Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> RE: How do you audit a DBA?

RE: How do you audit a DBA?

From: Miller, Jay <JayMiller_at_TDWaterhouse.com>
Date: Wed, 05 Sep 2001 13:07:40 -0700
Message-ID: <F001.00383CBF.20010905130624@fatcity.com> 






Apparently it's possible to seperate certain functions out on NT.  I don't
know the details since my NT knowledge is limited to setting up Oracle
Client software on it.



-----Original Message-----


Sent: Wednesday, September 05, 2001 4:13 PM
To: Multiple recipients of list ORACLE-L




and the administrator account on a NT system can't do everything too?




>From: "Miller, Jay" <JayMiller_at_TDWaterhouse.com>

>Reply-To: ORACLE-L_at_fatcity.com

>To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>

>Subject: RE: How do you audit a DBA?

>Date: Wed, 05 Sep 2001 10:55:33 -0800

>

>It was our Internal Audit department.  And their issue with Unix is the 

>same

>issue they have with Oracle.  root can do anything, sys can do anything.

>This is evil incarnate.

>

>External security problems aren't nearly as important.  And yes, it's 

>crazy.

>

>Jay Miller

>

>-----Original Message-----

>Sent: Wednesday, September 05, 2001 1:32 PM

>To: Multiple recipients of list ORACLE-L

>

>

>

>Who was the Auditing Co?  If they think that NT is more secure than unix, I

>don't want them around

>any company I work for...

>

>Ron Thomas

>Hypercom, Inc

>rthomas_at_hypercom.com

>"Either lead by example, or become a terrible warning"

>

>

>

>

>                     JayMiller_at_TDWate

>

>                     rhouse.com              To:     ORACLE-L_at_fatcity.com

>

>                     Sent by:                cc:

>

>                     root_at_fatcity.com        Subject:     RE: How do you

>audit a DBA?

>

>

>

>

>                     09/05/01 09:15

>

>                     AM

>

>                     Please respond

>

>                     to ORACLE-L

>

>

>

>

>

>

>

>

>

>You mean you think DBAs should do things?  My company's auditors were 

>aghast

>when I told them that I did things such as write Unix scripts to monitor 

>the

>database.  They were firmly of the opinion that DBAs should not be allowed

>to write code, only developers should write code.  That was a major audit

>violation right there.  We eventually finessed the issue (we didn't bring 

>it

>up again and they forgot about it as they pursued more important things 

>such

>as trying to convince the company to drop Unix since it wasn't as secure as

>NT), but for a while I started speaking to headhunters again in case all 

>the

>things the auditors were insisting on were actually put in place.

>

>

>-----Original Message-----

>Sent: Wednesday, September 05, 2001 9:06 AM

>To: Multiple recipients of list ORACLE-L

>

>

>What is the purpose of having a dba if he is not allowed to do anything?

>

>"Do not criticize someone until you walked a mile in their shoes, that way

>when you criticize them, you are a mile a way and have their shoes."

>

>Christopher R. Spence

>Oracle DBA

>Phone: (978) 322-5744

>Fax:    (707) 885-2275

>

>Fuelspot

>73 Princeton Street

>North, Chelmsford 01863

>

>

>

>

>-----Original Message-----

>Sent: Thursday, August 23, 2001 1:12 PM

>To: Multiple recipients of list ORACLE-L

>

>

>Dave,

>

>     Your question is somewhat puzzling.  Anyone with DBA privileges can 

>get

>to any table they want since the DBA role contains the 'select any table',

>'update any table', 'delete any table', and 'insert any table' system

>privileges.  You would not require the sys or system passwords to 

>accomplish

>that task.  Is the person asking the question suspicious of one person or

>all of the DBA's at your site?  At any rate it would be best to audit all

>activity against the tables in question and then filter the data after the

>fact.  This is somewhat more important since a trigger cannot catch a

>select, but database auditing can.

>Also, if it's a DBA who is questionable he/she would have access to empty

>out the sys.aud$ table of any activity they created.

>

>Dick Goulet

>

>____________________Reply Separator____________________

>Author: Dave Leach <Dave.Leach_at_claybrook.co.uk>

>Date:       8/23/2001 7:56 AM

>

>Anyone who can help,

>

>I've been asked if Oracle can somehow audit the DBA ie. Raise an alert if

>the DBA were to execute DML statements against sensitive tables, this

>assumes the DBA has the SYS password.  I thought this was a pretty

>reasonable question but couldn't think of an answer.  My trail of though 

>was

>maybe an email alert to a designated member of staff sent via a trigger on

>the table.

