Howto force password for sysdba user access

This post is also available in: Português

In many situations, the DBA is faced with the scenario where many company teams end up having access to the root password of the machine where Oracle is installed. These teams are usually the Infrastructure, the Backup, the Deployment, etc..

In this case, it is very easy to root user run a "su - oracle" and then log in the database as "conn / as sysdba" and do any alteration or damage without the consent of the DBA.

To avoid it, it is important to disable "conn / as sysdba" without typing the password. Forcing this security is not always simple, and we will accomplish it in 3 (or 4) steps in order to guarantee the inviolability of the database.

  1. To start, edit your file "$ORACLE_HOME/network/admin/sqlnet.ora" and add the following line in it:
    [oracle@oraserver ~]$ echo "SQLNET.AUTHENTICATION_SERVICES=NONE" >> ORACLE_HOME/network/admin/sqlnet.ora

    With this, we will disable login via the operating system DBA group (to which Oracle belongs). Therefore, it will no longer allow access without password.

    However, is is easy for the user to remove this line from the file to momentarily log in. Monitoring the change in the sqlnet.ora also help alert if someone tried this, but is not a guarantee since monitoring can be disabled by root.

    A more advanced user can also change the location of the variable TNS_ADMIN "export TNS_ADMIN=$ORACLE_HOME/network/admin" and connect the same way.

    This technique works very well against 90% of users.

  2. A second action will be to remove the oracle user group "dba" and "oper".
    [root@oraserver ~]# gpasswd -d oracle dba
    [root@oraserver ~]# gpasswd -d oracle oper

    Thus, even if the sqlnet.ora file is not restricted by item 1, the oracle user will not be able the login without a password. This can help solve your problem, but if the user is root, he could give himself this group momentarily and log in as oracle, do whatever he wanted and then remove the group again. Monitoring the change of the oracle user groups also help to alert if someone tried this technique, but it's still not a guarantee since monitoring may be removed by the root. The technique 1 and 2 together solve your problem in 99% of cases.

  3. A third option would go deeper and change the name of "dba" and "oper" groups in order to mask and confuse anyone trying to access. For this, we should have ALL Oracle processes stopped, without exception. It is recommended to back up the ORACLE_HOME before starting this technique.First save a backup file of config.c (or config.s depends on the target OS).
    [oracle@oraserver ~]$ cp -p $ORACLE_HOME/rdbms/lib/config.c $ORACLE_HOME/rdbms/lib/config.c.bkp

    Then edit the file "$ORACLE_HOME/rdbms/lib/config.c" and change the name of the group, defined by the variables that have value as "dba" and "oper":

    1. If Linux x86_64 (config.c):From: #define SS_DBA_GRP "dba"
      (Option 1) To: #define SS_DBA_GRP "xpto"
      (Option 2) To: #define SS_DBA_GRP ""

      From: #define SS_OPER_GRP "oper"
      (Option 1) To: #define SS_OPER_GRP "xptu"
      (Option 2) To: #define SS_OPER_GRP ""

    2. If Solaris SPARC (config.s):From: .ascii "dba\0"
      (Option 1) To: .ascii "xpto\0"
      (Option 2) To: .ascii "\0"

      From: .ascii "oper\0"
      (Option 1) To: .ascii "xptu\0"
      (Option 2) To: .ascii "\0"

    Save and close the file. Then relink all oracle binaries:

    [oracle@oraserver ~]$ $ORACLE_HOME/bin/relink all

    Finally, make sure the "config.o" was updated by checking the date of the file:

    [oracle@oraserver ~]$ ls -la $ORACLE_HOME/rdbms/lib/config*
    -rw-r--r-- 1 oracle oinstall  472 May 23 14:28 config.c
    -rw-r--r-- 1 oracle oinstall  479 May 17 10:49 config.c.bkp
    -rw-r--r-- 1 oracle oinstall 1360 May 23 14:29 config.o

    Restart the database. This solution is the most effective. However, if the person is determined to access and is an experienced DBA, it can search the config file for the group name you defined (Option 1), create this group and granting himself. But if you leave the group name blank (Option 2), it will not succeed, because the group does not exist. He would need to undo the changes you made by editing the config file, but that would be complicated because it would be necessary to stop the database and it is no longer a case of protection against access sysdba but threatening.

  4. Assuming someone still wants to go inside your database, and he undid everything you did in steps 1, 2 and 3, this topic would not fit because it is not a case to force password for sysdba user, but a case of internal threat and information security. The procedure in this situation is to enable "Transparent Data Encryption" (TDE) in your database tablespaces. Thus, if someone restart your database in step 3, he would need to know the password for your Wallet to be able to mount your tablespace again, which would be impossible.

Remembering again that the goal here is to prevent access without the sysdba password for a user from another team, not to guarantee the security of your data and datafiles. Data security threat will be covered in another topic.

 

Have you enjoyed? Please leave a comment or give a 👍!

15 comments

Skip to comment form

    • Mohammed Aijaz on October 4, 2016 at 11:17
    • Reply

    Great Article.... Keep rocking.

    1. Thanks man!

    • Mohammed Nageeb on November 7, 2016 at 05:12
    • Reply

    it's very good information

    However, I add as you said in point 1
    echo "SQLNET.AUTHENTICATION_SERVICES=NONE" >> ORACLE_HOME/network/admin/sqlnet.ora

    and it works with me on one server and it doesn't work for another , could you tell me why doesn't work

    B.R

    • Atif Malik on November 29, 2016 at 19:33
    • Reply

    Awesome! Thanks.

    • Shehroze on March 14, 2017 at 08:54
    • Reply

    Hi, After setting this parameter "SQLNET.AUTHENTICATION_SERVICES=NONE" or "SQLNET.AUTHENTICATION_SERVICES=NTS" my RAC service ora.orcl.db is not able to start automatically as well as manually using srvctl start database -d orcl. any idea ?

    1. Hi Shehroze,

      Unfortunately in RAC environments you can't block sysdba access because the srvctl, crsctl and other scripts have "sqlplus / as sysdba" coded. The way a node controls another is not via PWD file authentication, but OS dba group authentication after SSH.

      So you need to be flexible to oracle account as it is shared among all nodes.

      Regards,

      RJ

      1. Hi RJ,

        Can you please give me more details what will happend if we prevent sys as sysdba on RAC nodes.
        We are planning to do it , as usual because of security concern by SOX team. But before this I'm looking for more information on
        impact of this action.

        1. Hi Mahen,
          Unfortunately the RAC infrastructure uses dba group authentication to perform the actions via srvctl / crsctl / etc without password. So you may not block it in a RAC environment.
          If you do so, all the iterations that you try to perform via RAC binaries just mentioned won't work, you will receive many exceptions in your RAC alert logs and you will lose some automatic features.
          Thanks,
          RJ

    • Muhammad Tehseen Khan on February 26, 2018 at 06:19
    • Reply

    Hi,

    Rman script not working after adding SQLNET.AUTHENTICATION_SERVICES=NONE in oracle 11g rac. The script shows 'rman target /' codes to connect to the database. any idea..?

    Thanks

    1. You will need to change your script to connect using "rman target sys/password". However, as it's not a good idea to have the password exposed in your scripts, I would sugges to set this password in Oracle Wallet.

        • Muhammad Tehseen Khan on February 26, 2018 at 18:40
        • Reply

        Thanks RJ

    • Deepak on February 3, 2020 at 14:15
    • Reply

    Thanks. It helped

    • Keaton on October 13, 2020 at 03:17
    • Reply

    Hello, How to do step 3 in Windows OS? thanks

Leave a Reply

Your email address will not be published.