Re: grant create any directory to schema
From: MJ Mody <emjay.mody_at_gmail.com>
Date: Tue, 22 Dec 2015 02:08:43 -0600
Message-Id: <4A94A1BA-77CB-45F1-B001-3E52B056C905_at_gmail.com>
My $0.02, and to echo earlier sentiments, the average auditor does what is called a ‘check the box’ audit. If anyone is curious, the next generation of IT auditors require practitioners to wear the audit hat (no white, grey, red or black hat - audit hat - full-stop).
> The auditors don't have skills to figure out real security problems, here we do fully agree, but they do have checklists, which make them a pain in the neck or lower and supplant their technical skills. My favorite recommendation by the auditors is not to use user SYS for backup but to create another user for that. Of course, before the advent of fairly badly messed up SYSBACKUP role in 12c, that meant creating another SYSDBA user. And having two different SYSDBA users, with two different passwords, is somehow more secure than having just one?
>
> --
> Mladen Gogala
> Oracle DBA
> http://mgogala.freehostia.com
>
> --
> http://www.freelists.org/webpage/oracle-l
>
>
Date: Tue, 22 Dec 2015 02:08:43 -0600
Message-Id: <4A94A1BA-77CB-45F1-B001-3E52B056C905_at_gmail.com>
My $0.02, and to echo earlier sentiments, the average auditor does what is called a ‘check the box’ audit. If anyone is curious, the next generation of IT auditors require practitioners to wear the audit hat (no white, grey, red or black hat - audit hat - full-stop).
A tangent to initial question and something I’ve been privy to in DBA travels (don’t bother asking - in the land of the blind, the one eyed human is king) is if directories are used, it is an assumption eternal tables may be used. If so, Oracle ‘canned’ stats does not play nicely with an external table not having a dependent file. What we have learned is to have a stub file (empty text file with the filename) or disable the ‘canned’ stats and actually own the stats collection tasks/operations.
MJ
> On Dec 22, 2015, at 1:46 AM, Mladen Gogala <gogala.mladen_at_gmail.com> wrote:
>
> On 12/21/2015 08:54 PM, Andrew Kerber wrote:
>> Yes it will be. Unfortunately your average auditor doesn't have the skill set to understand whether or not it really is a security problem. >> >> Sent from my iPad
> The auditors don't have skills to figure out real security problems, here we do fully agree, but they do have checklists, which make them a pain in the neck or lower and supplant their technical skills. My favorite recommendation by the auditors is not to use user SYS for backup but to create another user for that. Of course, before the advent of fairly badly messed up SYSBACKUP role in 12c, that meant creating another SYSDBA user. And having two different SYSDBA users, with two different passwords, is somehow more secure than having just one?
>
> --
> Mladen Gogala
> Oracle DBA
> http://mgogala.freehostia.com
>
> --
> http://www.freelists.org/webpage/oracle-l
>
>
-- http://www.freelists.org/webpage/oracle-lReceived on Tue Dec 22 2015 - 09:08:43 CET