
RE: audit suggestion

From: Goulet, Dick <DGoulet_at_vicr.com>
Date: Mon, 24 Jan 2005 14:08:08 -0500
Message-ID: <4001DEAF7DF9BD498B58B45051FBEA65021B74AA@25exch1.vicorpower.vicr.com>


Jared,

        Make that an "empty but warm & fuzzy feeling". One thing I've learned from the latest SarBox round here is that it stops nothing, just makes you document the norm. What happened at Enron/WorldCom was not the norm, therefore not controllable under SarBox. In the end the folks who want to cook the books can, just those under them get to take out the trash, in prison that is.

Dick Goulet
Senior Oracle DBA
Oracle Certified 8i DBA

-----Original Message-----
From: Jared Still [mailto:jkstill_at_gmail.com]
Sent: Monday, January 24, 2005 1:50 PM
To: KATHERINE_KAYLOR_at_rsausa.com
Cc: oracle-l_at_freelists.org
Subject: Re: audit suggestion

On Mon, 24 Jan 2005 10:53:18 -0500, KATHERINE_KAYLOR_at_rsausa.com <KATHERINE_KAYLOR_at_rsausa.com> wrote:
> We just completed an external audit and one of the findings from the
> auditors is that DBAs should not have cron rights in Unix. The finding
> basically stated that a DBA could schedule something to run malicious code
> from cron and therefore is a security threat. Frankly, I don't see how
> that's much different from just running the script interactively. Unless

Interesting.

As you have already learned, auditors exhibit many of the same fears as villagers in 'Frankenstein'. They are afraid of the unknown.

If you don't understand something, kill it. There are more modern corollaries as well. Wolves in the USA come to mind. ( I have no doubt incurred the wrath of any hobby ranchers on the list. Too bad )

Auditors often don't understand the low level job responsibilities of SA's and DBA's, more so with DBA's IMO.

Shutting off cron will not stop a malicious DBA, just force her to find another method. Java in the database in concert (or cahoots) with DBMS_JOB comes to mind...

It has become apparent that SarbOx is just a way to give the auditing firm a comfort factor in signing a letter of accreditation, which in turn gives legislators and shareholders a warm fuzzy feeling.

It does have the benefit of forcing procedures on an IT organization that is more accustomed to an ad hoc environment.

The trick is learning to deal with this new paradigm, which sometimes involves educating auditors. If education doesn't work, the IT director should be your ally here in warding off unnecessary restrictions, as it costs real $$ for you to be doing non-productive work, i.e. extra work to comply with ridiculous regulation.

Warning, pure speculation ahead: It is very difficult, if not impossible, to prevent a technically competent and wily DBA from wreaking havoc on a system. There are always ways to get around restrictions.

If an executive wants to carry off an Enron/WorldCom-like scheme, it will be necessary to enlist the help of technically and data savvy accomplices, i.e. DBA's.

Who will be the first to seek riches and retirement on a desert island by helping a CFO loot the coffers? ;)

A bit long winded for a Monday morning, no? :)

--
Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist

--
http://www.freelists.org/webpage/oracle-l
Received on Mon Jan 24 2005 - 14:10:37 CST
