappears off the screen, so when you send you don't really know what was transmitted, a horrible situation, so you must also send to yourself, then you can check what has been sent. Stupid!

    How can I get rid of these flaws?

    You will find support for Windows Live Mail in this forum: http://windowslivehelp.com/forums.aspx?forumid=b91657c9-9031-4406-a398-7d0783119bb7

    ~ Robear Dyer (PA Bear) ~ MS MVP (that is, Mail, Security, Windows & Update Services) since 2002 ~ WARNING: MS MVPs neither represent nor work for Microsoft

  • sys and system schema are expired & locked after disaster recovery.

    Hi all

    In one of our development databases, I conducted a disaster recovery and it succeeded.
    After completing the recovery, the sys and system schemas are expired & locked.
    So I'm not able to carry out any type of operation performed by the users sys and system.

    Database Version: 11g r2
    Operating system: RedHat 5.5

    Please please suggest me how can I solve this problem?

    Thank you
    Pitard.

    It might be.

    What is the status of the users in the source database from which you took the backup? Maybe they were locked there too, so even after performing the refresh the status remains the same.

    See your profile stats below. All have remained unanswered. Are you simply testing our patience? If not, close all threads as answered. Clean up the forum.

    User profile for pitard
    Handle: Pitard
    Status level: Beginner
    Join date: March 4, 2010
    Total messages: 9
    Total Questions: 8 (8 open)
    Viren name

    Edited by: CKPT on February 20, 2012 19:47

  • SYS and SYSTEM account status

    By default, the users SYS and SYSTEM are assigned the DEFAULT profile. According to this profile setting (PASSWORD_LIFE_TIME), the password is supposed to expire every 180 days, but the SYS and SYSTEM account status is OPEN even after 1 year, not EXPIRED. Please, someone clarify this point.

    USERNAME                       CREATED   ACCOUNT_STATUS                   PROFILE
    ------------------------------ --------- -------------------------------- ------------------------------
    SYS                            24-AUG-13 OPEN                             DEFAULT
                                   24-AUG-13 OPEN                             DEFAULT

    PROFILE                        RESOURCE_NAME                    RESOURCE LIMIT
    ------------------------------ -------------------------------- -------- ----------------------------------------
    DEFAULT                        PASSWORD_LIFE_TIME               PASSWORD 180


    1762432 wrote:

    When was the last time that someone actually tried to connect as SYSTEM?

    --> No, not tried until now. So does this mean that if I try to connect as SYSTEM, only then does it get EXPIRED, and it remains OPEN even if PASSWORD_LIFE_TIME exceeds the 180-day limit?

    Have you read the link I gave you?  In particular, the discussion on fig. 5 and fig. 6.

    If you had, you would have the answer to this question.

    I thought the account EXPIRES based on PASSWORD_LIFE_TIME even if nobody attempts to connect to the DB via the account.

    Then you thought wrong.  As I said earlier, the database does not spend time constantly trawling through accounts looking to see if something has passed its expiration date.  If it did that, it would never have time to do anything else.  It checks in the context of a connection request and responds accordingly.

  • sys account locked

    If the sys account is locked and the system account has already been deleted, and no one else has the DBA privilege, how do I unlock the sys user?

    958668 wrote:
    If the sys account is locked and the system account has already been deleted, and no one else has the DBA privilege, how do I unlock the sys user?

    You can lock sys, but it does not matter; just connect as sysdba:

    /hostname/home/oracle > sqlplus / as sysdba
    
    SQL*Plus: Release 11.2.0.2.0 Production on Thu Jun 6 11:18:56 2013
    
    Copyright (c) 1982, 2010, Oracle.  All rights reserved.
    
    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
    With the Partitioning option
    
    SQL> alter user sys account lock;
    
    User altered.
    
    SQL> exit
    Disconnected from Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
    With the Partitioning option
    /hostname/home/oracle > sqlplus / as sysdba
    
    SQL*Plus: Release 11.2.0.2.0 Production on Thu Jun 6 11:19:08 2013
    
    Copyright (c) 1982, 2010, Oracle.  All rights reserved.
    
    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
    With the Partitioning option
    
    SQL> alter user sys account unlock;  
    
    User altered.
    
    SQL> 
    
  • SYS user expiry question

    Can the users sys and system be locked? If so, what is the effect on the database?

    My database's sys and system users already show an expiry date, and the lock date is null.

    Please suggest.
    USERNAME                       ACCOUNT_STATUS                   LOCK_DATE EXPIRY_DA
    ------------------------------ -------------------------------- --------- ---------
    MGMT_VIEW                      OPEN                                       18-FEB-11
    SYS                            OPEN                                       18-FEB-11
    SYSTEM                         OPEN                                       01-MAR-11

    You need to use or create a profile for which PASSWORD_LIFE_TIME is set to UNLIMITED. This is normally the case for the DEFAULT profile.

    Example using the DEFAULT profile:

    SQL> alter user sys profile default;
    
    User altered.
    

    Or, for example, create a new profile:

    SQL> create profile sp limit password_life_time unlimited;
    
    Profile created.
    
    SQL> alter user sys profile sp;
    
    User altered.
    

    But you must take into account all the resource limits related to the profile, not only PASSWORD_LIFE_TIME.

  • IBM ThinkCentre: at startup it requests the system user password, and a genius set the BIOS to lock the keyboard. Can it be bypassed, and how?

    Original title: IBM ThinkCentre @ start request.

    IBM ThinkCentre: at startup it requests the system user password, and a genius set the BIOS to lock the keyboard. Can it be bypassed, and how?

    Hi brandon1980,

    I recommend you contact your computer manufacturer for assistance. The manufacturer would be able to give details about the BIOS (Basic Input Output System) and find out whether this feature can be disabled.

    Hope this information helps.

  • Windows Virtual PC integration components lock me out of my WinXP OEM guest - error: "The system could not log you on. Make sure your user name and domain are correct..."

    With my new Windows 7 desktop hardware configuration, I decided (before considering VMware Player) to retry Windows Virtual PC; but instead of using Windows XP Mode (which is useless because the disk is inaccessible), I decided to use my own Windows XP Pro OEM. [I use it for games that won't play on Win7.  Security issues are also irrelevant, because for these games I'm not likely to use the Web.  Of course, I always have Windows Security Essentials in my OEM guest.]

    The problem here is, whenever I activate the integration features, VPC opens as if Windows XP Mode had been installed (it is not); and when the screen comes up, it asks for my user name and password.  I tried to use the name and password that I entered when installing my XP OEM, but I get this message:

    "The system could not log you on.  Make sure your user name and domain are correct.  Type your password again.  Letters in passwords must be entered using the proper case."

    How is it that I can't access my Windows XP OEM guest when the integration features are enabled?  Only when they are disabled can I activate my guest OS, but that's counterproductive, because I won't be able to move items from my host into my guest.  Once more, if I decide to use VPC as my host VM for Linux Ubuntu/Kubuntu, what chance is there that activating the integration features will lock me out of my Linux guest?

    Another thing: in the Start Menu under the Windows Virtual PC folder I have shortcuts for 'Windows Virtual PC' or 'Virtual Machines' (according to the Win7 version I use, 32-bit or 64-bit); but I also have "Windows XP Mode", which I have not installed.  How is that possible?  I checked the shortcut, and it points to rundll32.exe.  Should I just get rid of the shortcut, or will I damage my VPC if I do?

    Hello Cooky,

    Please provide a detailed description of the issue.

    I understand the inconvenience you encountered, and I appreciate your efforts.

    To get more information about it, we have a dedicated forum where these issues are dealt with; it would be better suited to the TechNet community.

    Please visit the link below to find a community that will provide the best support.

    https://social.technet.Microsoft.com/forums/Windows/en-us/home?category=w7itpro

    I hope this information is useful.

    Please let us know if you need more help, we will be happy to help you.

    Thank you.

  • Why is password for SYS and SYSTEM different

    I use 10g Express
    During the installation I created the password and I use it as the password for SYS, but it does not work for SYSTEM.

    (I'm on Windows 7 on AMD x64)

    Thank you.

    Hello

    The SYS and SYSTEM passwords are asked for during the database creation process.

    Maybe a different password was set.

    Anyway, since you know the password for SYS, you can change the password for SYSTEM with the following statement:

    alter user system identified by <new_password>;
    

    Hope this helps.
    Best regards
    Jean Valentine

  • Encrypt the sys and system tables

    How can I encrypt/restrict the sys and system tables so that no user can view them?

    On one database a few users have access.

    Is it possible to restrict their access to the dictionary tables?

    RAC_DBA wrote:
    How can I encrypt/restrict the sys and system tables so that no user can view them?

    On one database a few users have access.

    Is it possible to restrict their access to the dictionary tables?

    If you want to protect the data dictionary, then use the O7_DICTIONARY_ACCESSIBILITY parameter to deny users that have the 'SELECT ANY TABLE' privilege from selecting data belonging to SYS.

    And don't forget, if you share the password for user SYS or SYSTEM, it means that you share all the information, including the data dictionary.
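The O7_DICTIONARY_ACCESSIBILITY point from the reply above, as an added example that is not from the original thread. It shows the check, the effect of the setting on a user holding SELECT ANY TABLE, and the narrower grants to use when someone legitimately needs the dictionary. The account REPORT_USER, its password literal and the table HR.EMPLOYEES are assumptions made for the example.

```sql
-- Added example: what O7_DICTIONARY_ACCESSIBILITY does and does not do.
-- REPORT_USER, its password and HR.EMPLOYEES are assumptions.

-- Check the setting. Since 9i the default is FALSE: the ANY privileges
-- (SELECT ANY TABLE, DROP ANY TABLE, ...) stop at the SYS schema.
SHOW PARAMETER o7_dictionary_accessibility

-- A user holding SELECT ANY TABLE
CREATE USER report_user IDENTIFIED BY "Rp7tU2sEr9xK4m";
GRANT CREATE SESSION, SELECT ANY TABLE TO report_user;

CONNECT report_user/Rp7tU2sEr9xK4m
SELECT COUNT(*) FROM hr.employees;        -- allowed: an ordinary schema
SELECT name, spare4 FROM sys.user$;       -- refused while FALSE: SYS base
                                          -- table holding the password hashes

-- With TRUE (the Oracle 7.3 behaviour the parameter name refers to) the
-- second query succeeds for every SELECT ANY TABLE holder, which is exactly
-- what the reply warns against. Shown only to name the wrong setting:
--   ALTER SYSTEM SET o7_dictionary_accessibility = TRUE SCOPE = SPFILE;

-- When a user legitimately needs the dictionary, grant the views, not the
-- base tables:
CONNECT / AS SYSDBA
GRANT SELECT_CATALOG_ROLE TO report_user;   -- DBA_* and V$ views only

-- SELECT ANY DICTIONARY also opens SYS base tables (USER$ included) and is,
-- with SELECT ANY TABLE, the privilege to look for when reviewing grants:
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('SELECT ANY DICTIONARY', 'SELECT ANY TABLE');

-- The parameter does nothing about DBA role holders or anyone who can
-- connect AS SYSDBA; those are covered by the previous query and this one.
SELECT grantee FROM dba_role_privs WHERE granted_role = 'DBA';
```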
