
RE: Using DD to Read Data from Oracle Datafiles

From: <Joel.Patterson_at_crowley.com>
Date: Fri, 9 Feb 2007 08:21:14 -0500
Message-ID: <02C2FA1C9961934BB6D16DE35707B27B0295BE5A@jax-mbh-01.jax.crowley.com>


Restrict DBA access to application data in 11g using Vault: see link, around slide 23. Saw the presentation on security; Oracle can do pretty well, and SOX has motivated Oracle to implement data security, so that even superusers can be restricted.

http://www.oracle.com/dm/07q3field/security_and_compliance.pdf    

Joel Patterson
Database Administrator
joel.patterson_at_crowley.com
x72546
904 727-2546


From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Mark W. Farnham
Sent: Thursday, February 08, 2007 9:05 PM
To: Mark.Bobak_at_il.proquest.com; kevinc_at_polyserve.com; 'freelists'
Subject: RE: Using DD to Read Data from Oracle Datafiles

While I agree, in some corners this runs into the whole Sarbanes Oxley catastrophe where the folks who facilitated the apparently false financial reports of Enron are amongst the beneficiaries of the CPA consultant full employment act to make life miserable to the most honest and honorable rank and file group of people on the planet (DBA/sysadmins).  

So then the game shifts to "how can we prevent the DBAs and sysadmins from discerning real data?"  

I am not claiming to know a good universal answer. Starting by hiring Dirty Harry as your HR director wouldn't be a bad start though.  

I'd wink, but the overhead to American business is so sad it nearly brings me to tears.  

mwf  


From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Bobak, Mark
Sent: Thursday, February 08, 2007 4:13 PM
To: kevinc_at_polyserve.com; freelists
Subject: RE: Using DD to Read Data from Oracle Datafiles  

Kevin makes a fair point. I don't know about other shops, but our production database servers are dedicated to being database servers. The only users who are given logins are sysadmin and dba. I can't think of any valid reason that anyone else would need login access on a production database server. If you limit the users who have access to the servers at all, then you really don't have to worry about the myriad of possible local attacks.  

-Mark  

--

Mark J. Bobak

Senior Oracle Architect

ProQuest Information & Learning

There is nothing so useless as doing efficiently that which shouldn't be
done at all.  -Peter F. Drucker, 1909-2005

 

 

________________________________

From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Kevin Closson
Sent: Thursday, February 08, 2007 4:00 PM
To: freelists
Subject: RE: Using DD to Read Data from Oracle Datafiles

If you are worried about a user getting to the dd(1) command, you should probably worry about them compiling C (libc), or having shell access at all, no?

________________________________

From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of rjamya
Sent: Thursday, February 08, 2007 12:39 PM
To: naqimirza_at_yahoo.com
Cc: Oracle-L @ freelists.org
Subject: Re: Using DD to Read Data from Oracle Datafiles

So, you can make sure that

1. any normal user can't get to the raw (or cooked) datafiles.
2. They don't have access to 'dd' command

in addition to whatever else that you are doing.

--
http://www.freelists.org/webpage/oracle-l
Received on Fri Feb 09 2007 - 07:21:14 CST
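
The first check in rjamya's list above (normal users cannot read the datafiles) is the one that holds regardless of which tool is used to read them. The script below is an added example, not part of the original thread; the DBA group argument, the helper names and the sample `.dbf` file names are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Reports datafiles that a login other
# than the owner could open, which is the precondition for reading them with
# dd(1) or any other program. All paths and names below are constructed.

# audit_datafiles DIR DBA_GROUP
# Prints "other-readable <path>" for files any local account can read and
# "group-readable <path>" for files readable by a group other than DBA_GROUP
# (an existing group name or a numeric gid).
# Returns 1 when anything was reported, 0 when the tree is clean.
audit_datafiles() {
    dir=$1
    dba_group=$2
    findings=$(
        find "$dir" -type f -perm -004 | sed 's/^/other-readable /'
        find "$dir" -type f -perm -040 ! -perm -004 ! -group "$dba_group" |
            sed 's/^/group-readable /'
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# file_gid PATH: numeric group id of PATH, taken from "ls -n" output.
file_gid() {
    ls -ldn "$1" | awk '{print $4}'
}

# make_sample_tree: builds a constructed datafile directory and prints its path.
make_sample_tree() {
    t=$(mktemp -d)
    : > "$t/system01.dbf"; chmod 640 "$t/system01.dbf"   # owner + group only
    : > "$t/users01.dbf";  chmod 644 "$t/users01.dbf"    # readable by everyone
    : > "$t/undo01.dbf";   chmod 600 "$t/undo01.dbf"     # owner only
    printf '%s\n' "$t"
}

# Demo on the constructed tree; in practice pass the real datafile directory
# and the group the Oracle software owner shares with the DBAs.
tree=$(make_sample_tree)
audit_datafiles "$tree" "$(file_gid "$tree/system01.dbf")" ||
    echo "exposed datafiles found"
rm -rf "$tree"
```
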
