I am in the midst of applying, or not, company mandated hardening standards for our Oracle databases. One of the items being pushed on us is the following:
=========================================================
For Unix systems, create unique user accounts for
each Oracle process/service in order to differentiate
accountability and file access controls. The user for the
intelligent agent, the listener, and the database must be
separated.
=========================================================
Our site has all basic database and related components installed, owned and controlled by the UNIX Oracle account. Has anyone out there ever applied the above from scratch/fresh installs or even migrating existing installs like mine? As I don't want to apply this snippet, I'll take any technical arguments y'all can give me to avoid said implementation.
Check the installation guides and you will notice that the only difference between the software owner accounts is the group; you can argue that "Oracle" recommends...blah...blah...blah...
Also, for example: for 10g Grid control to work to its "fullest" (centralized deployments, patches, etc...), all Oracle software on a particular server (node) may need to be owned by the same account. There may be work-arounds, but it would make things harder to configure and manage.
"The person who says it cannot be done should not interrupt the person doing it." --Chinese Proverb
What is normally done is that each person will log in with their own account (or his/her network account) and sudo to the oracle account; that keeps a record of logins per person.
"The person who says it cannot be done should not interrupt the person doing it." --Chinese Proverb
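The per-person record mentioned in the reply above can be checked mechanically. The following is an added example, not part of the original thread: it parses sudo and sshd syslog lines, lists who became the shared `oracle` account through sudo, and flags direct logins as `oracle`, which leave no record of the person. The host name, user names, paths and log lines are constructed, and the standard sudo/OpenSSH syslog line format is assumed.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not taken from the thread).
SAMPLE_LOG = """\
Mar  3 09:14:02 dbhost01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=oracle ; COMMAND=/bin/bash
Mar  3 09:40:17 dbhost01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=oracle ; COMMAND=/u01/app/oracle/bin/lsnrctl status
Mar  3 10:02:55 dbhost01 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/less /var/log/messages
Mar  3 11:30:41 dbhost01 sshd[4211]: Accepted password for oracle from 192.0.2.15 port 50022 ssh2
Mar  3 11:45:09 dbhost01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=oracle ; COMMAND=/usr/bin/sqlplus / as sysdba
"""

# sudo logs the invoking user, the target user and the command.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sudo(?:\[\d+\])?:\s+(?P<who>\S+) : "
    r".*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
# sshd logs only the account that was logged in to, not the person behind it.
SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Accepted \S+ for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+")

def audit_shared_account(log_text, shared="oracle"):
    """Return (per-person sudo use of `shared`, direct logins as `shared`)."""
    per_person = defaultdict(list)
    direct = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            if m["target"] == shared:
                per_person[m["who"]].append((m["ts"], m["cmd"]))
            continue
        m = SSH_RE.match(line)
        if m and m["user"] == shared:
            # Accountability gap: nothing ties this session to a named person.
            direct.append((m["ts"], m["src"]))
    return dict(per_person), direct

if __name__ == "__main__":
    people, direct = audit_shared_account(SAMPLE_LOG)
    for who, events in sorted(people.items()):
        for ts, cmd in events:
            print(f"{ts}  {who} -> oracle  {cmd}")
    for ts, src in direct:
        print(f"{ts}  DIRECT LOGIN as oracle from {src} (no individual identity)")
```
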