7.3.14.4 Implementing the Principle of Least Privilege to Improve Security

Security best practices require that each process run with the lowest privileges needed to perform the task. The following processes now run as non-privileged users:

• Smart Scan processes

  The processes that perform a smart scan on the Oracle Exadata Storage Server used to run with the root user privilege. Performing predicate evaluation does not require root privileges. Starting with Oracle Exadata System Software release 19.1.0, these smart scan processes are owned by a new operating system user called cellofl. The user cellofl and group celltrace are automatically created when you perform a Software Update to Oracle Exadata System Software release 19.1.0.

• Select ExaWatcher processes

  The ExaWatcher infrastructure is responsible for collecting and archiving system statistics on both the Oracle Exadata Database Servers and Oracle Exadata Storage Servers. Some of the commands that collect iostat, netstat, ps, top, and other information have been modified to run without requiring root user privilege. The new operating system user exawatch and group exawatch are automatically created when you perform a Software Update on the Oracle Exadata Storage Server, Oracle Exadata Database Server, and within a virtual machine running on the Oracle Exadata Database Server.

As a result of these changes, the number of processes running as the root user is significantly reduced which improves security on Oracle Exadata servers.

This feature is automatically enabled by performing a software update to Oracle Exadata System Software release 19.1.0. No additional configuration is required.

See the following topics for more information:

• Understanding User Accounts
• Offloading of Data Search and Retrieval Processing
• ExaWatcher Charts