Re: Tough question for oracle DBAs/Solaris Admins. Log shipping.

On 2006-09-02 01:35:13 +0100, Ningi <ningi_at_EGGSANDSPAMblueyonder.co.uk> said:

> Frank Cusack wrote:
> <snip>
>
> m UNTRUSTED employees, not eliminating trust from the system.

>> 
>> No auditor will balk at not having immutable files as long as only trusted
>> employees are in the position to undetectably alter data.

Well, nobody who is not privileged on the machine can alter data. How do you get privileged access to the machine? Certainly you make sure that no one knows the root password (and I mean no one: if you have to recover it it's in a safe somewhere, requiring physical access and then several different security tokens to unlock it), instead you design a system where it takes at least n from m people collaborating on the system to do something privileged (this isn't very hard to do). And so on. It's relatively easy to design a system which requires quite a lot of people working together to compromise it.

Finally, because you have auditing turned on (and the audit data is obviously immediately leaving the machine and being watched by several other systems to which no one who even might have privileged access to the machine has access), when things do get changed you have a log of what happened.

I think the main issue is that you need to get away from the fact that any person will ever be able, on their own, to perform privileged actions on the machine.

--tim Received on Sat Sep 02 2006 - 13:36:51 CDT