Re: grant create any directory to schema

  • From: rob <rob@xxxxxxxxxxxxxxxx>
  • To: emjay.mody@xxxxxxxxx, backseatdba@xxxxxxxxx
  • Date: Mon, 21 Dec 2015 20:07:46 -0500



I definitely agree with MJ. %ANY% privileges will be a finding during an
audit.
Rob 



-------- Original message --------
From: MJ Mody <emjay.mody@xxxxxxxxx>
Date: 12/21/2015 7:32 PM (GMT-05:00)
To: backseatdba@xxxxxxxxx
Cc: oracle-l@xxxxxxxxxxxxx
Subject: Re: grant create any directory to schema

A similar question was asked to me as part of an interview for an IS Auditor
position. My response was to create multiple directories and grant read, write
privileges as needed on a per-user basis. This goes in line with the least
privilege access model.
You are definitely right about the security and if your firm gets audited, this
would end up as a finding as ANY privileges are recommended to be hardened.

Best
MJ

On Dec 21, 2015, at 6:20 PM, Jeff Chirco <backseatdba@xxxxxxxxx> wrote:

I have some developers that want to give the CREATE ANY DIRECTORY privilege
to a schema (a locked schema in production).  Their reason is that they
would like to use the same directory name but change its location based on
the OS user that is logged in.  So a file will get read or created in that
user's home directory.
To me this seems like a security issue because then in Test/Dev a programmer
could change the code to point at any directory they wanted to read potentially
sensitive data.
Has anybody dealt with something like this?  Is there a way to restrict them
(by user) to only creating a directory within a certain folder structure?

Jeff
--
//www.freelists.org/webpage/oracle-l
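
The per-user directory approach MJ describes, together with the audit check Rob and MJ refer to, as an added example that is not part of the original thread. The schema, user, directory and path names (`app_schema`, `alice`, `bob`, `app_io_*`, `/home/.../app_io`) are hypothetical placeholders.

```sql
-- Added example; all schema, user, directory and path names are hypothetical.

-- Weak setting under discussion: the schema can point a directory object at
-- any path the database OS account can reach.
--   GRANT CREATE ANY DIRECTORY TO app_schema;
-- Remove it (raises ORA-01952 if the privilege was never granted).
REVOKE CREATE ANY DIRECTORY FROM app_schema;

-- Least-privilege form: a DBA creates one fixed directory object per user,
-- so the path is set by an administrator and not by application code.
CREATE OR REPLACE DIRECTORY app_io_alice AS '/home/alice/app_io';
CREATE OR REPLACE DIRECTORY app_io_bob   AS '/home/bob/app_io';

-- Each database user gets access only to the directory that matches them.
GRANT READ, WRITE ON DIRECTORY app_io_alice TO alice;
GRANT READ, WRITE ON DIRECTORY app_io_bob   TO bob;

-- Audit check 1: grantees holding any %ANY% system privilege.
-- Built-in accounts are excluded here; adjust the list to your baseline.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege LIKE '%ANY%'
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
ORDER  BY grantee, privilege;

-- Audit check 2: who can reach which OS path through a directory object.
-- Directory grants are recorded in DBA_TAB_PRIVS with the directory name
-- in TABLE_NAME.
SELECT d.directory_name, d.directory_path, p.grantee, p.privilege
FROM   dba_directories d
JOIN   dba_tab_privs   p
       ON  p.table_name = d.directory_name
       AND p.owner      = d.owner
WHERE  p.privilege IN ('READ', 'WRITE', 'EXECUTE')
ORDER  BY d.directory_path, p.grantee;
```

The statements need a DBA-level account; the two queries are read-only and can be run as they are during an access review.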


