Re: AIX 10g/11 and Oracle DBA logins

From: Mark Brinsmead <>
Date: Tue, 17 Jun 2008 15:42:34 -0400
Message-ID: <>

Why would the SAs be concerned about DBAs knowing the "oracle" password?

It could be a compliance issue -- corporate policy or regulatory environment forbids the use of "anonymous" accounts; all logins must be attributed to a specific individual.

Of course, this requirement can be easily met simply by enabling "C2" security (or whatever on AIX passes as its equivalent) and designating the "oracle" user as an "anonymous" account.

When you do this, logins as "oracle" will behave as Paul Baumgartel described earlier in the thread. Users will first be prompted for the "oracle" password, and then for their own username and password.

When this is done, not only is each *login* recorded for a specific individual, but all OS-level auditing will log all actions performed with the "oracle" account against *both* the "oracle" account and the individual user who logged in. (I.e., events will be recorded with the userid "oracle", and with the "audit_id" of the individual.)

Of course, depending on policies, regulatory statutes, etc., the other methods mentioned (ssh, sudo, su, and even rsh) can all work too.

On 6/17/08, Jared Still <> wrote:
> On Mon, Jun 16, 2008 at 1:49 PM, DIANNA GIBBS <>
> wrote:
>> My AIX administrator tells me this cannot be done without everyone knowing
>> the
>> oracle OS user password.
> Done easily with ssh.
> This can be setup to work with or without passwords.
> That said, I don't understand the admins concern about knowing the Oracle
> user password.
> If you can logon via sudo/ssh/whatever, or logon to the database directly as
> sysdba, it
> doesn't really matter much if the DBA's know the password.
> --
> Jared Still
> Certifiable Oracle DBA and Part Time Perl Evangelist

-- Mark Brinsmead
   Senior DBA,
   The Pythian Group
Received on Tue Jun 17 2008 - 14:42:34 CDT

Original text of this message