Pete Finnigan's Oracle Security Forum
        (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
      

        Oracle Security >> Oracle Security >> Access privilege to DBAs
        
(Message started by: Pete Finnigan on Nov 20th, 2008, 9:34pm)
Title: Access privilege to DBAs
Post by Pete Finnigan on Nov 20th, 2008, 9:34pm
Hello

From Security perspective, how reasonable it is to say that -

1.DBAs will use their “personal” accounts for all DBA activities that do not absolutely require the use of the “oracle” account.  
2.Personal accounts will be used for creating exports
3.oracle account and members of the DBA group can look at the *dump contents (or equivalent in 11g)

Is there any concern in having such kind of policy. Please advice.

Thanks,
Roopesh
Title: Re: Access privilege to DBAs
Post by Pete Finnigan on Nov 22nd, 2008, 4:49pm
Sometimes it is best to know which side of the fence the question starts from.

If the origination comes from a pure security perspective (CISSP, for example), then they are looking for accountability.  They want to know exactly who did something.  This is difficult when there are multiple ways to disguise the originating person, and this by accident, not deliberately.  Any request done when connecting as SYSDBA, as the oracle account, as DBSNMP or SYS or SYSTEM, etc. has this masking problem.  

That is why security folks want Administrative Procedures such as: use the oracle account only when you have to, use the SYS account only when you have to, etc., and, in general, use your own personal account when it has enough juice to get the work done.

When DBAs hear about this type of request, they get unhappy.  The argument which turns them around is: what happens when there is an outage, a long outage, due to a procedural error issued by one of these group accounts?  Wouldn't it be faster/better/easier to know who issued the mistake?  Wouldn't you get more sleep?  Do you really want to get blamed for mistakes made by the idiot in the next cubby who has access to the oracle account?

It then becomes a long analysis and design session to determine all the group accounts, their uses, and appropriate procedures.  Good luck.
Title: Re: Access privilege to DBAs
Post by Pete Finnigan on Nov 22nd, 2008, 10:12pm
Thanks for the reply maaiwuji.

My question was not related to Oracle account in the Database like SYS, SYSTEM or SYSDBA. BUT it was related to UNIX account.

Actually in this organization, all the DBAs are connecting as SYSDBA but for some of the DBA tasks they are supposed to use their own unix account. For example, roopuni will be able to shutdown or startup the listener, if "roopuni" is the UNIX user for the person by the name ROOPUNI.

Hope I am clear more this time.


Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright © 2000-2004 Yet another Bulletin Board