Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
Home -> Community -> Usenet -> c.d.o.server -> Re: Prevent Root access from database
Billy wrote:
>
> Fine, a hack gets implemented that denies root access to su into oracle
> and do a sqlplus "/ as sysdba". (which begs the question just how the
> hell are you going to start the database instance at boot time if root
> cannot su into oracle?)
I have seen installations that simply require the DBA to be physically present. A real PITA, but lucrative. This was pre-SOX, so I interpreted it as a management my-staff-is-bigger-than-yours exercise.
>
> But seeing as the sensitive data is not encrypted, nothing prevents
> root from running tcpdump and reading all the clear text data being
> delivered to the clients. Nothing prevents root from hacking into
> Oracle processes and memory. Or just simply dumping data directly from
> the physical Oracle datafiles.
Or just waiting for the tapes to fall off the back of the truck. http://catless.ncl.ac.uk/Risks/23.86.html#subj2
>
> The problem solution is not "prevent Root access from database" as it
> is a totally meaningless solution that does not even address the
> perceived problem.
Agreed. IMO the solution is to audit to something that root for a particular machine cannot easily write to. An even better solution would be to have smart management and reasonable auditing law, but oh well...
jg
-- @home.com is bogus. http://www.signonsandiego.com/uniontrib/20050802/news_1b2titan.html

Received on Tue Aug 02 2005 - 17:27:01 CDT