
Oracle RDBMS Lockdown of SYS/SYSTEM

2969521 Mar 21 2017 — edited Mar 22 2017

I am looking to implement some policies within my team wherein the RDBMS SYS and SYSTEM accounts will be completely locked down, in compliance with policies.

Searching Google I found many different comments about this, but the most succinct one was this from "Ask Tom:"

sys and system are "real schemas", there is a user SYS and a user SYSTEM.

In general, unless the documentation tells you, you will NEVER LOG IN as sys or system, they are our internal data dictionary accounts and not for your use. You will be best served by forgetting they exist.

sysdba and sysoper are ROLES - they are not users, not schemas. The SYSDBA role is like "root" on unix or "Administrator" on Windows. It sees all, can do all. Internally, if you connect as sysdba, your schema name will appear to be SYS.

In real life, you hardly EVER need sysdba - typically only during an upgrade or patch.

sysoper is another role, if you connect as sysoper, you'll be in a schema "public" and will only be able to do things granted to public AND start/stop the database. sysoper is something you should use to startup and shutdown. You'll use sysoper much more often than sysdba.

Do not grant sysdba to anyone unless and until you have absolutely verified they have the NEED for sysdba - the same with sysoper.

My question is whether or not it is possible to lock down SYS/SYSTEM completely, and perform an upgrade or patch with a regular local privileged DB account.
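A review of this kind usually starts from an inventory of who can currently connect with SYSDBA or SYSOPER and what state the SYS and SYSTEM accounts are in. The queries below are an added example, not part of the original post or the quoted Ask Tom answer; they assume a SQL*Plus session that can read the data dictionary views named in them.

```sql
-- Added example: inventory of privileged access before a SYS/SYSTEM lockdown.
-- Assumption: the session can read V$PWFILE_USERS, DBA_USERS and DBA_ROLE_PRIVS.

-- 1. SYSDBA / SYSOPER grants recorded in the password file.
--    Each row is a candidate for the "verified NEED" review in the quote above.
SELECT username, sysdba, sysoper
FROM   v$pwfile_users
ORDER  BY username;

-- 2. Current state of the two dictionary accounts.
SELECT username, account_status, lock_date, expiry_date, profile
FROM   dba_users
WHERE  username IN ('SYS', 'SYSTEM');

-- 3. Regular accounts that hold the DBA role, with or without ADMIN OPTION.
SELECT grantee, admin_option, default_role
FROM   dba_role_privs
WHERE  granted_role = 'DBA'
ORDER  BY grantee;

-- 4. How the current session is connected. When connected AS SYSDBA,
--    the schema is reported as SYS, as the quote describes.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')   AS sess_user,
       SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS cur_schema,
       SYS_CONTEXT('USERENV', 'ISDBA')          AS is_dba
FROM   dual;
```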

Post Details
Locked on Apr 19 2017
Added on Mar 21 2017