Database security

  • From: Jared.Still@xxxxxxxxxxx
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Tue, 16 Mar 2004 14:36:31 -0800

List,

Here in the midst of Sarbanes Oxley, I've been pondering methods
that might be used to prevent a system administrator from connecting
to any databases running on that box.

I know that it is possible to set up Oracle on Windows so that without
a password, you cannot log on to the database as sysdba.

eg.  sqlplus "/ as sysdba" will require a password.

The caveat to this is that the SA can simply:

* stop the Oracle service
* change the init.ora parm remote_login_passwordfile to 'none'
* start up the database
* create a dba account
* shutdown the database
* re-enable the password file
* restart the database

That won't get you SYSDBA, but it will get you DBA, which is probably
enough for any nefarious activities.

On *nix it is a bit different of course.  Anyone with root can simply
su to oracle.

I have been perusing Pete Finnigan's "Oracle Security Step-by-Step" but
have not yet found information pertaining to this particular topic, other
than revoking privs from the DBA account.  That action is not applicable
here, as the team of DBAs consists of me by myself.

And TIA Mladen, but I already know how it works on unix, and that MS is
the dark side of the force, but is unfortunately what I have to live with.

Jared
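The following is an added example, not part of Jared's post or of Pete Finnigan's book. It is the set of checks a lone DBA could run after each instance restart to see whether the password-file bypass described in the post has been exercised, plus the audit options that would make the next attempt leave a record. All views are standard Oracle data dictionary and dynamic performance views; the review date and the audit_trail setting are assumptions, noted inline.

```sql
-- Added example (not from the original post): detecting the
-- "remote_login_passwordfile=none, create a DBA account, re-enable" sequence.
-- Run as the legitimate DBA after every restart you did not perform yourself.

-- 1. Is the password file still enforced?  Expect EXCLUSIVE (or SHARED).
--    A value of NONE means SYSDBA/SYSOPER rely on OS authentication only.
SELECT name, value
  FROM v$parameter
 WHERE name = 'remote_login_passwordfile';

-- 2. Who is currently in the password file with SYSDBA or SYSOPER?
SELECT username, sysdba, sysoper
  FROM v$pwfile_users;

-- 3. Who holds the DBA role?  A one-person DBA team expects one row
--    (plus SYS/SYSTEM).  Anything else is the "create a dba account" step.
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

-- 4. Accounts created since the last known-good review.
--    The date below is an assumed review date; substitute your own.
SELECT username, created, account_status, profile
  FROM dba_users
 WHERE created > TO_DATE('2004-03-01', 'YYYY-MM-DD')
 ORDER BY created;

-- 5. When did the instance last start?  The sequence in the post needs
--    two bounces, so an unexplained startup_time is itself a signal.
SELECT instance_name, startup_time
  FROM v$instance;

-- 6. Make the next attempt leave evidence.  Each of these is a valid
--    statement or system-privilege audit option.  Assumes audit_trail is
--    set to DB or OS (a static parameter: set it in init.ora/spfile and
--    restart, otherwise nothing is recorded).
AUDIT CREATE USER;     -- the "create a dba account" step
AUDIT SYSTEM GRANT;    -- GRANT/REVOKE of system privileges and roles
AUDIT ALTER SYSTEM;    -- parameter changes made from inside the database

-- 7. Read back what the audit options above captured.
SELECT username, os_username, userhost, timestamp, action_name, obj_name
  FROM dba_audit_trail
 WHERE action_name IN ('CREATE USER', 'GRANT ROLE', 'ALTER SYSTEM')
 ORDER BY timestamp;
```

Two caveats follow directly from the post. First, the parameter change in step 2 of the post is made in init.ora while the database is down, so AUDIT ALTER SYSTEM does not see it; the only trace is the startup and the new account. Second, an account holding DBA can delete from sys.aud$, and an administrator who owns the box owns an OS audit trail as well, so these checks raise the cost of the attack and create evidence, but they do not prevent it, which is the point Jared is making.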
