Re: Database security
Jared,
You could always rename the /bin/su to something else and then create a
script that is called su.sh. In the script, check for the name "oracle"
and exit if the name is oracle; if not, execute the renamed su pgm. You
could even log the transaction with a time stamp for "investigative
reasons". An old trick for capturing the login/password of a user by
modifying the /bin/login pgm.
Of course you need root access to change the /bin/su.
Ron
>>> Jared.Still_at_radisys.com 03/16/2004 5:36:31 PM >>>
List,
Here in the midst of Sarbanes Oxley, I've been pondering methods that might be used to prevent a system administrator from connecting to any databases running on that box.
I know that it is possible to set up Oracle on Windows so that without a password, you cannot log on to the database as sysdba.
e.g. sqlplus "/ as sysdba" will require a password.
The caveat to this is that the SA can simply:
That won't get you SYSDBA, but it will get you DBA, which is probably enough for any nefarious activities.
On *nix it is a bit different of course. Anyone with root can simply su to oracle.
I have been perusing Pete Finnigan's "Oracle Security Step-by-Step" but have not yet found information pertaining to this particular topic, other than revoking privs from the DBA account. That action is not applicable here, as the team of DBAs consists of me by myself.
And TIA Mladen, but I already know how it works on unix, and that MS is the dark side of the force, but is unfortunately what I have to live with.
Jared
--
Archives are at http://www.freelists.org/archives/oracle-l/
FAQ is at http://www.freelists.org/help/fom-serve/cache/1.html
Received on Wed Mar 17 2004 - 06:33:02 CST
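
The su wrapper described in the reply above, as an added example that is not part of the original thread. It assumes the real binary was renamed to `/bin/su.real` (a hypothetical name) and logs through `logger` by default, because Linux ignores the setuid bit on scripts, so the wrapper runs as the caller and cannot append to a root-owned file. It gives an audit trail and a deterrent, not an enforcement boundary, since whoever has root controls `/bin/su`.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed names: the real
# binary was renamed to /bin/su.real and this file is installed as /bin/su.
REAL_SU="${REAL_SU:-/bin/su.real}"
BLOCKED_USER="${BLOCKED_USER:-oracle}"
SU_LOG="${SU_LOG:-}"    # optional log file; empty means syslog via logger(1)

# Succeeds if any argument is exactly the blocked account name. Checking
# every argument means option order cannot hide the name; the cost is that
# a command such as "su bob -c oracle" is refused too (fails closed).
su_names_blocked_user() {
    for arg in "$@"; do
        if [ "$arg" = "$BLOCKED_USER" ]; then return 0; fi
    done
    return 1
}

# Record one line: UTC timestamp, decision, caller and the arguments.
# Control characters are replaced so an argument cannot forge log lines.
su_guard_log() {
    decision=$1; shift
    line=$(printf '%s %s caller=%s args=%s' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$decision" "$(id -un)" "$*" |
        tr '[:cntrl:]' '?')
    if [ -n "$SU_LOG" ]; then
        printf '%s\n' "$line" >>"$SU_LOG"
    else
        logger -t su-guard -p auth.notice "$line"
    fi
}

# Refuse and log when the blocked account is named; otherwise log and
# hand over to the renamed su with the arguments untouched.
su_guard() {
    if su_names_blocked_user "$@"; then
        su_guard_log DENY "$@"
        echo "su: switching to $BLOCKED_USER is not permitted" >&2
        return 1
    fi
    su_guard_log ALLOW "$@"
    exec "$REAL_SU" "$@"
}

# Run only when invoked under the su name, so the file can also be sourced.
case "${0##*/}" in
    su|su.sh) su_guard "$@" ;;
esac
```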