Re: audit suggestion

  • From: Jared Still <jkstill@xxxxxxxxx>
  • To: KATHERINE_KAYLOR@xxxxxxxxxx
  • Date: Mon, 24 Jan 2005 18:50:02 +0000

On Mon, 24 Jan 2005 10:53:18 -0500, KATHERINE_KAYLOR@xxxxxxxxxx
<KATHERINE_KAYLOR@xxxxxxxxxx> wrote:
> We just completed an external audit and one of the findings from the
> auditors is that DBAs should not have cron rights in Unix.  The finding
> basically stated that a DBA could schedule something to run malicious code
> from cron and therefore is a security threat.  Frankly, I don't see how
> that's much different from just running the script interactively.  Unless


As you have already learned, auditors exhibit many of the same
fears as villagers in 'Frankenstein'.  They are afraid of the unknown.

If you don't understand something, kill it.  There are more modern
corollaries as well.  Wolves in the USA come to mind.  (I have
no doubt incurred the wrath of any hobby ranchers on the list.
Too bad.)

Auditors often don't understand the low level job responsibilities
of SAs and DBAs, more so with DBAs IMO.

Shutting off cron will not stop a malicious DBA, just force her to
find another method.  Java in the database in concert (or cahoots)
with DBMS_JOB comes to mind...

It has become apparent that SarbOx is just a way to give the auditing
firm a comfort factor in signing a letter of accreditation, which in turn
gives legislators and shareholders a warm fuzzy feeling.

It does have the benefit of forcing procedures on an IT organization that
is more accustomed to an ad hoc environment.

The trick is learning to deal with this new paradigm, which sometimes
involves educating auditors.  If education doesn't work, the IT director
should be your ally here in warding off unnecessary restrictions, as it
costs real $$ for you to be doing non-productive work, i.e. extra work
to comply with ridiculous regulation.

Warning, pure speculation ahead:  It is very difficult, if not impossible, 
to prevent a technically competent and wily DBA from wreaking havoc
on a system.  There are always ways to get around restrictions.

If an executive wants to carry off any Enron/WorldCom-like schemes, it will
be necessary to enlist the help of technically and data savvy accomplices,
i.e. DBAs.

Who will be the first to seek riches and retirement on a desert island
by helping a CFO loot the coffers?   ;)

A bit long winded for a Monday morning, no?    :)

Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist
