RE: audit suggestion

  • From: "Goulet, Dick" <DGoulet@xxxxxxxx>
  • To: <KATHERINE_KAYLOR@xxxxxxxxxx>, <oracle-l@xxxxxxxxxxxxx>
  • Date: Mon, 24 Jan 2005 11:21:36 -0500


        Seems to me that you got the paranoid and unintelligent
auditors.  I think that instead of restricting your people you need to
evaluate how much you trust the people you've hired to manage, maintain,
and protect your databases.  Could a DBA run malicious code, sure they
could.  The question is not can they, but would they.  If you don't
trust them, then fire them.  Restricting their access to cron will not
provide any better security.=20

Dick Goulet
Senior Oracle DBA
Oracle Certified 8i DBA
-----Original Message-----
From: KATHERINE_KAYLOR@xxxxxxxxxx [mailto:KATHERINE_KAYLOR@xxxxxxxxxx]=20
Sent: Monday, January 24, 2005 10:53 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: audit suggestion

We just completed an external audit and one of the findings from the=20
auditors is that DBAs should not have cron rights in Unix.  The finding=20
basically stated that a DBA could schedule something to run malicious
from cron and therefore is a security threat.  Frankly, I don't see how=20
that's much different from just running the script interactively.
the DBA is kicked off the Unix server period.....
I'm curious if other sites have restricted DBA's access to such a point=20
that they no longer are allowed to develop and promote shell scripts for

databases.  This is supposed to be a 'segregation' of duties, but it
to me that if you are going to run a script that is in the 'DBA' group=20
then what's really happened is that access is now opened up to the UNIX=20
administrators (considering they are a separate job).

K Kaylor=20
Database Administration=20

Notice of Confidentiality=20

This transmission (including attachments) contains information that=20
may be privileged, confidential and protected from disclosure. Unless=20
you are the intended recipient of the message (or authorized to receive=20
it for the intended recipient) you may not copy, forward, or otherwise=20
use it, or disclose it or its contents to anyone. If you received this=20
transmission in error please notify us immediately, permanently delete=20
the transmission(including attachments) from your system, and destroy=20
all hard copies.  Thank you.

Email: security_usa@xxxxxxxxxx


Other related posts: