Oracle CIS Hardening Standards for UNIX


  1. #1
    Join Date
    Aug 2008
    Posts
    2

    Oracle CIS Hardening Standards for UNIX

    I am in the midst of applying, or not, company mandated hardening standards for our Oracle databases. One of the items being pushed on us is the following;
    =========================================================
    For Unix systems, create unique user accounts for
    each Oracle process/service in order to differentiate
    accountability and file access controls. The user for the
    intelligent agent, the listener, and the database must be
    separated.
    =========================================================
    Our site has all basic database and related components installed, owned and controlled by the UNIX Oracle account. Has anyone out there ever applied the above from scratch/fresh installs or even migrating existing installs like mine? As I don't want to apply this snippet, I'll take any technical arguments y'all can give me to avoid said implementation.

    Thanks mucho'.
    rob

  2. #2
    Join Date
    Jul 2002
    Location
    Lake Worth, FL
    Posts
    1,483

    Good and Bad.

    Check the installation guides and you will notice that the only difference between the software owner accounts is the group; you can argue that "Oracle" recommends...blah...blah...blah...

    Also, for example: for 10g Grid Control to work to its "fullest" (centralized deployments, patches, etc...), all Oracle software on a particular server (node) may need to be owned by the same account. There may be work-arounds, but it would make things harder to configure and manage.
    "The person who says it cannot be done should not interrupt the person doing it." --Chinese Proverb

  3. #3
    Join Date
    Aug 2008
    Posts
    2
    thanks !

  4. #4
    Join Date
    Jul 2002
    Location
    Lake Worth, FL
    Posts
    1,483

    sudo

    What is normally done is that each person will log in with their own account (or his/her network account) and sudo to the oracle account, which keeps a record of logins per person.
    "The person who says it cannot be done should not interrupt the person doing it." --Chinese Proverb
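The accountability scheme in post #4, as an added example that is not part of the thread: a Python script that reads sudo and sshd lines (constructed sample lines below, in the syslog format sudo and OpenSSH write to auth.log) and attributes every action taken on the shared oracle account to the person who ran sudo, while flagging direct logins into the account, which leave no per-person record and defeat the scheme. The sudoers rule in the comment, the host name, user names and paths are assumptions for the example.

```python
import re
from collections import defaultdict

# Assumed sudoers rule for the scheme: members of the dba group may become
# oracle without getting root:   %dba ALL=(oracle) /bin/su - oracle

# Constructed sample auth.log lines (not from the thread).
SAMPLE_AUTH_LOG = """\
Aug 14 09:02:11 db01 sudo:     rob : TTY=pts/0 ; PWD=/home/rob ; USER=oracle ; COMMAND=/bin/su - oracle
Aug 14 09:15:42 db01 sudo:    jane : TTY=pts/1 ; PWD=/home/jane ; USER=oracle ; COMMAND=/u01/app/oracle/bin/lsnrctl stop
Aug 14 09:20:05 db01 sudo:     rob : TTY=pts/0 ; PWD=/home/rob ; USER=root ; COMMAND=/bin/su - oracle
Aug 14 10:01:30 db01 sshd[2201]: Accepted password for oracle from 10.0.0.25 port 51022 ssh2
Aug 14 10:05:00 db01 sudo:    jane : TTY=pts/1 ; PWD=/home/jane ; USER=oracle ; COMMAND=/u01/app/oracle/bin/lsnrctl start
"""

# sudo logs the invoking user, the target user (USER=) and the command.
SUDO_RE = re.compile(r"sudo:\s+(?P<who>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
# sshd logs successful logins with the account name and source address.
DIRECT_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")


def attribute_oracle_actions(log_text, shared_account="oracle"):
    """Return (per_person, direct_logins).

    per_person maps each real user to the commands they ran as the shared
    account through sudo; direct_logins lists the source addresses of SSH
    logins straight into the shared account, for which no person is recorded.
    """
    per_person = defaultdict(list)
    direct_logins = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if m:
            # Both 'sudo -u oracle <cmd>' (USER=oracle) and 'sudo su - oracle'
            # (USER=root, command ends in 'su - oracle') land in the shared account.
            became_shared = (m["target"] == shared_account
                             or m["cmd"].endswith(f"su - {shared_account}"))
            if became_shared:
                per_person[m["who"]].append(m["cmd"])
            continue
        d = DIRECT_RE.search(line)
        if d and d["user"] == shared_account:
            direct_logins.append(d["src"])
    return dict(per_person), direct_logins


if __name__ == "__main__":
    people, direct = attribute_oracle_actions(SAMPLE_AUTH_LOG)
    for who, cmds in people.items():
        print(f"{who}: {len(cmds)} action(s) as oracle -> {cmds}")
    print("direct logins to oracle (unattributable):", direct)
```

Run against the real auth.log on the database host; any entry in the direct-login list is a session the sudo scheme cannot tie to a person.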
