From: "Mercadante, Thomas F"
To: "'mgogala@allegientsystems.com'", KATHERINE_KAYLOR@rsausa.com
Cc: oracle-l@freelists.org
Subject: RE: audit suggestion
Date: Mon, 24 Jan 2005 13:31:22 -0500

I *hate it* when Mladen holds back!!!
-----Original Message-----
From: Mladen Gogala [mailto:mgogala@allegientsystems.com]
Sent: Monday, January 24, 2005 1:17 PM
To: KATHERINE_KAYLOR@rsausa.com
Cc: oracle-l@freelists.org
Subject: Re: audit suggestion

KATHERINE_KAYLOR@rsausa.com wrote:
> We just completed an external audit and one of the findings from the
> auditors is that DBAs should not have cron rights in Unix.

Let me start with a moderate and reserved statement that your auditor is an idiot. Actually he or she is an idiot to the fifth degree, but I am not allowed to say that.

> The finding basically stated that a DBA could schedule something to run malicious code
> from cron and therefore is a security threat.

Of course, being able to connect as sysdba does not enable him to do anything dangerous to anything other than the company data. He neglected to mention the danger coming from the auditors having an IQ smaller than their shoe size. Also, there is a package that "it" has apparently never heard of: DBMS_JOB, which allows the DBA to do pretty much the same thing without ever running cron.

> Frankly, I don't see how that's much different from just running the script interactively. Unless
> the DBA is kicked off the Unix server period.....

This was a Microsoft sales person in disguise. His recommendation is that you don't need a DBA. Oracle database allegedly has sufficient artificial intelligence to offset the human stupidity. That, I am afraid, is not the case.

> I'm curious if other sites have restricted DBAs' access to such a point
> that they no longer are allowed to develop and promote shell scripts for
> databases. This is supposed to be a 'segregation' of duties, but it seems
> to me that if you are going to run a script that is in the 'DBA' group
> then what's really happened is that access is now opened up to the UNIX
> administrators (considering they are a separate job).

Technical auditors are supposed to be qualified persons. Unfortunately, management frequently hires "well known" auditing companies like DLJ which have so many audits that they cannot even begin to cover them with even moderately technically competent auditors, so they cover some of the "audited" companies with incompetent cheap morons. Management should insist that the DBA auditing the company have OCP and five years of provable experience in the field. So many of those "auditors" are blithering idiots who all behave in the same way: they keep quiet and mysterious, first "documenting" everything and then making "recommendations". I was once able to challenge an auditor who opened his mouth and let me know that he had 6 months of experience with Oracle RDBMS and yet he was doing audits. Your auditor was obviously a bird of a feather. I would advise against following his recommendations. Your company management should create a ruckus at the auditing company HQ and require either a technically competent auditor or their money back. SoX and HIPAA auditing has become a "grab the money and run" type affair. If you want to hear what I really feel, contact me privately, but this should suffice.

--
Mladen Gogala
Oracle DBA
Ext. 121
--
http://www.freelists.org/webpage/oracle-l
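Mladen's point is that taking cron away from the DBA does not remove the DBA's ability to schedule code, because the database itself ships a scheduler. The following SQL is an added example, not part of the thread: it shows a job submitted with DBMS_JOB (the package Mladen names) and the data-dictionary queries an audit of "who can schedule what" would need to cover alongside crontabs. Assumes Oracle 10g or later and a DBA-privileged session; the APP schema is a placeholder.

```sql
-- Added example, not from the mailing-list thread. Run as a DBA on
-- Oracle 10g or later. Only documented packages and dictionary views are used.

-- 1. The capability Mladen refers to: work scheduled entirely inside the
--    database, with no crontab entry anywhere on the Unix host.
DECLARE
  l_job BINARY_INTEGER;
BEGIN
  DBMS_JOB.SUBMIT(
    job       => l_job,
    what      => 'DBMS_STATS.GATHER_SCHEMA_STATS(''APP'');',  -- APP: placeholder schema
    next_date => SYSDATE,
    interval  => 'TRUNC(SYSDATE) + 1 + 2/24');               -- daily at 02:00
  COMMIT;
END;
/

-- 2. A finding about cron is only meaningful if the same review also
--    inventories database-resident scheduled work. Review these the way
--    crontab entries would be reviewed (owner, when, and what runs).
SELECT job, log_user, priv_user, schema_user, interval, broken, what
  FROM dba_jobs
 ORDER BY job;

SELECT owner, job_name, job_type, enabled, state, repeat_interval, job_action
  FROM dba_scheduler_jobs
 ORDER BY owner, job_name;

-- 3. Who holds the privilege to create such jobs at all. CREATE EXTERNAL JOB
--    is the one to watch: it permits DBMS_SCHEDULER jobs of type EXECUTABLE,
--    which run operating-system commands, i.e. the cron equivalent.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE JOB', 'CREATE ANY JOB', 'CREATE EXTERNAL JOB')
 ORDER BY grantee, privilege;
```

The inventory queries are the compensating control the original finding lacks: they make database scheduling as visible to the auditor as cron already is.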