Re: Database comparisons
Date: Mon, 11 Jan 2010 10:43:24 -0800 (PST)
Perhaps this the DBA battles with IT auditors is what Tennyson was thinking about when he wrong Charge of the light Brigade...
Just a thought...
Robert G. Freeman
Ask me about on-site Oracle Training! RMAN, DBA, Tuning, you name it! Author:
Oracle Database 11g RMAN Backup and Recovery (Oracle Press) - ON ITS WAY SOON! OCP: Oracle Database 11g Administrator Certified Professional Study Guide (Sybex) Oracle Database 11g New Features (Oracle Press) Oracle Database 10g New Features (Oracle Press) Other various titles
Blog: http://robertgfreeman.blogspot.com Check out my new blog series on installing Oracle Database 11gR2 on Windows using VMWare!
From: "Goulet, Richard" <Richard.Goulet_at_parexel.com> To: oracledba.williams_at_gmail.com; oracle-l_at_freelists.org Sent: Mon, January 11, 2010 10:57:33 AM
Subject: RE: Database comparisons
For one thing I've got to take your question from the perspective of my current situation where I don't create change scripts to production database, just run them. In this case I'd simply refer the auditor to the creator of the script & leave well enough alone. (the less I have to do with auditors the better).
But from your message I take it that you are one, if not the only, creator of these scripts and so the task lies in your lap. First off, I'm going to assume (maybe reaching on this one) that the auditor is sufficiently knowledgeable that he/she is not including the data dictionary in their question. The reason is that any script that changes data or structure in the database is going to make changes in dictionary tables, heck for one the SCN is going to change. And we all should know that this is normal and expected behavior. Outside of that the only way one table can change data in another table is if there is a trigger on the table(s) that you are modifying that propagates data to other tables, like MLOG triggers. Probably the easiest way is to enable auditing of the schema while the script is running. If the auditing doesn't catch a change it never happen, simple.
On another note, I've recently run into the auditor who believed he had a right to question changes made to any database within the company. Thankfully the legal folks were happily able to correct his interpretation of SOX.
DBA/NA Team Lead
From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Dennis Williams
Sent: Monday, January 11, 2010 12:25 PM
We have an audit finding related to data integrity. I'm looking for a way to detect all database changes on a small test database. Fortunately the environment is well-contained. Typically when we've made application changes, we verify that the data changes are what we expect. The auditors are insisting that we somehow verify there aren't unexpected changes in other tables. The environment is Oracle 10.2.0.4 on Solaris. I have three thoughts:
- The test database is freshly loaded from an export. After the tests, take an export and use UNIX "diff" and compare with the import.
- Log Miner, or somehow more directly inspecting the archive logs.
- Use some of the new flashback features to detect changes. This just occurred to me and I haven't had time to investigate it.
Has anyone else done anything like this before?
Dennis WilliamsReceived on Mon Jan 11 2010 - 12:43:24 CST