8 Replies Latest reply: Sep 9, 2011 9:42 AM by EdStevens

    connect / as sysdba - Security concerns!

    Abhishek_H
      Hi,

      Why is it that we can log in with "/ as sysdba" without a password?
      Is it not a security concern?
      Also I have read that by default there is no audit trail maintained for sysdba users.
      So, anyone can log in as sysdba and carry out DBA operations.
      How is this managed?

      Thanks,
      Abhishek.
        • 1. Re: connect / as sysdba - Security concerns!
          Pavan Kumar
          Hi,

          Try to refer to the Oracle documentation and check how OS authentication takes place. If security is a concern, try not to provide access to the database server except to the DBA and System Administrator.

          Auditing can be enabled for SYS users also.
          Refer to "Auditing SYS Administrative Users" at the link below:
          http://download.oracle.com/docs/cd/B28359_01/network.111/b28531/auditing.htm#BCGEHHCA

          - Pavan Kumar N
          • 2. Re: connect / as sysdba - Security concerns!
            vk82
            Hi Pavan, can you please explain why this happens?
            • 3. Re: connect / as sysdba - Security concerns!
              Kamran Agayev A.
              Abhishek_H wrote:
              > Hi,
              >
              > Why is it that we can login with "/ as sysdba" without a password.
              It can only be done when you are logged in to the OS as the owner of the Oracle software.
              > Is it not a security concern?
              Not at all, because no one can connect to the database remotely without knowing the password that is written in the password file.
              > Also I have read that by default there is no audit trail maintained for sysdba users.
              > So, anyone can login as sysdba and carry out dba operations.
              The SYS user can be audited by specifying the audit_sys_operations parameter. Check my article:
              http://www.rampant-books.com/art_tracking_auditing_changes_initialization_parameters.htm
              > How is this managed?
              >
              > Thanks,
              > Abhishek.
              Kamran Agayev A.
              Oracle ACE
              - - - - - - - - - - - - - - - - - - - - -
              My Oracle Video Tutorials - http://kamranagayev.wordpress.com/oracle-video-tutorials/
              • 4. Re: connect / as sysdba - Security concerns!
                839439
                First of all we should know the very basic funda:

                We can log in to the database with 1.) OS authentication and 2.) Database authentication.

                When we log in as "sqlplus / as sysdba" it means we are logging in with OS authentication. If you want to restrict this, meaning not allow OS authentication, then change the parameter sql.authentication=(NONE).

                When you connect as "sqlplus sys/xxxx@orcl as sysdba" it means you log in with database authentication.

                Cheers

                (If we find the answer mark it as "correct" or "Helpful")
                • 5. Re: connect / as sysdba - Security concerns!
                  vk82
                  Vishen is right.

                  For this kind of security we need to set SQL.AUTHENTICATION = NONE in the sqlnet files.

                  By doing this we cannot log in even as sqlplus "/ as sysdba".

                  We need to mention the password every time.
                  • 6. Re: connect / as sysdba - Security concerns!
                    rajeysh
                    yes, anyone can log in as sysdba with any password

                    you can protect against it by doing this below.

                    change or add the parameter in the sqlnet.ora file to none

                    sqlnet.authentication_services = (NONE)

                    except with the correct password no one can access;

                    try this

                    then check:

                    SQL> SELECT * FROM V$PWFILE_USERS;

                    try this:-
                    conn sys/any_password (or) word as sysdba
                    eg:
                    conn sys/oracle as sysdba;
                    connected

                    conn any_normal_user/pwd as sysdba;
                    show user;

                    after changing the sqlnet.ora parameter to none try:

                    conn any_normal_user/pwd as sysdba;

                    conn sys/any_pwd as sysdba;

                    conn sys/correct_pwd as sysdba;

                    also refer to the links for auditing and a login trigger:-
                    http://download.oracle.com/docs/cd/B10500_01/server.920/a96521/audit.htm#13622
                    http://www.dba-oracle.com/art_builder_sec_audit.htm
                    • 7. Re: connect / as sysdba - Security concerns!
                      Rizwan
                      If you are looking to stop access using "/ as sysdba", please check the following:

                      http://rizwan-dba.blogspot.com/2011/09/stop-access-by-as-sysdba.html

                      SYS is not audited in the AUD$ table within the database. It's audited externally in the location audit_file_dest. audit_sys_operations should be set to TRUE.

                      Let me know if this helped !

                      Regards,
                      Rizwan
                      • 8. Re: connect / as sysdba - Security concerns!
                        EdStevens
                        Abhishek_H wrote:
                        > Hi,
                        >
                        > Why is it that we can login with "/ as sysdba" without a password.
                        > Is it not a security concern?
                        Not at all. There are TWO things that allow that type of logon, and they BOTH have to be true:
                        1) sqlnet.authentication_services=(NTS)

                        AND

                        2) the person doing so is logged on to the db server OS with an account that is a member of the OS group DBA.

                        You don't want someone to log on that way?
                        1) Don't give them an OS account that is a member of the DBA group.

                        OR

                        2) set sqlnet.authentication_services=(NONE)
                        > Also I have read that by default there is no audit trail maintained for sysdba users.
                        > So, anyone can login as sysdba and carry out dba operations.
                        > How is this managed?
                        >
                        > Thanks,
                        > Abhishek.
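The two conditions EdStevens lists (the sqlnet.ora setting and membership of the DBA OS group) turned into a configuration check a DBA could run on the database server; this is an added example, not code from anyone in the thread. The sqlnet.ora files are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): check the two conditions EdStevens
# lists for a passwordless "/ as sysdba" logon. Sample sqlnet.ora files are
# constructed below; function names are hypothetical.

# Effective SQLNET.AUTHENTICATION_SERVICES value in file $1: comments and
# whitespace stripped, key matched case-insensitively, last setting wins,
# parentheses removed, upper-cased. Prints nothing when the key is absent.
sqlnet_auth_services() {
    sed -e 's/#.*//' "$1" | tr -d ' \t' \
    | grep -i '^sqlnet\.authentication_services=' | tail -n 1 \
    | sed -e 's/^[^=]*=//' -e 's/[()]//g' | tr '[:lower:]' '[:upper:]'
}

# OS authentication is only off when the value is exactly NONE; an unset
# key or a list such as (NTS,NONE) still allows it.
os_auth_state() {
    case "$(sqlnet_auth_services "$1")" in
        NONE) echo os-auth-disabled ;;
        *)    echo os-auth-enabled ;;
    esac
}

# Condition 2: is OS user $1 a member of OS group $2 (e.g. dba)?
in_os_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Constructed sample configurations, written to a temp dir for the demo.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/sqlnet_weak.ora" <<'EOF'
# Windows default; DBA-group members may connect with "/ as sysdba"
SQLNET.AUTHENTICATION_SERVICES = (NTS)
EOF
cat > "$tmp/sqlnet_hard.ora" <<'EOF'
sqlnet.authentication_services = (NONE)   # password always required
EOF
: > "$tmp/sqlnet_unset.ora"   # key absent: OS authentication still allowed

for f in weak hard unset; do
    printf 'sqlnet_%s.ora: %s\n' "$f" "$(os_auth_state "$tmp/sqlnet_$f.ora")"
done
if in_os_group "$(id -un)" dba; then
    echo "current user is in the dba group: condition 2 holds"
else
    echo "current user is not in the dba group"
fi
```

Run it as the Oracle software owner on the server itself; both checks reporting "enabled" and "holds" is the situation the thread describes, and either one failing is enough to stop the passwordless logon.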