Re: Oracle Auditing Recommendations

From: Rodd Holman <Rodd.Holman_at_gmail.com>
Date: Tue, 08 Aug 2006 12:01:51 -0500
Message-ID: <44D8C37F.7040907@gmail.com>

It was a risk, senior management read it as a problem. I'm sure that's not a surprise to anyone. We had to go through some detailed explanations with the C-level execs about what we did as DBA's and why we needed the password (actually our boss got that fun task). :) We're a group of 5 DBA's and access as SYS or oracle (at the unix level) is recorded. We don't get root that's reserved for SA's. That was another dance our boss had to do also. SA's having root access to the servers was another item on the report. :)

Yes, knowing the password is a risk.
Having access to the server room is a risk. Crossing the street is a risk. Our job is not risk avoidance, but risk management. Assessing the level of risk vs. the cost of mitigating work arounds.

Niall Litchfield wrote:

> my reaction depends on at least 3 things. was it a problem or risk?
> its certainly a risk. how many people know the password?is use of the
> privilege recorded?
> 
> On 8/8/06, Rodd Holman <Rodd.Holman_at_gmail.com> wrote:

>> I'll agree with you for the most part. However,
>> when an auditor comes in and reports a discrepancy in that
>> the DBA's have the SYS password as a problem, I
>> have to say that's "putting a stamp". How else do
>> you create the database if you don't know and give it
>> the sys password.
>>
>> Yes, this was a real life audit example.
>> The auditor who was clueless about what a DBA was
>> or did, had this checklist of items and just lumped
>> DBA's in as users and since we knew how to get
>> at the base level of the DB we were considered an
>> audit risk. We all volunteered to give up the
>> password and go home. Our boss wasn't impressed.
>>
>> Niall Litchfield wrote:
>> > On 8/7/06, Rodd Holman <Rodd.Holman_at_gmail.com> wrote:

--
http://www.freelists.org/webpage/oracle-l

Received on Tue Aug 08 2006 - 12:01:51 CDT