FAQs on Local users for Oracle binaries installation


Q1)

Risk Description (What is the actual risk) – This needs to cover the security breach, which is going to be around password vaulting/rotation, a shared/generic account or similar.
How the account is checked out or used is key as well.

Answer) As this is a shared user, tracing actions back to an individual is difficult. Password rotation can be implemented.

Q2)

Business Impact (What is the impact of not doing it) – This will cover what the accounts do, and why the work has to be carried out in a non-compliant way.

Answer)
oracle: This user is used for installing Oracle binaries and upgrades on the Unix platform.
grid: This user is for allocating storage for Oracle databases.
The above-mentioned activities cannot be accomplished using a domain account.

Q3)

Risk mitigation plan (Any process they are following/doing to reduce the risk) – For example, ensuring only a limited number of people can check out the account.

Answer)
Individual domain users can be created in place of these local users for database support. Alternatively, a jump server can be set up, with SSH from there to the actual DB server.

Q4)
Why do we need local users and groups for installing Oracle software?

If you have created an Oracle software installation owner account, but it is not a member of the groups you want to designate as the OSDBA, OSOPER, OSDBA for ASM, ASMADMIN, or other system privileges group, then modify the group settings for that user before installation.

Warning: Each Oracle software owner must be a member of the same central inventory group. Do not modify the primary group of an existing Oracle software owner account, or designate different groups as the OINSTALL group. If Oracle software owner accounts have different groups as their primary group, then you can corrupt the central inventory.
During installation, the user who is installing the software should have the OINSTALL group as its primary group, and it must be a member of the operating system groups appropriate for your installation.
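
The group requirements above can be checked before installation with a short script. This is an added example, not part of the original FAQ or Oracle's own tooling; the function names are hypothetical, and the OS group names (oinstall, dba, oper, asmdba, asmadmin) are assumed stand-ins for whichever groups you designate as OINSTALL, OSDBA, OSOPER, OSDBA for ASM and ASMADMIN.

```shell
#!/bin/sh
# Added example (not Oracle's tooling): audit software-owner group membership.

# check_owner USER PRIMARY "MEMBER_OF..." INVENTORY "REQUIRED..."
# Prints one finding per problem; exit status is the number of findings.
# The body is a subshell, so its variables stay local and `exit` only
# leaves the function.
check_owner() (
    user=$1 primary=$2 member_of=" $3 " inventory=$4 required=$5
    findings=0
    # The primary group must be the central inventory (OINSTALL) group.
    if [ "$primary" != "$inventory" ]; then
        echo "$user: primary group is '$primary', expected '$inventory'"
        findings=$((findings + 1))
    fi
    # Every privilege group designated for this owner must list the user.
    for g in $required; do
        case "$member_of" in
            *" $g "*) ;;   # whole-word match, so 'dba' does not match 'asmdba'
            *) echo "$user: not a member of '$g'"
               findings=$((findings + 1)) ;;
        esac
    done
    exit "$findings"
)

# audit_live USER INVENTORY "REQUIRED...": run the check against this host.
audit_live() {
    id "$1" >/dev/null 2>&1 || { echo "$1: no such user"; return 1; }
    check_owner "$1" "$(id -gn "$1")" "$(id -Gn "$1")" "$2" "$3"
}

# Touch the real account database only when asked: sh check_owners.sh --live
# Group names are assumed; substitute the ones designated at your site.
if [ "${1:-}" = "--live" ]; then
    audit_live oracle oinstall "dba oper"
    audit_live grid oinstall "asmdba asmadmin"
fi
```

Run it with `--live` on the database server as any user that can call `id`; it reports findings only and never changes group settings.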

 
