Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: same dba password for all instances : is it secure ?

From: Billy Verreynne <vslabs_at_onwe.co.za>
Date: Thu, 31 Oct 2002 10:17:51 +0200
Message-ID: <apqp1e$8ic$1@ctb-nnrp2.saix.net>


Fleury Marcel wrote:

> SYS has his password, for example syspwd, and SYSTEM also has his password,
> for example systempwd.
> But we use the same on all Oracle Instances.
>
> So if someone knows a password, he can use it for all Instances.

If someone manages to break into a single instance, you are already compromised IMO.

Using the same password for the others will make it much easier to access them... but seeing that he was able to crack the first one, he will also be able to crack the others.

The real issue is not using the same password IMO. It is preventing him from getting access to hack the password in the first place. Assuming of course you properly protect the password.

I had developers writing their userid & password on stick-ons and pasting them to their terminals lest they forget...

> But it is difficult to ask the DBA to use a distinct password for each
> Instance.

Especially with 60 instances.

> Suggestions to perform this security are welcome.
> Or advices to remember each password

A DBA I knew used to modify the password with something unique to that instance. E.g. if the password is ruby123 then it will be rubyorcl123 for instance orcl.

But this is little different from using the exact same password for all instances IMO.

In the far distant past, I used to sysadmin mainframes as part of my development job. I wrote a batch JCL that checked dialog (interactive) sessions in the sysadmin userid - any dialog job that was not from a certain hardware path (FEP, line, terminal, etc), was killed.

Worked pretty well, as no "hacker" (fellow developers ;-) had time to find and kill this JCL before it struck and killed their sysadmin session.

You can consider something similar with Oracle. Using IP addresses, module names and even client session info. Have this running every few seconds via DBMS_JOB or cron. A brute force method.

The proper method would be to do an analysis of what the security and access requirements and problems are - and then solve them. Something as simple as a router reconfig can sometimes do the trick. Or you may need a firewall. IMO you won't know until you have a serious look at the whole network - Oracle security is just one part of it.

--
Billy
Received on Thu Oct 31 2002 - 02:17:51 CST
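Added example, not part of Billy's post: one way to build the Oracle equivalent of the JCL watcher he describes, using the client IP address and the session's reported machine name as the "hardware path". It is PL/SQL written for this page, not code from the thread. It assumes a dedicated SECADMIN schema that has been granted SELECT on SYS.V_$SESSION and SYS.V_$MYSTAT, ALTER SYSTEM and ADMINISTER DATABASE TRIGGER; all object names and the sample address are hypothetical. Two layers are shown because a logon trigger alone is not enough: when the trigger raises an error for a user holding ADMINISTER DATABASE TRIGGER (SYS, and SYSTEM through the DBA role), Oracle records the error and lets the logon proceed, so the periodic kill job is what actually enforces the rule for the accounts in question.

```sql
-- Added example (not from the original post). Hypothetical schema SECADMIN
-- owns everything below; it needs SELECT on SYS.V_$SESSION and SYS.V_$MYSTAT,
-- ALTER SYSTEM and ADMINISTER DATABASE TRIGGER.

CREATE TABLE secadmin.dba_allowed_client (
  ip_address VARCHAR2(45) NOT NULL,   -- TCP peer address seen by the listener
  machine    VARCHAR2(64) NOT NULL,   -- host name the client reports about itself
  CONSTRAINT pk_dba_allowed_client PRIMARY KEY (ip_address, machine)
);
-- Hypothetical DBA workstation; the real list would hold the DBA hosts and
-- the database server itself (for local/bequeath connections).
INSERT INTO secadmin.dba_allowed_client VALUES ('10.0.0.15', 'dba-ws01');
COMMIT;

-- Layer 1: refuse privileged logons from unknown client addresses.
-- Caveat: for users holding ADMINISTER DATABASE TRIGGER (SYS, SYSTEM via the
-- DBA role) a failing logon trigger is logged but the logon still succeeds,
-- so this layer only stops accounts without that privilege.
CREATE OR REPLACE TRIGGER secadmin.trg_priv_logon_guard
AFTER LOGON ON DATABASE
DECLARE
  l_hits NUMBER;
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') IN ('SYS', 'SYSTEM') THEN
    SELECT COUNT(*) INTO l_hits
      FROM secadmin.dba_allowed_client
     WHERE ip_address = SYS_CONTEXT('USERENV', 'IP_ADDRESS');
    IF l_hits = 0 THEN
      -- IP_ADDRESS is NULL for local (bequeath) connections.
      RAISE_APPLICATION_ERROR(-20001,
        'Privileged logon from '
        || NVL(SYS_CONTEXT('USERENV', 'IP_ADDRESS'), 'local/bequeath')
        || ' is not allowed');
    END IF;
  END IF;
END;
/

-- Layer 2: the "brute force" watcher from the post. Kill every SYS/SYSTEM
-- user session whose reported machine is not on the allow-list.
CREATE OR REPLACE PROCEDURE secadmin.kill_rogue_dba_sessions AS
  l_my_sid NUMBER;
BEGIN
  -- Own SID so the job never kills its own session (works on 8i/9i;
  -- 10g and later could use SYS_CONTEXT('USERENV', 'SID') instead).
  SELECT sid INTO l_my_sid FROM v$mystat WHERE ROWNUM = 1;

  FOR r IN (SELECT s.sid, s.serial#, s.username, s.machine, s.module
              FROM v$session s
             WHERE s.type = 'USER'
               AND s.username IN ('SYS', 'SYSTEM')
               AND s.sid <> l_my_sid
               AND NOT EXISTS (SELECT 1
                                 FROM secadmin.dba_allowed_client a
                                WHERE a.machine = s.machine))
  LOOP
    BEGIN
      EXECUTE IMMEDIATE 'ALTER SYSTEM KILL SESSION '''
                        || r.sid || ',' || r.serial# || ''' IMMEDIATE';
    EXCEPTION
      WHEN OTHERS THEN NULL;  -- session may already be gone (ORA-00030)
    END;
  END LOOP;
END;
/

-- Run the watcher every 10 seconds through DBMS_JOB (the cron alternative is
-- a shell loop calling the same procedure through sqlplus).
DECLARE
  l_job BINARY_INTEGER;
BEGIN
  DBMS_JOB.SUBMIT(job       => l_job,
                  what      => 'secadmin.kill_rogue_dba_sessions;',
                  next_date => SYSDATE,
                  interval  => 'SYSDATE + 10/86400');
  COMMIT;
END;
/
```

Two caveats a practitioner should keep in mind. v$session.MACHINE is supplied by the client, so it can be set to anything by an attacker who controls the client; SYS_CONTEXT('USERENV', 'IP_ADDRESS') is taken from the network connection and is harder to forge, but it is only visible to the session itself, which is why the trigger captures it at logon while the watcher has to fall back on MACHINE. And the watcher is a race, exactly as the JCL was: a session that connects and finishes its work inside the ten-second window is never killed, which is the point Billy makes when he calls it brute force and recommends fixing access at the network layer instead.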
