Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Database security

From: Adam Donahue <adonahue_at_opsware.com>
Date: Tue, 16 Mar 2004 14:47:53 -0800
Message-ID: <40578419.5020401@opsware.com>


Jared,

I thought the oracle user was allowed password-less access to Oracle as a result of being a member of the OSDBA group. Perhaps you can restrict or even remove that group.

(Of course, a user with root could simply erase the Oracle datafiles or perform other dangerous activities, but maybe that's beside the point.)

Adam

Jared.Still_at_radisys.com wrote:

>
> List,
>
> Here in the midst of Sarbanes Oxley, I've been pondering methods
> that might be used to prevent a system administrator from connecting
> to any databases running on that box.
>
> I know that it is possible to set up Oracle on Windows so that without
> a password, you cannot log on to the database as sysdba.
>
> eg. sqlplus "/ as sysdba" will require a password.
>
> The caveat to this is that the SA can simply:
>
> * stop the Oracle service
> * change the init.ora parm remote_login_passwordfile to 'none'
> * start up the database
> * create a dba account
> * shutdown the database
> * re-enable the password file
> * restart the database
>
> That won't get you SYSDBA, but it will get you DBA, which is probably
> enough for any nefarious activities.
>
> On *nix it is a bit different of course. Anyone with root can simply
> su to oracle.
>
> I have been perusing Pete Finnigan's "Oracle Security Step-by-Step"
> but have not yet found information pertaining to this particular topic,
> other than revoking privs from the DBA account. That action is not
> applicable here, as the team of DBAs consists of me by myself.
>
> And TIA Mladen, but I already know how it works on unix, and that MS
> is the dark side of the force, but is unfortunately what I have to
> live with.
>
> Jared
>



Please see the official ORACLE-L FAQ: http://www.orafaq.com

Received on Tue Mar 16 2004 - 16:44:18 CST
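
A defender-side check for the init.ora change listed in the quoted message, as an added example that is not part of the original thread: it parses a parameter file and reports when remote_login_passwordfile is NONE or differs from a saved baseline. The sample files are constructed, and the parser assumes simple name = value lines with # comments and no IFILE includes.

```python
import re

# Constructed sample parameter files (not taken from the thread).
BASELINE_PFILE = """\
# init.ora (constructed sample)
db_name = ORCL
remote_login_passwordfile = 'EXCLUSIVE'
"""

TAMPERED_PFILE = """\
db_name = ORCL
remote_login_passwordfile = 'EXCLUSIVE'
# remote_login_passwordfile = exclusive
REMOTE_LOGIN_PASSWORDFILE=none   # changed during maintenance
"""

_ASSIGN = re.compile(r"^([A-Za-z_]\w*)\s*=\s*(.*)$")
KEY = "remote_login_passwordfile"


def parse_pfile(text):
    """Return {lowercased name: value}; a later assignment overrides an earlier one."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumption: no '#' inside values
        match = _ASSIGN.match(line)
        if not match:
            continue
        name, value = match.group(1).lower(), match.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]  # strip matching quotes
        params[name] = value
    return params


def check_passwordfile(current_text, baseline_text):
    """Compare the password-file setting with the baseline and list findings."""
    current = parse_pfile(current_text).get(KEY)
    baseline = parse_pfile(baseline_text).get(KEY)
    findings = []
    if current is None:
        findings.append("parameter not set explicitly; the instance default applies")
    elif current.upper() == "NONE":
        findings.append("password file disabled (NONE)")
    if (current or "").upper() != (baseline or "").upper():
        findings.append(f"drift from baseline: {baseline!r} -> {current!r}")
    return findings


if __name__ == "__main__":
    for finding in check_passwordfile(TAMPERED_PFILE, BASELINE_PFILE):
        print(finding)
```

Because the steps in the quoted message restore the setting afterwards, a check like this is only useful when it runs on every change to the parameter file, alongside a review of newly created accounts that hold DBA.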
