RE: Database security

  • From: mkb <mkb125@xxxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Wed, 17 Mar 2004 05:36:51 -0800 (PST)

Yep, Dennis makes a good point.  

What's really needed here is a trusted OS like Argus
Systems Pit Bull.  I'm sure something similar is
available for MS, but trying to hack a way round
something that wasn't designed to stop admins is going
to be very difficult if not impossible or impractical.

Don't know much about these but I do know that even if
one gains root access, what one can do with root (or
admin privs) can be limited so for example, even root
or admins can be denied from executing certain code or
modifying/removing files.

These systems are not cheap but probably the only real
secure solution.

mohammed

--- DENNIS WILLIAMS <DWILLIAMS@xxxxxxxxxxxxx> wrote:
> Jared - I have doubts about denying anything to an administrator that is
> really determined. How about the DBAs being the only administrators on the
> box? When a sys admin task needed to be done that you can't do, then you
> could let them do it under your supervision. Just a thought.
> 
> 
> 
> Dennis Williams
> DBA
> Lifetouch, Inc.
> dwilliams@xxxxxxxxxxxxx 
> 
> -----Original Message-----
> From: oracle-l-bounce@xxxxxxxxxxxxx
> [mailto:oracle-l-bounce@xxxxxxxxxxxxx]On
> Behalf Of Jared.Still@xxxxxxxxxxx
> Sent: Tuesday, March 16, 2004 4:37 PM
> To: oracle-l@xxxxxxxxxxxxx
> Subject: Database security
> 
> 
> 
> List, 
> 
> Here in the midst of Sarbanes Oxley, I've been pondering methods
> that might be used to prevent a system administrator from connecting
> to any databases running on that box.
>
> I know that it is possible to set up Oracle on Windows so that without
> a password, you cannot log on to the database as sysdba.
>
> e.g.  sqlplus "/ as sysdba" will require a password.
> 
> The caveat to this is that the SA can simply: 
> 
> * stop the Oracle service
> * change the init.ora parm remote_login_passwordfile to 'none'
> * start up the database
> * create a dba account
> * shutdown the database
> * re-enable the password file
> * restart the database
> 
> That won't get you SYSDBA, but it will get you DBA, which is probably enough
> for any nefarious activities.
>
> On *nix it is a bit different of course.  Anyone with root can simply su to
> oracle.
> 
> I have been perusing Pete Finnigan's "Oracle Security Step-by-Step" but have
> not yet found information pertaining to this particular topic, other than
> revoking privs from the DBA account.  That action is not applicable here, as
> the team of DBAs consists of me by myself.
>
> And TIA Mladen, but I already know how it works on unix, and that MS is the
> dark side of the force, but is unfortunately what I have to live with.
> 
> Jared 
> 
> 
> 
>
----------------------------------------------------------------
> Please see the official ORACLE-L FAQ:
> http://www.orafaq.com
>
----------------------------------------------------------------
> To unsubscribe send email to: 
> oracle-l-request@xxxxxxxxxxxxx
> put 'unsubscribe' in the subject line.
> --
> Archives are at
> //www.freelists.org/archives/oracle-l/
> FAQ is at
> //www.freelists.org/help/fom-serve/cache/1.html
>
-----------------------------------------------------------------
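
Added example, not part of the original thread: a review query for the outcome of the step list quoted above (a new account holding DBA, created around an instance restart). It uses the standard views DBA_ROLE_PRIVS, DBA_USERS and V$INSTANCE; the allow-list table ALLOWED_DBAS and the 24-hour window are assumptions made for this example.

```sql
-- Added example, not from the thread.
-- ALLOWED_DBAS is a hypothetical allow-list table (one USERNAME per row)
-- kept by the DBA; SYS and SYSTEM belong on it because they hold DBA by default.
-- The 24-hour window before the last startup is an arbitrary assumption.
SELECT u.username,
       u.created,
       i.startup_time,
       CASE
         WHEN a.username IS NULL THEN 'NOT ON ALLOW-LIST'
         ELSE 'expected'
       END AS allow_list_status,
       CASE
         -- Oracle date arithmetic is in days: startup_time - 1 is 24 hours earlier
         WHEN u.created BETWEEN i.startup_time - 1 AND i.startup_time
         THEN 'created within 24h before last startup'
       END AS restart_note
FROM   dba_role_privs p
       JOIN dba_users u ON u.username = p.grantee          -- users only, not roles
       CROSS JOIN v$instance i                             -- last instance startup
       LEFT JOIN allowed_dbas a ON a.username = u.username -- hypothetical table
WHERE  p.granted_role = 'DBA'
ORDER  BY u.created DESC;
```

The query covers only direct grants of the DBA role, not DBA reached through another role or individually granted system privileges.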

