Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Mailing Lists -> Oracle-L -> Re: Oracle Auditing Recommendations

Re: Oracle Auditing Recommendations

From: Niall Litchfield <>
Date: Tue, 8 Aug 2006 17:28:59 +0100
Message-ID: <>

my reaction depends on at least 3 things. was it a problem or risk? its certainly a risk. how many people know the password?is use of the privilege recorded?

On 8/8/06, Rodd Holman <> wrote:
> I'll agree with you for the most part. However,
> when an auditor comes in and reports a discrepancy in that
> the DBA's have the SYS password as a problem, I
> have to say that's "putting a stamp". How else do
> you create the database if you don't know and give it
> the sys password.
> Yes, this was a real life audit example.
> The auditor who was clueless about what a DBA was
> or did, had this checklist of items and just lumped
> DBA's in as users and since we knew how to get
> at the base level of the DB we were considered an
> audit risk. We all volunteered to give up the
> password and go home. Our boss wasn't impressed.
> Niall Litchfield wrote:
> > On 8/7/06, Rodd Holman <> wrote:
> >>
> >> Also remember, auditors are hired to find things wrong. If everything
> >> they find comes up good, then their supervisors question their diligence
> >> in their jobs. So every auditor needs to find something they can report
> >> just to show that they were doing their job. No auditor wants to be
> >> found eligible for the Enron audit team.
> >
> >
> > Not true. Auditors are hired to verify and evidence that things are as
> > people say they are. This is different from being hired to find things
> > wrong. Or to use another analogy, this statement is equivalent to saying
> > that DBAs are hired to prevent people from accessing data or code from
> > being
> > put into production. If a DBA allows people access or puts code into
> > production without finding it lacking then their supervisors question
> their
> > diligence.
> >
> > For sure Auditors are picky, beauracratic and irritating. This is a good
> > thing given their role. They aren't out to find mistakes though. They are
> > out to verify and evidence.
> >

Niall Litchfield
Oracle DBA
Received on Tue Aug 08 2006 - 11:28:59 CDT

Original text of this message