disabling su -oracle

SOLVED
Mynor Aguilar
Valued Contributor

disabling su -oracle

Hi, Due to some problems, I need to restrict the su -oracle command for root. I know this sounds silly, but I need a way to block the system administrator from logging in as oracle (or make su -oracle ask him for a password).
The main problem is that the system administrator uses this command, logs into the DB and makes changes; we are unable to see who made these changes since the logs say it was the oracle user. Is there any way to do this?
Thanks.
3 REPLIES
Steven E. Protter
Exalted Contributor
Solution

Re: disabling su -oracle

Shalom,

Be aware that disabling su - oracle will prevent root from starting Oracle automatically when the system is started.

An operator will then be required to log on as oracle and execute the startup scripts manually.

You can modify pam.d to force password on the oracle user with the above effects.

This issue appears to be a personnel issue and solving it with the system is likely to have bad side effects. The /etc/pam.d directory is reasonably well documented if you wish to proceed. I believe you can comment out one line and you will achieve what you wish.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Mynor Aguilar
Valued Contributor

Re: disabling su -oracle

Thanks,
You're right, that would solve my problem but it might have really negative impacts. Is there any way to audit who and when somebody uses the "su -oracle" command? It would be at least a little bit easier to determine if the system administrator is modifying something on the DB.


Thanks for your help.
James R. Ferguson
Acclaimed Contributor

Re: disabling su -oracle

Hi Mynor:

The use of 'su' is audited in the '/var/adm/sulog' file. Both successful and unsuccessful transitions are recorded.

SU 07/09 10:59 + ttyp1 root-jrf
SU 07/09 11:00 - ttyp3 jrf-root
SU 07/09 11:01 + ttyp3 jrf-root

...The "+" denotes success; the "-" indicates failure. In the first line, a successful switch was made from 'root' to 'jrf'. In the last line, a successful switch occurred from 'jrf' to 'root'.

There are also a few controls available with the '/etc/default/security' file.

http://www.docs.hp.com/en/B2355-60127/su.1.html

http://www.docs.hp.com/en/B2355-60127/security.4.html

Regards!

...JRF...
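
Added example, not part of the reply above or of any HP-UX tool: a small shell/awk filter that reads lines in the sulog layout shown in the sample (`SU date time +|- tty from-to`) and lists every switch into one target account, successful or failed. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the sulog layout quoted above (not from a real system).
sample_sulog() {
cat <<'EOF'
SU 07/09 10:59 + ttyp1 root-jrf
SU 07/09 11:00 - ttyp3 jrf-root
SU 07/09 11:01 + ttyp3 jrf-root
SU 07/09 11:05 + ttyp3 root-oracle
SU 07/09 11:20 - ttyp4 jrf-oracle
garbage line
EOF
}

# su_report TARGET
# Reads sulog lines on stdin and prints "date time OK|FAIL tty from-user"
# for each attempt to switch INTO the TARGET account.
su_report() {
    awk -v target="$1" '
        # Accept only well-formed records; skip anything else silently.
        $1 == "SU" && NF == 6 && ($4 == "+" || $4 == "-") {
            # Field 6 is "from-to". Match on the "-TARGET" suffix so that a
            # hyphen inside the source user name does not break the split.
            # (A target name that itself follows a hyphenated account, e.g.
            # "db-oracle", would be ambiguous; the log format cannot tell.)
            suffix = "-" target
            n = length($6) - length(suffix)
            if (n < 1 || substr($6, n + 1) != suffix) next
            from = substr($6, 1, n)
            printf "%s %s %s %s %s\n", $2, $3, ($4 == "+" ? "OK" : "FAIL"), $5, from
        }'
}

# Demo on the constructed sample. On a live system the input would be the
# audit file named in the reply:  su_report oracle < /var/adm/sulog
sample_sulog | su_report oracle
```

The output gives the terminal and time of each transition, which can then be matched against login records for that terminal to see who was at the root session.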