>

>Any comments would be very appreciated.

>

>Dave Leach

>

>

>

>

>**********************************************************************

>The above information is confidential to the addressee and may be

>privileged.  Unauthorised access and use is prohibited.

>

>Internet communications are not secure and therefore this Company does not

>accept legal responsibility for the contents of this message.

>

>If you are not the intended recipient, any disclosure, copying, 

>distribution

>or any action taken or omitted to be taken in reliance on it, is prohibited

>and may be unlawful.

>

>Claybrook Computing Limited is a subsidiary of

>Claybrook Computing (Holdings) Limited

>Registered Office: Abbey House. 282 Farnborough Road, Farnborough, 

>Hampshire

>GU14 7NJ Registered in England and Wales No 1287205

>

>A Hogg Robinson plc company

>**********************************************************************

>--

>Please see the official ORACLE-L FAQ: http://www.orafaq.com

>--

>Author: Dave Leach

>   INET: Dave.Leach_at_claybrook.co.uk

>

>Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051

>San Diego, California        -- Public Internet access / Mailing Lists

>--------------------------------------------------------------------

>To REMOVE yourself from this mailing list, send an E-Mail message

>to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the

>message BODY, include a line containing: UNSUB ORACLE-L (or the name of

>mailing list you want to be removed from).  You may also send the HELP

>command for other information (like subscribing).

>--

>Please see the official ORACLE-L FAQ: http://www.orafaq.com

>--

>Author:

>   INET: dgoulet_at_vicr.com

>

>Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051

>San Diego, California        -- Public Internet access / Mailing Lists

>--------------------------------------------------------------------

>To REMOVE yourself from this mailing list, send an E-Mail message

>to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the

>message BODY, include a line containing: UNSUB ORACLE-L (or the name of

>mailing list you want to be removed from).  You may also send the HELP

>command for other information (like subscribing).

>--

>Please see the official ORACLE-L FAQ: http://www.orafaq.com

>--

>Author: Christopher Spence

>   INET: cspence_at_FuelSpot.com

>

>Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051

>San Diego, California        -- Public Internet access / Mailing Lists

>--------------------------------------------------------------------

>To REMOVE yourself from this mailing list, send an E-Mail message

>to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in

>the message BODY, include a line containing: UNSUB ORACLE-L

>(or the name of mailing list you want to be removed from).  You may

>also send the HELP command for other information (like subscribing).

>--

>Please see the official ORACLE-L FAQ: http://www.orafaq.com

>--

>Author: Miller, Jay

>   INET: JayMiller_at_TDWaterhouse.com

>

>Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051

>San Diego, California        -- Public Internet access / Mailing Lists

>--------------------------------------------------------------------

>To REMOVE yourself from this mailing list, send an E-Mail message

>to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in

>the message BODY, include a line containing: UNSUB ORACLE-L

>(or the name of mailing list you want to be removed from).  You may

>also send the HELP command for other information (like subscribing).

>

>

>

>

>--

>Please see the official ORACLE-L FAQ: http://www.orafaq.com

>--

>Author: Ron Thomas

>   INET: rthomas_at_hypercom.com

>

>Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051

>San Diego, California        -- Public Internet access / Mailing Lists

>--------------------------------------------------------------------

>To REMOVE yourself from this mailing list, send an E-Mail message

>to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in

>the message BODY, include a line containing: UNSUB ORACLE-L

>(or the name of mailing list you want to be removed from).  You may

>also send the HELP command for other information (like subscribing).

>--

>Please see the official ORACLE-L FAQ: http://www.orafaq.com

>--

>Author: Miller, Jay

>   INET: JayMiller_at_TDWaterhouse.com

>

>Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051

>San Diego, California        -- Public Internet access / Mailing Lists

>--------------------------------------------------------------------

>To REMOVE yourself from this mailing list, send an E-Mail message

>to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in

>the message BODY, include a line containing: UNSUB ORACLE-L

>(or the name of mailing list you want to be removed from).  You may

>also send the HELP command for other information (like subscribing).







Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp


-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Rachel Carmichael
  INET: carmichr_at_hotmail.com

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Miller, Jay
  INET: JayMiller_at_TDWaterhouse.com

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).


Received on Wed Sep 05 2001 - 15:07:40 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US