Of all the methods of dealing with running root.sh (DBA using "su -", SAs running it or as Norman has mentioned above "execute a "special" command set up by the security team which allowed us to login as root "), I found last method (which I have encountered only at one client) to be most effective, lets us DBAs do our work while leaving an audit trail of root access. What I still don't understand is why the need for a special command to be executed to audit root access, can't command "su -" can itself be audited? Thanks Paresh 416-688-1003 On Mon, Feb 3, 2014 at 3:31 PM, Norman Dunbar <oracle@xxxxxxxxxxxxxxx>wrote: > Evening Austin, > > > On 03/02/14 17:08, Austin Hackett wrote: > >> Hi List >> >> If you work in a security conscious environment, I'd be keen to hear how >> your site handles the root.sh script. >> > Some places I've worked allowed root access directly (logging in with the > password), others had a secure shell type setup where we had to execute a > "special" command set up by the security team which allowed us to login as > root (using our own password) and which logged who we were and everything > we did while running as root. Other places used sudo, with a limited set of > allowed calls. > > I much prefer the latter, it's more secure and limits the processes that > can be run. > > HTH > > Cheers, > Norm. > > -- > Norman Dunbar > Dunbar IT Consultants Ltd > > Registered address: > 27a Lidget Hill > Pudsey > West Yorkshire > United Kingdom > LS28 7LG > > Company Number: 05132767 > -- > //www.freelists.org/webpage/oracle-l > > >