Re: AIX 10g/11 and Oracle DBA logins

  • From: "Mark Brinsmead" <pythianbrinsmead@xxxxxxxxx>
  • To: jkstill@xxxxxxxxx
  • Date: Tue, 17 Jun 2008 15:42:34 -0400

Why would the SAs be concerned about DBAs knowing the "oracle" password?

It could be a compliance issue -- corporate policy or regulatory
environment forbids the use of "anonymous" accounts; all logins must
be attributed to a specific individual.

Of course, this requirement can be easily met simply by enabling "C2"
security (or whatever on AIX passes as its equivalent) and designating
the "oracle" user as an "anonymous" account.

When you do this, logins as "oracle" will behave as Paul Baumgartel
described earlier in the thread.  Users will first be prompted for the
"oracle" password, and then for their own username and password.

When this is done, not only is each *login* recorded for a specific
individual, but all OS-level auditing will log all actions performed
with the "oracle" account against *both* the "oracle" account and the
individual user who logged in.  (I.e., events will be recorded with
the userid "oracle", and with the "audit_id" of the individual.)

Of course, depending on policies, regulatory statutes, etc., the other
methods mentioned (ssh, sudo, su, and even rsh) can all work too.

On 6/17/08, Jared Still <jkstill@xxxxxxxxx> wrote:
> On Mon, Jun 16, 2008 at 1:49 PM, DIANNA GIBBS <DIANNA.GIBBS@xxxxxxxxxxxxx> wrote:
>
>>
>> My AIX administrator tells me this cannot be done without everyone knowing
>> the oracle OS user password.
>>
>>
> Done easily with ssh.
>
> This can be setup to work with or without passwords.
>
> That said, I don't understand the admins concern about knowing the Oracle
> user password.
>
> If you can logon via sudo/ssh/whatever, or logon to the database directly as
> sysdba, it doesn't really matter much if the DBA's know the password.
>
> --
> Jared Still
> Certifiable Oracle DBA and Part Time Perl Evangelist
>


-- 
Cheers,
-- Mark Brinsmead
   Senior DBA,
   The Pythian Group
   http://www.pythian.com/blogs
--
//www.freelists.org/webpage/oracle-l
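Added example, not part of the thread above and not Pythian or oracle-l code: the
post's requirement is that every session on the shared "oracle" account be
attributed to a named individual, which AIX C2 "anonymous" accounts do with an
audit_id. The same attribution can be obtained with the ssh route Jared mentions,
by giving each DBA a key in ~oracle/.ssh/authorized_keys whose command= option
names the person, so sshd runs a wrapper that records "user=oracle" plus the
individual before handing over. The wrapper path (/usr/local/bin/oracle-login),
the log file location, and the record layout are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the oracle-l thread): attribute logins to the shared
# "oracle" account to individual DBAs with ssh forced commands. Each DBA's key
# in ~oracle/.ssh/authorized_keys names the person in a command= option, e.g.
#
#   command="/usr/local/bin/oracle-login jsmith" ssh-ed25519 AAAA... jsmith
#
# sshd then runs this wrapper instead of the requested command. The wrapper
# writes a record carrying both the account ("user=oracle") and the individual
# ("audit_id=jsmith") before handing over. The name comes from the key option,
# which the SA controls, not from anything the client sends, so the DBA cannot
# spoof it. The wrapper path and the log location are assumptions.

ORACLE_LOGIN_LOG="${ORACLE_LOGIN_LOG:-/var/log/oracle-logins.log}"

# make_login_record PERSON CLIENT [COMMAND]
# Prints one audit line for a shared-account session opened by PERSON.
make_login_record() {
    person=$1
    client=$2
    cmd=${3:-interactive-shell}
    printf '%s user=%s audit_id=%s from=%s cmd=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$person" "$client" "$cmd"
}

# sessions_for PERSON
# Counts the sessions PERSON has opened according to the log (0 if none, or
# if the log is not readable).
sessions_for() {
    [ -r "$ORACLE_LOGIN_LOG" ] || { echo 0; return; }
    grep -c " audit_id=$1 " "$ORACLE_LOGIN_LOG" || true
}

# oracle_login PERSON
# Entry point used as the forced command: record the session, then run the
# command the DBA asked for (sshd passes it in SSH_ORIGINAL_COMMAND) or a
# login shell. Refuses to run if the key option did not name anyone.
oracle_login() {
    person=${1:?oracle-login: the authorized_keys command= option must name the DBA}
    client=${SSH_CLIENT%% *}   # sshd sets "client_ip client_port server_port"
    make_login_record "$person" "${client:-local}" "$SSH_ORIGINAL_COMMAND" \
        >> "$ORACLE_LOGIN_LOG"
    if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
        exec "${SHELL:-/bin/sh}" -c "$SSH_ORIGINAL_COMMAND"
    fi
    exec "${SHELL:-/bin/sh}" -l
}

# Only act as the wrapper when installed under that name; sourcing the file
# (for instance to exercise the functions) does nothing.
case "$0" in
    */oracle-login) oracle_login "$@" ;;
esac
```

Two caveats a practitioner should weigh against the C2 approach Mark describes.
First, this records the session start and the original command only; once the
DBA has a shell as oracle, later actions are logged under uid oracle alone
unless OS-level auditing (or sudo with log_input/log_output, which already
records the invoking user) is in place. Second, the log file must not be
writable by oracle itself, or the account holders can edit their own trail.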