This discussion is archived
8 Replies Latest reply: Sep 9, 2011 7:42 AM by EdStevens

connect / as sysdba - Security concerns!

Abhishek_H Explorer
Hi,

Why is it that we can login with "/ as sysdba" without a password.
Is it not a security concern?
Also I have read that by default there is no audit trail maintained for sysdba users.
So, anyone can login as sysdba and carry out dba operations.
How is this managed?

Thanks,
Abhishek.
  • 1. Re: connect / as sysdba - Security concerns!
    PavanKumar Guru
    Hi,

    Try to refer to the Oracle documentation and check how OS authentication takes place. If security is a concern, try not to provide access to the database server to anyone except the DBA and system administrator.

    Audit can be enabled for sys users also.
    Refer to : "Auditing SYS Administrative Users" in the below link
    http://download.oracle.com/docs/cd/B28359_01/network.111/b28531/auditing.htm#BCGEHHCA

    - Pavan Kumar N
  • 2. Re: connect / as sysdba - Security concerns!
    vk82 Explorer
    Hi Pavan, can you please explain why this happens?
  • 3. Re: connect / as sysdba - Security concerns!
    Kamran Agayev A. Oracle ACE Director
    Abhishek_H wrote:
    > Hi,
    >
    > Why is it that we can login with "/ as sysdba" without a password.

    It can only be done when you are logged in to the OS as the owner of the Oracle software.

    > Is it not a security concern?

    Not at all, because no one can connect to the database remotely without knowing the password that is written in the password file.

    > Also I have read that by default there is no audit trail maintained for sysdba users.
    > So, anyone can login as sysdba and carry out dba operations.

    The SYS user can be audited by specifying the audit_sys_operations parameter. Check my article:
    http://www.rampant-books.com/art_tracking_auditing_changes_initialization_parameters.htm

    > How is this managed?
    >
    > Thanks,
    > Abhishek.

    Kamran Agayev A.
    Oracle ACE
    - - - - - - - - - - - - - - - - - - - - -
    My Oracle Video Tutorials - http://kamranagayev.wordpress.com/oracle-video-tutorials/
  • 4. Re: connect / as sysdba - Security concerns!
    839439 Pro
    First of all, we should know the very basic fundamentals:

    We can log in to the database using 1) OS authentication and 2) database authentication.

    When we log in as "sqlplus / as sysdba", it means we are logging in with OS authentication. If you want to restrict this, meaning not allow OS authentication, then change the parameter sql.authentication=(NONE).

    When you connect as "sqlplus sys/xxxx@orcl as sysdba", it means you log in with database authentication.


    Cheers


    (If we find the answer mark it as "correct" or "Helpful")
  • 5. Re: connect / as sysdba - Security concerns!
    vk82 Explorer
    Vishen is right.

    For this kind of security we need to set SQL.AUTHENTICATION = NONE in the sqlnet files.

    By doing this we cannot log in even as sqlplus "/as sysdba".

    We need to mention the password every time.
  • 6. Re: connect / as sysdba - Security concerns!
    rajeysh Guru
    Yes, anyone can log in as sysdba with any password.

    You can protect against this by doing the below.

    Change or add the parameter in the sqlnet.ora file to none:

    sqlnet.authentication_services = (NONE)

    Except with the correct password, no one can access.

    Try this, then check:

    SQL> SELECT * FROM V$PWFILE_USERS;

    try this:-
    conn sys/any_password(or)word as sysdba
    eg:
    conn sys/oracle as sysdba;
    connected

    conn any_normal_User/pwd as sysdba;
    show user;

    After changing the sqlnet.ora parameter to none, try:

    conn any_normal_user/pwd as sysdba;

    conn sys/any_pwd as sysdba;

    conn sys/correct_pwd as sysdba;

    Also refer to these links for auditing and login triggers:
    http://download.oracle.com/docs/cd/B10500_01/server.920/a96521/audit.htm#13622
    http://www.dba-oracle.com/art_builder_sec_audit.htm
  • 7. Re: connect / as sysdba - Security concerns!
    Rizwan Explorer
    If you are looking to stop access using "/ as sysdba", please check the following:

    http://rizwan-dba.blogspot.com/2011/09/stop-access-by-as-sysdba.html

    SYS is not audited in the AUD$ table within the database. It's audited externally in the location audit_file_dest. audit_sys_operations should be set to TRUE.

    Let me know if this helped!

    Regards,
    Rizwan
  • 8. Re: connect / as sysdba - Security concerns!
    EdStevens Guru
    Abhishek_H wrote:
    > Hi,
    >
    > Why is it that we can login with "/ as sysdba" without a password.
    > Is it not a security concern?

    Not at all. There are TWO things that allow that type of logon, and they BOTH have to be true
    1) sqlnet.authentication_services=(NTS)

    AND

    2) the person doing so is logged on to the db server OS with an account that is a member of the OS group DBA.

    You don't want someone to log on that way?
    1) Don't give them an OS account that is a member of the DBA group.

    OR

    2) set sqlnet.authentication_services=(NONE)

    > Also I have read that by default there is no audit trail maintained for sysdba users.
    > So, anyone can login as sysdba and carry out dba operations.
    > How is this managed?
    >
    > Thanks,
    > Abhishek.
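
The two conditions listed in reply 8 can be checked together when reviewing a server. The following is an added example, not code from the thread or from Oracle: it parses sqlnet.ora text for `sqlnet.authentication_services` and, given the members of the OS DBA group, reports which accounts could use `/ as sysdba`. It goes beyond the NTS case in the thread by also treating BEQ and ALL as OS-authentication values; the function names, sample file contents and account names are constructed for illustration.

```python
import re

# Values of SQLNET.AUTHENTICATION_SERVICES that allow OS authentication.
# NTS is the value named in the thread; BEQ and ALL are added for this example.
OS_AUTH_VALUES = {"NTS", "BEQ", "ALL"}
PARAM = "SQLNET.AUTHENTICATION_SERVICES"

def auth_services(sqlnet_text):
    """Return the configured services in upper case, or None if the parameter is absent."""
    entries = []
    for raw in sqlnet_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if line[0].isspace() and entries:         # indented line continues the previous entry
            entries[-1] += " " + line.strip()
        else:
            entries.append(line.strip())
    services = None
    for entry in entries:
        name, sep, value = entry.partition("=")
        if sep and name.strip().upper() == PARAM: # parameter names are case-insensitive
            # If repeated, this sketch reports the last occurrence (an assumption).
            services = [v.upper() for v in re.findall(r"\w+", value)]
    return services

def passwordless_sysdba(sqlnet_text, dba_group_members):
    """Combine both conditions: OS-auth service configured AND OS DBA group membership."""
    services = auth_services(sqlnet_text)
    members = sorted(set(dba_group_members))
    if services is None:
        # Effective default varies by release and platform: report for manual review.
        return {"status": "unset", "accounts": members}
    if OS_AUTH_VALUES & set(services):
        return {"status": "os-auth-enabled", "accounts": members}
    return {"status": "no-os-auth-service", "accounts": []}

# Constructed sample inputs (not taken from a real server).
SAMPLE_NTS = "# constructed sample\nSQLNET.AUTHENTICATION_SERVICES = (NTS)\n"
SAMPLE_NONE = "sqlnet.authentication_services=(NONE)  # hardened\nNAMES.DIRECTORY_PATH=(TNSNAMES)\n"
SAMPLE_MEMBERS = ["oracle", "alice"]              # hypothetical members of the OS DBA group

if __name__ == "__main__":
    for text in (SAMPLE_NTS, SAMPLE_NONE):
        print(passwordless_sysdba(text, SAMPLE_MEMBERS))
```

An "unset" result is reported separately because the thread does not say what happens when the parameter is missing; confirm the behaviour for the installed release before treating it as safe.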
