re re SYSDBA

  • From: Hemant K Chitale <hkchital@xxxxxxxxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Tue, 13 Jul 2004 22:29:16 +0800


And as we can see you are not using spfile.
--> Yes.  I am still using PFILEs  [even for 9iRAC]

I suppose that in different organizations there can be different security
requirements.
.
Hemant, I can bet your listeners are listening on a different port than 1521
--> Most databases, unfortunately, have defaulted to 1521.  But the
critical ones -- Financials (ERP) are NOT on 1521 but on non-standard ports.

and protected by password (many sites don't have this).
--> Yes.  All listeners have passwords.

Have you considered running the Oracle software under a different Unix account
than oracle (let's say under a user named zona262db) and renaming the dba group
to cra213 for security purposes?
--> The account is "oracle" or "ora817" or "ora920".  Only on the 9iRAC
cluster did I set up a non-dba group, though.  That was to separate the
Production from the Test databases as I have only 1 cluster [ouch !] but
want to be able to run both databases on it.

There is also a recommendation to lock the Oracle software owner account and
switch to it from another one.
--> IT Security has been after me for this.  The "oracle" account should
have nologin / noshell and I must login as myself "hemant" and "su" to
"oracle".  Can't say that I have done this yet.

.
I just would say, there are different sites as well as different
requirements.
.
If you have high security requirements I would recommend ordering
"Oracle Security Step-by-Step" by Pete Finnigan.
http://www.amazon.com/exec/obidos/tg/detail/-/0974372749/qid=1089648916/sr=1-1/ref=sr_1_1/002-7956793-2529636?v=glance&s=books
There are quite interesting ideas on how to secure your Oracle env. to the
maximum.
Jurijs
9268222
--> I take Security only to a certain level, only till it doesn't become
a burden for me.  Patches for vulnerabilities are applied but not all
databases are updated/upgraded just for patches [e.g. if the patch is
released on 8.1.7.4 but my DB is still 8.1.7.2, tough-luck !]
============================================
http://otn.oracle.com/ocm/jvelikanovs.html






Hemant K Chitale <hkchital@xxxxxxxxxxxxxx>
Sent by: oracle-l-bounce@xxxxxxxxxxxxx
12.07.2004 18:10
Please respond to oracle-l

         To:     oracle-l@xxxxxxxxxxxxx
         cc:
         Subject:        re SYSDBA




As a rule, I prefer "REMOTE_LOGIN_PASSWORDFILE=NONE "


Thus, only a local account in the "dba" group can login
as SYSDBA, preventing logins over remote connections.

I even had an auditor point to my Plumtree database
{where Plumtree's init.ora used a REMOTE_LOGIN_PASSWORDFILE=EXCLUSIVE}
and ask me to disable it.

Hemant




Hemant K Chitale
Oracle 9i Database Administrator Certified Professional
http://web.singnet.com.sg/~hkchital
"A man's reputation is what other people think of him; his character is 
what he really is."
                                         -- Miner, Jack
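
An added example, not part of the original messages: a small Python check of three settings discussed in this thread (REMOTE_LOGIN_PASSWORDFILE in the PFILE, the listener port, and a listener password). The sample file contents, function names and finding codes are constructed for illustration, and the check assumes the listener password appears as a `PASSWORDS_<listener name>` entry in listener.ora.

```python
import re

# Constructed sample files for illustration; not taken from the thread.
WEAK_PFILE = "db_name = TESTDB\nremote_login_passwordfile = EXCLUSIVE  # as shipped\n"
WEAK_LISTENER = """LISTENER =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521)))
"""
HARD_PFILE = "db_name = TESTDB\nREMOTE_LOGIN_PASSWORDFILE=NONE\n"
HARD_LISTENER = """LISTENER =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1621)))
PASSWORDS_LISTENER = (CONSTRUCTED0PLACEHOLDER)
"""

def strip_comments(text):
    """Drop '#' comments, which both init.ora and listener.ora use."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def pfile_params(text):
    """Parse name = value lines of a PFILE; parameter names are case-insensitive."""
    params = {}
    for line in strip_comments(text).splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip().lower()] = value.strip().strip("'\"").upper()
    return params

def audit(pfile_text, listener_text, listener_name="LISTENER"):
    """Return finding codes for the settings discussed in the thread."""
    findings = []
    mode = pfile_params(pfile_text).get("remote_login_passwordfile")
    if mode is None:
        findings.append("PASSWORDFILE_UNSET")    # not set explicitly, so review it
    elif mode != "NONE":
        findings.append("PASSWORDFILE_" + mode)  # thread: only NONE keeps SYSDBA local
    listener = strip_comments(listener_text)
    ports = [int(p) for p in re.findall(r"\(\s*PORT\s*=\s*(\d+)\s*\)", listener, re.I)]
    if 1521 in ports:
        findings.append("LISTENER_DEFAULT_PORT")
    pattern = r"^\s*PASSWORDS_%s\s*=" % re.escape(listener_name)
    if not re.search(pattern, listener, re.I | re.M):
        findings.append("LISTENER_NO_PASSWORD")
    return findings

if __name__ == "__main__":
    print("weak:    ", audit(WEAK_PFILE, WEAK_LISTENER))
    print("hardened:", audit(HARD_PFILE, HARD_LISTENER))
```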
