Re: How to keep "root" out?

[Arup Nanda]

Walter,   Unfortunately, there is no way. You can prevent root from connecting as sysdba by removing the dba group from root userid; but hey, root can "root" it again; he is root, remember, omnipotent.   Even if that is successful, he can connect to any dba account, such as "oracle" using "su -" and then connect as sysdba. Worse, they can connect to _any_ dba user, not necessarily "oracle", and your audit logs will show as if coming from that user.   Therefore the issue is serious than it sounds like and you should approach at from the manegerial level. Take dba group out if the root userid and establish ground rules that dba group is never allowed to any user without the DBA's request. If they continue to do "su - oracle", make them aware that this operation is imporsonation, and may be deemed illegal. They will listen to that word!   HTH.   Arup     ----- Original Message ----- From: Walter K To: Multiple recipients of list ORACLE-L Sent: Thursday, August 28, 2003 11:34 AM Subject: How to keep "root" out? Just for grins, I'll ask this question... Is there any way to keep the Unix "root" user from logging into the database (i.e. connect internal or / as sysdba)? Currently using 8.1.7.4 on Solaris 8 here.   We have a couple people in our Unix admin group that feel the need to "help" by writing their own DB monitoring scripts. Of course, they don't know what they're talking about. They do not have formal logins for the database, but since they are root users they are connecting via "connect internal". This is not only counterproductive but actually a potential security issue--just because someone has root doesn't necessarily entitle them to see the data in the database. What if it is a payroll database?   So, I'm curious, is there any way to prevent access via "connect internal" or "/ as sysdba"?   Thanks in advance.   W