Oracle-L mailing list: Re: Security audit of Oracle databases
snipped except for relevant passage to pass the overquoting rule.....
> Another password problem I've seen, especially on single DBA sites, is
> that only the DBA knows the passwords. What if he gets run over,
> arrested on terrorism charges, rendered comatose, murdered or simply
> goes on a 4 week holiday and is incommunicado? All important
> passwords should be recorded and stored somewhere safe (a piece of
> paper in an offsite secure location (e.g. where you keep your
> disaster recovery backups)). BTW, of those 5 examples of why a DBA
> might not be available, murdered is the only one that hasn't happened
> to a DBA I know (the arrest was found to be an error and he was
> released).
Not necessarily a problem, at least not on Unix/Linux systems -- sysadmin logs in as root and does an "su - oracle" (or the name of the Oracle binaries owner)...... then does
connect / as sysdba
and can reset whatever passwords are needed.
I had a sysadmin at a site once tell me that since I was the only DBA, for security reasons, I HAD to give him the password to the oracle account... in an email. I replied "you don't need it". He said "oh wait, you're right, that's not secure -- leave it to me in a voicemail".
I replied again "you don't need it". And later, when there wasn't a crowd around, gently explained to him that as root, he had access to ANY account on the system... and so did not need the password.
-- http://www.freelists.org/webpage/oracle-l
Received on Mon Apr 11 2005 - 11:19:54 CDT