RE: Database security
- From: "Niall Litchfield" <n-litchfield@xxxxxxxxxxxxxxxxxxxxxxx>
- To: <oracle-l@xxxxxxxxxxxxx>
- Date: Wed, 17 Mar 2004 10:01:28 +0000
Hi Jared
In the end I don't think that there are any 'technical' solutions to stopping
SA staff from gaining complete control over a database. On any OS. I think it
has to be policies and procedures. Isn't there also a rather simpler drawback
to the approach you mentioned, just move the password file and use orapwd to
recreate a new one with the password of your choice. :( The fundamental thing
about technology security ISTM is that you don't rely on the technology for
security, it gives a false sense of assurance. Obvioulsy this isn't a
recommendation to leave the system insecure :(
Niall Litchfield
Oracle DBA
Audit Commission
+44 117 975 7805
> -----Original Message-----
> From: Jared.Still@xxxxxxxxxxx
> Sent: 16 March 2004 22:36
> To: Jared.Still@xxxxxxxxxxx; oracle-l@xxxxxxxxxxxxx
> Subject: Database security
>
>
> List,
>
> Here in the midst of Sarbanes Oxley, I've been pondering methods
> that might be used to prevent a system administrator from connecting
> to any databases running on that box.
>
> I know that it is possible to setup Oracle on Windows so that without
> a password, you cannot logon to the database as sysdba.
>
> eg. sqlplus "/ as sysdba" will require a password.
>
> The caveat to this is that the SA can simply:
>
> * stop the Oracle service
> * change the init.ora parm remote_login_passwordfile to 'none'
> * start up the database
> * create a dba account
> * shutdown the database
> * re-enable the password file
> * restart the database
>
> That won't get you SYSDBA, but it will get you DBA, which is probably
> enough
> for any nefarious activities.
>
> On *nix it is a bit different of course. Anyone with root
> can simply su
> to oracle.
>
> I have been perusing Pete Finnigan's "Oracle Security
> Step-by-Step" but
> have
> not yet found information pertaining to this particular
> topic, other than
> revoking
> privs from the DBA account. That action is not applicable
> here, as the
> team of
> DBA's consists of me by myself.
>
> And TIA Mladen, but I already know how it works on unix, and
> that MS is
> the
> dark side of the force, but is unfortunately what I have to
> live with.
>
> Jared
>
>
**********************************************************************
This email contains information intended for
the addressee only. It may be confidential
and may be the subject of legal and/or
professional privilege. Any dissemination,
distribution, copyright or use of this
communication without prior permission of
the sender is strictly prohibited.
**********************************************************************
----------------------------------------------------------------
Please see the official ORACLE-L FAQ: http://www.orafaq.com
----------------------------------------------------------------
To unsubscribe send email to: oracle-l-request@xxxxxxxxxxxxx
put 'unsubscribe' in the subject line.
--
Archives are at //www.freelists.org/archives/oracle-l/
FAQ is at //www.freelists.org/help/fom-serve/cache/1.html
-----------------------------------------------------------------
Other related posts:
