We help IT Professionals succeed at work.

orace parameter to use

marrowyung
marrowyung asked
on
41 Views
Last Modified: 2020-04-22
hi,

for the following Oracle command:

(.*)ALTER SYSTEM(.*)AUDIT_SYS_OPERATIONS(.*)
(.*)ALTER SYSTEM(.*)AUDIT_TRAIL(.*)
(.*)ALTER SYSTEM(.*)OS_ROLES(.*)
(.*)ALTER SYSTEM(.*)REMOTE_LISTENER(.*)
(.*)ALTER SYSTEM(.*)REMOTE_LOGIN_PASSWORDFILE(.*)
(.*)ALTER SYSTEM(.*)REMOTE_OS_AUTHENT(.*)
(.*)ALTER SYSTEM(.*)REMOTE_OS_ROLES(.*)
(.*)ALTER SYSTEM(.*)UTIL_FILE_DIR(.*)
(.*)ALTER SYSTEM(.*)SEC_CASE_SENSITIVE_LOGON(.*)
(.*)ALTER SYSTEM(.*)SEC_MAX_FAILED_LOGIN_ATTEMPTS(.*)
(.*)ALTER SYSTEM(.*)SEC_PROTOCOL_ERROR_FURTHER_ACTION(.*)
(.*)ALTER SYSTEM(.*)SEC_PROTOCOL_ERROR_TRACE_ACTION(.*)
(.*)ALTER SYSTEM(.*)SQL92_SECURITY(.*)
(.*)ALTER SYSTEM(.*)_trace_files_public(.*)
(.*)GRANT(.*)TO(.*)PUBLIC(.*)
(.*)GRANT(.*)SELECT_ANY_DICTIONARY(.*)
(.*)GRANT(.*)SELECT ANY TABLE(.*)
(.*)GRANT(.*)AUDIT SYSTEM(.*)
(.*)GRANT(.*)EXEMPT ACCESS POLICY(.*)
(.*)GRANT(.*)BECOME USER(.*)
(.*)GRANT(.*)CREATE PROCEDURE(.*)
(.*)GRANT(.*)ALTER SYSTEM(.*)
(.*)GRANT(.*)CREATE ANY LIBRARY(.*)
(.*)GRANT(.*)CREATE LIBRARY(.*)
(.*)GRANT(.*)GRANT ANY OBJECT PRIVILEGE(.*)
(.*)GRANT(.*)GRANT ANY ROLE(.*)
(.*)GRANT(.*)GRANT ANY PRIVILEGE(.*)
(.*)GRANT(.*)DELETE_CATALOG_ROLE(.*)
(.*)GRANT(.*)SELECT_CATALOG_ROLE(.*)
(.*)GRANT(.*)EXECUTE_CATALOG_ROLE(.*)
(.*)GRANT(.*)DBA(.*)
(.*)GRANT(.*)ALL ON AUD$(.*)
(.*)GRANT(.*)ALL ON USER_HISTORY$(.*)
(.*)GRANT(.*)ALL ON LINK$(.*)
(.*)GRANT(.*)ALL ON SYS.USER$(.*)
(.*)GRANT(.*)ALL ON DBA_(.*)
(.*)GRANT(.*)ALL ON SYS.SCHEDULER$_CREDENTIAL(.*)
(.*)SELECT(.*)SYS.USER$MIG(.*)


is it ok to use , any one MUST not execute and which one is normal to run , which has no risk  ?
Comment
Watch Question

Alex [***Alex140181***]Software Developer
CERTIFIED EXPERT

Commented:
Could you please formalize a proper question?!
Yours seems a bit weird, sorry.
marrowyungSenior Technical architecture (Data)

Author

Commented:
I am sorry for it and what I means, for the above command (this is what I got), which is safe to be execute by operator ?
Alex [***Alex140181***]Software Developer
CERTIFIED EXPERT

Commented:
The most (if not all) commands above should be executed/dealt with by a DBA, not an "ordinary" operator!
What's the purpose of this all in the end?
marrowyungSenior Technical architecture (Data)

Author

Commented:
not an "ordinary" operator!

backup can be done by operator, safe enough ,sth like this !

so the rest is too dangerous for normal operator ?
Software Developer
CERTIFIED EXPERT
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION
marrowyungSenior Technical architecture (Data)

Author

Commented:
how about this :

SELECT * SYS.USER$MIG

what is it do ?
Alex [***Alex140181***]Software Developer
CERTIFIED EXPERT

Commented:
what is it do ?                                  
IMHO, this doesn't matter at this point!
The question is again: What's the purpose of this all in the end?
marrowyungSenior Technical architecture (Data)

Author

Commented:
this doesn't matter at this point!
it does matter

What's the purpose of this all in the end?

let operator know which command is dangerous and need to monitor if they are executed !
Alex [***Alex140181***]Software Developer
CERTIFIED EXPERT

Commented:
let operator know which command is dangerous and need to monitor if they are executed !                                  
In the end, virtually all commands maybe harmful if done incorrectly ;-)
Sure, a simple select will do less harm, BUT should these operators be able to see certain information?!?!

I guess, this is all more about AUDITING than "what might be dangerous..."

I suggest to be very strict with your grants and permissions, plus activate auditing all the stuff you're interested in ;-)
marrowyungSenior Technical architecture (Data)

Author

Commented:
In the end, virtually all commands maybe harmful if done incorrectly ;-)

yeah, but backup is not !

Sure, a simple select will do less harm, BUT should these operators be able to see certain information?!?!

yeah!

we just want to detect who is running that and see if it is allowed.

plus activate auditing all the stuff you're interested in ;-)

how to audit more  ? more the audit, the slow the DB is.

or we use monitor approach and this is what we are going to monitor, what command MUST we monitor so we can see who do bad thing!

but the more to monitor the busyier is the monitor system.
Alex [***Alex140181***]Software Developer
CERTIFIED EXPERT

Commented:
We cannot define these status for you! You/your IT team has to define the commands and actions which might be "dangerous" or harmful in your aspect to your system and environment.
There is no "these commands are dangerous" in general, sorry!

And yes, the more you're going to audit, the more it has a certain impact upon the overall performance of your database (whereas this should be very little if done correctly)...

Keep in mind: even a "No" can be an/the answer, too ;-)
marrowyungSenior Technical architecture (Data)

Author

Commented:
tks
Alex [***Alex140181***]Software Developer
CERTIFIED EXPERT

Commented:
You're welcome ;-)
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.