Re: Security for administrators of Oracle databases
On Thu, 5 Jul 2007 15:54:06 -0400, "Scott" <toomuchspam_at_noemail.com>
wrote:
>Group,
>
>I was wondering how other people have their servers configured when there is
>more than one DBA working on the server/database.
>
>For example things could be as lax as all DBAs can use the oracle unix
>account and login with a generic DBA account. Another option would be each
>admin has their own OS user id and is a member of the DBA group, but also
>has a Database account with DBA privs. (which seems redundant because if
>you are a member of the DBA group you can always connect / as sysdba.)
>
>Is one method really better than the other?
>
>
>Scott.
>
Whether *Nix or Windows, you can easily disable OS authentication as
sysdba by

sqlnet.authentication_services=(none)

in your sqlnet.ora.
If you also enable audit_sys_operations on your database, at least you
will be able to see who is executing certain commands.
I admit they are stored in ASCII files in $ORACLE_HOME/rdbms/audit,
but it is better than nothing.
IMO, you would need to take it one step further and disable / as
sysdba.
Actually this is in Arup Nanda's whitepaper 'Project Lockdown' on
http://otn.oracle.com
€0.02

--
Sybrand Bakker
Senior Oracle DBA

Received on Thu Jul 05 2007 - 16:08:49 CDT
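Added example, not part of the original post: a Python check that reads sqlnet.ora text and reports whether the setting named in the reply, sqlnet.authentication_services=(none), is in effect. The function names and both sample files are constructed for this example; it assumes `#` comments and indented continuation lines, and it reports a missing parameter as "unset" without claiming what the default is on a given platform or release.

```python
import re

PARAM = "sqlnet.authentication_services"

# Constructed sample files (not taken from any real server).
WEAK = """# constructed sample
SQLNET.AUTHENTICATION_SERVICES = (NTS)
NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)
"""
HARDENED = """# constructed sample
NAMES.DIRECTORY_PATH = (TNSNAMES)
sqlnet.authentication_services=(none)
"""

def logical_lines(text):
    """Drop # comments and join indented continuation lines into one entry."""
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0].isspace() and current:
            current += " " + line.strip()
        else:
            if current:
                yield current
            current = line.strip()
    if current:
        yield current

def os_auth_status(text):
    """Return (status, methods); status is 'unset', 'disabled' or 'enabled'."""
    seen = []
    for entry in logical_lines(text):
        name, sep, value = entry.partition("=")
        if sep and name.strip().lower() == PARAM:  # parameter name is case-insensitive
            seen.append([m.lower() for m in re.findall(r"\w+", value)])
    if not seen:
        return "unset", []
    methods = sorted({m for entry in seen for m in entry})
    # Which duplicate entry Oracle honours is not assumed here:
    # any entry that lists something other than 'none' is flagged.
    if all(entry == ["none"] for entry in seen):
        return "disabled", methods
    return "enabled", methods

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, os_auth_status(sample))
```
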