Oracle SYS auditing

From: Freeman, Donald G. CTR (ABL)
Date: Fri, 1 Aug 2014 15:41:07 +0000
Message-ID: <85D44D05C4C24C40AFDED6C1FC0E1BDF307E3F68_at_SNSLCVWEXCH02.abl.cda.navy.mil>



Good practice in Oracle is for all privileged users to have their own accounts. I'm having an argument over whether or not you can determine who takes an action on the database using a shared account logging in to the Oracle OS account on a server and then logging in as / as SYSDBA. If a sudoers group is not used, then privileged users share the Oracle account password.

I think the proper way to do it is through individual OS accounts, membership in the DBA group, inclusion in a sudoers group to protect the Oracle password, and granting of SYSDBA privilege to somebody who has an individual DBA account on the database. I would think this would create complete, unambiguous audit records.

Am I missing something? Shared accounts may make things 'easier' for privileged users but cause a problem when it comes to auditing. Can shared account usage be audited at all, or is it just hard?

Thanks,



--
http://www.freelists.org/webpage/oracle-l


Received on Fri Aug 01 2014 - 17:41:07 CEST
