SOX AI6.30 Control Query

indianyogi

Active Member
List,

To meet the deliverable of AI6.30 control of the SOX audit, "Passwords are encrypted", I need to perform some kind of test to prove that passwords are encrypted on the JDE database.

I do not have a clue how to proceed with it.

Any help would be greatly appreciated.

Thanks
Yogi
 
HINT: Tell the auditor(s) as little as possible about the application. If someone mentions the server JDE.INI, throw a smoke bomb in front of them and head for the hills.

I would start by searching posts on this site and then reference the appropriate JDE documentation and manuals. They recently changed the encryption algorithm used by the application and this was rolled into the SP2 for 8.9-8.11 and I believe a particular SP22 or SP23 one-off for Xe/8.0.

This is such a huge topic, I'm not going to touch on most of it.

See Red Database Security for some information about Oracle password security:

http://www.red-database-security.com/whitepaper/oracle_passwords.html

Oracle database passwords in cleartext

Cleartext passwords can typically, but not necessarily, be found in the following places:

Server:
  - Shell history files
  - Unix scripts
  - Log files
  - Dump files
  - Trace files

Application server:
  - JDBC config files
  - Trace files

DBA client PC:
  - Desktop shortcuts
  - Batch files
  - Configuration files of Oracle tools (like connections.ini)
  - Trace files
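As an added example (not part of the original post or of Red Database Security's material), here is a small Python audit scanner that walks constructed sample copies of the artifact types listed above and reports where a credential is embedded. The file paths, file contents, user names and passwords are all made up for the example, and the two regular expressions are assumptions about the common embedding forms (an Oracle `user/password@tns` connect string on a command line, and a `password=` style entry in a config file). The secret is redacted in the finding so the result can go into audit evidence without copying the password itself.

```python
import re

# Constructed sample artifacts of the kinds listed above (a shell history
# file, a shell script, a JDBC properties file). Every value is made up.
SAMPLE_FILES = {
    "/home/oracle/.bash_history": "\n".join([
        "ls -la",
        "sqlplus scott/tiger@ORCL",
        "exp system/manager@ORCL file=full.dmp",
        "sqlplus /nolog",
    ]),
    "/opt/scripts/nightly_export.sh": "\n".join([
        "#!/bin/sh",
        "export ORACLE_SID=ORCL",
        "exp jde_user/JdePass1@ORCL file=/backup/jde.dmp",
    ]),
    "/opt/app/conf/jdbc.properties": "\n".join([
        "jdbc.url=jdbc:oracle:thin:@dbhost:1521:ORCL",
        "jdbc.user=appuser",
        "jdbc.password=Welcome1",
    ]),
    "/opt/app/conf/clean.properties": "jdbc.user=appuser\n",
}

# Assumed embedding forms: "user/password@tns" connect strings on a command
# line, and key=value (or key: value) entries whose key contains "pass".
PATTERNS = [
    ("oracle_connect_string",
     re.compile(r"\b(\w+)/([^\s@]+)@(\w+)")),
    ("config_password_entry",
     re.compile(r"(?i)^\s*([\w.]*pass(?:word|wd)?)\s*[=:]\s*(\S+)", re.M)),
]


def redact(secret):
    """Keep the first character only, so evidence never contains the secret."""
    return secret[0] + "*" * (len(secret) - 1) if secret else ""


def scan_text(path, text):
    """Return one finding per embedded credential found in `text`."""
    findings = []
    for kind, rx in PATTERNS:
        for m in rx.finditer(text):
            # Line numbers are 1-based, counted from the start of the file.
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append({
                "path": path,
                "line": line_no,
                "kind": kind,
                "name": m.group(1),          # user name or config key
                "secret_redacted": redact(m.group(2)),
            })
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping and return findings sorted by location."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return sorted(findings, key=lambda f: (f["path"], f["line"]))


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} {f['kind']} "
              f"name={f['name']} secret={f['secret_redacted']}")
```

In a real audit the `SAMPLE_FILES` mapping would be replaced by reading the actual history, script and configuration files from the server, application server and DBA workstation; the output lists each location once and is safe to attach as evidence because the password text is never written out.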
 
Hi,

The smoke bomb option just sounded alright. What I did was take a snapshot of browsing the table F98OWSEC through UTB, and recorded that the SCOWPWD field could not be viewed (it was coming up as blanks).

Hope they catch it. Problem is that we are being audited by PWC currently and then would be audited by external auditors too.

Hope this smoke bomb is good enough!

Thanks for the recommendations.

Regards
Yogi
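An added example, not from this thread, of how a sample of F98OWSEC rows could be turned into recorded evidence for the "passwords are encrypted" control: each SCOWPWD value is classified against a test account whose password the auditor set themselves. The table and column names come from the post above; the sample rows, the test credential, the hex/base64 checks and the entropy threshold are constructed assumptions for the example. A blank value is recorded as inconclusive, because a browsing tool that masks a column shows only that the tool hides it, not how the value is stored; a value that equals (or contains) the known test password is recorded as cleartext.

```python
import math
import string
from collections import Counter

# Constructed rows standing in for F98OWSEC (user / SCOWPWD). Not real JDE data.
# The 64-character hex value is a made-up digest-like string.
DIGEST_LIKE = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
SAMPLE_ROWS = [
    {"user": "TESTAUDIT", "scowpwd": "Welcome1"},   # equals the known test password
    {"user": "JDE",       "scowpwd": ""},           # blank: masked by the tool, or not stored
    {"user": "APPUSER",   "scowpwd": DIGEST_LIKE},  # hex, high entropy
    {"user": "BATCH",     "scowpwd": "Q29tcGxleFNlY3JldCBoYXNoIG9mIHNvbWUga2luZC4uLg=="},  # base64-like
]

# Test account created by the auditor for this check (constructed).
KNOWN_TEST_CREDENTIALS = {"TESTAUDIT": "Welcome1"}

# Assumed thresholds: hex digests are at least 32 chars, encoded ciphertext at
# least 16, and either should have a character entropy well above a word.
MIN_HEX_LEN = 32
MIN_B64_LEN = 16
MIN_ENTROPY_BITS = 3.5


def shannon_entropy(s):
    """Bits of entropy per character of the string s (0.0 for empty input)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def classify_stored_password(user, stored):
    """Classify one stored SCOWPWD value for the audit record."""
    if isinstance(stored, (bytes, bytearray)):
        stored = bytes(stored).hex()  # raw binary is compared in hex form
    if stored == "":
        return "INCONCLUSIVE_BLANK"
    known = KNOWN_TEST_CREDENTIALS.get(user)
    if known is not None and known.lower() in stored.lower():
        return "CLEARTEXT"  # exact match or padded/prefixed cleartext
    is_hex = len(stored) >= MIN_HEX_LEN and all(c in string.hexdigits for c in stored)
    b64_alphabet = string.ascii_letters + string.digits + "+/="
    is_b64 = len(stored) >= MIN_B64_LEN and all(c in b64_alphabet for c in stored)
    if (is_hex or is_b64) and shannon_entropy(stored) >= MIN_ENTROPY_BITS:
        return "LOOKS_ENCRYPTED_OR_HASHED"
    return "SUSPICIOUS_PRINTABLE"  # short or low-entropy printable text: review by hand


def audit(rows):
    """Map each user in the sample to its classification."""
    return {r["user"]: classify_stored_password(r["user"], r["scowpwd"]) for r in rows}


if __name__ == "__main__":
    for user, verdict in audit(SAMPLE_ROWS).items():
        print(f"{user:<10} {verdict}")
```

The heuristic checks only say that a value does not look like cleartext; the definitive evidence is the test account, because the auditor knows exactly what value to look for and can show it does not appear in the column. The row sample would normally be pulled with a database query rather than through UTB so that masked display does not hide what is actually stored.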
 
Watch out for those outside auditor types. They wrote some custom security tools in JDE for our (separate) application security group. It really came back to haunt us when we first installed 8.94_I1.
 