Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Security for administrators of Oracle databases

From: adrian_ang <adrian_ang_at_abv.bg>
Date: Tue, 07 Aug 2007 06:18:34 -0700
Message-ID: <1186492714.070386.143220@19g2000hsx.googlegroups.com>


On Jul 6, 12:08 am, sybra..._at_hccnet.nl wrote:
> On Thu, 5 Jul 2007 15:54:06 -0400, "Scott" <toomuchs..._at_noemail.com>
> wrote:
>
> >Group,
>
> >I was wondering how other people have their servers configured when there is
> >more than one DBA working on the server/database.
>
> >For example things could be as lax as all DBAs can use the oracle unix
> >account and login with a generic DBA account. Another option would be each
> >admin has their own OS user id and is a member of the DBA group, but also
> >has a Database account with DBA privs (which seems redundant because if
> >you are a member of the DBA group you can always connect / as sysdba).
>
> >Is one method really better than the other?
>
> >Scott.
>
> Whether *Nix or Windows you can easily disable OS authentication as
> sysdba by
> sqlnet.authentication_services=(none)
> in your sqlnet.ora
> If you also enable audit_sys_operations on your database, at least you
> will be able to see who is executing certain commands.
> I admit they are stored in ASCII files in $ORACLE_HOME/rdbms/audit,
> but it is better than nothing.
> IMO, you would need to take it one step further and disable / as
> sysdba.
> Actually this is in Arup Nanda's whitepaper 'Project Lockdown' on http://otn.oracle.com
>
> 0.02
>
> --
>
> Sybrand Bakker
> Senior Oracle DBA

I have a question about your proposition (sqlnet.authentication_services=(none)). How can the sqlnet.ora file be secured, since every DBA can set the TNS_ADMIN environment variable to another location where she/he has created a custom sqlnet.ora file and use it to connect as sysdba without a password?

Adrian Angelov

Received on Tue Aug 07 2007 - 08:18:34 CDT
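A reporting check for the two points raised in this thread, added here as an example and not written by either poster: it shows which sqlnet.ora the current session would read (the TNS_ADMIN concern) and whether that file sets sqlnet.authentication_services to (none). The function names and the notion of an "approved directory" are assumptions, and the script only reports an override; it does not prevent one.

```shell
#!/bin/sh
# Added example (not from the thread): report which sqlnet.ora this session
# would read and whether it disables OS authentication.

# Oracle Net reads sqlnet.ora from $TNS_ADMIN when set, otherwise from
# $ORACLE_HOME/network/admin.  $1 = ORACLE_HOME
effective_net_dir() {
    printf '%s\n' "${TNS_ADMIN:-$1/network/admin}"
}

# Print every value given to SQLNET.AUTHENTICATION_SERVICES in file $1,
# upper-cased with whitespace removed.  Assumes single-line entries.
auth_services_values() {
    sed -e 's/#.*//' "$1" | tr -d ' \t\r' | tr '[:lower:]' '[:upper:]' |
        sed -n 's/^SQLNET\.AUTHENTICATION_SERVICES=//p'
}

# $1 = ORACLE_HOME, $2 = approved directory (hypothetical site policy).
# Returns 0 only if no finding is printed.
audit_sqlnet() {
    dir=$(effective_net_dir "$1"); file="$dir/sqlnet.ora"; rc=0
    if [ "$dir" != "$2" ]; then
        echo "FINDING: sqlnet.ora is read from $dir, not $2"; rc=1
    fi
    if [ ! -f "$file" ]; then
        echo "FINDING: $file does not exist"; return 1
    fi
    vals=$(auth_services_values "$file" | sort -u)
    if [ "$vals" != "(NONE)" ]; then
        echo "FINDING: $file sets authentication_services to: ${vals:-<unset>}"; rc=1
    fi
    if [ -n "$(find -L "$file" \( -perm -020 -o -perm -002 \))" ]; then
        echo "FINDING: $file is writable by group or others"; rc=1
    fi
    return "$rc"
}

# Run against the live environment when ORACLE_HOME is set; the default
# network/admin directory is taken as the approved one (assumption).
if [ -n "${ORACLE_HOME:-}" ]; then
    audit_sqlnet "$ORACLE_HOME" "$ORACLE_HOME/network/admin" && echo "no findings"
fi
```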
