Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Mailing Lists -> Oracle-L -> Re: Any ideas for running CRON jobs under Security Requirements

Re: Any ideas for running CRON jobs under Security Requirements

From: Hemant K Chitale <>
Date: Sun, 15 May 2005 00:09:48 +0800
Message-Id: <>

Actually, I see the problem as stemming from two different requirements

  1. As part of IT Security Policies not scripts should store username/password combinations unless the password is encrypted using standard protocols.
  2. As part of our SOX Controls [ie, in the SOPs] "root" and Super-User {ie "oracle"} accounts are not to be used. Only Named Administrative User accounts are to be used. [The Unix Admin team has agreed not to use "root" but I will be pushing for permission to use "oracle" and SYSDBA. {obviously, remote_login as SYSDBA is not to be allowed}.] All usage of Administrative accounts must be logged.

The first prevents me from using simple script files {unless I am able to use hide.c, but I am not sure I want to use hide.c for Hot Backup etc scripts which I would want to setup with a SYSDBA acount. Other monitoring scripts also require DBA/CATALOG privileges}. The second prevents me from using SYSDBA, and, furthermore, CRON jobs as SYSDBA would cause many entries in the OS audit trail files {eg $ORACLE_HOME/rdbms/audit}, each of which I'd have to explain.
I am hoping that I meet auditors who understand when and where and why I use SYSDBA.


At 10:22 PM Saturday, Mohammad Rafiq wrote:
>Where did you find this requirement?
>We are having more then 20 SOX compliant databases and running our
>jobs as either SYSDBA on Windows and *nix as well but not seen any
>objection from our internal or external auditors so far...
>On 5/13/05, Hemant K Chitale <> wrote:
> >
> > How do you run CRON jobs {Online Backups, DB Monitoring} on Database
> Servers
> > when IT Security / SOX requirements state that
> > a) No userid-password pairs are to be kept in plain-text in any files
> > b) connect / as sysdba is not to be used
> >
> > I can handle a) with CRON jobs running under the "oracle" account with
> > "connect / as sysdba"
> > at the beginning of SQL scripts. I can handle b) if I hard code a
> > userid/password with the
> > appropriate privileges. How do I handle both requirements ?
> >
> > Hemant K Chitale

Hemant K Chitale

Received on Sat May 14 2005 - 12:14:35 CDT

Original text of this message