Re: Protecting production from "us"

From: raza siddiqui <raza.siddiqui_at_oracle.com>
Date: Thu, 03 Dec 2015 08:53:29 -0800
Message-ID: <56607389.3080702_at_oracle.com>

Hi David

This doesn't answer your question directly..but may have a bearing on how this DL works.

_*Question*_: is there a way to search PRIOR posts / responses on this DL ? (I joined fairly recently, so don't have full knowledge of its workings..)

Raza

On 12/3/2015 8:45 AM, Herring, David wrote:
>
> Folks,
>
> The whole subject of locking down production, limiting access, etc.
> comes up periodically in our list so I apologize if this seems to be a
> repeat but in short I'm looking for anyone who's willing to share, on
> this list or privately, how they "protect" production from those who
> support it.
>
> Here's the situation: as with many others, we're (DBA team) asked to
> support hundreds of environments. In one situation a DBA (let's call
> him Scapebob) had multiple putty sessions open for hosts supporting
> stage and production for the same application. In the heat of the
> moment he typed a "srvctl stop instance..." command in wrong window -
> production instead of stage. Both stage and production are 4-node
> RACs and initially no one noticed, not even the client. Scapebob
> immediately restarted the production instance and all was fine for
> about an hr but then some locking issues came up that caused an outage
> at which point upper-management heard of the accidental instance
> shutdown and our whole team came under fire.
>
> The question/issue/subject I'm researching is how to best avoid this
> kind of thing happening again.
>
> �We already have LDAP/RH directory involved on a number of
> environments but that doesn't differentiate production vs. lower env.
> All require individual accounts and use "sudo -u oracle" to execute
> more dangerous commands.
>
> �Should we look into some kind of additional controls where commands
> like "srvctl stop�" cannot be run under our own accounts using "sudo
> -u oracle" but instead need a different account on production? For
> example, normally our unfortunate DBA would use his "scapebob" Linux
> account but perhaps to perform a production shutdown he'd need to
> connect as "scapebob-rw", a new, special account just for dangerous
> production activities.
>
> �The problem in our situation was over confusion with multiple
> windows. Do people set a Linux TMOUT to something short like 10 or 15
> minutes, to hopefully avoid accidentally leaving production putty
> sessions open?
>
> �Beyond changing the linux prompt and text colors (we set $PS1 with
> escape sequences and various key, env-specific values) do you do
> anything else for protection of production?
>
> Thanks in advance for anything shared.
>
> Regards,
>
> Dave
>

--
http://www.freelists.org/webpage/oracle-l

Received on Thu Dec 03 2015 - 17:53:29 CET

This message: [ Message body ]
Next message: Paul Drake: "Re: unable to put database in archivelog mode"
Previous message: Jeff Smith: "RE: function with multiple returns - Good or Bad idea"
In reply to: Herring, David: "Protecting production from "us""
Next in thread: Herring, David: "RE: Protecting production from "us""
Reply: Herring, David: "RE: Protecting production from "us""

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message