
Re: Oracle Auditing Recommendations

From: Rodd Holman <Rodd.Holman_at_gmail.com>
Date: Tue, 08 Aug 2006 12:27:50 -0500
Message-ID: <44D8C996.8000406@gmail.com>


We handle both operations and development. We do a lot of cloning and creating of the db's for dev and testing environments. As far as sys goes, most of the time we go in as the oracle user and just / as sysdba. This has the same security implication as SYS/password as sysdba.

Normally we are only in as SYS during create/clone and startup and shutdown operations. It's actually VERY sparingly used by the DBA group. We're a rather paranoid bunch about going in with that much access ourselves. It's too easy to do something damaging.

Terrian, Tom (Contractor) (J6D) wrote:
> Curious, since we lock and expire the sys account on all of our
> databases, what reason did you give your bosses as to why you needed the
> sys password?
>
> -----Original Message-----
> From: oracle-l-bounce_at_freelists.org
> [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Rodd Holman
> Sent: Tuesday, August 08, 2006 1:02 PM
> To: Niall Litchfield
> Cc: gorbyx_at_gmail.com; rjamya_at_gmail.com; AGUERRA_at_amfam.com;
> oracle-l_at_freelists.org
> Subject: Re: Oracle Auditing Recommendations
>
> It was a risk, senior management read it as a problem.
> I'm sure that's not a surprise to anyone. We had to
> go through some detailed explanations with the C-level
> execs about what we did as DBA's and why we needed
> the password (actually our boss got that fun task). :)
> We're a group of 5 DBA's and access as SYS or
> oracle (at the unix level) is recorded. We don't
> get root; that's reserved for SA's. That was another
> dance our boss had to do also. SA's having
> root access to the servers was another item on
> the report. :)
>
> Yes, knowing the password is a risk.
> Having access to the server room is a risk.
> Crossing the street is a risk. Our job is not
> risk avoidance, but risk management. Assessing the
> level of risk vs. the cost of mitigating workarounds.

>
> --
> http://www.freelists.org/webpage/oracle-l

--
http://www.freelists.org/webpage/oracle-l
Received on Tue Aug 08 2006 - 12:27:50 CDT
