Understanding the Benefits of Oracle Operating System Security (OA4OS)
By Mark Wilcox - CTO - Oracle Consulting Security-Oracle on May 06, 2008
Today is a day to catch up on some blogging.
James McGovern posted a few questions on our new operating system security product - aka Oracle Authentication Services for Operating Systems or OA4OS.
First quote - " On one level, this feels like a good story, but on another it feels like a long-term trap."
It's just a good story :). There is no trap. Unlike competing solutions, we don't use any proprietary hooks or changes to the Unix/Linux systems. We are using only standards-based interfaces like PAM, NSS and SUDO.
Thus it would be possible to move to another directory solution.
Second quote - "First, if you are running Solaris, this you can setup NIS domains to aid in this problem."
NIS has been out of favor for a while. It has now been officially deprecated. And for the kicker - it is not SOX compliant.
Thus many customers we've talked to about OA4OS are specifically looking for how to replace NIS. This is one of the features we offer.
Third quote - "Consider that if you are a shop running Active Directory, Microsoft provides Active Directory Services for Unix whereby you can have Unix servers and daemons participate as if they are native to the Windows domain. This simplifies administration significantly, cheap to rollout and even cheaper over the lifetime. There are of course some features missing, which Microsoft will be addressing in upcoming releases."
Yes - Microsoft does offer this. However, it has many limitations that in many organizations will not be solvable. For starters, you must extend the AD schema, which in many organizations is not allowed by corporate policy. Second, storing this data in AD can add severe load to your AD replication, which affects desktop login (which is why this is not allowed by many corporate policies). Third, it does not auto-generate UID & GID numbers (we do :)). Fourth, they have no way to address the use case where you have the same username but different uid/gid numbers on different hosts (hello OVD). These are all features that AD lacks, and some (such as the schema change) can never be avoided.
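The fourth point is the one that bites during consolidation: before identities from many hosts are pushed into a single directory, someone has to find the usernames that carry different uids on different machines and the uids that already belong to different people. The script below is an added example of that pre-migration audit, not Oracle's or OA4OS's code; the host names and passwd entries are constructed, and it assumes plain passwd-format lines (`name:x:uid:gid:gecos:home:shell`) collected from each host.

```python
"""Find per-host identity conflicts before consolidating local accounts
into a central directory.

Added example (not Oracle/OA4OS code). Input is {hostname: passwd-file text}
with constructed sample data below.
"""
from collections import defaultdict
from typing import Dict, Tuple

# Constructed sample: two hosts whose local accounts were managed by hand.
HOST_MAPS = {
    "web01": """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
""",
    "db01": """\
root:x:0:0:root:/root:/bin/bash
alice:x:2001:2001:Alice:/home/alice:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
""",
}


def parse_passwd(text: str) -> Dict[str, int]:
    """Return {username: uid} from passwd-format lines, skipping comments,
    blank lines and compat '+'/'-' entries that are not real accounts."""
    users: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "+", "-")):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        users[fields[0]] = int(fields[2])
    return users


def find_identity_conflicts(
    host_maps: Dict[str, str],
) -> Tuple[Dict[str, Dict[str, int]], Dict[int, Dict[str, str]]]:
    """Return (name_conflicts, uid_conflicts).

    name_conflicts: username -> {host: uid} where the uid differs across hosts
                    (the case needing per-host mapping before consolidation).
    uid_conflicts:  uid -> {host: username} where one uid names different
                    people on different hosts (file ownership would cross over).
    """
    by_name: Dict[str, Dict[str, int]] = defaultdict(dict)
    by_uid: Dict[int, Dict[str, str]] = defaultdict(dict)
    for host, text in host_maps.items():
        for name, uid in parse_passwd(text).items():
            by_name[name][host] = uid
            by_uid[uid][host] = name
    name_conflicts = {n: h for n, h in by_name.items() if len(set(h.values())) > 1}
    uid_conflicts = {u: h for u, h in by_uid.items() if len(set(h.values())) > 1}
    return name_conflicts, uid_conflicts


if __name__ == "__main__":
    names, uids = find_identity_conflicts(HOST_MAPS)
    for name, hosts in sorted(names.items()):
        print(f"user {name} has different uids: {hosts}")
    for uid, hosts in sorted(uids.items()):
        print(f"uid {uid} belongs to different users: {hosts}")
```

On the sample data `alice` is 1001 on web01 but 2001 on db01, and uid 1002 is `bob` on one host and `carol` on the other; both are exactly the situations a single directory entry per user cannot express without per-host views, and both need a decision (renumber, or map per host) before any host is switched to the directory.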
Final quote - "You can also consider third party software such as Vintela and Centrify which also provide deeper Unix/Linux integration to Active Directory. Anyway, I humbly predict that the open source community will realize that this type of integration should be in the box and not something add-on and therefore will address within the next six months."
To my knowledge, Vintela and Centrify require proprietary components and/or extensions to AD. Also, they don't provide any mechanism to manage SUDO policies in your directory. And I would also point out that this is our first release (if he can mention MSFT updating AD as being OK, I can use it here for us too :)), so we are going to be adding additional functionality in the future.