Avatar of marrowyung
marrowyung asked on

orace parameter to use

hi,

for the following Oracle command:

(.*)ALTER SYSTEM(.*)AUDIT_SYS_OPERATIONS(.*)
(.*)ALTER SYSTEM(.*)AUDIT_TRAIL(.*)
(.*)ALTER SYSTEM(.*)OS_ROLES(.*)
(.*)ALTER SYSTEM(.*)REMOTE_LISTENER(.*)
(.*)ALTER SYSTEM(.*)REMOTE_LOGIN_PASSWORDFILE(.*)
(.*)ALTER SYSTEM(.*)REMOTE_OS_AUTHENT(.*)
(.*)ALTER SYSTEM(.*)REMOTE_OS_ROLES(.*)
(.*)ALTER SYSTEM(.*)UTIL_FILE_DIR(.*)
(.*)ALTER SYSTEM(.*)SEC_CASE_SENSITIVE_LOGON(.*)
(.*)ALTER SYSTEM(.*)SEC_MAX_FAILED_LOGIN_ATTEMPTS(.*)
(.*)ALTER SYSTEM(.*)SEC_PROTOCOL_ERROR_FURTHER_ACTION(.*)
(.*)ALTER SYSTEM(.*)SEC_PROTOCOL_ERROR_TRACE_ACTION(.*)
(.*)ALTER SYSTEM(.*)SQL92_SECURITY(.*)
(.*)ALTER SYSTEM(.*)_trace_files_public(.*)
(.*)GRANT(.*)TO(.*)PUBLIC(.*)
(.*)GRANT(.*)SELECT_ANY_DICTIONARY(.*)
(.*)GRANT(.*)SELECT ANY TABLE(.*)
(.*)GRANT(.*)AUDIT SYSTEM(.*)
(.*)GRANT(.*)EXEMPT ACCESS POLICY(.*)
(.*)GRANT(.*)BECOME USER(.*)
(.*)GRANT(.*)CREATE PROCEDURE(.*)
(.*)GRANT(.*)ALTER SYSTEM(.*)
(.*)GRANT(.*)CREATE ANY LIBRARY(.*)
(.*)GRANT(.*)CREATE LIBRARY(.*)
(.*)GRANT(.*)GRANT ANY OBJECT PRIVILEGE(.*)
(.*)GRANT(.*)GRANT ANY ROLE(.*)
(.*)GRANT(.*)GRANT ANY PRIVILEGE(.*)
(.*)GRANT(.*)DELETE_CATALOG_ROLE(.*)
(.*)GRANT(.*)SELECT_CATALOG_ROLE(.*)
(.*)GRANT(.*)EXECUTE_CATALOG_ROLE(.*)
(.*)GRANT(.*)DBA(.*)
(.*)GRANT(.*)ALL ON AUD$(.*)
(.*)GRANT(.*)ALL ON USER_HISTORY$(.*)
(.*)GRANT(.*)ALL ON LINK$(.*)
(.*)GRANT(.*)ALL ON SYS.USER$(.*)
(.*)GRANT(.*)ALL ON DBA_(.*)
(.*)GRANT(.*)ALL ON SYS.SCHEDULER$_CREDENTIAL(.*)
(.*)SELECT(.*)SYS.USER$MIG(.*)


is it ok to use , any one MUST not execute and which one is normal to run , which has no risk  ?
Oracle Database

Avatar of undefined
Last Comment
Alex [***Alex140181***]

8/22/2022 - Mon
Alex [***Alex140181***]

Could you please formalize a proper question?!
Yours seems a bit weird, sorry.
ASKER
marrowyung

I am sorry for it and what I means, for the above command (this is what I got), which is safe to be execute by operator ?
Alex [***Alex140181***]

The most (if not all) commands above should be executed/dealt with by a DBA, not an "ordinary" operator!
What's the purpose of this all in the end?
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
ASKER
marrowyung

not an "ordinary" operator!

backup can be done by operator, safe enough ,sth like this !

so the rest is too dangerous for normal operator ?
ASKER CERTIFIED SOLUTION
Alex [***Alex140181***]

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
ASKER
marrowyung

how about this :

SELECT * SYS.USER$MIG

what is it do ?
Alex [***Alex140181***]

what is it do ?                                  
IMHO, this doesn't matter at this point!
The question is again: What's the purpose of this all in the end?
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER
marrowyung

this doesn't matter at this point!
it does matter

What's the purpose of this all in the end?

let operator know which command is dangerous and need to monitor if they are executed !
Alex [***Alex140181***]

let operator know which command is dangerous and need to monitor if they are executed !                                  
In the end, virtually all commands maybe harmful if done incorrectly ;-)
Sure, a simple select will do less harm, BUT should these operators be able to see certain information?!?!

I guess, this is all more about AUDITING than "what might be dangerous..."

I suggest to be very strict with your grants and permissions, plus activate auditing all the stuff you're interested in ;-)
ASKER
marrowyung

In the end, virtually all commands maybe harmful if done incorrectly ;-)

yeah, but backup is not !

Sure, a simple select will do less harm, BUT should these operators be able to see certain information?!?!

yeah!

we just want to detect who is running that and see if it is allowed.

plus activate auditing all the stuff you're interested in ;-)

how to audit more  ? more the audit, the slow the DB is.

or we use monitor approach and this is what we are going to monitor, what command MUST we monitor so we can see who do bad thing!

but the more to monitor the busyier is the monitor system.
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
Alex [***Alex140181***]

We cannot define these status for you! You/your IT team has to define the commands and actions which might be "dangerous" or harmful in your aspect to your system and environment.
There is no "these commands are dangerous" in general, sorry!

And yes, the more you're going to audit, the more it has a certain impact upon the overall performance of your database (whereas this should be very little if done correctly)...

Keep in mind: even a "No" can be an/the answer, too ;-)
ASKER
marrowyung

tks
Alex [***Alex140181***]

You're welcome ;-)
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.