©2015 -
HOW TO SECURE THE DATABASE OS USER IN SOLARIS
You can further strengthen the security of your database OS account, in this case the oracle account, by giving the user the no-login attribute. The same attribute should also be applied to the grid user if the two are separate OS accounts. No login means that users cannot log in directly as the oracle account. With the no-login property, however, the oracle user can still run its processes and nightly cron jobs. So, by providing a "no-
The following is an example of how to accomplish this.
CREATE A NO LOGIN ACCOUNT
Check the password type of user:
UNIX> passwd -
oradb PS
Where: PS = password set
LK = locked account
NL = no login
To set a No-
UNIX> passwd -
passwd: password information changed for oradb
UNIX> passwd -
oradb NL
OPTIONAL: Mostly for maintenance purposes, you may need to ensure that users cannot log in or run anything at all. A lockout is needed for that scenario.
To lock out a user:
UNIX> passwd -
passwd: password information changed for jbourne
Note: A lockout completely prevents the user from running any services such as cron, in addition to not being able to log in.
To unlock a user:
UNIX> passwd -
passwd: password information changed for jbourne
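The difference between NL and LK above is the one that bites in practice: an LK account silently stops running its cron jobs. The following audit helper is an added example, not part of the original article; it parses the status column of Solaris "passwd -s -a" output (format assumed to match the "user STATUS" lines shown above, fed here from a constructed sample) and reports any service account that is not in the expected NL state.

```shell
#!/bin/sh
# Added audit helper (not from the original article): given the output of
# Solaris "passwd -s -a" (one "user STATUS ..." line per account), report
# service accounts that are not in the expected no-login (NL) state.
# PS means the account can still be logged into directly; LK means its
# cron jobs and other services will no longer run.

# Constructed sample of "passwd -s -a" output, for illustration only.
SAMPLE_STATUS='root PS 03/01/15 0 0
oradb NL
grid PS
jbourne PS
jkirk LK'

# audit_nologin "<expected NL accounts>" "<passwd -s -a output>"
# Prints one finding per problem; returns 0 when every expected account is NL.
audit_nologin() {
    expected=$1
    status_output=$2
    rc=0
    for acct in $expected; do
        line=$(printf '%s\n' "$status_output" | awk -v u="$acct" '$1 == u')
        if [ -z "$line" ]; then
            echo "MISSING: $acct has no passwd status entry"
            rc=1
            continue
        fi
        state=$(printf '%s\n' "$line" | awk '{print $2}')
        case $state in
            NL) ;;                                   # as intended
            PS) echo "FINDING: $acct still allows direct login (PS)"; rc=1 ;;
            LK) echo "FINDING: $acct is locked (LK); cron jobs will not run"; rc=1 ;;
            *)  echo "FINDING: $acct has unexpected status '$state'"; rc=1 ;;
        esac
    done
    return $rc
}

# Example run against the constructed sample. On a real host, replace the
# second argument with "$(passwd -s -a)" (must be run as root).
if audit_nologin "oradb grid" "$SAMPLE_STATUS"; then
    echo "OK: all service accounts are no-login"
else
    echo "Review the findings above before relying on the no-login setup"
fi
```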
CREATE INDIVIDUAL ACCOUNTS FOR ADMINISTRATORS
Since the oracle account now has the no-login attribute, it is a must to create individual accounts for each database administrator. Once this is done, each DBA user is given a sudo privilege to switch to the oracle user so that they can administer the database. This approach mainly helps with auditing and OS user management.
Here is a sample DBA user account creation:
UNIX> useradd -
-
UNIX> passwd jbourne
UNIX> useradd -
-
UNIX> passwd jkirk
CREATE SUDO FOR ADMINISTRATORS TO ACCESS NO LOGIN ACCOUNT
Assuming that the sudo package is already installed, edit the sudoers file to add the entries that allow users belonging to the dba group to use sudo to switch to the oracle account. You may optionally add the root script executions as well, to cut down the time spent coordinating with a SysAdmin to run those scripts during Oracle software installation and patching.
In the example below, users jkirk and jbourne are DBAs.
vi /usr/local/etc/sudoers
# Add entries below
User_Alias DBAUSERS = jkirk, jbourne
DBAUSERS ALL=NOPASSWD: /usr/bin/su -
Now users can switch to the no-login oracle account with:
UNIX> sudo su -