David,

I do feel your pain. Sometimes the auditors just go overboard looking over
some set checklist, and some items in their checklist just plain contradict
each other. Take an example I just went through recently.

I am making the databases of a few healthcare companies HIPAA compliant. A
recent audit made this point: "The software owner account should be locked
and be opened after a written memo to the sys admin. The fact that the oracle
account is not locked is a huge security hole". All right, that meant my
oracle account is now locked. Jeez! Well, how do I start and stop the
database? Auditor: "the starting and stopping of the database has to be done
from the Oracle Enterprise Manager console, connected as SYSDBA". And that is
supposed to be more secure??!!!!!

The point is, don't just assume that the auditors know best. Some of the
points could be good independently; for instance, in the above case, they
are. But taken together they may not be practical. Of course, pick your
battles. If they want to get rid of OPS$ accounts, let the developers fight
over it; they will be most affected (passing user ids and passwords, etc.).
But in their zeal to seal the deal, make sure they are not hardcoding
passwords in the applications, a common problem.

HTH.

Arup Nanda
www.proligence.com

----- Original Message -----
To: "Multiple recipients of list ORACLE-L" <[EMAIL PROTECTED]>
Sent: Friday, June 20, 2003 9:44 AM


> This is an interesting one. I am currently going through (tortured)
> another system audit. One of the many questions the auditors (I am being
> attacked from all sides) had about the Oracle configuration was "Can remote
> authenticated network users connect to the database?".
>
> If auditors know this is a weakness, maybe it would be a good idea to
> avoid its use.
>
> btw I do use O/S authenticated userids but remote authentication has been
> disabled (deliberately). We are running Oracle on Unix so our batch jobs
> use O/S authenticated ids.
>
>
> >From: "Gogala, Mladen" <[EMAIL PROTECTED]>
> >Reply-To: [EMAIL PROTECTED]
> >To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
> >Subject: RE: oracle authentication from windows
> >Date: Thu, 19 Jun 2003 12:19:59 -0800
> >
> >That, of course, will render your database totally insecure and open to
> >anybody who can bring in a WinXP laptop, change the windoze username and
> >log in as he pleases.
> >A DBA that sets his production parameters the way Arup described deserves
> >to be publicly tortured by Bill O'Reilly in the "no spin zone".
> >
> >
> >Mladen Gogala
> >Oracle DBA
> >Phone:(203) 459-6855
> >Email:[EMAIL PROTECTED]
> >
> >-----Original Message-----
> >Sent: Thursday, June 19, 2003 3:46 PM
> >To: Multiple recipients of list ORACLE-L
> >
> >
> >Sure.
> >
> >Just declare these in your init.ora
> >
> >os_authent_prefix=OPS$
> >remote_os_authent=TRUE
> >
> >bounce the database, add a user called OPS$<the Windows username>, e.g.
> >OPS$AK if your Windows login id is AK as
> >
> >create user ops$ak identified externally
> >
> >From Windows, connect as "/@servicename", e.g. sqlplus /@service1
> >
> >If it doesn't work, the OS user may be different. Use this query while
> >connected to the database from the Windows client.
> >
> >SQL> select sys_context('USERENV','OS_USER') from dual;
> >
> >See what OS username comes up; use that instead.
> >
> >HTH.
> >
> >Arup Nanda
> >www.proligence.com
> >
> >
> >
> >----- Original Message -----
> >To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
> >Sent: Thursday, June 19, 2003 1:10 PM
> >
> >We want our client users (forms users) to just enter their Windows password
> >and then automatically be able to get into Oracle. Is there a way Oracle
> >can authenticate from Windows (or Active Directory)? Embedding the
> >password in runform.exe is not an option.
> >
> >thanks,
> >-ak
> >
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.net
> --
> Author: david davis
>   INET: [EMAIL PROTECTED]
>
> Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
> San Diego, California        -- Mailing list and web hosting services
> ---------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from).  You may
> also send the HELP command for other information (like subscribing).
>
--
Author: Arup Nanda
  INET: [EMAIL PROTECTED]
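The thread shows how to switch on remote OS authentication (os_authent_prefix, remote_os_authent, "identified externally") and why Mladen objects: with remote_os_authent=TRUE the server trusts the OS user name the client reports, which a laptop owner controls. The following SQL is an added example, not from any of the posters, showing how a DBA can audit that configuration, keep OS authentication for local batch jobs while refusing it from remote clients, and spot spoofed OPS$ logons in the audit trail. It assumes DBA privileges, a 9i/10g-era dictionary (dba_users.password = 'EXTERNAL' marks external accounts before 11g; 11g and later use dba_users.authentication_type), an spfile for the ALTER SYSTEM, audit_trail=DB for the audit query, and a placeholder host name 'dbserver01' that you would replace with your own server and batch hosts. remote_os_authent is deprecated from 11g onwards, where FALSE is the default.

```sql
-- Added example (not from the thread): audit and harden the OS-authentication
-- settings discussed above. Run as a DBA.

-- 1. Current settings. remote_os_authent=TRUE means the server trusts whatever
--    OS user name the *client* reports; os_authent_prefix is the prefix the
--    server prepends to that name when looking up the database account.
SELECT name, value
FROM   v$parameter
WHERE  name IN ('remote_os_authent', 'os_authent_prefix');

-- 2. Every externally identified account, i.e. every account that can be
--    opened simply by presenting the matching OS user name.
--    (On 11g and later use: WHERE authentication_type = 'EXTERNAL')
SELECT username, created, account_status
FROM   dba_users
WHERE  password = 'EXTERNAL'             -- pre-11g marker
ORDER  BY username;

-- 3. The OPS$-prefixed accounts from the thread and the roles they hold.
--    External accounts carrying DBA-type roles are the ones to review first,
--    because a spoofed OS name yields those privileges directly.
SELECT u.username, r.granted_role, r.admin_option
FROM   dba_users u
       JOIN dba_role_privs r ON r.grantee = u.username
WHERE  u.password = 'EXTERNAL'
AND    u.username LIKE 'OPS$%'
ORDER  BY u.username, r.granted_role;

-- 4. Hardened setting: keep OS authentication for local batch jobs on the
--    database server (the setup David describes) but stop trusting remote
--    clients. Both parameters are static, so the change takes effect at the
--    next restart. SCOPE=SPFILE assumes a server parameter file; with a
--    plain init.ora, set remote_os_authent=FALSE in the file instead.
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;

-- 5. Detection: with audit_trail=DB and session auditing on, each logon is
--    recorded with the OS user and host the client reported. An OPS$ logon
--    from a host other than the database server (or the known batch hosts)
--    is exactly the "bring in a laptop" case Mladen describes.
AUDIT SESSION;

SELECT os_username, username, userhost, terminal, timestamp, returncode
FROM   dba_audit_session
WHERE  username LIKE 'OPS$%'
AND    userhost NOT IN ('dbserver01')    -- placeholder: your server/batch hosts
ORDER  BY timestamp DESC;

-- 6. Client-side sanity check (the query Arup gives): what the server
--    believes the OS user is for the current session.
SELECT sys_context('USERENV', 'OS_USER') AS os_user
FROM   dual;
```

Steps 1 to 3 are read-only and safe to run during an audit; step 4 needs a restart window, and step 5 only produces rows once session auditing has been enabled and the audit trail is being written to the database.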