Re: Tough question for oracle DBAs/Solaris Admins. Log shipping.
Comments in-line
Karen Hill wrote:
> DA Morgan wrote:
>> Karen Hill wrote:
>>> We know that Oracle and SUN/Solaris go together quite well on high end
>>> installs. To insure an audit trail for BASEL, HIPAA, Sarbanes Ox and
>>> other federal laws, one can ship oracle logs to an offsite server.
>>> Yet, how can this guarantee an audit trail, when Solaris does not
>>> support immutable files? Immutable files are files where not even root
>>> can change/delete/move a file set as immutable.
>> The secret is to keep audit trails inside the database and create an
>> audit trail of any attempt to alter it.
>>
>> How can I tell if the audit trail's been altered?
>> One way is to apply DBMS_CRYPTO to the data.
>> Data alteration becomes impossible.

They can not sniff them for different reasons depending on how you go about creating the system. Here's one way.
Create the key using the DBMS_CRYPTO package with RANDOMBYTES inside of a function created using DBMS_DDL.CREATE_WRAPPED. No human ever sees it and no human ever can.
Just be very sure you back up the system with great care.

>> Want additional methods? Apply some of Oracle's built-in capabilities
>> such as checksums. Here is a list of topics you can look up in Morgan's
>> Library at www.psoug.org that may help.
>>
>> DBMS_CRYPTO
>> OWA_OPT_LOCK.CHECKSUM
>> OWA_OPT_LOCK.VERIFY_VALUES

Stay out of the file system. The file system is for system admins and there is nothing they can do that they can not undo. And these days, with Oracle 10g there is really little you can do outside of the database you can't do better inside.
--
Puget Sound Oracle Users Group

Received on Fri Sep 01 2006 - 19:08:34 CDT
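
One way to build what the post above describes, as an added example that is not from the original thread: a DBMS_CRYPTO HMAC chain over audit rows, keyed by a function created through DBMS_DDL.CREATE_WRAPPED. The table layout and the names audit_log, audit_key, audit_mac, audit_write and audit_first_bad_id are assumptions; HMAC_SH1 is used because it is available in 10g.

```sql
-- Added example; audit_log, audit_key, audit_mac, audit_write and
-- audit_first_bad_id are hypothetical names. Needs EXECUTE on DBMS_CRYPTO.
-- Key: 32 random bytes baked into a wrapped function at creation time.
BEGIN
  DBMS_DDL.CREATE_WRAPPED(
    'CREATE OR REPLACE FUNCTION audit_key RETURN RAW IS BEGIN RETURN HEXTORAW('''
    || RAWTOHEX(DBMS_CRYPTO.RANDOMBYTES(32)) || '''); END;');
END;
/
CREATE TABLE audit_log (
  id NUMBER PRIMARY KEY, who VARCHAR2(30), action VARCHAR2(200), mac RAW(20));

-- HMAC over the previous row's MAC plus this row's fields (a chain), so an
-- edited, deleted or reordered row makes verification fail at that point.
CREATE OR REPLACE FUNCTION audit_mac(p_prev RAW, p_id NUMBER, p_who VARCHAR2,
                                     p_action VARCHAR2) RETURN RAW IS
BEGIN
  RETURN DBMS_CRYPTO.MAC(
    UTL_RAW.CONCAT(p_prev, UTL_I18N.STRING_TO_RAW(
      TO_CHAR(p_id) || '|' || p_who || '|' || p_action, 'AL32UTF8')),
    DBMS_CRYPTO.HMAC_SH1, audit_key);
END;
/
CREATE OR REPLACE PROCEDURE audit_write(p_who VARCHAR2, p_action VARCHAR2) IS
  v_prev RAW(20);          -- stays NULL for the first row of the chain
  v_id   NUMBER := 0;
BEGIN
  LOCK TABLE audit_log IN EXCLUSIVE MODE;  -- one writer at a time: one chain tail
  FOR r IN (SELECT id, mac FROM audit_log
             WHERE id = (SELECT MAX(id) FROM audit_log)) LOOP
    v_id := r.id; v_prev := r.mac;
  END LOOP;
  INSERT INTO audit_log (id, who, action, mac)
  VALUES (v_id + 1, p_who, p_action, audit_mac(v_prev, v_id + 1, p_who, p_action));
END;
/
-- Returns the id of the first row whose MAC does not verify, NULL if intact.
CREATE OR REPLACE FUNCTION audit_first_bad_id RETURN NUMBER IS
  v_prev RAW(20);
BEGIN
  FOR r IN (SELECT id, who, action, mac FROM audit_log ORDER BY id) LOOP
    IF r.mac IS NULL
       OR UTL_RAW.COMPARE(r.mac, audit_mac(v_prev, r.id, r.who, r.action)) <> 0 THEN
      RETURN r.id;
    END IF;
    v_prev := r.mac;
  END LOOP;
  RETURN NULL;
END;
/
```

A chain alone cannot show that the newest rows were removed, so record the latest id and MAC somewhere outside the database administrator's reach. Oracle's documentation describes wrapping as obfuscation rather than a secure way to hide secrets, so EXECUTE on audit_key should also be restricted to the schema that owns the audit code.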