Message-ID: <44D8C37F.7040907@gmail.com>
Date: Tue, 08 Aug 2006 12:01:51 -0500
From: Rodd Holman <Rodd.Holman@gmail.com>
User-Agent: Thunderbird 1.5 (X11/20060317)
MIME-Version: 1.0
To: Niall Litchfield <niall.litchfield@gmail.com>
CC: gorbyx@gmail.com, rjamya@gmail.com, AGUERRA@amfam.com,
        oracle-l@freelists.org
Subject: Re: Oracle Auditing Recommendations

It was a risk; senior management read it as a problem.
I'm sure that's not a surprise to anyone.  We had to
go through some detailed explanations with the C-level
execs about what we did as DBAs and why we needed
the password (actually our boss got that fun task). :)
We're a group of 5 DBAs and access as SYS or
oracle (at the unix level) is recorded.  We don't
get root; that's reserved for SAs.  That was another
dance our boss had to do also.  SAs having
root access to the servers was another item on
the report. :)

Yes, knowing the password is a risk.
Having access to the server room is a risk.
Crossing the street is a risk.  Our job is not
risk avoidance, but risk management.  Assessing the
level of risk vs. the cost of mitigating workarounds.

Niall Litchfield wrote:
> My reaction depends on at least 3 things. Was it a problem or risk?
> It's certainly a risk. How many people know the password? Is use of the
> privilege recorded?
> 
> On 8/8/06, Rodd Holman <Rodd.Holman@gmail.com> wrote:
>> I'll agree with you for the most part.  However,
>> when an auditor comes in and reports a discrepancy in that
>> the DBAs have the SYS password as a problem, I
>> have to say that's "putting a stamp".  How else do
>> you create the database if you don't know and give it
>> the sys password?
>>
>> Yes, this was a real life audit example.
>> The auditor, who was clueless about what a DBA was
>> or did, had this checklist of items and just lumped
>> DBAs in as users and since we knew how to get
>> at the base level of the DB we were considered an
>> audit risk.  We all volunteered to give up the
>> password and go home.  Our boss wasn't impressed.
>>
>> Niall Litchfield wrote:
>> > On 8/7/06, Rodd Holman <Rodd.Holman@gmail.com> wrote:
