RE: audit suggestion

  • From: "Goulet, Dick" <DGoulet@xxxxxxxx>
  • To: <jkstill@xxxxxxxxx>, <KATHERINE_KAYLOR@xxxxxxxxxx>
  • Date: Mon, 24 Jan 2005 14:08:08 -0500


        Make that an "empty but warm & fuzzy feeling".  One thing I've
learned from the latest SarBox round here is that it stops nothing, just
makes you document the norm.  What happen at Enron/WorldCom was not the
norm, therefore not controllable under SarBox.  In the end the folks who
want to cook the books can, just those under them get to take out the
trash, in prison that is.

Dick Goulet
Senior Oracle DBA
Oracle Certified 8i DBA
-----Original Message-----
From: Jared Still [mailto:jkstill@xxxxxxxxx]=20
Sent: Monday, January 24, 2005 1:50 PM
Cc: oracle-l@xxxxxxxxxxxxx
Subject: Re: audit suggestion

On Mon, 24 Jan 2005 10:53:18 -0500, KATHERINE_KAYLOR@xxxxxxxxxx
<KATHERINE_KAYLOR@xxxxxxxxxx> wrote:
> We just completed an external audit and one of the findings from the
> auditors is that DBAs should not have cron rights in Unix.  The
> basically stated that a DBA could schedule something to run malicious
> from cron and therefore is a security threat.  Frankly, I don't see
> that's much different from just running the script interactively.

Interesting. =20

As you have already learned, auditors exhibit many of the same
fears as villagers in 'Frankenstein'.  They are afraid of the unknown.

If you don't understand something, kill it.  There are more modern=20
corrolaries as well.  Wolves in the USA comes to mind. ( I have=20
no doubt incurred the wrath of any hobby ranchers on the list.
Too bad )

Auditors often don't understand the low level job responsibilities
of SA's and DBA's, moreso with DBA's IMO.

Shutting off cron will not stop a malicious DBA, just force her to
find another method.  Java in the database in concert (or cahoots)
with DBMS_JOB  comes to mind...

It has become apparent that SarbOx is just a way to give the auditing
firm a comfort factor in signing a letter of accreditation, which in
gives legislators and shareholders a warm fuzzy feeling.

It does have the benefit of forcing procedures on an IT organization
is more accustomed to an ad hoc environment.

The trick is learning to deal with this new paradigm, which sometimes
involves educating auditors.  If education doesn't work, the IT director

should be your ally here is warding off unnecessary restrictions, as it
costs real $$ for you do be doing non-productive work.  ie. extra work
to comply with rediculous regulation.

Warning, pure speculation ahead:  It is very difficult, if not
to prevent a technically competent and wily DBA from wreaking havoc
on a system.  There are always ways to get around restrictions.

If an executive want to carry off and Enron/WorldCom-like schemes,  it
be necessary to enlist the help of technically and data savvy
ie. DBA's. =20

Who will be the first to seek riches and retirement on a desert island
by helping a CFO loot the coffers?   ;)

A bit long winded for a Monday morning, no?    :)

Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist

Other related posts: