Helena Marková, November 28, 2005 - 4:48 am UTC
OS authentication
A reader, November 29, 2005 - 4:40 am UTC
Tom,
We need to suppress the OS authentication and enforce database authentication. A boundary line between network/system administrator (a guy) and database administrator (another guy) is required. So that connection to database having sysdba privilege without password must be barred. One should only connect to database with database authentication.
Thanks
November 29, 2005 - 10:06 am UTC
one will need to use the network then
remove them from the DBA group (the ability to connect / as sysdba goes away)
grant them sysdba (this will put them into the password file - you need to have remote login password file set up - you might have to use orapwd to create an empty one if you don't have one yet)
Then, they can
connect user/pass@db as sysdba
only.
best to not let them even log onto the server then as well.
alt, November 30, 2005 - 5:25 am UTC
Hi
What is oradba group?
Can you plese let me know what do you mean by
"remove them from the DBA group (the ability to connect / as sysdba goes away)"
November 30, 2005 - 11:51 am UTC
people in the "special group YOU set up upon install" have the ability to connect / as sysdba - if you don't want that you must remove them from the group YOU created upon installation of the software.
database/data security
A reader, November 30, 2005 - 5:33 am UTC
Tom,
I feel I was unable to explain the scenario! -- Sorry for that.
We do need a network :)
Oracle 91 EE is running over Windows Server 2003.
Actually the network/system administrator cannot be barred from the server pc, as he is responsible for the OS, network etc. how can this person be removed from ora_dba group!
While the database administrator do manage the Oracle Server software installed on server machine remotely from his desktop pc. Occasionally he needs to work on server pc, as he is responsible for the Oracle Server software installed and the 'data' on that server pc.
This security breach may lead us to a 'blame game' in case of any disaster.
We need to protect the 'metadata and data' from intruders -- most likely they could be internal ones. Thats why I was asking about the suppression of OS authentication. We don't need it at all rather we need database authentication around the network i.e. at the server pc and all connected machines.
Thanks again.
November 30, 2005 - 11:52 am UTC
You have to answer that - this is a "windows operating system question", not one that I can answer.
I know on unix we can separate these capabilities (you can limit root privs, compartmentalize things). You'd have to ask a windows OS person "how can we do this"
for 'alt from India'
A reader, November 30, 2005 - 5:46 am UTC
When Oracle is installed on a Windows OS it creates a local group named 'ora_dba -- Oracle DBA Group' and the local user 'Administrator' with its member by default.
The membership of this local group grants its members the privilege to connect as sysdba without password -- as they are authenticated at OS level.
Tom, am I right?
November 30, 2005 - 11:52 am UTC
yes
You're unlikely to get round this
Tom, November 30, 2005 - 7:55 am UTC
To be honest, the ability to prevent your server administrator from logging onto the database probably isn't going to happen.
If you remove the system administrator from the ora_dba group then he's a system administrator and can just add himself back in again [its only a windows user group after all].
It might be a better idea to simply enable auditing to track who did what....
Its clear now
A reader, December 01, 2005 - 2:31 am UTC
Tom,
Thanks once again for your great efforts for all of us.
I understand that as long as we are using 'Windows' as OS we'll have to face it 'boldly'. :)
As you told that one can draw a solid-line between the OS-Admin and the dba in UNIX.
What you say about Linux and Solaris?
We are planning for the OS migration. No doubt Linux is a strong candidate, but the Solaris 10 is getting more attention because it has become free and open-source. ;)
We need your thoughts upon Linux and Solaris both.
Thanks.
December 01, 2005 - 12:28 pm UTC
there are 3rd party tools that allow you to create your own "root like" accounts that don't have all of the capabilities of a "real root" so you can very finely manage what people can and cannot do.
One more problem..
Navin, January 24, 2006 - 5:44 am UTC
hi Dear Tom,
My Scenario is:
Previously to my database windows user admin was able to login to
the database without giving password : conn / as sysdba.
Then I changed the parameter REMOTE_LOGIN_PASSWORDFILE to 'NONE'
which was previously 'EXCLUSIVE'.
And Now with the same user admin i am unable to login
to my database : conn sys/sys as sysdba
or even by : conn / as sysdba.
Could you please help me out for this?
With Regards,
Navin
January 24, 2006 - 8:14 am UTC
connect / as sysdba
won't use the password file, it uses OS authentication.
So, are you sure you are logged into the OS as someone that is allowed to connect / as sysdba? (in the right group)
Classic
Frank, January 24, 2006 - 8:25 am UTC
This sounds so much like the classic 'I do not want my dba to see my data' issue.
Must be wonderful to work in an organization where you cannot even trust your system administrator...
Was asked this too, Frank! Really!
Jan van Mourik, January 28, 2006 - 7:06 pm UTC
Well Frank, I think you're right, but...
I was asked yesterday to make it more difficult for the SysAdmin (on UNIX) to get into the database! Because root can do a "su - oracle", then do "sqlplus / as sysdba" and they are in. Ths is found to be insecure by the auditors (SOX, yes).
Tom, you said "I know on unix we can separate these capabilities (you can limit root privs, compartmentalize things)".
Is there any way on unix to prevent from su-ing to oracle?
I'm wondering what the easiest way to prevent all this is. Don't really feel like going down the orapwd road, but...
Regards, jan
January 29, 2006 - 8:17 am UTC
orapwd - the password file used for remote authentication - won't help you here at all, it would be used over the network, but not for local connections.
yes, there are third party tools (varies by your OS - best to talk to the people that sell and support your OS) that can segment responsibilities and make it so that root cannot su to just anyone.
Reviewing myself...
Jan van Mourik, January 28, 2006 - 7:21 pm UTC
"Don't really feel like going down the orapwd road, but..."
Wouldn't work anyway I think, now I'm playing around with it...
jan
January 29, 2006 - 8:18 am UTC
correct - it wont.
cannot log is as connect / as sysdba from root OS user
Girish, March 07, 2006 - 7:35 am UTC
I am not able to login as connect / as sysdba when I am logged in as root OS user .Is there a way to log in in this way
March 08, 2006 - 4:28 pm UTC
root would need to be in the proper OS group that is allow to connect as sysdba, is it?
The Database Vault
A reader, May 09, 2006 - 4:18 am UTC
Actually Frank was never right and even Tom knew that very well too!
I was not distressed by this guy's remarks about a major security issue faced inside organizations to protect their data rather I was amazed that Tom didn't even bother to acknowledge the problem in its spirits and so was unable to present the solution too. Tom keeps on pouring the evil on Operating System rather than the Database. Its crystal clear that Database possesses the Data not Operating System. One who holds should also be liable too.
So many thanks go to the Oracle Database Development Team, who not only felt the depth of this security issue and also presented a logical, nice and powerful solution named 'Database Vault'.
Mr. Tom, now what you say about it?
Hmmmmmm
May 09, 2006 - 8:08 am UTC
I pretty much stand by what I wrote above.
with or without audit vault - what happens when you GRANT SOMEONE THE ABILITY TO DO SOMETHING???
Well, they can do it. Think about it.
"I grant you oradba"
"But I don't want you to do what oradba's are supposed to do"
That is what we call "a conundrum"
Hmmmmm, mr. "a reader" now what say you - I granted you permission to come to this site, but I don't want you to come to this site - same sort of thing?
Hmmm indeed??
I guess when people ask a question "how do I do something" - I try to tell them "how to do it"
If you don't want oradba users to do with oradba users do - DO NOT GRANT TO THEM ORADBA AT THE OS LEVEL.
I utterly fail to see where I demonized the operating system here. I sort of pointed out "you have to know what you are doing, and what ramifications arise as a natural course of events when you DO STUFF"
And Data Vault - still allows DBA's that are AUTHORIZED (keyword here, AUTHORIZED) to do what DBA's do.
What do you say about that?
Oracle Database Vault
A reader, May 10, 2006 - 4:41 am UTC
Mr. Tom as per your thoughts, if Database Vault cant solve the data security breaches being faced by the organizations then why Oracle Database Development Team has done such an effort?
What this Database Vault thing is about then?
May 10, 2006 - 8:13 am UTC
It is about giving you more things to authorize.
Look the bottom line here is, has been, will be:
IF YOU GRANT SOMEONE THE PRIVILEGE TO DO "X", THEN THEY CAN DO "X".
I do not believe you read this thread - or if you did, you did not understand the fundemental problem.
If you give me a privilege - then I can use it.
