Re: root logging as internal
In article <954871662.23496.0.pluto.d4ee154e_at_news.demon.nl>,
"Sybrand Bakker" <postbus_at_sybrandb.demon.nl> wrote:
> Answers embedded
>
> <aanon_1_at_hotmail.com> wrote in message news:8cd127$26l$1_at_nnrp1.deja.com...
> > Hello all,
> >
> > Hopefully there is a work around to this "issue". However, so far I
> > have not been able to resolve it.
> >
> > Last week one of our UNIX admins took the liberty to log into Oracle
> > via the internal account and created himself an Oracle ID. In essence
> > he did this
> >
> > $ su - oracle
> >
> > $ svrmgrl
> >
> > svrmgr > connect internal
> >
> > And he was off to the races. Seeing that this is a gaping hole in our
> > security I tried a variety of items including using the orapwd
> > utility. I ended up calling Oracle, and they said that since root is a
> > special account and can su to anything, they can log into Oracle as
> > they see fit.
> >
> > I'm having a tough time believing this. So...
> >
> > 1) Is this true?
>
> Yes!
>
> > 2) If there is a work around could you pls post it.
> >
>
> Fire your admin
> At some point you simply should trust a person and/or log all his actions on
> a hardcopy terminal.
> If you don't trust him, don't give them the job. One of the facts of life in
> Unix is that anyone knowing the root password can do anything.
>
Wishful thinking - the UNIX admin contractor is in a separate UNIX department. They ultimately report to a separate department head. Basically you're looking at an act of Congress for a firing to happen - they are short handed. That's OK though - because they are at the front of the blame list if anything breaks (and I'm sure something will break). :-)
Maybe you have a proc that'll do the trick say -
exec loser.lose_your_job ('Bob Bonehead','Adios Amigo');
> > I am aware of the audit files (.aud), but they are only useful after
> > the fact.
> >
> > TIA,
> >
> > anon_1
>
> Hth,
>
> Sybrand Bakker, Oracle DBA
>
>
Received on Tue Apr 04 2000 - 00:00:00 CDT