Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Help! Trying to implement some security on our SUN servers....

Status
Not open for further replies.
Taraporter

Taraporter

Technical User
Apr 1, 2002
26
0
0
US
Hello All,


I have been tasked with finding a solution to a common problem. We are running Solaris 8. We have a generic username of 'oracle' that is used for the oracle systems and database administrators. In the past, we have had problems where 2 or 3 adminiistrators are logged in as 'oracle' and someone does something wrong. No one takes the blame for it. We want to force oracle administrators to login as themsleves and be assigned all oracle group permissions WITHOUT having to 'su' to oracle. Ideally, we would like to prevent anyone from su-ing to oracle and allow only the oracle server to login as oracle.

Does anyone have any ideas on how to do this? Any help would be appreciated. I looked into RBAC, hoever, it doesn't prevent the user from su-ing to the oracle username. And once they su to oracle, all personal identity is lost. We want to try and prevent that. Thanks for any help.

Tara
 
Sort by date Sort by votes
I would create a userid for each DBA and make them all members of the 'dba' group, or whatever group is oracle's primariy group.
Although at this point they could su - oracle: but why?
They should have the same privs so no need to 'su' unless they wanted the anonimity, and you could monitor /var/adm/sulog - which logs every time an 'su' occurs, to see who and when.

Hope that gets you pointed in the right direction.....
I think you could make further restrictions (on su, etc) by using SAM...

-maxx
 
Upvote 0 Downvote
Thanks for the feedback. I'm not familiar with SAM. Can you point me in the direction for some information on that topic? Thanks.
Tara
 
Upvote 0 Downvote
Sorry, SAM is in HP-UX.........

The Solaris equiv is the Admintool ....

right click on the open desktop(just anywhere out in the field) of the CDE, this will give you a drill down menu, and just look for Admintool......or you can open a terminal and type 'admintool &'.

Or, you can do all this in the GUI 'Solaris Management Console'. This interface is pretty user friendly and self-explantatory.

Since I was giving you HP-UX info, you might want to check the path /var/adm/sulog also .......I know it's there it just might not be under var/adm

-maxx
 
Upvote 0 Downvote
Tara,

Along with Maxx's idea, you would not even really need the oracle user. Just having the DBA's in a DBA group would do it, but if you needed the oracle user, you could also add *LK* to field 2 in the /etc/shadow file so that the oracle user login is locked out(this also goes along with putting the DBA's in the oracle user's group).

Good Luck :eek:)

soladm
 
Upvote 0 Downvote
Thanks for your help. I believe we will go with the individual accounts using the oracle permissions.

Tara
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

arciua
  • Locked
  • Question
SUN Solaris 7: How to pin Workspace Menu?
Replies
0
Views
130
arciua
arciua
DTGMI
  • Locked
  • Question
Sun X4270 Server Alarm Won't Clear
Replies
0
Views
94
DTGMI
DTGMI
ZahidHaseeb1978
  • Locked
  • Question
Start /SYS on SUN SPARC does not start machine [SUN SPARC ENTERPRISE T-5240]
Replies
0
Views
87
ZahidHaseeb1978
ZahidHaseeb1978
tekmhe
  • Locked
  • Question
Using a PC, how to delete files from a Sunblade 150 IDE drive?
Replies
3
Views
108
SamBones
SamBones
DTGMI
  • Locked
  • Question
Sunblade 150 NVRAM IDPROM Reprogramming Issues
Replies
11
Views
266
frodete
frodete

Part and Inventory Search

Sponsor

Back
Top