Re: Security audit of Oracle databases
- From: Hemant K Chitale <hkchital@xxxxxxxxxxxxxx>
- To: wisernet100@xxxxxxxxx
- Date: Mon, 11 Apr 2005 23:34:43 +0800
Rachel,
You need not have revealed this secret to all and sundry. Who knows, there might
even be a few SOX auditors lurking on this list -- auditors who will now demand
that both the "root" and the "oracle" passwords be split amongst two people each --
requiring 4 SA/DBA persons!
There are auditors who say that the DBA should not login to the server as
"oracle" but should login as "hemant" and then "su" to oracle {after which he
can do as he d* well pleases}. There are auditors who say that the "root"
account should not be used but that it is OK to have named accounts with
administrative privileges, not knowing what "uid 0" means.
Hemant
At 11:15 PM Monday, you wrote:
>I had a sysadmin at a site once tell me that since I was the only DBA,
>for security reasons, I HAD to give him the password to the oracle
>account... in an email. I replied "you don't need it". He said "oh
>wait, you're right, that's not secure -- leave it to me in a
>voicemail"
>
>I replied again "you don't need it". And later, when there wasn't a
>crowd around, gently explained to him that as root, he had access to
>ANY account on the system... and so did not need the password.
Hemant K Chitale
http://web.singnet.com.sg/~hkchital
--
http://www.freelists.org/webpage/oracle-l
- References:
- Re: Security audit of Oracle databases
- From: stephen booth
- Re: Security audit of Oracle databases
- From: Stephen Evans
- Re: Security audit of Oracle databases
- From: rachel carmichael