[Intrusions] Requested opinions on Access.

[Bill Royds]

One thing to do is to remind the DBAs of their responsibility if a problem
occurs due to root access. Without root access, they can be exonerated of
culpability if something happens to the network. With it, they become under
immediate suspicion.
 It is the whole idea of least privilege. By minimizing privilege, one can then
troubleshoot much more easily since there are a fewer number of possible sources
of problems. Ask them if they would also expect that all Sysadmins should have
access to the database administration account by the same logic. 

-----Original Message-----
From: intrusions-bounces at lists.sans.org
[mailto:intrusions-bounces at lists.sans.org] On Behalf Of Wilson, Mark
Sent: Wednesday, November 10, 2004 10:42 AM
To: intrusions at lists.sans.org
Subject: [Intrusions] Requested opinions on Access.

Ladies and Gentlemen;

I have an issue with our Data Base Admins (DBA's) wanting the root passwords for
their workstations.  We had just recently a DBA run a crack against a shadow
file and move the shadow file from one of the Unix machines to a PC.

We staff separate Systems Administrators that normally admin these workstations,
and I have a "symbiotic" relation on security issues with our SA's and trust
them to perform necessary updates.

Obvious issues aside, I would really like to hear about policies and issues that
others have in relation to DBA's having root access.
These DBA's support our Oracle Financials. (ehhh shiver up my spine) that hold
all our customer financial information.

I would really appreciate responses to this since it has become a very touchy
issue and I'm getting stuck in the middle being the Security person.

Thanks.



Mark Wilson
Communications Analyst / IT Security
Eastern Municipal Water District
2270 Trumble Rd.
Perris Ca.  92572
951.928.3777.4544
www.emwd.org

_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions