Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Security for administrators of Oracle databases

From: <sybrandb_at_hccnet.nl>
Date: Thu, 05 Jul 2007 23:08:49 +0200
Message-ID: <37nq83lh93p1627s1ulr5g7hpo1bf63i9e@4ax.com>


On Thu, 5 Jul 2007 15:54:06 -0400, "Scott" <toomuchspam_at_noemail.com> wrote:

>Group,
>
>I was wondering how other people have their servers configured when there is
>more than one DBA working on the server/database.
>
>For example, things could be as lax as all DBAs can use the oracle unix
>account and log in with a generic DBA account. Another option would be each
>admin has their own OS user id and is a member of the DBA group, but also
>has a Database account with DBA privs (which seems redundant, because if
>you are a member of the DBA group you can always connect / as sysdba).
>
>Is one method really better than the other?
>
>
>Scott.
>

Whether *Nix or Windows, you can easily disable OS authentication as sysdba by
sqlnet.authentication_services=(none)
in your sqlnet.ora.
If you also enable audit_sys_operations on your database, at least you will be able to see who is executing certain commands. I admit they are stored in ASCII files in $ORACLE_HOME/rdbms/audit, but it is better than nothing.
IMO, you would need to take it one step further and disable / as sysdba.
Actually this is in Arup Nanda's whitepaper 'Project Lockdown' on http://otn.oracle.com.

€0.02

-- 

Sybrand Bakker
Senior Oracle DBA
Received on Thu Jul 05 2007 - 16:08:49 CDT
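
A configuration check for the two settings named in the reply above, as an added example that is not part of the original post. The file contents are constructed samples, the function names are hypothetical, and reporting an unset sqlnet.authentication_services as a finding is this example's own conservative choice.

```python
def parse_params(text):
    """Parse name=value lines from sqlnet.ora / init.ora style text."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        # names are case-insensitive; pfiles may prefix them with "*."
        params[name.strip().lower().lstrip("*.")] = value.strip()
    return params

def auth_services(sqlnet_text):
    """Return the configured authentication services, or None if unset."""
    value = parse_params(sqlnet_text).get("sqlnet.authentication_services")
    if value is None:
        return None
    return {v.strip().upper() for v in value.strip("() ").split(",") if v.strip()}

def review(sqlnet_text, init_text):
    """List deviations from the settings recommended in the post."""
    findings = []
    services = auth_services(sqlnet_text)
    if services is None:
        findings.append("sqlnet.authentication_services is not set explicitly")
    elif services != {"NONE"}:
        findings.append("authentication services enabled: "
                        + ", ".join(sorted(services)))
    audit = parse_params(init_text).get("audit_sys_operations", "")
    if audit.strip("'\"").upper() != "TRUE":
        findings.append("audit_sys_operations is not TRUE")
    return findings

# Constructed sample files: one lax, one following the post.
WEAK_SQLNET = "# constructed sample\nSQLNET.AUTHENTICATION_SERVICES = (NTS)\n"
HARD_SQLNET = "sqlnet.authentication_services=(none)  # as in the post\n"
WEAK_INIT = "*.db_name='ORCL'\n"
HARD_INIT = "*.db_name='ORCL'\n*.audit_sys_operations=TRUE\n"

if __name__ == "__main__":
    for label, s, i in (("weak", WEAK_SQLNET, WEAK_INIT),
                        ("hardened", HARD_SQLNET, HARD_INIT)):
        print(label, review(s, i) or "OK")
```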
