HPE Community
Operating System - HP-UX
1836841 Members
2766 Online
110110 Solutions
New Discussion

Re: How to Prevent Login to Oracle acct

 
SOLVED
Go to solution
Charlie Hoffman
Occasional Advisor

‎05-24-2006 01:47 AM

‎05-24-2006 01:47 AM

How to Prevent Login to Oracle acct

I have a Oracle DBA that refuses to login using his personal account, as per our standards. He continues to login directly to the oracle account. This prevents tracking user actions as required by SOX.
I am running HPUX 11i. I know I can add a test to the login script but there must be a way to restrict normal logins using somthing similar to what is done with root login.

We want the user to log into the system as themselves then su to oracle.

Is there a way to prevent this user from logging directly into oracle through security or pam?
0 Kudos
7 REPLIES 7
Patrick Wallek
Honored Contributor

‎05-24-2006 01:52 AM

‎05-24-2006 01:52 AM

Re: How to Prevent Login to Oracle acct

Change the password and don't tell them what it is.

Then install sudo and write a little script that does:

# cat sudo_oracle
#!/usr/bin/sh
sudo su - oracle

Add the users to the sudo configuration and force them to use the above script.
0 Kudos
Ivan Ferreira
Honored Contributor

‎05-24-2006 02:14 AM

‎05-24-2006 02:14 AM

Re: How to Prevent Login to Oracle acct

If you don't wan to use sudo, you can add something like this to the /etc/profile:

whoisit="$(who -m | awk '{print $1}')"
if [ "${whoisit}" = "oracle" ]
then
echo "Direct login not possible, logon as your account and use su - oracle"
exit 1
fi
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
0 Kudos
MANOJ SRIVASTAVA
Honored Contributor

‎05-24-2006 02:20 AM

‎05-24-2006 02:20 AM

Solution

Re: How to Prevent Login to Oracle acct

You can do like this

this is how we do it for root and oracle :


loginid=`who am i | awk '{print $1}'`
echo $loginid
if [ $loginid = oracle ]
then
exit
fi

echo $loginid
if [ $loginid = root ]
then
exit
fi
These lines are to be added in /etc/profile
You can change the id to whatever you want to restrict , then the suer will ahve to su to the the id .


or
look at this thread
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=960227

Manoj Srivastava
0 Kudos
Rick Garland
Honored Contributor

‎05-24-2006 02:29 AM

‎05-24-2006 02:29 AM

Re: How to Prevent Login to Oracle acct

On 11.23 the RBAC is available.
Role Based Access Control

0 Kudos
JASH_2
Trusted Contributor

‎05-24-2006 08:17 PM

‎05-24-2006 08:17 PM

Re: How to Prevent Login to Oracle acct

Charlie,

The trouble with adding anything into the .profile of a user, even oracle and root, is that once the user has finally su - to the "super user" then they can just change the .profile back to how it was. You may never notice!

May well be worth thinking about sudo.

Just a thought.

JASH
If I can, I will!
0 Kudos
Charlie Hoffman
Occasional Advisor

‎05-24-2006 09:40 PM

‎05-24-2006 09:40 PM

Re: How to Prevent Login to Oracle acct

I thought the same thing. I hope that someone can explain how PAM can be used in this situation.
0 Kudos
Charlie Hoffman
Occasional Advisor

‎05-29-2006 10:57 PM

‎05-29-2006 10:57 PM

Re: How to Prevent Login to Oracle acct

There does not seem to be a good solution for this issue other than use of a third party program. Thanks for the help.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.