Re: Prevent Root access from database



Billy wrote:
DA Morgan wrote:


I understand your sentiment but it is no longer reasonable in the US and
some other countries to take that approach.

If root can access the database, without auditing, then you have a
clear-cut violation of United States Federal law.


Daniel, we also have laws about privacy and about lawful intercept and
so on.

And I agree that a 'sensitive' database should be protected at sysdba
level via auditing (which means any user and not just root gets audited
at that level).

But to attempt to change the fundamental o/s and security architecture
- like denying root su access into an oracle account - that I do have a
problem with.

A problem you may have but I am aware of at least one auditing firm in this country that will refuse to sign off on a compliance audit if UNIX system administrators can gain access to the database.

And some of what is done to prevent it is contorted ... but effective.

The issue is putting the horses in front of the cart. Business not only
stating the problem (root can access Oracle as sysdba), but also the
solution (hack the o/s to prevent this). Not to mention that the
problem is too vague to determine the solution. What needs to be
protected on the database side?

The solution is not to hack the O/S: That's just plain ridiculous as well as dangerous. There are very simple solutions to the problem that don't require writing a single line of code.

--
Billy

-- Daniel A. Morgan http://www.psoug.org damorgan@xxxxxxxxxxxxxxxx (replace x with u to respond)


