audit suggestion

  • From: KATHERINE_KAYLOR@xxxxxxxxxx
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Mon, 24 Jan 2005 10:53:18 -0500

We just completed an external audit and one of the findings from the 
auditors is that DBAs should not have cron rights in Unix.  The finding 
basically stated that a DBA could schedule something to run malicious code 
from cron and therefore is a security threat.  Frankly, I don't see how 
that's much different from just running the script interactively.  Unless 
the DBA is kicked off the Unix server period.....
I'm curious if other sites have restricted DBA's access to such a point 
that they no longer are allowed to develop and promote shell scripts for 
databases.  This is supposed to be a 'segregation' of duties, but it seems 
to me that if you are going to run a script that is in the 'DBA' group 
then what's really happened is that access is now opened up to the UNIX 
administrators (considering they are a separate job).


K Kaylor 
Database Administration 
RSA

--
//www.freelists.org/webpage/oracle-l
