Home » RDBMS Server » Security » Audit DROP user by SYS (Unix)
Audit DROP user by SYS [message #674411] Sat, 26 January 2019 05:03 Go to next message
Akmmhto
Messages: 38
Registered: September 2018
Member
Hello team,

When audit_sys_operations is set to true then the every
Query by SYS is being captured , that is ok.
But my concern is that, I just want to capture
Drop user operations by SYS.

Is it possible...and if yes then pls suggest

DB version- 11.2.0.4 EE

[Updated on: Sat, 26 January 2019 05:04]

Report message to a moderator

Re: Audit DROP user by SYS [message #674412 is a reply to message #674411] Sat, 26 January 2019 05:39 Go to previous messageGo to next message
Michel Cadot
Messages: 68624
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator

No, either you audit everything, either you audit nothing from SYS.
I advise you audit everything. Is there any reason you don't want to do it?

In addition, SYS should NOT be used to drop a user, SYS should be used ONLY to manage the instance, and database for backup and recovery.
Fire the one that use SYS to drop a user.

And fire the one who gives quota on SYSTEM tablespace to users (see one of your previous topics).

Re: Audit DROP user by SYS [message #674413 is a reply to message #674412] Sat, 26 January 2019 08:01 Go to previous messageGo to next message
Akmmhto
Messages: 38
Registered: September 2018
Member
Actually the concern is , It will catch every single query execution by SYS.

And if I use audit_trail for drop user then SYS activities will be missed out.

Here we create and manage users with SYS , so you are suggesting not to use SYS for such operation.
Please suggest why?
Re: Audit DROP user by SYS [message #674414 is a reply to message #674413] Sat, 26 January 2019 09:38 Go to previous messageGo to next message
EdStevens
Messages: 1376
Registered: September 2013
Senior Member
Akmmhto wrote on Sat, 26 January 2019 08:01
Actually the concern is , It will catch every single query execution by SYS.
And that's what you should want. As stated, SYS should be used so sparingly, that you should want to audit everything done with that account.


Quote:

Here we create and manage users with SYS , so you are suggesting not to use SYS for such operation.
That's exactly what is being suggested.

Quote:

Please suggest why?
Because SYS is such a powerful and easily abused account. Using SYS is like walking a tightrope without a net .. while juggling chainsaws. In shops that actually care about security and integrity, use of SYS (just like use of root on *nix systems) is limited to only those tasks that cannot be accomplished with another 'admin' account.

The fact that your shop uses it as a more general admin account is clear evidence that no one there actually understands or cares about security and integrity of your system.
Re: Audit DROP user by SYS [message #674416 is a reply to message #674413] Sat, 26 January 2019 10:55 Go to previous messageGo to next message
Michel Cadot
Messages: 68624
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator

Also read SYS is special.

Re: Audit DROP user by SYS [message #674418 is a reply to message #674414] Sat, 26 January 2019 12:10 Go to previous message
Akmmhto
Messages: 38
Registered: September 2018
Member
Extremely helpful information for me ..thank you
Previous Topic: date when a role or privileges was granted and/or revoke
Next Topic: SQLNET.AUTHENTICATION_SERVICES = (NONE) ORA-01017
Goto Forum:
  


Current Time: Thu Mar 28 07:44:37 CDT 2024