Re: Security audit of Oracle databases

  • From: rachel carmichael <wisernet100@xxxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Mon, 11 Apr 2005 11:15:56 -0400

snipped except for relevant passage to pass the overquoting rule.....


> Another password problem I've seen, especially on single DBA sites, is
> that only the DBA knows the passwords.  What if he gets run over,
> arrested on terrorism charges, rendered comatose, murdered or simply
> goes on a 4 week holiday and is incommunicado?  All important
> passwords should be recorded and stored somewhere safe (a piece of
> paper in an offsite secure location, e.g. where you keep your
> disaster recovery backups).  BTW, of those 5 examples of why a DBA
> might not be available, murdered is the only one that hasn't happened
> to a DBA I know (the arrest was found to be an error and he was
> released).

not necessarily a problem, at least not on Unix/Linux systems --
sysadmin logs in as root and does an "su - oracle" (or the name of the
Oracle binaries owner)...... then does

connect / as sysdba

and can reset whatever passwords are needed.

I had a sysadmin at a site once tell me that since I was the only DBA,
for security reasons, I HAD to give him the password to the oracle
account... in an email. I replied "you don't need it". He said "oh
wait, you're right, that's not secure -- leave it to me in a
voicemail"

I replied again "you don't need it". And later, when there wasn't a
crowd around, gently explained to him that as root, he had access to
ANY account on the system... and so did not need the password.
--
//www.freelists.org/webpage/oracle-l
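
An added example, not part of the original post: "connect / as sysdba" is authorized by OS group membership rather than a database password, so this lists which local accounts can reach it. It assumes the OSDBA group is named "dba"; the function names and the passwd/group data are constructed for illustration.

```shell
#!/bin/sh
# sysdba_capable PASSWD_FILE GROUP_FILE [OSDBA_GROUP]
# Prints "user<TAB>reason" for every account that can get a password-less
# SYSDBA session. Assumption: OSDBA group is "dba" unless a third argument is given.
sysdba_capable() {
    passwd_file=$1
    group_file=$2
    osdba=${3:-dba}
    awk -F: -v osdba="$osdba" '
        # First file (group): record the OSDBA gid and its listed members.
        FNR == NR {
            if ($1 == osdba) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++)
                    if (m[i] != "") print m[i] "\tmember of " osdba
            }
            next
        }
        # Second file (passwd): uid 0 can su to the Oracle owner;
        # a primary gid equal to the OSDBA gid is membership as well.
        $3 == 0                { print $1 "\tuid 0 (can su to the Oracle owner)" }
        gid != "" && $4 == gid { print $1 "\tprimary group " osdba }
    ' "$group_file" "$passwd_file" | sort -u
}

# Constructed sample data, not taken from any real host.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid 0 account:/root:/bin/sh
oracle:x:501:501:Oracle owner:/home/oracle:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:502::/home/carol:/bin/bash
EOF
    cat > "$tmp/group" <<'EOF'
root:x:0:
oinstall:x:501:oracle
dba:x:502:oracle,alice
users:x:100:alice,bob
EOF
    sysdba_capable "$tmp/passwd" "$tmp/group"
    rm -rf "$tmp"
}

demo
```

On a real host the arguments would be /etc/passwd and /etc/group; accounts defined only in LDAP or NIS are not covered by reading those files.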
