SOX compliance for DataStage environments

dnsjain
Charter Member
Posts: 34
Joined: Thu May 08, 2003 2:12 pm

SOX compliance for DataStage environments

Post by dnsjain »

I am sure that some of you have gone through SOX compliance for DataStage and have designed the policies and controls to achieve SOX compliance.

At my site also, we are going through putting the controls in the DEV, QA and PROD environments. There are a few points where the security team is not happy with the way DataStage works, for example:

1. It does not have auditing capability during development.
2. It uses UNIX authentication but allows users to login into DataStage even if their UNIX password has expired.

I would appreciate your inputs and suggestions on best practices around SOX compliance in DataStage.

Thanks,
Dinesh
kduke
Charter Member
Posts: 5227
Joined: Thu May 29, 2003 9:47 am
Location: Dallas, TX

Post by kduke »

There is an audit table only it is hidden. Version Control will track versions of jobs if used. Automated exports can also satisfy the tracking of changes.

I have never tried logging in with an expired password. I am sure there could be an admin solution to satisfy this need. Maybe a shell script to disable these accounts or force a password change.
Mamu Kim
ray.wurlod
Participant
Posts: 54607
Joined: Wed Oct 23, 2002 10:52 pm
Location: Sydney, Australia

Re: SOX compliance for DataStage environments

Post by ray.wurlod »

dnsjain wrote:2. It uses UNIX authentication but allows users to login into DataStage even if their UNIX password has expired.
I would be very surprised if that were true.
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
DSguru2B
Charter Member
Posts: 6854
Joined: Wed Feb 09, 2005 3:44 pm
Location: Houston, TX

Post by DSguru2B »

Logging in with an expired unix id huh, wow, harry potter is real :o
Creativity is allowing yourself to make mistakes. Art is knowing which ones to keep.
dnsjain
Charter Member
Posts: 34
Joined: Thu May 08, 2003 2:12 pm

Post by dnsjain »

DSguru2B wrote:Logging in with an expired unix id huh, wow, harry potter is real :o
I knew that it is hard to believe, but it is true (not Harry Potter!!! The DataStage bug!!!). The password gets expired at the UNIX level; if a user logs in at the UNIX level they are validated and prompted for a new password, but DataStage uses a background process to connect which just validates the user and does not go to that extra level.

I have DataStage running on Solaris and there are a few developers whose passwords have expired, but they are developing jobs in DataStage without any problem.

I even opened an eSupport case with IBM and they agreed on this one and asked me to try PAM security, which I still need to test.

Dinesh
Ultramundane
Participant
Posts: 407
Joined: Mon Jun 27, 2005 8:54 am
Location: Walker, Michigan

Post by Ultramundane »

Do you know if Ascential will fix their bug in the current release or are they going to wait until they give us all "the bird"?
DSguru2B
Charter Member
Posts: 6854
Joined: Wed Feb 09, 2005 3:44 pm
Location: Houston, TX

Post by DSguru2B »

Wow, I didn't know that. Thanks Dinesh for the info.
Creativity is allowing yourself to make mistakes. Art is knowing which ones to keep.
ray.wurlod
Participant
Posts: 54607
Joined: Wed Oct 23, 2002 10:52 pm
Location: Sydney, Australia

Post by ray.wurlod »

Have these developers simply stayed logged in?
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
newtier
Premium Member
Posts: 27
Joined: Mon Dec 13, 2004 5:50 pm
Location: St. Louis, MO

Post by newtier »

dnsjain wrote:
DSguru2B wrote:Logging in with an expired unix id huh, wow, harry potter is real :o
We are on AIX and do not have that "issue". If your password is expired on Unix, you don't get in. (In fact that has been true for several versions back of DataStage.)

My guess is there is an environmental hole your site could address without IBM having to make changes.
Rick H
Senior Consultant
csrazdan
Participant
Posts: 127
Joined: Wed May 12, 2004 6:03 pm
Location: Chicago IL

Post by csrazdan »

newtier wrote:
dnsjain wrote:
DSguru2B wrote:Logging in with an expired unix id huh, wow, harry potter is real :o
We are on AIX and do not have that "issue". If your password is expired on Unix, you don't get in. (In fact that has been true for several versions back of DataStage.)

My guess is there is an environmental hole your site could address without IBM having to make changes.
We are on AIX and I have also faced this problem. If the UNIX account is locked (for example, an invalid password entered more than 3 times) DataStage is able to restrict login. But if the password is expired (the user has not logged in for n days), or for a login with a newly created account where the password needs to be changed at first login, DataStage is not able to restrict login.

For SOX compliance, we have put the following process in place:
1. For new accounts, the user has to log in once and reset his password before the UNIX administrator can assign the secondary group dstage to his id.
2. For expired accounts, our UNIX administrators run a script to remove the users from the dstage group.

Hope it helps....
Ultramundane wrote:Do you know if Ascential will fix their bug in the current release or are they going to wait until they give us all "the bird"?
"The Bird".... :)
Assume everything I say or do is positive
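An added example (not csrazdan's site script nor anything from IBM) of the second control above: given a list of logins whose UNIX passwords have expired, compute the dstage group membership with those users dropped, and plan the removal commands. The expired-user list is assumed to come from the site's own platform check (it is not produced here), and the group name dstage, the sample /etc/group line and the use of gpasswd as the removal command are assumptions.

```shell
#!/bin/sh
# Closes the DataStage login path for expired UNIX accounts by removing them
# from the dstage secondary group, since the engine itself does not enforce
# password expiry. Pure text processing: nothing here touches /etc/group.

# remove_expired_from_group GROUPLINE EXPIRED
#   GROUPLINE: an /etc/group style line, e.g. "dstage:!:300:alice,bob"
#   EXPIRED:   space-separated logins whose passwords have expired
#   Prints the group line with the expired members removed.
remove_expired_from_group() {
    groupline=$1
    expired=$2
    prefix=$(printf '%s' "$groupline" | cut -d: -f1-3)
    kept=""
    for m in $(printf '%s' "$groupline" | cut -d: -f4 | tr ',' ' '); do
        case " $expired " in
            *" $m "*) ;;                         # expired: drop the member
            *) kept="${kept:+$kept,}$m" ;;       # still valid: keep it
        esac
    done
    printf '%s:%s\n' "$prefix" "$kept"
}

# plan_group_removals GROUPLINE EXPIRED
#   Prints one removal command per expired member that is actually in the
#   group (dry run; pipe into sh only after review). gpasswd is the Linux
#   command; an AIX site would substitute its own group-membership tool.
plan_group_removals() {
    groupname=$(printf '%s' "$1" | cut -d: -f1)
    for m in $(printf '%s' "$1" | cut -d: -f4 | tr ',' ' '); do
        case " $2 " in
            *" $m "*) printf 'gpasswd -d %s %s\n' "$m" "$groupname" ;;
        esac
    done
}

# Constructed sample data: a dstage group line and two expired logins, one
# of whom (dave) is not a dstage member and so must not appear in the plan.
SAMPLE_GROUP='dstage:!:300:alice,bob,carol'
SAMPLE_EXPIRED='bob dave'

if [ "${1:-}" = "demo" ]; then
    remove_expired_from_group "$SAMPLE_GROUP" "$SAMPLE_EXPIRED"
    plan_group_removals "$SAMPLE_GROUP" "$SAMPLE_EXPIRED"
fi
```

Run with `sh script.sh demo` to see the trimmed group line and the planned `gpasswd` command for bob only.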
kumar_s
Charter Member
Posts: 5245
Joined: Thu Jun 16, 2005 11:00 pm

Post by kumar_s »

I have faced this in AIX. And not in HP-UX. But as per Dinesh, it occurs in Solaris as well. So I need to check with my end on next time.
Impossible doesn't mean 'it is not possible' actually means... 'NOBODY HAS DONE IT SO FAR'