On Aug 26, 1:01 pm, hpuxrac <johnbhur..._at_sbcglobal.net> wrote:
> On Aug 24, 1:31 pm, EdStevens <quetico_..._at_yahoo.com> wrote:
>
> > On advice last week, I have downloaded the "Project Lockdown" document
> > and begun reviewing it. I get a very uneasy feeling about his
> > suggestion to remove the SUID bit from the Oracle executables.
> > Searching through this ng I find a lot of issues stemming from not
> > leaving the file permissions just as they are created when following
> > installation instructions to the letter.
>
> > It seems to me this could cause a lot of nagging problems. It also
> > seems that if your ORACLE_HOME is on a box where issuance of os user
> > accounts is limited to DBAs and SAs the ability to exploit the SUID
> > would be extremely limited.
>
> > Am I missing something?
>
> Never heard of project lockdown.
>
> The SUID bit really mostly comes into play for oracle client type
> installs.
>
> It's not a bad idea at all to have multiple oracle installs on a given
> server and have the oracle server software not to be used at all by
> people needing client functionality.
>
> Talk to your auditors and request an audit of the oracle environment.
> Let them give some guidance and flavor those recommendations with your
> oracle expertise.
>
> Rinse and repeat.
This document (from Oracle , BTW) goes far beyond our written secruity
requirements. I really don't have access to our auditors (they are
very much higher in the organization and only come for a site visit
every few years. I've never met an auditor in any organization who
understood the first thing about Oracle. They all 'manage by magazine
article.'
Received on Mon Aug 27 2007 - 07:41:03 CDT
