Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Mailing Lists -> Oracle-L -> Re: audit suggestion

Re: audit suggestion

From: Jared Still <>
Date: Mon, 24 Jan 2005 18:50:02 +0000
Message-ID: <>

On Mon, 24 Jan 2005 10:53:18 -0500, <> wrote:
> We just completed an external audit and one of the findings from the
> auditors is that DBAs should not have cron rights in Unix. The finding
> basically stated that a DBA could schedule something to run malicious code
> from cron and therefore is a security threat. Frankly, I don't see how
> that's much different from just running the script interactively. Unless


As you have already learned, auditors exhibit many of the same fears as villagers in 'Frankenstein'. They are afraid of the unknown.

If you don't understand something, kill it. There are more modern corrolaries as well. Wolves in the USA comes to mind. ( I have no doubt incurred the wrath of any hobby ranchers on the list. Too bad )

Auditors often don't understand the low level job responsibilities of SA's and DBA's, moreso with DBA's IMO.

Shutting off cron will not stop a malicious DBA, just force her to find another method. Java in the database in concert (or cahoots) with DBMS_JOB comes to mind...

It has become apparent that SarbOx is just a way to give the auditing firm a comfort factor in signing a letter of accreditation, which in turn gives legislators and shareholders a warm fuzzy feeling.

It does have the benefit of forcing procedures on an IT organization that is more accustomed to an ad hoc environment.

The trick is learning to deal with this new paradigm, which sometimes involves educating auditors. If education doesn't work, the IT director should be your ally here is warding off unnecessary restrictions, as it costs real $$ for you do be doing non-productive work. ie. extra work to comply with rediculous regulation.

Warning, pure speculation ahead: It is very difficult, if not impossible, to prevent a technically competent and wily DBA from wreaking havoc on a system. There are always ways to get around restrictions.

If an executive want to carry off and Enron/WorldCom-like schemes, it will be necessary to enlist the help of technically and data savvy accomplices, ie. DBA's.

Who will be the first to seek riches and retirement on a desert island by helping a CFO loot the coffers? ;)

A bit long winded for a Monday morning, no? :)

Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist
Received on Mon Jan 24 2005 - 13:52:28 CST

Original text of this message