Re: Oracle Auditing Recommendations

  • From: Rodd Holman <Rodd.Holman@xxxxxxxxx>
  • To: Niall Litchfield <niall.litchfield@xxxxxxxxx>
  • Date: Tue, 08 Aug 2006 12:01:51 -0500

It was a risk, senior management read it as a problem.
I'm sure that's not a surprise to anyone.  We had to
go through some detailed explanations with the C-level
execs about what we did as DBA's and why we needed
the password (actually our boss got that fun task). :)
We're a group of 5 DBA's and access as SYS or
oracle (at the unix level) is recorded.  We don't
get root that's reserved for SA's.  That was another
dance our boss had to do also.  SA's having
root access to the servers was another item on
the report. :)

Yes, knowing the password is a risk.
Having access to the server room is a risk.
Crossing the street is a risk.  Our job is not
risk avoidance, but risk management.  Assessing the
level of risk vs. the cost of mitigating work arounds.

Niall Litchfield wrote:
> my reaction depends on at least 3 things. was it a problem or risk?
> its certainly a risk. how many people know the password?is use of the
> privilege recorded?
> On 8/8/06, Rodd Holman <Rodd.Holman@xxxxxxxxx> wrote:
>> I'll agree with you for the most part.  However,
>> when an auditor comes in and reports a discrepancy in that
>> the DBA's have the SYS password as a problem, I
>> have to say that's "putting a stamp".  How else do
>> you create the database if you don't know and give it
>> the sys password.
>> Yes, this was a real life audit example.
>> The auditor who was clueless about what a DBA was
>> or did, had this checklist of items and just lumped
>> DBA's in as users and since we knew how to get
>> at the base level of the DB we were considered an
>> audit risk.  We all volunteered to give up the
>> password and go home.  Our boss wasn't impressed.
>> Niall Litchfield wrote:
>> > On 8/7/06, Rodd Holman <Rodd.Holman@xxxxxxxxx> wrote:


Other related posts: