RE: Any bad experiences with SYSDBA and DBA application users?

At a minimum, write a memo that enumerates what you've found and what
the risks are. If management can accept the risks, that's their call--
just make sure you have a paper trail when something bad happens.

Depending on the company you work for and the type of data these
databases hold, this setup may violate something like Sarbanes-Oxley,
which requires officers of publicly traded US companies to ensure that
they have reasonable security controls around anything that could impact
financial statements. If any idiot can figure out how to monkey with
your accounting system, executives could, in theory, wind up in jail.

When executives start to get involved, vendors tend to be a lot more
accommodating.

Justin Cave
Distributed Database Consulting, Inc.
http://www.ddbcinc.com/askDDBC

-----Original Message-----
From: Netz Randy N
[mailto:oracledba-ezmlmshield-x59890123.[Email address protected]
Sent: Friday, October 29, 2004 5:12 PM
To: LazyDBA Discussion
Subject: RE: Any bad experiences with SYSDBA and DBA application users?

I have read all the responses to this email. I agree with all of it.

However, I have an additional question along this line. What do you do
when a third-party vendor application is brought into your shop and the
vendor insists that DBA privileges are necessary for the application
to work?

In the shop where I now work, I have been going through all the databases and
doing some security checks (easy-to-guess passwords, users with DBA
role, etc.). I have several vendor applications (they were already here
when I started with the company) whose database schemas have the DBA
role. And get this, one of them has a password that is extremely easy
to guess. And the vendor insists that the password has to be what it is
and cannot be changed.

I'm stunned by it all.


Randy Netz
Oracle DBA
816-860-3921 (work)
816-686-1639 (cell)

-----Original Message-----
From: Pete Finnigan
[mailto:oracledba-ezmlmshield-x20131864.[Email address protected]
Sent: Friday, October 29, 2004 8:09 AM
To: LazyDBA Discussion
Subject: Re: Any bad experiences with SYSDBA and DBA application users?

Hi,

With "as sysdba" or with the DBA role it's possible to get access to the
server in many different ways. Do not grant SYSDBA, DBA, ALL
PRIVILEGES or indeed system privileges to application users. The risks
are very high.

There are two good security checklists on my site
http://www.petefinnigan.com/orasec.htm that will give you some good
lists of security issues to check in an Oracle database.

Kind regards

Pete
--
Pete Finnigan (email:[Email address protected]
Web site: http://www.petefinnigan.com - Oracle security audit
specialists
Oracle security blog:
http://www.petefinnigan.com/weblog/entries/index.html
Book: Oracle Security Step-by-Step Guide - see http://store.sans.org for
details.
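Data-dictionary queries for the checks Randy describes (who holds DBA) and the grants Pete warns against (SYSDBA, DBA, ALL PRIVILEGES, direct system privileges), added here as an example and not taken from either post or from Pete's checklists. It assumes a session connected as a DBA with SELECT access to the DBA_* and V$ views; the list of Oracle-supplied accounts excluded from the results is illustrative and should be extended for your release.

```sql
-- Added audit queries (not from the thread). Run from SQL*Plus as a DBA.
-- Exclusion lists name a few Oracle-supplied accounts as examples only.

-- 1. Who holds the DBA role? Grantees that are themselves roles are flagged,
--    because granting such a role grants DBA indirectly.
SELECT rp.grantee,
       CASE WHEN r.role IS NOT NULL THEN 'ROLE' ELSE 'USER' END AS grantee_type,
       rp.admin_option
FROM   dba_role_privs rp
       LEFT JOIN dba_roles r ON r.role = rp.grantee
WHERE  rp.granted_role = 'DBA'
   AND rp.grantee NOT IN ('SYS', 'SYSTEM')
ORDER  BY grantee_type, rp.grantee;

-- 2. Who can connect AS SYSDBA / SYSOPER through the password file?
SELECT username, sysdba, sysoper
FROM   v$pwfile_users
ORDER  BY username;

-- 3. Schemas holding system privileges directly. GRANT ALL PRIVILEGES is
--    stored as one row per privilege, so a very large count is its signature.
SELECT grantee,
       COUNT(*)                                        AS sys_priv_count,
       SUM(CASE WHEN admin_option = 'YES' THEN 1 END)  AS with_admin
FROM   dba_sys_privs
WHERE  grantee NOT IN ('SYS', 'SYSTEM', 'DBA', 'OUTLN', 'DBSNMP')
GROUP  BY grantee
ORDER  BY sys_priv_count DESC;

-- 4. Of the accounts found above, which are open (not locked or expired)?
--    These are the ones an easy-to-guess password actually exposes.
SELECT u.username, u.account_status, u.created
FROM   dba_users u
WHERE  u.account_status = 'OPEN'
   AND (   u.username IN (SELECT grantee  FROM dba_role_privs
                          WHERE  granted_role = 'DBA')
        OR u.username IN (SELECT username FROM v$pwfile_users))
ORDER  BY u.username;
```

Keeping the output of these queries with your memo gives the paper trail Justin mentions, and re-running them after a vendor install shows exactly what the application added.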



--------
website: http://www.LazyDBA.com
Please don't reply to RTFM questions
Oracle documentation is here: http://tahiti.oracle.com
To unsubscribe: see http://www.lazydba.com/unsubscribe.html
To subscribe: see http://www.lazydba.com
By using this list you agree to these
terms:http://www.lazydba.com/legal.html
