Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Help! Trying to implement some security on our SUN servers....

Status
Not open for further replies.

Taraporter

Technical User
Apr 1, 2002
26
US
Hello All,


I have been tasked with finding a solution to a common problem. We are running Solaris 8. We have a generic username of 'oracle' that is used for the oracle systems and database administrators. In the past, we have had problems where 2 or 3 adminiistrators are logged in as 'oracle' and someone does something wrong. No one takes the blame for it. We want to force oracle administrators to login as themsleves and be assigned all oracle group permissions WITHOUT having to 'su' to oracle. Ideally, we would like to prevent anyone from su-ing to oracle and allow only the oracle server to login as oracle.

Does anyone have any ideas on how to do this? Any help would be appreciated. I looked into RBAC, hoever, it doesn't prevent the user from su-ing to the oracle username. And once they su to oracle, all personal identity is lost. We want to try and prevent that. Thanks for any help.

Tara
 
I would create a userid for each DBA and make them all members of the 'dba' group, or whatever group is oracle's primariy group.
Although at this point they could su - oracle: but why?
They should have the same privs so no need to 'su' unless they wanted the anonimity, and you could monitor /var/adm/sulog - which logs every time an 'su' occurs, to see who and when.

Hope that gets you pointed in the right direction.....
I think you could make further restrictions (on su, etc) by using SAM...

-maxx
 
Thanks for the feedback. I'm not familiar with SAM. Can you point me in the direction for some information on that topic? Thanks.
Tara
 
Sorry, SAM is in HP-UX.........

The Solaris equiv is the Admintool ....

right click on the open desktop(just anywhere out in the field) of the CDE, this will give you a drill down menu, and just look for Admintool......or you can open a terminal and type 'admintool &'.

Or, you can do all this in the GUI 'Solaris Management Console'. This interface is pretty user friendly and self-explantatory.

Since I was giving you HP-UX info, you might want to check the path /var/adm/sulog also .......I know it's there it just might not be under var/adm

-maxx
 
Tara,

Along with Maxx's idea, you would not even really need the oracle user. Just having the DBA's in a DBA group would do it, but if you needed the oracle user, you could also add *LK* to field 2 in the /etc/shadow file so that the oracle user login is locked out(this also goes along with putting the DBA's in the oracle user's group).

Good Luck :eek:)

soladm
 
Thanks for your help. I believe we will go with the individual accounts using the oracle permissions.

Tara
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top