
RE: How do you audit a DBA?

From: Boivin, Patrice J <BoivinP_at_mar.dfo-mpo.gc.ca>
Date: Wed, 05 Sep 2001 08:38:09 -0700
Message-ID: <F001.0038367A.20010905084106@fatcity.com>

Re. Windows security...
http://www.wired.com/news/infostructure/0,1377,46531,00.html

Seems WindowsXP is circulating already.

Patrice Boivin
Systems Analyst (Oracle Certified DBA)

        -----Original Message-----
        From:   Miller, Jay [SMTP:JayMiller_at_TDWaterhouse.com]
        Sent:   Wednesday, September 05, 2001 1:16 PM
        To:     Multiple recipients of list ORACLE-L
        Subject:        RE: How do you audit a DBA?

        You mean you think DBAs should do things?  My company's auditors
        were aghast when I told them that I did things such as write Unix
        scripts to monitor the database.  They were firmly of the opinion
        that DBAs should not be allowed to write code, only developers
        should write code.  That was a major audit violation right there.
        We eventually finessed the issue (we didn't bring it up again and
        they forgot about it as they pursued more important things such as
        trying to convince the company to drop Unix since it wasn't as
        secure as NT), but for a while I started speaking to headhunters
        again in case all the things the auditors were insisting on were
        actually put in place.


        -----Original Message-----
        Sent: Wednesday, September 05, 2001 9:06 AM
        To: Multiple recipients of list ORACLE-L


        What is the purpose of having a dba if he is not allowed to do
        anything?

        "Do not criticize someone until you walked a mile in their shoes,
        that way when you criticize them, you are a mile away and have
        their shoes."

        Christopher R. Spence 
        Oracle DBA
        Phone: (978) 322-5744
        Fax:    (707) 885-2275

        Fuelspot
        73 Princeton Street
        North, Chelmsford 01863
         



        -----Original Message-----
        Sent: Thursday, August 23, 2001 1:12 PM
        To: Multiple recipients of list ORACLE-L


        Dave,

            Your question is somewhat puzzling.  Anyone with DBA privileges
        can get to any table they want since the DBA role contains the
        'select any table', 'update any table', 'delete any table', and
        'insert any table' system privileges.  You would not require the
        sys or system passwords to accomplish that task.  Is the person
        asking the question suspicious of one person or all of the DBAs at
        your site?  At any rate it would be best to audit all activity
        against the tables in question and then filter the data after the
        fact.  This is somewhat more important since a trigger cannot catch
        a select, but database auditing can.
        Also, if it's a DBA who is questionable he/she would have access to
        empty out the sys.aud$ table of any activity they created.

        Dick Goulet

        ____________________Reply Separator____________________
        Author: Dave Leach <Dave.Leach_at_claybrook.co.uk>
        Date:       8/23/2001 7:56 AM

        Anyone who can help,

        I've been asked if Oracle can somehow audit the DBA, i.e. raise an
        alert if the DBA were to execute DML statements against sensitive
        tables; this assumes the DBA has the SYS password.  I thought this
        was a pretty reasonable question but couldn't think of an answer.
        My trail of thought was maybe an email alert to a designated member
        of staff sent via a trigger on the table.

        Any comments would be very appreciated.

        Dave Leach

         


        

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Boivin, Patrice J
  INET: BoivinP_at_mar.dfo-mpo.gc.ca

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
Received on Wed Sep 05 2001 - 10:38:09 CDT
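
The approach described in Dick Goulet's reply above (audit all activity on the sensitive tables, filter afterwards, and keep an eye on sys.aud$ itself), written out as an added example that is not from any poster in the thread. The table HR.SALARIES is a hypothetical name, and the statements assume standard auditing is switched on with AUDIT_TRAIL = DB.

```sql
-- Added example; HR.SALARIES is a hypothetical sensitive table.
-- Assumes standard auditing is enabled (init.ora: AUDIT_TRAIL = DB,
-- set before instance startup).

-- 1. Record every statement against the sensitive table, SELECT included
--    (a DML trigger on the table never fires for a SELECT).
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr.salaries BY ACCESS;

-- 2. Record DML against the audit trail itself, so that a DELETE
--    against SYS.AUD$ is itself written to the trail.
AUDIT INSERT, UPDATE, DELETE ON sys.aud$ BY ACCESS;

-- 3. Filter after the fact: activity on the table by accounts
--    that hold the DBA role.
SELECT t.timestamp, t.username, t.os_username, t.userhost, t.action_name
  FROM dba_audit_trail t
 WHERE t.owner    = 'HR'
   AND t.obj_name = 'SALARIES'
   AND t.username IN (SELECT grantee
                        FROM dba_role_privs
                       WHERE granted_role = 'DBA')
 ORDER BY t.timestamp;

-- 4. Review any DML on the audit trail separately; in normal operation
--    only a scheduled purge job should appear here.
SELECT t.timestamp, t.username, t.os_username, t.userhost, t.action_name
  FROM dba_audit_trail t
 WHERE t.owner    = 'SYS'
   AND t.obj_name = 'AUD$'
   AND t.action_name IN ('INSERT', 'UPDATE', 'DELETE')
 ORDER BY t.timestamp;
```

Standard auditing of this kind covers named accounts holding the DBA role; statements issued in a session connected as SYS are not written to SYS.AUD$ by these settings, which is the case the original question raises.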
