Auditing IT components using CAATs

Auditing Oracle Password Controls using CAATs

As with the initialisation parameters, the company you are auditing should have a policy on password controls.  For Oracle databases the controls actually in force can be seen in the DBA_PROFILES view, which holds one row per profile and resource (columns PROFILE, RESOURCE_NAME, RESOURCE_TYPE and LIMIT); the rows with RESOURCE_TYPE of PASSWORD are the password controls, the KERNEL rows are resource limits.

A description of the fields in this view can be seen at http://docs.oracle.com/cd/B19306_01/server.102/b14237/statviews_4033.htm#sthref1758

The password controls applied to a given user are determined by the PROFILE column of the DBA_USERS view, which joins to the PROFILE column of DBA_PROFILES.  This allows different controls to be applied to different users or groups of users.  For example, you may want your technical system users to be allowed more failed login attempts than your application users.  Note that a LIMIT of DEFAULT in a profile means the value is inherited from the DEFAULT profile, so that is the value the database enforces.

An overview of the available password controls can be reviewed at http://docs.oracle.com/cd/B19306_01/server.102/b14200/statements_6010.htm

If a password control policy is in place it is possible to compare the values across multiple Oracle databases using CAATs.  In other words, if you have one database that is configured according to your standards you can use your CAATs tool to compare it to the other databases in your estate.

As before, request that a DBA spool the view to a CSV-type file (one file per database, with DBA_USERS alongside it if you want to see which users each profile covers).

Next import the views into your CAATs tool.  It is then a matter of clashing your "master" DBA_PROFILES file against those from the other databases, joining on profile and resource name and comparing the effective limits (with DEFAULT resolved to the DEFAULT profile's value).  Those that do not agree, and any profiles that exist on only one side, should be questioned with the DBA.
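The whole procedure above (spool, import, clash) carried through as an added example; this is not code from the original post or from any Oracle or CAATs tool.  It assumes each DBA produced a header-less CSV with a SQL*Plus script like the hypothetical SPOOL_SQL in the block, and it goes slightly beyond the text by resolving DEFAULT inheritance before comparing and by following DBA_USERS.PROFILE to each account's effective limits.  The database names PRODDB and DEVDB, the profiles APP_USERS and BATCH, the function name VERIFY_FUNCTION and the user names are all constructed sample data.

```python
"""Clash DBA_PROFILES exports from two Oracle databases.
Added example, not code from the original post. Assumes each DBA spooled
DBA_PROFILES (and DBA_USERS) to header-less CSV; all samples are constructed."""
import csv
import io

# Hypothetical SQL*Plus script the DBA could use. Columns are those of
# DBA_PROFILES; a NULL limit spools as an empty last field.
SPOOL_SQL = """
SET PAGESIZE 0 FEEDBACK OFF HEADING OFF TRIMSPOOL ON LINESIZE 200
SPOOL dba_profiles_PRODDB.csv
SELECT profile || ',' || resource_name || ',' || resource_type || ',' || limit
  FROM dba_profiles ORDER BY profile, resource_name;
SPOOL OFF
"""
PROFILE_COLUMNS = ["PROFILE", "RESOURCE_NAME", "RESOURCE_TYPE", "LIMIT"]

# Constructed "master" export, configured to standard.
PRODDB_PROFILES = """\
DEFAULT,CPU_PER_SESSION,KERNEL,UNLIMITED
DEFAULT,FAILED_LOGIN_ATTEMPTS,PASSWORD,5
DEFAULT,PASSWORD_LIFE_TIME,PASSWORD,90
DEFAULT,PASSWORD_VERIFY_FUNCTION,PASSWORD,VERIFY_FUNCTION
APP_USERS,FAILED_LOGIN_ATTEMPTS,PASSWORD,3
APP_USERS,PASSWORD_LIFE_TIME,PASSWORD,DEFAULT
APP_USERS,PASSWORD_VERIFY_FUNCTION,PASSWORD,DEFAULT
"""
# Constructed export with drift: DEFAULT lost its lockout and verify
# function, BATCH is an extra profile, and APP_USERS states 90 days
# explicitly instead of inheriting it (not a real difference).
DEVDB_PROFILES = """\
DEFAULT,CPU_PER_SESSION,KERNEL,UNLIMITED
DEFAULT,FAILED_LOGIN_ATTEMPTS,PASSWORD,UNLIMITED
DEFAULT,PASSWORD_LIFE_TIME,PASSWORD,90
DEFAULT,PASSWORD_VERIFY_FUNCTION,PASSWORD,
APP_USERS,FAILED_LOGIN_ATTEMPTS,PASSWORD,3
APP_USERS,PASSWORD_LIFE_TIME,PASSWORD,90
APP_USERS,PASSWORD_VERIFY_FUNCTION,PASSWORD,DEFAULT
BATCH,FAILED_LOGIN_ATTEMPTS,PASSWORD,DEFAULT
BATCH,PASSWORD_LIFE_TIME,PASSWORD,UNLIMITED
BATCH,PASSWORD_VERIFY_FUNCTION,PASSWORD,DEFAULT
"""
# Constructed DBA_USERS export spooled as USERNAME,PROFILE.
DEVDB_USERS = """\
SYS,DEFAULT
APPOWNER,APP_USERS
REPORTING,APP_USERS
"""


def load_profiles(csv_text):
    """Parse an export into {profile: {resource_name: limit}}, keeping only
    PASSWORD-type rows (KERNEL rows are resource limits, not password
    controls) and normalising an empty limit to the string NULL."""
    profiles = {}
    for row in csv.DictReader(io.StringIO(csv_text), fieldnames=PROFILE_COLUMNS):
        if row["RESOURCE_TYPE"].strip().upper() != "PASSWORD":
            continue
        limit = (row["LIMIT"] or "").strip().upper() or "NULL"
        profile = profiles.setdefault(row["PROFILE"].strip().upper(), {})
        profile[row["RESOURCE_NAME"].strip().upper()] = limit
    return profiles


def effective_limits(profiles, profile_name):
    """Resolve what Oracle enforces: a limit of DEFAULT means the value from
    the DEFAULT profile. Returns None if the profile does not exist."""
    own = profiles.get(profile_name)
    if own is None:
        return None
    base = profiles.get("DEFAULT", {})
    return {res: base.get(res, "NULL") if lim == "DEFAULT" else lim
            for res, lim in own.items()}


def clash(master, other):
    """Compare effective limits profile by profile. Each finding is
    (profile, resource, master_value, other_value); a resource of '*' means
    the profile exists on only one side."""
    findings = []
    for name in sorted(set(master) | set(other)):
        m, o = effective_limits(master, name), effective_limits(other, name)
        if m is None or o is None:
            findings.append((name, "*", "missing" if m is None else "exists",
                             "missing" if o is None else "exists"))
            continue
        for res in sorted(set(m) | set(o)):
            if m.get(res) != o.get(res):
                findings.append((name, res, m.get(res), o.get(res)))
    return findings


def user_limits(users_csv, profiles):
    """Follow DBA_USERS.PROFILE to the password limits each account gets."""
    reader = csv.DictReader(io.StringIO(users_csv), fieldnames=["USERNAME", "PROFILE"])
    return {row["USERNAME"].strip().upper():
            effective_limits(profiles, row["PROFILE"].strip().upper())
            for row in reader}
```

Running clash(load_profiles(PRODDB_PROFILES), load_profiles(DEVDB_PROFILES)) reports the missing lockout and verify function on DEFAULT, the verify function that APP_USERS consequently loses, and the BATCH profile that only DEVDB has; the explicit 90 on APP_USERS is correctly not reported, because the master's DEFAULT resolves to the same value.  That resolution step is what a naive field-by-field clash in the CAATs tool will miss, so either build it into the tool's join or have the DBA export resolved values.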
