Re: DBAs running root.sh
- From: Austin Hackett <hacketta_57@xxxxxx>
- To: Matthew Zito <matt@xxxxxxxxxxxxxxxxx>
- Date: Mon, 03 Feb 2014 18:26:12 +0000
Many thanks to everyone who has taken the time to reply - lot's of useful info
for me to bring to future discussions. Very much appreciated...
On 3 Feb 2014, at 18:01, Matthew Zito <matt@xxxxxxxxxxxxxxxxx> wrote:
>
> Wait - I forgot about one option that I alluded to in the first paragraph of
> my email - commercial sudo replacements that offer more advanced capabilities
> where they actually intercept systems calls to try to anticipate what users
> are (negatively) trying to do. They're expensive, complicated to run well,
> and usually people can figure out how to get around them. But they get used
> from time to time, especially at really big companies.
>
> One or two big companies I deal with have an intermediary solution, where
> they can "break glass" to get access to root for things like root.sh, but
> they have to go to a website, open a ticket with what they're doing, it gets
> approved, adn they get the root password, which is actually automatically
> generated. Tehy then log in with that password once, run root.sh, and then
> the password is changed automatically until the next person requests root
> access.
>
> Again, complicated and expensive.
>
> Matt
--
//www.freelists.org/webpage/oracle-l
Other related posts:
