Re: Security for administrators of Oracle databases
On Jul 6, 12:08 am, sybra..._at_hccnet.nl wrote:
> On Thu, 5 Jul 2007 15:54:06 -0400, "Scott" <toomuchs..._at_noemail.com>
> wrote:
>
>
>
> >Group,
>
> >I was wondering how other people have their servers configured when there is
> >more than one DBA working on the server/database.
>
> >For example things could be as lax as all DBAs can use the oracle unix
> >account and login with a generic DBA account. Another option would be each
> >admin has their own OS user id and is a member of the DBA group, but also
> >has a Database account with DBA privs. (which seems redundant because if
> >you are a member of the DBA group you can always connect / as sysdba.)
>
> >Is one method really better than the other?
>
> >Scott.
>
> Whether *Nix or Windows you can easily disable OS authentication as
> sysdba by
> sqlnet.authentication_services=(none)
> in your sqlnet.ora
> If you also enable audit_sys_operations on your database, at least you
> will be able to see who is executing certain commands.
> I admit they are stored in Ascii files in $ORACLE_HOME/rdbms/audit,
> but it is better than nothing.
> IMO, you would need to take it one step further and disable / as
> sysdba.
> Actually this is in Arup Nanda's whitepaper 'Project Lockdown' on http://otn.oracle.com
>
> ¤0.02
>
> --
>
> Sybrand Bakker
> Senior Oracle DBA
I have a question about your
proposition (sqlnet.authentication_services=(none)).
How can the sqlnet.ora file be secured, since every DBA can set the TNS_ADMIN
environment variable to another location where she/he has created a
custom sqlnet.ora file and use it to connect as sysdba without a
password?
Adrian Angelov

Received on Tue Aug 07 2007 - 08:18:34 CDT
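
The sqlnet.ora lookup discussed in this thread can be checked per environment. The script below is an added example, not code from any poster: it reports which sqlnet.ora an environment resolves to and whether that file sets sqlnet.authentication_services=(none). It assumes sqlnet.ora is read from $TNS_ADMIN when that variable is set and from $ORACLE_HOME/network/admin otherwise; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: sqlnet.ora is looked up in
# $TNS_ADMIN when that is set, otherwise in $ORACLE_HOME/network/admin.

# Path of the sqlnet.ora that a given environment resolves to.
effective_sqlnet_ora() {   # $1 = ORACLE_HOME, $2 = TNS_ADMIN (may be empty)
    if [ -n "$2" ]; then echo "$2/sqlnet.ora"
    else echo "$1/network/admin/sqlnet.ora"; fi
}

# Lower-cased value of SQLNET.AUTHENTICATION_SERVICES in a file, or "unset".
auth_services() {          # $1 = path to sqlnet.ora
    [ -r "$1" ] || { echo unset; return 0; }
    v=$(sed 's/#.*//' "$1" | tr -d ' \t' | tr 'A-Z' 'a-z' |
        sed -n 's/^sqlnet\.authentication_services=//p' | tail -n 1)
    echo "${v:-unset}"
}

# OK:       default file in use and it says (none).
# WEAK:     default file in use but OS authentication is not disabled.
# OVERRIDE: TNS_ADMIN points the session at a different sqlnet.ora.
check_env() {              # $1 = ORACLE_HOME, $2 = TNS_ADMIN (may be empty)
    eff=$(effective_sqlnet_ora "$1" "$2")
    val=$(auth_services "$eff")
    if [ "$eff" != "$1/network/admin/sqlnet.ora" ]; then echo "OVERRIDE $val"
    elif [ "$val" = "(none)" ]; then echo "OK $val"
    else echo "WEAK $val"; fi
}

# Constructed sample layout: a locked-down Oracle home and a private directory
# holding a sqlnet.ora without the setting.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/home/network/admin" "$d/private"
    printf '# hardened\nSQLNET.AUTHENTICATION_SERVICES = (NONE)\n' \
        > "$d/home/network/admin/sqlnet.ora"
    printf 'NAMES.DIRECTORY_PATH = (TNSNAMES)\n' > "$d/private/sqlnet.ora"
    check_env "$d/home" ""
    check_env "$d/home" "$d/private"
    rm -rf "$d"
}

demo
```

Run from a login profile or a scheduled job, `check_env "$ORACLE_HOME" "$TNS_ADMIN"` gives a line that can be logged alongside the audit files in $ORACLE_HOME/rdbms/audit.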