©2015 - 2022 Chad’s Technoworks.

Chad’s TechnoWorks My Journal On Technology

HOW TO SECURE THE DATABASE OS USER IN SOLARIS


You can extend the security of your database OS account, in this case the oracle account, by giving it the "no login" (NL) attribute. Apply the same attribute to the grid user if the two are separate OS accounts. No login means that nobody can log in directly as the oracle user, yet the account can still own running processes and its nightly cron jobs keep running. The no-login state therefore gives you both things you want from a service account: it stays fully available to run the application, and it is completely locked down against interactive use.

Only root can reach an account marked NL, by switching to it with su, so a regular user needs sudo privileges to switch to an NL user. To administer the applications running under the oracle account, each DBA therefore gets an individual OS account with the sudo privilege to su to the oracle user. Sudo keeps its own log of every invocation, which also gives you an audit trail of who used the oracle account and when.


The following is an example of how to accomplish this.


CREATE A NO LOGIN ACCOUNT


Check the password status of the user:

UNIX> passwd -s oradb

oradb     PS


Where the second column is the account status:

 PS = password set (normal account, login allowed)

 LK = locked account

 NL = no login


To set a No-Login to a user:


UNIX> passwd -N oradb

passwd: password information changed for oradb


UNIX> passwd -s oradb

oradb     NL



OPTIONAL: When an account must be completely idle, for example during maintenance, a no-login setting is not enough, because its cron jobs and other scheduled work keep running. A lockout is needed for that scenario.

 

To Lockout a user:


UNIX> passwd -l jbourne

passwd: password information changed for jbourne


Note: A locked account (LK) can neither log in nor run any scheduled work such as cron jobs, so lock a service account only for as long as you want it idle. After unlocking, confirm with passwd -s that the account is back in the state you intend (NL for the oracle account, not PS).


To unlock a user:


UNIX> passwd -u jbourne

passwd: password information changed for jbourne
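The following is an added example, not part of the original post: a small shell check that reads the status column of `passwd -s -a` output (the same PS / LK / NL column shown above) and reports which of the Oracle service accounts are not in the NL state. The table of accounts embedded in it is constructed for the example; on a real host you would run `passwd -s -a` as root and pass its output to the function.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the Oracle OS
# accounts really are in the NL state before relying on it. The check
# parses the status column of `passwd -s` output exactly as the post
# shows it: user name, then PS / LK / NL, then optional aging fields.

# audit_login_status STATUS_TABLE ACCOUNT...
#   STATUS_TABLE: the text of `passwd -s -a` (must be run as root).
#   ACCOUNT...:   the service accounts that are required to be NL.
# Prints "<account> <status> <verdict>" for each account and returns 1
# when any of them is not NL.
audit_login_status() {
    table=$1; shift
    rc=0
    for acct in "$@"; do
        # second column of the line whose first column is the account
        status=$(printf '%s\n' "$table" |
            awk -v u="$acct" '$1 == u { print $2; exit }')
        case "$status" in
            NL) verdict="OK: no interactive login, cron still runs" ;;
            PS) verdict="FIX: password login possible, run passwd -N $acct"
                rc=1 ;;
            LK) verdict="WARN: locked, so its cron jobs are not running"
                rc=1 ;;
            "") verdict="FIX: account not present"; status=NONE
                rc=1 ;;
            *)  verdict="FIX: unexpected status"; rc=1 ;;
        esac
        printf '%s %s %s\n' "$acct" "$status" "$verdict"
    done
    return $rc
}

# Constructed sample of `passwd -s -a` output; the names and aging
# fields are made up for this example.
SAMPLE='root      PS
daemon    LK
oradb     NL
oragrid   PS
jbourne   PS    01/10/22    7    56    7
jkirk     LK'

audit_login_status "$SAMPLE" oradb oragrid ||
    echo "one or more Oracle accounts still allow login or are locked"
```

The function returns non-zero when any listed account is not NL, so it can sit in a nightly compliance job and fail loudly if someone resets the oracle password with a plain `passwd oradb`, which silently puts the account back into the PS state.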




CREATE INDIVIDUAL ACCOUNTS FOR ADMINISTRATORS


Since the oracle account now has the No Login attribute, each database administrator must have an individual OS account. Each DBA account is then given the sudo privilege to switch to the oracle user, so that the DBA can still administer the database. Besides making the no-login account workable, this gives you a per-person audit trail and simpler OS user management.


Here's a sample DBA user account creation (the oradba group must already exist, and each user needs a distinct UID):


UNIX> useradd -g oradba -m -s /bin/ksh  \

    -d /export/home/jbourne -c "DBA Jason Bourne" -u 3001 jbourne


UNIX> passwd jbourne


UNIX> useradd -g oradba -m -s /bin/ksh  \

    -d /export/home/jkirk -c "DBA James T. Kirk" -u 3002 jkirk


UNIX> passwd jkirk




CREATE SUDO FOR ADMINISTRATORS TO ACCESS NO LOGIN ACCOUNT


Assuming that the sudo package is already installed, edit the sudoers file with visudo to add the entries that allow the DBA users to use sudo to switch to the oracle accounts. The path shown below is where a sudo built from source or from the old sunfreeware packages keeps its sudoers file; the sudo bundled with Solaris 11 uses /etc/sudoers. You may optionally add the root-owned Oracle installer scripts (orainstRoot.sh and root.sh) by their full paths, to cut down the time spent coordinating with a SysAdmin during Oracle software installation and patching. Avoid wildcards in those command entries, because a wildcard in a sudoers command lets the user run anything that matches it as root.


In the example below, users jkirk and jbourne are DBAs.


UNIX> visudo -f /usr/local/etc/sudoers

visudo locks the file while you edit and refuses to save a sudoers with a syntax error; a broken sudoers would otherwise lock everyone out of sudo at once.


# Add entries below

User_Alias DBAUSERS = jkirk, jbourne

DBAUSERS   ALL=NOPASSWD: /usr/bin/su - oradb, /sbin/su - oradb, /usr/bin/su - oragrid, /sbin/su - oragrid


Now the DBA users can switch to the oracle no-login account with:


UNIX> sudo su - oradb


Two caveats on the entry above. NOPASSWD means an unattended DBA terminal is enough to reach the oracle account; drop it if you want the DBA to re-enter their own password first. And sudo logs only the su invocation, not the commands typed in the resulting shell, so the sudo log tells you who became oradb and when, but not what they did afterwards. Where a DBA needs only one specific command as oracle, an entry for that command alone gets it logged individually.
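The following is an added example, not part of the original post, showing what the sudo audit trail mentioned above looks like in practice: a shell function that summarises, from sudo's standard syslog lines, who switched to which Oracle account and how often, and which attempts sudoers rejected. The log lines embedded in it are constructed; on a real host you would feed it the syslog file sudo is configured to write to, which depends on the host's syslog configuration.

```shell
#!/bin/sh
# Added example (not from the original post): summarise who used sudo to
# switch to the Oracle accounts, from the syslog lines sudo writes. The
# line layout below is sudo's standard syslog format; which file syslog
# puts it in on a given Solaris host depends on its syslog configuration
# (assumption: you pass this function the text of that file).

# sudo_su_report LOGTEXT
#   Prints "<invoker> <target> <count>" for every successful
#   "sudo su - <target>" and "<invoker> DENIED <command>" for every
#   attempt that sudoers rejected, sorted for stable output.
sudo_su_report() {
    printf '%s\n' "$1" | awk '
        / sudo: / {
            line = $0
            sub(/^.* sudo: +/, "", line)        # drop the syslog prefix
            invoker = line; sub(/ .*/, "", invoker)
            cmd = line
            if (sub(/^.*COMMAND=/, "", cmd) == 0) next   # not a command record
            if (line ~ /command not allowed/) {
                print invoker " DENIED " cmd
                next
            }
            # count only "su - <user>" through one of the su paths
            # granted in the sudoers entry above
            n = split(cmd, f, " ")
            if (n == 3 && f[2] == "-" && f[1] ~ /^\/(usr\/bin|sbin)\/su$/)
                count[invoker " " f[3]]++
        }
        END { for (k in count) print k " " count[k] }
    ' | LC_ALL=C sort
}

# Constructed sample log lines (hostname, times and users are made up).
SAMPLE_LOG='Jan 12 10:15:01 dbhost sudo:    jkirk : TTY=pts/1 ; PWD=/export/home/jkirk ; USER=root ; COMMAND=/usr/bin/su - oradb
Jan 12 10:20:44 dbhost sudo:  jbourne : TTY=pts/2 ; PWD=/export/home/jbourne ; USER=root ; COMMAND=/usr/bin/su - oragrid
Jan 12 11:02:09 dbhost sudo:    jkirk : TTY=pts/1 ; PWD=/export/home/jkirk ; USER=root ; COMMAND=/usr/bin/su - oradb
Jan 12 11:30:15 dbhost sudo:  jbourne : command not allowed ; TTY=pts/2 ; PWD=/export/home/jbourne ; USER=root ; COMMAND=/usr/bin/su -
Jan 12 11:31:02 dbhost sshd[1234]: Accepted publickey for jkirk from 10.0.0.5 port 50022'

sudo_su_report "$SAMPLE_LOG"
```

The DENIED lines are the ones worth a second look: in the sample, jbourne tried a bare `su -` (a root shell) that the sudoers entry does not permit, which is exactly the kind of attempt the per-person accounts make attributable.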




