Notes:
We have numerous scripts, web applications and programs that access Oracle databases. This includes scripts/programs written in Java, C++, Python, Perl, ASP and probably others. We use 3 GLAST-specific Oracle databases (and, for historic reasons, still use some general SLAC Oracle instances). Many of these programs are or will be under change control, so cannot be modified easily. Many of these programs deal with ongoing data processing, where the tolerance for downtime is very small. In some cases passwords may be embedded in programs which, for science processing reasons, will need to be used for years, even if more recent versions of the programs subsequently become available.
In addition to programs, the passwords are stored in web app configuration files, IDE configuration files and database access tools.
Many programs run as long-lived daemons with no Kerberos tokens. These scripts are stored in Unix (AFS and NFS), Windows and CVS, and probably on OS X as well in future.
Passwords are mostly not encrypted. There is little point in encrypting the passwords, since our programs would need to be able to decrypt the password before using it (at least as we do things now), and since anyone can read and modify our programs, anyone could use them to decrypt the passwords.
There is logging of web access and, in some cases, more detailed logging in the applications.
If we are to adopt a policy of changing these passwords every six months we need a way to do it cost-effectively, and with no downtime of our essential programs. We do not currently know of a technical solution to this problem, nor have we budgeted time or manpower to find and adopt one. If the password policy for Oracle passwords is changed we will need extensive help from the database and security groups to implement a plan for handling these passwords.
All these issues apply not only to Oracle accounts but also to MySQL and any other service accounts, e.g. email access.
In developing solutions we should find solutions for all these areas simultaneously.
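As an added illustration, not code from this page or from the GLAST project, of one way the rotation problem above can be handled for a long-lived daemon: keep the password in a separate, owner-only readable file outside the program source, and re-read that file when the database rejects the cached password, so a rotation needs no restart. The account name, file layout, and stub connector (standing in for the Oracle client library) are constructed for the example.

```python
import os, stat, tempfile
from pathlib import Path
from typing import Callable, Tuple

class AuthError(Exception):
    """Raised by the connect callable when the database rejects the password."""

def read_credentials(path: Path) -> Tuple[str, str]:
    """Read 'user=' / 'password=' lines from a file kept outside the program source.
    Refuses group- or world-accessible files (assumed policy, not the page's)."""
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is group/world accessible ({oct(mode)})")
    fields = {}
    for line in path.read_text().splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields["user"], fields["password"]

class FileCredentials:
    """Cache the file's credentials; on an auth failure re-read the file once,
    so a rotated password takes effect without restarting the daemon."""
    def __init__(self, path: Path, connect: Callable[[str, str], object]):
        self.path, self.connect, self.cached, self.reloads = path, connect, None, 0

    def open_connection(self):
        if self.cached is None:
            self.cached = read_credentials(self.path)
        try:
            return self.connect(*self.cached)
        except AuthError:
            self.cached = read_credentials(self.path)  # pick up the rotated password
            self.reloads += 1
            return self.connect(*self.cached)

def demo() -> dict:
    """Simulate one rotation; the stub connect() stands in for the Oracle client."""
    accepted = {"glast_dp": "old-secret"}  # constructed sample, not a real password
    def connect(user, pw):
        if accepted.get(user) != pw:
            raise AuthError("invalid user/password (simulated)")
        return f"session for {user}"
    with tempfile.TemporaryDirectory() as d:
        cred = Path(d) / "glast_dp.cred"
        cred.write_text("user=glast_dp\npassword=old-secret\n")
        os.chmod(cred, 0o600)
        creds = FileCredentials(cred, connect)
        first = creds.open_connection()
        accepted["glast_dp"] = "new-secret"  # DBA rotates; operator edits the file
        cred.write_text("user=glast_dp\npassword=new-secret\n")
        second = creds.open_connection()  # cached password fails, file is re-read
    return {"first": first, "second": second, "reloads": creds.reloads}
```

The credential file is still plaintext, as the notes observe; what changes is that it is no longer checked into CVS alongside the program and can be replaced independently of the running daemon.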
The last five columns (PRIVILEGES through OTHER MITIGATIONS) record the mitigations in place for each account.

| ACCOUNT | INSTANCE | OWNER | USE | LOCATION | APPLICATION | PRIVILEGES | ACCESS TO PII | PASSWORD ENCRYPTION | LOGGING | OTHER MITIGATIONS |
|---|---|---|---|---|---|---|---|---|---|---|
| GLASTDEV | SLAC_TCP | K.HEIDENREICH | defunct* | | | | | | | |
| GLASTGEN | SLAC_TCP | K.HEIDENREICH | defunct* | | | | | | | |
| GLASTGEN | GLASTDEV | K.HEIDENREICH | develop & test environment | | data access control; various data information systems | full privileges | no | no | none | none |
| GLASTGEN | GLASTP | K.HEIDENREICH | production version | | data access control; various data information systems | full privileges | no | no | none | none |
| GLASTSYS | GLASTDEV | K.HEIDENREICH | read access to Oracle Grid Control for oracle-glast02 | SCCS DB Group control | view db instance statistics | read only | no | no | none | none |
| GLASTSYS | GLASTP | K.HEIDENREICH | read access to Oracle Grid Control for oracle-glast01 | SCCS DB Group control | view db instance statistics | read only | no | no | none | none |
| GLASTSYSADMIN | GLASTDEV | K.HEIDENREICH | read access to all db tables in GLASTDEV instance | | set up to view all db tables automatically when tables are created | read only | no | no | none | none |
| GLASTSYSADMIN | GLASTP | K.HEIDENREICH | read access to all db tables in GLASTP instance | | set up to view all db tables automatically when tables are created | read only | no | no | none | none |
| GLASTUSER | SLAC_TCP | K.HEIDENREICH | read access to various GLAST @SLAC_TCP data tables | glast iis web server/ asp files | view data in glast slac_tcp instances | read only | no | no | none | none |
| GLAST_CAL | GLASTDEV | K.HEIDENREICH | I&T Web Elogbook | | | | no | no | none | none |
| GLAST_CAL | GLASTP | K.HEIDENREICH | I&T Web Elogbook | | | | no | no | none | none |
| GLAST_CAL_RO | GLASTDEV | K.HEIDENREICH | read access to data in ISOC/Trending databases | | | read only | no | no | none | none |
| GLAST_CAL_RO | GLASTP | K.HEIDENREICH | read access to data in ISOC/Trending databases | | | read only | no | no | none | none |
| GLAST_DATA | SLAC_TCP | K.HEIDENREICH | initial GLAST data tracking database | | | | no | no | none | none |
| GLAST_DOC | SLACDEV | K.HEIDENREICH | GLAST-LAT document management database | SCCS DB Group control | ------- | ------- | ------- | ------- | ------- | ------- |
| GLAST_DOC | SLAC_TCP | K.HEIDENREICH | GLAST-LAT document management database | SCCS DB Group control | ------- | ------- | ------- | ------- | ------- | ------- |
| GLAST_DP | GLASTDEV | K.HEIDENREICH | GLAST data processing pipeline | tomcat server | | | no | no | none | none |
| GLAST_DP | GLASTP | K.HEIDENREICH | GLAST data processing pipeline | tomcat server | | | no | no | none | none |
| GLAST_DP | SLACDEV | K.HEIDENREICH | defunct* (original GLAST data processing pipeline) | tomcat server | | | no | no | none | none |
| GLAST_MASTER | SLAC_TCP | K.HEIDENREICH | GLAST tracking databases: risk, assembly, people | glast iis web server/ asp files | | | no | no | none | none |
| GLAST_SYSTEST | SLAC_TCP | K.HEIDENREICH | GLAST system test records | glast iis web server/ asp files/..? | | | no | no | none | none |
| LAT | GLASTDEV | K.HEIDENREICH | read data tables | | | read only | no | no | none | none |
| LAT | GLASTP | K.HEIDENREICH | read data tables | | | read only | no | no | none | none |
| LAT | SLACDEV | K.HEIDENREICH | defunct* | | | | | | | |
| LAT | SLACPROD | K.HEIDENREICH | defunct* | | | | | | | |
| LAT | SLAC_TCP | K.HEIDENREICH | defunct* | | | | | | | |
| GLAST_ISOC | SLAC_TCP | B. LEE | defunct* | | | | | | | |
| GLAST_ISOC | SLACPROD | B. LEE | defunct* | | | | | | | |
| GLAST_ISOC | GLASTDEV | B. LEE | used for experimenting, testing schemas, etc. | | Telemetry Trending | | no | no | none | none |
| GLAST_ISOC | GLASTP | B. LEE | stores I&T trending data & operates the I&T FASTCopy automation | | Telemetry Trending | | no | no | none | none |
| GLAST_ISOC | SLACDEV | B. LEE | stores MOC-delivered data from e.g. GRTs, ETEs, FASTCopy, etc. | | Telemetry Trending | | no | no | none | none |
| GLAST_BT | GLASTDEV | C.CHEE | shift information | | GLAST and GLAST Beamtest Log Book | | no | no | none | none |
| GLAST_BT | GLASTP | C.CHEE | shift information | | GLAST and GLAST Beamtest Log Book | | | | | |
| GLAST_BT | SLACDEV | C.CHEE | | | | | | | | |
| GLAST_BT_RO | GLASTDEV | C.CHEE | | | | read only | | | | |
| GLAST_BT_RO | GLASTP | C.CHEE | | | | read only | | | | |
| GLASTTREND | GLASTDEV | C.CHEE | | | | | | | | |
| GLASTTREND | GLASTP | C.CHEE | | | | | | | | |
| GLAST_J2EE | GLASTDEV | R.WONG | ? | | | | | | | |
| GLAST_J2EE | GLASTP | R.WONG | ? | | | | | | | |
| GLAST_ST | GLASTDEV | R.WONG | ? | | | | | | | |
| GLAST_ST | GLASTP | R.WONG | ? | | | | | | | |
| GLASTRO | GLASTDEV | none | provides read access to all tables created on GLASTDEV | | | read only | no | | | |
| GLASTRO | GLASTP | none | provides read access to all tables created on GLASTP | | | read only | no | | | |
| GLAST_DP_TEST | GLASTSTG | R.WONG | PIPELINE II | | | | no | | | |
| GLAST_DP_TEST | GLASTP | R.WONG | PIPELINE II | | | | no | | | |
| GLAST_DP_TEST | GLASTDEV | R.WONG | PIPELINE II | | | | no | | | |
| GLAST_DP_TEST | SLACDEV | R.WONG | defunct* | | | | no | | | |
\* Defunct database accounts should be locked; if no problems occur, remove them from the instance (SLAC_TCP and SLACDEV instances only).