Home » Infrastructure » Unix » Oracle CIS Hardening Standards for UNIX (9i, 10g, 11g database-agent-listener for Solaris)
Oracle CIS Hardening Standards for UNIX [message #343301] Tue, 26 August 2008 20:15 Go to next message
bnienhau
Messages: 4
Registered: June 2008
Junior Member
I am in the midst of applying, or not, company mandated hardening standards for our Oracle databases. One of the items being pushed on us is the following;
================================================================
For Unix systems, create unique user accounts for
each Oracle process/service in order to differentiate
accountability and file access controls. The user for the
intelligent agent, the listener, and the database must be
separated.
================================================================
Our site has all basic database and related components installed, owned and controlled by the UNIX Oracle account. Has anyone out there ever applied the above from scratch/fresh installs or even migrating existing installs like mine? As I don;t want to apply this snippet, I'll take any technical arguments ya'll can give me to avoid said implementation.

Thanks mucho'.
rob
Re: Oracle CIS Hardening Standards for UNIX [message #343685 is a reply to message #343301] Wed, 27 August 2008 16:46 Go to previous messageGo to next message
ebrian
Messages: 2794
Registered: April 2006
Senior Member
You could setup sudo for each component.
Re: Oracle CIS Hardening Standards for UNIX [message #343688 is a reply to message #343301] Wed, 27 August 2008 16:59 Go to previous messageGo to next message
BlackSwan
Messages: 26766
Registered: January 2009
Location: SoCal
Senior Member
>I'll take any technical arguments ya'll can give me to avoid said implementation.
I doubt it can be made to work.
Since it is impossible to prove a negative, you may have a challenge for the near term.

Nothing is impossible for the person who does not have to do it.

It appears to me these "requirements" came from a PHB who could not spell S-Q-L with the aid of a cheat sheet.
Re: Oracle CIS Hardening Standards for UNIX [message #343693 is a reply to message #343688] Wed, 27 August 2008 17:33 Go to previous messageGo to next message
ThomasG
Messages: 3211
Registered: April 2005
Location: Heilbronn, Germany
Senior Member
I'll help out with some "against" arguments:

(My gut feeling also tells me that it's not going to work)

There are some basic libraries that EVERY oracle process needs access to, so every "new" oracle user would have access to those and could wreak havoc with them. So by having multiple user any attacker would probably have more angles to attack the server since those files that can now could be set to oracle-user only permissions must then have some group permissions, too.

Do they have similar requirements for the root user by the way? The Oracle user is for Oracle basically what the root user is for the entire box. Maybe You could team up with those admins, to make your case.

Just to be complete:
It definitely makes sense to run any software that uses Oracle, like batch jobs, exports/imports, whatever programs runs on the box that accesses the database under a separate non-privileged user and use the oracle user login only for system maintenance. But I guess it is already set up that way.


Re: Oracle CIS Hardening Standards for UNIX [message #343852 is a reply to message #343301] Thu, 28 August 2008 06:14 Go to previous messageGo to next message
bnienhau
Messages: 4
Registered: June 2008
Junior Member
Thank u all for your responses.

Am proceeding to author a dazzling array of baffling verb/noun combinations supporting the argument against applying said hardening standard to confuse those who need to be.

rob
Re: Oracle CIS Hardening Standards for UNIX [message #344400 is a reply to message #343852] Fri, 29 August 2008 12:49 Go to previous message
andrew again
Messages: 2577
Registered: March 2000
Senior Member
http://www.petefinnigan.com/forum/yabb/YaBB.cgi?board=ora_sec;action=display;num=1150219028

[Updated on: Fri, 29 August 2008 12:50]

Report message to a moderator

Previous Topic: oracle script run in unix shell
Next Topic: Unable to run runInstaller - can't create .Xauthority
Goto Forum:
  


Current Time: Fri Mar 29 07:56:10 CDT 2024