
Re: Prevent Root access from database

From: DA Morgan <damorgan_at_psoug.org>
Date: Thu, 28 Jul 2005 00:51:25 -0700
Message-ID: <1122537050.882409@yasure>


Billy wrote:
> PhilB wrote:
>
>>We've got a new security drive underway in our organisation, one of the
>>concerns that was raised was that access to the database on our unix
>>server should be prevented from the root user.  I'm preparing to put
>>the argument that the root user is the system admin and as a result can
>>do anything, e.g. "su" to oracle user account and gain access via a
>>"connect / as sysdba" (even if we remove sysdba, surely root can put it
>>back!)  Is this correct, anyone got any experience of preventing root
>>users getting into the database to see the data?
>
>
> Yep. You write a daemon process that creates unique and very complex
> random passwords and change the root password every 60 seconds.
>
> That will prevent anyone from using root and getting into Oracle as
> sysdba. Of course, having this security hole now closed is critical,
> and the fact that you are totally fricken screwed wrt Unix sysadmin
> totally irrelevant.
>
> Alternatively, tell management to p*ss off and mind their own
> business.. which is the business side of things and leave their dirty
> and grubby paws off technical issues that they know jack sh*t about.
>
> --
> Billy

I understand your sentiment but it is no longer reasonable in the US and some other countries to take that approach.

If root can access the database, without auditing, then you have a clear-cut violation of United States Federal law.

You may not like the law ... but the chances of you changing it are a very small finite number that looks a lot like a zero.

-- 
Daniel A. Morgan
http://www.psoug.org
damorgan_at_x.washington.edu
(replace x with u to respond)
Received on Thu Jul 28 2005 - 02:51:25 CDT
