Oracle CIS Hardening Standards for UNIX [message #343301]
Tue, 26 August 2008 20:15
bnienhau
I am in the midst of applying, or not, company mandated hardening standards for our Oracle databases. One of the items being pushed on us is the following:
================================================================
For Unix systems, create unique user accounts for
each Oracle process/service in order to differentiate
accountability and file access controls. The user for the
intelligent agent, the listener, and the database must be
separated.
================================================================
Our site has all basic database and related components installed, owned and controlled by the UNIX Oracle account. Has anyone out there ever applied the above from scratch/fresh installs or even migrating existing installs like mine? As I don't want to apply this snippet, I'll take any technical arguments y'all can give me to avoid said implementation.
Thanks mucho.
rob
Re: Oracle CIS Hardening Standards for UNIX [message #343693 is a reply to message #343688]
Wed, 27 August 2008 17:33
ThomasG
I'll help out with some "against" arguments:
(My gut feeling also tells me that it's not going to work)
There are some basic libraries that EVERY Oracle process needs access to, so every "new" oracle user would have access to those and could wreak havoc with them. So by having multiple users, any attacker would probably have more angles to attack the server, since those files that can now be set to oracle-user-only permissions must then have some group permissions, too.
Do they have similar requirements for the root user, by the way? The Oracle user is for Oracle basically what the root user is for the entire box. Maybe you could team up with those admins to make your case.
Just to be complete:
It definitely makes sense to run any software that uses Oracle, like batch jobs, exports/imports, whatever programs run on the box that access the database, under a separate non-privileged user and use the oracle user login only for system maintenance. But I guess it is already set up that way.
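The reply above turns on shared files needing group permissions once the accounts are split. As an added example (not part of the thread or of the CIS benchmark), this script audits a tree for entries that the group or everyone can modify, so shared libraries can stay group-readable without being group-writable; the directory layout and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): permission audit for a software tree
# shared by several service accounts through a common group.

# Files/directories that any member of the owning group can modify.
list_group_writable() {
    find "$1" \( -type f -o -type d \) -perm -020 -print | sort
}

# Files/directories that every local account can modify.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -print | sort
}

# Print findings; return 1 if anything is writable beyond the owner.
audit_shared_tree() {
    gw=$(list_group_writable "$1")
    ww=$(list_world_writable "$1")
    [ -n "$gw" ] && printf 'group-writable:\n%s\n' "$gw"
    [ -n "$ww" ] && printf 'world-writable:\n%s\n' "$ww"
    [ -z "$gw" ] && [ -z "$ww" ]
}

# Constructed sample tree standing in for a shared software home.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/lib" "$t/network"
    : > "$t/lib/libshared.so";     chmod 640 "$t/lib/libshared.so"      # group reads only
    : > "$t/lib/libpatched.so";    chmod 660 "$t/lib/libpatched.so"     # group may modify
    : > "$t/network/listener.cfg"; chmod 666 "$t/network/listener.cfg"  # anyone may modify
    chmod 750 "$t/lib" "$t/network"
    echo "$t"
}

# Demo run on the constructed tree.
sample=$(make_sample_tree)
audit_shared_tree "$sample" || echo "review the paths listed above"
rm -rf "$sample"
```

On a real host, point `audit_shared_tree` at the installed software home and compare the output before and after the account split.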