Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
Re: Tough question for oracle DBAs/Solaris Admins. Log shipping.
DA Morgan wrote:
> Karen Hill wrote:
> > We know that Oracle and SUN/Solaris go together quite well on high end
> > installs. To ensure an audit trail for BASEL, HIPAA, Sarbanes Ox and
> > other federal laws, one can ship Oracle logs to an offsite server.
> > Yet, how can this guarantee an audit trail, when Solaris does not
> > support immutable files? Immutable files are files where not even root
> > can change/delete/move a file set as immutable.
>
> The secret is to keep audit trails inside the database and create an
> audit trail of any attempt to alter it.
>
> How can I tell if the audit trail's been altered?
> One way is to apply DBMS_CRYPTO to the data.
> Data alteration becomes impossible.
Where does Oracle keep the encryption keys? If someone has root, could they not just sniff out where Oracle has the encryption keys and then decrypt the data?
>
> Want additional methods? Apply some of Oracle's built-in capabilities
> such as checksums. Here is a list of topics you can look up in Morgan's
> Library at www.psoug.org that may help.
Checksums are good, but how about the collisions in SHA-1 and MD5 that have been discovered?
>
> DBMS_CRYPTO
> OWA_OPT_LOCK.CHECKSUM
> OWA_OPT_LOCK.VERIFY_VALUES
Looks very informative, I will certainly look into this. I understand
that it is a layered defence which is good. I've read that Oracle has
its own filesystem that one can apply to the raw disk. Maybe the
Oracle filesystem has immutable settings?
Received on Fri Sep 01 2006 - 17:15:49 CDT
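
The tamper-evidence idea discussed in this thread, as an added example (not from either poster, and not Oracle's DBMS_CRYPTO API): a keyed hash chain over audit rows using HMAC-SHA-256, where the key and the last tag are assumed to be held on the off-site host. The record fields, key, and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # fixed starting value for the chain


def _tag(key: bytes, prev_tag: bytes, record: dict) -> bytes:
    """HMAC-SHA-256 over the previous tag plus a canonical encoding of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag + body, hashlib.sha256).digest()


def seal(key: bytes, records: list) -> list:
    """Return (record, tag) pairs; each tag also covers the tag before it."""
    sealed, prev = [], GENESIS
    for rec in records:
        prev = _tag(key, prev, rec)
        sealed.append((rec, prev.hex()))
    return sealed


def verify(key: bytes, sealed: list, expected_last_tag: str):
    """Return (True, None), or (False, index) of the first entry that fails.

    expected_last_tag is the final tag as recorded on the off-site host; without
    it, dropping entries from the end of the trail would go unnoticed.
    """
    prev = GENESIS
    for i, (rec, tag_hex) in enumerate(sealed):
        prev = _tag(key, prev, rec)
        if not hmac.compare_digest(prev.hex(), tag_hex):
            return (False, i)
    if not hmac.compare_digest(prev.hex(), expected_last_tag):
        return (False, len(sealed))
    return (True, None)


# Constructed sample audit rows (not real Oracle audit output).
SAMPLE = [
    {"seq": 1, "user": "APP", "action": "LOGON"},
    {"seq": 2, "user": "APP", "action": "UPDATE ACCOUNTS"},
    {"seq": 3, "user": "SYS", "action": "ALTER SYSTEM"},
]
KEY = b"constructed-demo-key-held-off-host"  # assumption: stored off the DB host

if __name__ == "__main__":
    trail = seal(KEY, SAMPLE)
    print(verify(KEY, trail, trail[-1][1]))
```

A trail re-sealed by someone who holds the key is internally consistent, so the check only has value when the last tag is compared against a copy kept where the database host's administrators cannot rewrite it.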