Re: Any ideas for running CRON jobs under Security Requirements

  • From: Hemant K Chitale <hkchital@xxxxxxxxxxxxxx>
  • To: Mohammad Rafiq <rafiq9857@xxxxxxxxx>, oracle-l@xxxxxxxxxxxxx
  • Date: Sun, 15 May 2005 00:09:48 +0800

Actually, I see the problem as stemming from two different requirements

a)  As part of IT Security Policies no scripts should store username/password
combinations unless the password is encrypted using standard protocols.

b)  As part of our SOX Controls [ie, in the SOPs] "root" and Super-User {ie "oracle"}
accounts are not to be used.  Only Named Administrative User accounts
are to be used.
[The Unix Admin team has agreed not to use "root" but I will be pushing for
permission to use "oracle" and SYSDBA.
{obviously, remote_login as SYSDBA is not to be allowed}.]
All usage of Administrative accounts must be logged.



The first prevents me from using simple script files {unless I am able
to use hide.c, but I am not sure I want to use hide.c for Hot Backup etc
scripts which I would want to set up with a SYSDBA account.  Other
monitoring scripts also require DBA/CATALOG privileges}.
The second prevents me from using SYSDBA, and, furthermore,
CRON jobs as SYSDBA would cause many entries in the OS audit trail
files {eg $ORACLE_HOME/rdbms/audit}, each of which I'd have to
explain.
I am hoping that I meet auditors who understand when and where and why
I use SYSDBA.

Hemant



At 10:22 PM Saturday, Mohammad Rafiq wrote:
>Hemant,
>Where did you find this requirement?
>We are having more than 20 SOX compliant databases and running our
>jobs as either SYSDBA on Windows and *nix as well but not seen any
>objection from our internal or external auditors so far...
>
>Regards
>Rafiq
>
>On 5/13/05, Hemant K Chitale <hkchital@xxxxxxxxxxxxxx> wrote:
> >
> > How do you run CRON jobs {Online Backups, DB Monitoring} on Database Servers
> > when IT Security / SOX requirements state that
> >   a) No userid-password pairs are to be kept in plain-text in any files
> >   b) connect / as sysdba is not to be used
> >
> > I can handle a) with CRON jobs running under the "oracle" account with
> > "connect / as sysdba"
> > at the beginning of SQL scripts.  I can handle b) if I hard code a
> > userid/password with the appropriate privileges.  How do I handle both
> > requirements?
> >
> > Hemant K Chitale


Hemant K Chitale
http://web.singnet.com.sg/~hkchital
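An added check for the two requirements discussed in this thread, written for this page and not taken from the thread or from any Oracle tool: it scans a cron job script for a literal userid/password in a connect string and for "connect / as sysdba", reporting the user but never the password. The regexes and the sample script are constructed assumptions covering the common SQL*Plus, RMAN and exp/imp forms.

```python
import re

# Added example (not from the oracle-l thread): flag, in a cron job script,
#   (a) a userid/password pair stored in plain text, and
#   (b) "connect / as sysdba" (or sysoper).
# The regexes are assumptions covering common SQL*Plus, RMAN and exp/imp forms.
CRED_RE = re.compile(
    r"(?i)\b(?:sqlplus(?:\s+-\S+)*|connect|conn|target|catalog|userid=)"
    r"\s*([A-Za-z_$#][\w$#]*)/([^\s@]+)")
SYSDBA_RE = re.compile(
    r"(?i)\b(?:sqlplus(?:\s+-\S+)*|connect|conn)\s+[\"']?/\s+as\s+sys(?:dba|oper)\b")

def scan_script(text):
    """Return [(line_no, rule, detail)] for each violation found in text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.lstrip()
        if stripped.startswith("#") or stripped.startswith("--"):
            continue                      # shell or SQL*Plus comment line
        if SYSDBA_RE.search(line):
            findings.append((no, "sysdba", "connect / as sysdba"))
        m = CRED_RE.search(line)
        if m:
            user, password = m.group(1), m.group(2)
            if password.startswith("$"):  # password comes from a variable;
                findings.append((no, "cred-from-env", user))  # check its source
            else:                         # literal password: report the user only
                findings.append((no, "plaintext-cred", user))
    return findings

# Constructed sample of a nightly backup/monitoring job, not a real script.
SAMPLE_CRON_SCRIPT = """#!/bin/sh
# nightly hot backup (constructed sample)
export ORACLE_SID=PROD
sqlplus -s / as sysdba <<EOF
alter database begin backup;
EOF
sqlplus -s backup_op/Secret123@PROD @/u01/scripts/check_tbs.sql
rman target backup_op/Secret123@PROD nocatalog
sqlplus /nolog <<EOF
connect monitor/abc@PROD
select 1 from dual;
EOF
sqlplus -s $MONUSER/$MONPASS@PROD @monitor.sql
sqlplus monitor@PROD @monitor.sql
"""

if __name__ == "__main__":
    for no, rule, detail in scan_script(SAMPLE_CRON_SCRIPT):
        print(f"line {no}: {rule}: {detail}")
```

A line such as "sqlplus monitor@PROD" (password prompted, nothing stored) is deliberately not reported, and "cred-from-env" hits mean the plain-text check has to move to wherever that variable is set.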


--
//www.freelists.org/webpage/oracle-l