audit suggestion

  • From: KATHERINE_KAYLOR@xxxxxxxxxx
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Mon, 24 Jan 2005 10:53:18 -0500

We just completed an external audit and one of the findings from the 
auditors is that DBAs should not have cron rights in Unix.  The finding 
basically stated that a DBA could schedule something to run malicious code 
from cron and therefore is a security threat.  Frankly, I don't see how 
that's much different from just running the script interactively.  Unless 
the DBA is kicked off the Unix server period.....
I'm curious if other sites have restricted DBA's access to such a point 
that they no longer are allowed to develop and promote shell scripts for 
databases.  This is supposed to be a 'segregation' of duties, but it seems 
to me that if you are going to run a script that is in the 'DBA' group 
then what's really happened is that access is now opened up to the UNIX 
administrators (considering they are a separate job).

K Kaylor 
Database Administration 

Notice of Confidentiality 

This transmission (including attachments) contains information that 
may be privileged, confidential and protected from disclosure. Unless 
you are the intended recipient of the message (or authorized to receive 
it for the intended recipient) you may not copy, forward, or otherwise 
use it, or disclose it or its contents to anyone. If you received this 
transmission in error please notify us immediately, permanently delete 
the transmission(including attachments) from your system, and destroy 
all hard copies.  Thank you.

Email: security_usa@xxxxxxxxxx


Other related posts: