Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> RE: audit suggestion

RE: audit suggestion

From: Goulet, Dick <DGoulet_at_vicr.com>
Date: Mon, 24 Jan 2005 11:21:36 -0500
Message-ID: <4001DEAF7DF9BD498B58B45051FBEA65021B745F@25exch1.vicorpower.vicr.com> 





Katherine,



        Seems to me that you got the paranoid and unintelligent
auditors.  I think that instead of restricting your people you need to
evaluate how much you trust the people you've hired to manage, maintain,
and protect your databases.  Could a DBA run malicious code, sure they
could.  The question is not can they, but would they.  If you don't
trust them, then fire them.  Restricting their access to cron will not
provide any better security.=20




Dick Goulet


Senior Oracle DBA


Oracle Certified 8i DBA


-----Original Message-----



From: KATHERINE_KAYLOR_at_rsausa.com [mailto:KATHERINE_KAYLOR_at_rsausa.com]=20
Sent: Monday, January 24, 2005 10:53 AM


To: oracle-l_at_freelists.org


Subject: audit suggestion



We just completed an external audit and one of the findings from the=20
auditors is that DBAs should not have cron rights in Unix.  The finding=20
basically stated that a DBA could schedule something to run malicious
code=20


from cron and therefore is a security threat.  Frankly, I don't see how=20
that's much different from just running the script interactively.
Unless=20


the DBA is kicked off the Unix server period.....
I'm curious if other sites have restricted DBA's access to such a point=20
that they no longer are allowed to develop and promote shell scripts for



databases.  This is supposed to be a 'segregation' of duties, but it
seems=20


to me that if you are going to run a script that is in the 'DBA' group=20
then what's really happened is that access is now opened up to the UNIX=20
administrators (considering they are a separate job).




K Kaylor=20


Database Administration=20


RSA








Notice of Confidentiality=20



This transmission (including attachments) contains information that=20
may be privileged, confidential and protected from disclosure. Unless=20
you are the intended recipient of the message (or authorized to receive=20

it for the intended recipient) you may not copy, forward, or otherwise=20
use it, or disclose it or its contents to anyone. If you received this=20
transmission in error please notify us immediately, permanently delete=20


the transmission(including attachments) from your system, and destroy=20
all hard copies.  Thank you.




Email: security_usa_at_rsausa.com









--



http://www.freelists.org/webpage/oracle-l


--



http://www.freelists.org/webpage/oracle-l
Received on Mon Jan 24 2005 - 11:27:39 CST












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US