HPE Community
Operating System - HP-UX
1752815 Members
5811 Online
108789 Solutions
New Discussion юеВ

disabling su -oracle

 
SOLVED
Go to solution
Mynor Aguilar
Valued Contributor

тАО07-08-2006 06:29 PM

тАО07-08-2006 06:29 PM

disabling su -oracle

Hi, Due to some problems, i need to restrict the su -oracle command for the root, i know this sounds silly but i need a way to block system administrator to log into the oracle (or make su -oracle to ask him for a password).
The main problem is that the System administrator uses this command, logs into de DB and make changes, we are unable to see who make these changes since the logs said it was oracle user. is it any way to do this??
thanks.
0 Kudos
Reply
3 REPLIES 3
Steven E. Protter
Exalted Contributor

тАО07-08-2006 07:32 PM

тАО07-08-2006 07:32 PM

Solution

Re: disabling su -oracle

Shalom,

Be aware that disabling su - oracle will prevent root from starting Oracle automatically when the system is started.

An operator will then be required to log on as oracle and execute the startup scripts manually.

You can modify pam.d to force password on the oracle user with the above effects.

This issue appears to be a personnel issue and solving it with the system is likely to have bad side effects. The /etc/pam.d directory is reasonably well documented if you wish to proceed. I believe you can comment out one line and you will acheive what you wish.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Reply
Mynor Aguilar
Valued Contributor

тАО07-09-2006 02:56 AM

тАО07-09-2006 02:56 AM

Re: disabling su -oracle

Thanks,
You're right, that would solve my problem but it might have really negative impacts. Is there any way to audit who and when somedoby uses the "su -oracle" command? it would be at least a little bit easier to determine if the system administrator is modifying something on the DB.


Thanks for your help.
0 Kudos
Reply
James R. Ferguson
Acclaimed Contributor

тАО07-09-2006 03:05 AM

тАО07-09-2006 03:05 AM

Re: disabling su -oracle

Hi Mynor:

The use of 'su' is audited in the '/var/adm/sulog' file. Both successful and unsuccessful transitions are recorded.

SU 07/09 10:59 + ttyp1 root-jrf
SU 07/09 11:00 - ttyp3 jrf-root
SU 07/09 11:01 + ttyp3 jrf-root

...The "+" denotes success; the "-" indicates failure. In the first line, a sucessful switch was made from 'root' to 'jrf'. In the last line, a sucessful switch occured from 'jrf' to 'root'.

There are also a few controls available with the '/etc/default/security' file.

http://www.docs.hp.com/en/B2355-60127/su.1.html

http://www.docs.hp.com/en/B2355-60127/security.4.html

Regards!

...JRF...
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.