We have added the ability to be more selective in what a DBA can see in some cases, but - big BUT - if you grant them something, guess what? They got it.
sysdba - grant that to me and guess what? I'm more powerful than a DBA, able to leap tall buildings in a single bound.
This entire discussion was centered around:
Hey, I've given someone access to the oradba group. Now, I know that by being in this oradba group they have the ability to use OS authentication. I don't want them to use OS authentication - what can I do.
The only answers to that are:
o remove them from the oradba group, this will remove their ability to do what you don't want them to do.
o let them stay in the oradba group but change your expectations and realize that by giving them this PRIVILEGE, they have the ability to do what this PRIVILEGE CONVEYS.
OS/Database Authentication
A reader, May 11, 2006 - 3:57 am UTC
//
Look the bottom line here is, has been, will be:
IF YOU GRANT SOMEONE THE PRIVILEGE TO DO "X", THEN THEY CAN DO "X".
I do not believe you read this thread - or if you did, you did not understand
the fundemental problem.
If you give me a privilege - then I can use it.
//
Yes sure, one can comprehend this veracity!
But, one can't afford a matchstick in monkey's hand either -- The suspects must not be privileged in any case.
A basic necessity -- The DBA is expected to do the "conn / as sysdba" thing but the OS-Guy should not exercise it in any way.
We can remove the OS-Guy's (the irrelevant one's) from the oradba group. They can add them back in the group again, after all they are OS Admin's -- a fruitless move.
//
This entire discussion was centered around:
Hey, I've given someone access to the oradba group. Now, I know that by being
in this oradba group they have the ability to use OS authentication. I don't
want them to use OS authentication - what can I do.
//
Yes indeed, this is what being asked in the thread repeatedly!
OS authentication -- a compulsion and hence a stone of contention.
It might be a useful feature for those who need it, but a pit for the others.
There should be a way to enable or disable it, according to the needs.
We need all users to be authenticated inside the database -- database authentication.
Sure indeed, this is what being asked in the thread repeatedly!
May 11, 2006 - 7:21 pm UTC
the DBA is expected to "connect / as sydba" - WHO SAYS? WHY? WHERE IS THAT stated??
how can you remove the OS authentication bit? think about it - an INSTANCE is not a DATABASE.
an INSTANCE is a set of processes and memory, it, well, sort of has to use the OS to authenticate.
As stated - many robust OS's allow for true separate of privileges - not all - but the good ones do. Maybe *windows* needs *data vault* like features.
OS authentication
Cody, January 30, 2008 - 10:42 am UTC
Just a comment on using "/ as sysdba". In the past, our DBAs were used to using "/ as sysdba" by habit for daily activities. The approach I implemented was establishing individual OS authenticated (NOT Remote OS authenticated) database accounts. I then created and assigned the necessary roles to those accounts. Our DBAs have the DBA role. That gives them all the power they need to perform daily functions as well as capture what they do in auditing. Could I stop them from using "/ as sysdba" since they are in the oradba group? No, this is essentially a policy which requires me to review the audit files for activities using "/ as sysdba", etc. As I see people logging in with "/ as sysdba", I question and make them justify using it versus their own account. I even have a script that captures anyone sudoing to the oracle account so I can question them on that as well. After awhile, the people break the old habit and use their own accounts. It's simply training/coaching DBAs on a different way to perform their work.
Note: There are times when the only way to get into the database is as "/ as sysdba". Do not block this completely even if you figure out a way. An easy example is filling up the auditing. Regular connections will not be allowed but "/ as sysdba" could still connect to fix the problem.
Please please be sure to disable remote OS authentication! That is very very risky to have open.
Also use audit trail to keep auditors happy
Tom Robbins, October 12, 2016 - 9:00 pm UTC
Given that you can't create an absolutely foolproof PREVENTIVE control (i.e. Sysadmins on UNIX su-ing to oracle or Windows admins granting themselves oradba).
If you add a layer of DETECTIVE controls, you should be able to keep SOX auditors happy.
In the Oracle audit trail, turn on:
1. uses of administrative privilege ( e.g. SELECT ANY TABLE, CREATE ANY TABLE, etc.)
2. user administration (e.g. CREATE USER FRED, GRANT XXX TO FRED)
October 13, 2016 - 9:09 am UTC
Audit Vault is a means of controlling/monitor even sysdba level access...but thats a reasonably sized undertaking