
Re: Oracle OS level security

From: Tim Gorman <Tim_at_SageLogix.com>
Date: Thu, 28 Nov 2002 12:03:47 -0800
Message-ID: <F001.0050EB59.20021128120347@fatcity.com>


My $0.02...

Oracle9i provides the AUDIT_SYS_OPERATIONS parameter, which will audit only to the OS audit trail. Thus, anything that SYSDBA does can be audited.

The reason for the OS audit-trail only? Because SYSDBA can always erase a DB audit trail (even if the act of erasure is still audited). All SYSDBAs, however, can be prevented from reading or modifying the OS audit trail.

I believe the only secure configuration for an Oracle database has the "software owner" (typically named "oracle") and OS_SYSDBA and OS_SYSOPER groups under control of SysAdmins only. Those with SYSDBA do not need access to that OS account or those OS groups.

The only occasion that access is needed is during software installation/maintenance, and Oracle is doing a reasonably good job with OUI to make even this a task which can be performed by SysAdmins assisted by DBAs. Even when this isn't the case, such access can be temporary and audited at the OS level.

The real problem is DBAs ourselves, who seem to treasure day-to-day usage of the Oracle software owner and membership of private accounts in the OS_SYSDBA and OS_SYSOPER groups...

> Jared,
>
> Very interested in the "thread" you hypothetically raised. I'm working in a
> pharmaceutical site which is subject to FDA and other regulations, part of
> which is the whole business of audit trails.
>
> We have a Standard Operating Procedure which states that whilst DBAs have
> access to data they will not change it. A recognition of the DBAs'
> capabilities, but stating on paper the company's trust that they will "behave"
> themselves.
>
> On a more practical point, with NT/W2K the Oracle audit trail can be set to
> write audit trail records to the event logs. DBAs can be prevented from
> changing the event logs. So now it would take at least 2 people to instigate a
> fraud. Hey, this might foster even better relations between DBAs and SAs
> ;)
>
> Just my 2 cent worth :)
> -------------------------
> Seán O' Neill
> Organon (Ireland) Ltd.
> [subscribed: digest mode]
>
> >> From: Jared.Still_at_radisys.com
> >> Date: Tue, 26 Nov 2002 14:40:24 -0800
> >> Subject: Oracle OS level security
> >>
> >>Dear list,
> >>
> >>Let me toss a hypothetical situation at you.
> etc. etc.
> Author: O'Neill, Sean
> INET: Sean.ONeill_at_organon.ie

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Tim Gorman
  INET: Tim_at_SageLogix.com

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
Received on Thu Nov 28 2002 - 14:03:47 CST
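The configuration argued for in this thread has two checkable parts: SYSDBA activity is audited to the OS audit trail (AUDIT_SYS_OPERATIONS), and the Oracle software owner account and the OS_SYSDBA/OS_SYSOPER groups contain no personal DBA accounts. The following script is an added example, not code from the thread or from Oracle; it runs the two checks over constructed input embedded inline (an /etc/group excerpt and a name=value parameter dump), so it runs offline. The group names `dba` and `oper`, the account names, the paths and the parameter values are assumptions chosen for the illustration; in practice the group text would come from the real /etc/group and the parameter dump from a query such as `SELECT name||'='||value FROM v$parameter WHERE name LIKE 'audit%';` run as SYSDBA.

```shell
#!/bin/sh
# Added example (not from the Oracle-L thread): verify the OS-level controls the
# thread describes. All sample data below is constructed for the demonstration.

# Constructed /etc/group excerpt. The "dba" group (OS_SYSDBA) wrongly holds a
# personal DBA account, jsmith; "oper" (OS_SYSOPER) holds only the software owner.
SAMPLE_GROUP='root:x:0:
oinstall:x:500:oracle
dba:x:501:oracle,jsmith
oper:x:502:oracle'

# Constructed parameter dump, one name=value per line, as it might be produced
# from v$parameter. Here SYSDBA auditing to the OS trail is still off.
SAMPLE_PARAMS='audit_sys_operations=FALSE
audit_trail=DB
audit_file_dest=/u01/app/oracle/admin/orcl/adump'

# Print the members of a group, one per line, given /etc/group text ($1) and a
# group name ($2). Prints nothing if the group is absent or empty.
group_members() {
    printf '%s\n' "$1" | awk -F: -v g="$2" '$1 == g { print $4 }' | tr ',' '\n'
}

# Return 0 if every member of group $2 is in the space-separated allowed list $3
# (normally just the software owner); otherwise report the offenders and return 1.
check_group() {
    _bad=""
    for _m in $(group_members "$1" "$2"); do
        case " $3 " in
            *" $_m "*) ;;
            *) _bad="$_bad $_m" ;;
        esac
    done
    if [ -n "$_bad" ]; then
        echo "group $2 has members outside the allowed list:$_bad" >&2
        return 1
    fi
    return 0
}

# Print the value of parameter $2 from a name=value dump $1.
param_value() {
    printf '%s\n' "$1" | awk -F= -v p="$2" '$1 == p { print $2 }'
}

# Return 0 if SYSDBA operations are being audited to the OS trail, else 1.
check_sys_audit() {
    [ "$(param_value "$1" audit_sys_operations)" = "TRUE" ]
}

# Run both checks against the constructed data when executed directly.
run_all() {
    _rc=0
    check_sys_audit "$SAMPLE_PARAMS" || { echo "audit_sys_operations is not TRUE" >&2; _rc=1; }
    check_group "$SAMPLE_GROUP" dba oracle || _rc=1
    check_group "$SAMPLE_GROUP" oper oracle || _rc=1
    return $_rc
}
```

Against the constructed data the script reports two findings: audit_sys_operations is FALSE, and the dba group contains jsmith. Both checks are only as trustworthy as the account the script runs under; the thread's point is that it should be a SysAdmin, not a DBA, who owns the oracle account and can read the audit trail.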
