PCI compliance and shared Linux accounts

  • From: "Henry Poras" <henry@xxxxxxxxxxxxxxx>
  • To: <oracle-l@xxxxxxxxxxxxx>
  • Date: Mon, 24 Oct 2005 14:44:51 -0400

I am wondering how other companies deal with this issue. We are currently
enmeshed in the PCI (payment card industry) compliance process. One of the
requirements is "do not permit group, shared, or generic
accounts/passwords." This means that when we need to access the database
server, we will connect as ourselves, and then sudo to the 'oracle' account.
For a single node database (non-RAC) this doesn't seem like a big deal. The
only limitation is the necessity of a direct connect for X-windows
implementation. If we want to avoid a silent install we will need a direct
login as 'oracle', but OUI isn't used too frequently.

I was wondering more about the problems we will have with RAC. An 'oracle'
password will again be necessary for X, as well as to configure scp in the
installation process. There are also some other tasks that will be more
difficult. For example, running the monitoring tool RACDDT (it will destroy
your environment as it removes the bugs???) uses ssh. I guess I could run it
from my personal account if I am careful to set all permissions, but ...

I guess I am wondering how important having direct access to a shared
'oracle' account will be in a RAC environment. Are there any emergencies or
administrative tasks that will become noticeably more difficult with this
limitation in place?

Thanks.

Henry
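One way to express the "log in as yourself, then sudo to the 'oracle' account" model the post describes, as an added example that is not from the original thread: a sudoers fragment that assumes the named DBA logins are members of a Unix group called `dba` and that the Oracle software owner is the local account `oracle`.

```sudoers
# Added example, not from the original post. Edit only via visudo.
# Assumes: named DBA logins belong to the Unix group 'dba'; the Oracle
# software owner is the local account 'oracle' with /bin/bash as its shell.

# Write every sudo invocation (invoking user, target user, command, host,
# date) to a dedicated log so that work done as 'oracle' stays attributable
# to an individual, which is the point of the PCI requirement.
Defaults        logfile=/var/log/sudo.log
Defaults        log_host, log_year

# Members of 'dba' may run a shell as 'oracle', authenticating with their own
# password.  Typical use:  sudo -u oracle /bin/bash -l
# Nobody needs to know a shared 'oracle' password; it can be locked.
%dba    ALL = (oracle) /bin/bash

# Deliberately NOT granted: a root shell or NOPASSWD.  Anything that must run
# as root (service restarts, etc.) should be listed as individual commands.
```

The ssh/scp user-equivalence setup that RAC installation needs can still be generated from the `oracle` shell obtained this way (the keys live in oracle's home), so the shared password is only unavoidable for the interactive X session the post mentions.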
