Re: Security audit of Oracle databases

  • From: Hemant K Chitale <hkchital@xxxxxxxxxxxxxx>
  • To: wisernet100@xxxxxxxxx
  • Date: Mon, 11 Apr 2005 23:34:43 +0800

Rachel,

You need not have revealed this secret to all and sundry.  Who knows, there might
even be a few SOX auditors lurking on this list -- auditors who will now demand
that both the "root" and the "oracle" passwords be split amongst two people each --
requiring 4 SA/DBA persons!

There are auditors who say that the DBA should not login to the server as
"oracle" but should login as "hemant" and then "su" to oracle {after which he
can do as he d* well pleases}.  There are auditors who say that the "root"
account should not be used but that it is OK to have named accounts with
administrative privileges, not knowing what "uid 0" means.

Hemant

At 11:15 PM Monday, you wrote:

>I had a sysadmin at a site once tell me that since I was the only DBA,
>for security reasons, I HAD to give him the password to the oracle
>account... in an email. I replied "you don't need it". He said "oh
>wait, you're right, that's not secure -- leave it to me in a
>voicemail"
>
>I replied again "you don't need it". And later, when there wasn't a
>crowd around, gently explained to him that as root, he had access to
>ANY account on the system... and so did not need the password.


Hemant K Chitale
http://web.singnet.com.sg/~hkchital


--
//www.freelists.org/webpage/oracle-l
