RE: Database security

  • From: DENNIS WILLIAMS <DWILLIAMS@xxxxxxxxxxxxx>
  • To: "'oracle-l@xxxxxxxxxxxxx'" <oracle-l@xxxxxxxxxxxxx>
  • Date: Tue, 16 Mar 2004 16:42:08 -0600

Jared - I have doubts about denying anything to an administrator that is
really determined. How about the DBAs being the only administrators on the
box? When a sys admin task needed to be done that you can't do, then you
could let them do it under your supervision. Just a thought.



Dennis Williams
DBA
Lifetouch, Inc.
dwilliams@xxxxxxxxxxxxx 

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Jared.Still@xxxxxxxxxxx
Sent: Tuesday, March 16, 2004 4:37 PM
To: oracle-l@xxxxxxxxxxxxx
Subject: Database security



List, 

Here in the midst of Sarbanes Oxley, I've been pondering methods 
that might be used to prevent a system administrator from connecting 
to any databases running on that box. 

I know that it is possible to set up Oracle on Windows so that without 
a password, you cannot log on to the database as sysdba. 

e.g.  sqlplus "/ as sysdba" will require a password. 

The caveat to this is that the SA can simply: 

* stop the Oracle service 
* change the init.ora parm remote_login_passwordfile to 'none' 
* start up the database 
* create a dba account 
* shutdown the database 
* re-enable the password file 
* restart the database 

That won't get you SYSDBA, but it will get you DBA, which is probably enough 
for any nefarious activities. 

On *nix it is a bit different of course.  Anyone with root can simply su to
oracle. 

I have been perusing Pete Finnigan's "Oracle Security Step-by-Step" but have 
not yet found information pertaining to this particular topic, other than 
revoking privs from the DBA account.  That action is not applicable here, as 
the team of DBAs consists of me by myself. 

And TIA Mladen, but I already know how it works on unix, and that MS is the 
dark side of the force, but is unfortunately what I have to live with.   

Jared 
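
An added example, not part of the original posts: an audit query a DBA could run to spot a DBA-privileged account left behind by the sequence Jared describes. It walks nested role grants so an account that holds DBA indirectly is also listed. APPROVED_DBA_ACCOUNTS is a hypothetical baseline table (single column USERNAME) assumed for this example.

```sql
-- Added example, not from the thread.
-- Every user that holds the DBA role, directly or through nested roles,
-- with its creation date, compared against a baseline of approved accounts.
-- APPROVED_DBA_ACCOUNTS (USERNAME) is a hypothetical table maintained by the DBA;
-- SYS and SYSTEM hold DBA by default and belong in that baseline.
WITH dba_holders AS (
    SELECT DISTINCT grantee
    FROM   dba_role_privs
    -- start at direct grants of DBA, then follow any role that itself holds DBA
    START WITH granted_role = 'DBA'
    CONNECT BY PRIOR grantee = granted_role
)
SELECT u.username,
       u.created,
       u.account_status,
       CASE
           WHEN a.username IS NULL THEN 'NOT IN BASELINE'
           ELSE 'approved'
       END AS baseline_check
FROM   dba_holders h
       -- the join to DBA_USERS drops intermediate roles and keeps only accounts
       JOIN dba_users u
         ON u.username = h.grantee
       LEFT JOIN approved_dba_accounts a
         ON a.username = u.username
ORDER  BY u.created DESC;
```

An account that is created and dropped again between runs will not appear, and anyone with the access described in the thread can also alter a baseline stored in the same database, so keep the baseline and the query output somewhere the system administrator does not control.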


