disabling su -oracle

Mynor Aguilar
Valued Contributor

disabling su -oracle

Hi, due to some problems, I need to restrict the su -oracle command for root. I know this sounds silly, but I need a way to block the system administrator from logging in as oracle (or make su -oracle ask him for a password).
The main problem is that the system administrator uses this command, logs into the DB and makes changes; we are unable to see who made these changes since the logs say it was the oracle user. Is there any way to do this?
Steven E. Protter
Exalted Contributor

Re: disabling su -oracle


Be aware that disabling su - oracle will prevent root from starting Oracle automatically when the system is started.

An operator will then be required to log on as oracle and execute the startup scripts manually.

You can modify pam.d to force password on the oracle user with the above effects.

This issue appears to be a personnel issue and solving it with the system is likely to have bad side effects. The /etc/pam.d directory is reasonably well documented if you wish to proceed. I believe you can comment out one line and you will achieve what you wish.

Steven E Protter
Owner of ISN Corporation
Mynor Aguilar
Valued Contributor

Re: disabling su -oracle

You're right, that would solve my problem but it might have really negative impacts. Is there any way to audit who uses the "su -oracle" command and when? It would be at least a little bit easier to determine if the system administrator is modifying something on the DB.

Thanks for your help.
James R. Ferguson
Acclaimed Contributor

Re: disabling su -oracle

Hi Mynor:

The use of 'su' is audited in the '/var/adm/sulog' file. Both successful and unsuccessful transitions are recorded.

SU 07/09 10:59 + ttyp1 root-jrf
SU 07/09 11:00 - ttyp3 jrf-root
SU 07/09 11:01 + ttyp3 jrf-root

...The "+" denotes success; the "-" indicates failure. In the first line, a successful switch was made from 'root' to 'jrf'. In the last line, a successful switch occurred from 'jrf' to 'root'.

There are also a few controls available with the '/etc/default/security' file.
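
An added example, not part of the posts above: a small filter over sulog-format lines that reports every switch into the oracle account and, when the source user is root, names the user who last became root on the same tty. The function names `su_audit` and `sample_sulog` are hypothetical, the "via" attribution is a heuristic assumed here, and the sample lines after the first three are constructed.

```shell
#!/bin/sh
# Added example: report su transitions into a target account from sulog-format
# lines read on stdin. Format, as in the sample in the thread:
#   SU MM/DD HH:MM +|- tty fromuser-touser
# Output per match: date time result tty fromuser via=<user>
# "via" is a heuristic (assumption): when root switches to the target, it is
# the user of the most recent successful su to root on that tty, else "direct".
su_audit() {
    target=${1:-oracle}
    awk -v target="$target" '
    $1 == "SU" && NF >= 6 {
        result = ($4 == "+") ? "ok" : "FAILED"
        tty = $5; pair = $6
        suffix = "-" target
        # Remember who became root on each tty (successful switches only);
        # 5 is the length of the "-root" suffix.
        if ($4 == "+" && length(pair) > 5 && substr(pair, length(pair) - 4) == "-root")
            became_root[tty] = substr(pair, 1, length(pair) - 5)
        # Match on the "-target" suffix so hyphens in the source name survive.
        n = length(pair) - length(suffix)
        if (n < 1 || substr(pair, n + 1) != suffix) next
        from = substr(pair, 1, n)
        via = "direct"
        if (from == "root" && (tty in became_root)) via = became_root[tty]
        print $2, $3, result, tty, from, "via=" via
    }'
}

# Sample input: first three lines are from the thread, the rest are constructed.
sample_sulog() {
cat <<'EOF'
SU 07/09 10:59 + ttyp1 root-jrf
SU 07/09 11:00 - ttyp3 jrf-root
SU 07/09 11:01 + ttyp3 jrf-root
SU 07/09 11:05 + ttyp3 root-oracle
SU 07/09 11:20 + console root-oracle
SU 07/09 11:30 - ttyp4 ops-1-oracle
EOF
}

sample_sulog | su_audit oracle
```

On a live system the input would be `/var/adm/sulog` itself, for example `su_audit oracle < /var/adm/sulog`; a "via=direct" entry for root means no earlier su to root was logged on that tty, so the root session came from a direct login.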