Starting and stopping the database needs SYS (or SYSOPER)
Execute on DBMS_LOCK.SLEEP requires SYS to grant it
SELECT on the X$ fixed views for performance data requires SYS to grant it
So SYS is needed but is supplied in an insecurable state. It is interesting to consider how this position can be maintained by an otherwise competent organization within their flagship database engine. I have talked about this with Oracle since 2007, and my topics and papers on the subject have been widely published, even translated into Japanese, as shown at this URL:
http://www.dcs.co.jp/security/NGS_freedownloads/Oracle_Passwords_and_OraBrute_JP.pdf
What I find most interesting is that whilst the most sensitive account has the least controls, Oracle has simultaneously been busy producing expensive add-on security products that have the effect of taking DBAs' minds away from this core problem of the SYS account. Most DBA managers are not aware that SYS is completely immune to profiles in 11g, and that it is a source of great risk that should be feasible for Oracle to fix. 12c does not implement profiles on SYS either.
Lack of control of administrative privilege has facilitated the PRISM leaks by CIA whistleblower Edward Snowden and will be receiving budgetary consideration in many organizations. You can read about it at the following URL: http://www.guardian.co.uk/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance
Note
The following PoC code can act as a defense against remote brute-force attacks on the SYS account. Error handling and development testing should be added before moving this code to production, but the PoC code given next clearly documents the simple principle of connection throttling for the SYS login.
-- Schema that will own the throttling trigger. It needs EXECUTE on DBMS_LOCK
-- because the trigger body runs with the privileges of its owner, not of SYS.
Create user sys_throttler identified by lowsec12;
Grant execute on dbms_lock to sys_throttler;

-- Fires after any ORA-01017 (invalid username/password) raised in the database.
create or replace trigger sys_throttler.tra_servererror_ora1017
  after servererror on database
declare
  l_db_usr varchar2 (32);
begin
  if (ora_is_servererror(1017)) then
    -- The identity that was presented on the failed logon attempt.
    l_db_usr := upper (trim (sys_context ('userenv', 'authenticated_identity')));
    -- Delay only failed SYS logons; one second per attempt is enough to slow a guesser.
    if l_db_usr = 'SYS' then
      dbms_lock.sleep (1);
    else
      NULL;
    end if;
  end if;
end tra_servererror_ora1017;
/
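The PoC above applies a fixed one-second delay and keeps no record of the attempt, so a sustained guessing run against SYS is slowed but not visible, and, since SYS is immune to profile lockout as noted earlier, visibility is the only compensating control left. The block below is an added example, not code from the book, that extends the same SERVERERROR-trigger principle in two ways: the delay escalates with the number of recent failures from the same client address (capped so a flood cannot hold a server process for long), and each failure is written to a table through an autonomous transaction so that a detection query can run over it. It assumes it is run as SYSDBA on 11g or 12c; the schema name sys_throttler is taken from the book, while the table, procedure and column names, the USERS tablespace, the thresholds and the placeholder password are this example's own choices.

```sql
-- Added example: escalating throttle plus a record of failed SYS logons.
-- Assumes SYSDBA on 11g/12c; object names and thresholds are illustrative.

-- 1. Owner schema for the throttling objects. No CREATE SESSION is granted:
--    nobody logs in as it, SYS creates the objects in its schema.
create user sys_throttler identified by "REPLACE_WITH_STRONG_PASSWORD"   -- placeholder
  default tablespace users quota 10m on users;
grant execute on dbms_lock to sys_throttler;

-- 2. One row per failed SYS logon attempt.
create table sys_throttler.sys_failed_logon (
  attempt_time   timestamp default systimestamp not null,
  os_user        varchar2(128),
  client_host    varchar2(128),
  client_ip      varchar2(64),
  sleep_seconds  number
);

-- 3. Autonomous logger: commits its own row even though the session that
--    failed to log on is being torn down around the trigger.
create or replace procedure sys_throttler.log_sys_failure (
  p_os_user in varchar2,
  p_host    in varchar2,
  p_ip      in varchar2,
  p_sleep   in number)
is
  pragma autonomous_transaction;
begin
  insert into sys_throttler.sys_failed_logon
    (os_user, client_host, client_ip, sleep_seconds)
  values (p_os_user, p_host, p_ip, p_sleep);
  commit;
end log_sys_failure;
/

-- 4. SERVERERROR trigger: the delay grows with the number of SYS failures seen
--    from the same source address in the last minute, capped at ten seconds.
create or replace trigger sys_throttler.tra_servererror_ora1017
  after servererror on database
declare
  l_db_usr varchar2(128);
  l_ip     varchar2(64);
  l_recent pls_integer;
  l_sleep  number;
begin
  if ora_is_servererror(1017) then
    l_db_usr := upper(trim(sys_context('userenv', 'authenticated_identity')));
    if l_db_usr = 'SYS' then
      -- ip_address is NULL for local (bequeath) connections; treat those as one source.
      l_ip := sys_context('userenv', 'ip_address');
      select count(*) into l_recent
        from sys_throttler.sys_failed_logon
       where nvl(client_ip, '-') = nvl(l_ip, '-')
         and attempt_time > systimestamp - interval '1' minute;
      l_sleep := least(1 + l_recent, 10);   -- 1s, 2s, ... up to 10s
      sys_throttler.log_sys_failure(
        sys_context('userenv', 'os_user'),
        sys_context('userenv', 'host'),
        l_ip,
        l_sleep);
      dbms_lock.sleep(l_sleep);
    end if;
  end if;
exception
  when others then
    dbms_lock.sleep(1);   -- a logging failure must never remove the delay
end tra_servererror_ora1017;
/

-- 5. Detection: sources with more than five failed SYS logons in any one hour.
select trunc(attempt_time, 'HH') as hour_bucket,
       client_ip, client_host, os_user,
       count(*)           as failures,
       sum(sleep_seconds) as total_delay_s
  from sys_throttler.sys_failed_logon
 group by trunc(attempt_time, 'HH'), client_ip, client_host, os_user
having count(*) > 5
 order by hour_bucket desc, failures desc;
```

The delay is served by the server process handling the failed attempt, so it slows each connection serially but does not stop a client from opening many attempts in parallel; that is why the cap exists and why the logged rows, rather than the sleep, are what an operator should alert on. The detection query can be scheduled or pointed at by a monitoring tool; in 12c the same failures also appear in UNIFIED_AUDIT_TRAIL with RETURN_CODE 1017 when logon auditing is enabled, and the two sources should agree.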