Re: DBAs running root.sh

  • From: Paresh Yadav <yparesh@xxxxxxxxx>
  • To: oracle@xxxxxxxxxxxxxxx
  • Date: Mon, 3 Feb 2014 16:02:12 -0500

Of all the methods of dealing with running root.sh (DBA using "su -", SAs
running it or as Norman has mentioned above "execute a "special" command
set up by the security team which allowed us to login as root "), I found
last method (which I have encountered only at one client)  to be most
effective, lets us DBAs do our work while leaving an audit trail of root
access.

What I still don't understand is why the need for a special command to be
executed to audit root access, can't command "su -" can itself be audited?

Thanks
Paresh
416-688-1003



On Mon, Feb 3, 2014 at 3:31 PM, Norman Dunbar <oracle@xxxxxxxxxxxxxxx>wrote:

> Evening Austin,
>
>
> On 03/02/14 17:08, Austin Hackett wrote:
>
>> Hi List
>>
>> If you work in a security conscious environment, I'd be keen to hear how
>> your site handles the root.sh script.
>>
> Some places I've worked allowed root access directly (logging in with the
> password), others had a secure shell type setup where we had to execute a
> "special" command set up by the security team which allowed us to login as
> root (using our own password) and which logged who we were and everything
> we did while running as root. Other places used sudo, with a limited set of
> allowed calls.
>
> I much prefer the latter, it's more secure and limits the processes that
> can be run.
>
> HTH
>
> Cheers,
> Norm.
>
> --
> Norman Dunbar
> Dunbar IT Consultants Ltd
>
> Registered address:
> 27a Lidget Hill
> Pudsey
> West Yorkshire
> United Kingdom
> LS28 7LG
>
> Company Number: 05132767
> --
> //www.freelists.org/webpage/oracle-l
>
>
>

Other related posts: