Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.server -> Re: Prevent Root access from database

Re: Prevent Root access from database

From: DA Morgan <damorgan_at_psoug.org>
Date: Fri, 29 Jul 2005 08:44:56 -0700
Message-ID: <1122651867.32332@yasure>


Billy wrote:
> DA Morgan wrote:
>
>> I understand your sentiment but it is no longer reasonable in the US and
>> some other countries to take that approach.
>>
>> If root can access the database, without auditing, then you have a clear
>> cut violation of United States Federal law.
>
> Daniel, we also have laws about privacy and about lawful intercept and
> so on.
>
> And I agree that a 'sensitive' database should be protected at sysdba
> level via auditing (which means any user and not just root gets audited
> at that level).
>
> But to attempt to change the fundamental o/s and security architecture
> - like denying root su access into an oracle account - that I do have a
> problem with.

A problem you may have but I am aware of at least one auditing firm in this country that will refuse to sign off on a compliance audit if UNIX system administrators can gain access to the database.

And some of what is done to prevent it is contorted ... but effective.

> The issue is putting the horses in front of the cart. Business not only
> stating the problem (root can access Oracle as sysdba), but also the
> solution (hack the o/s to prevent this). Not to mention that the
> problem is too vague to determine the solution. What needs to be
> protected on the database side?

The solution is not to hack the O/S: That's just plain ridiculous as well as dangerous. There are very simple solutions to the problem that don't require writing a single line of code.

> --
> Billy

-- 
Daniel A. Morgan
http://www.psoug.org
damorgan_at_x.washington.edu
(replace x with u to respond)
Received on Fri Jul 29 2005 - 10:44:56 CDT
