
Re: is it possible to edit archivelog files?

From: Paul Brewer <paul_at_paul.brewers.org.uk>
Date: Tue, 22 Oct 2002 22:34:31 +0100
Message-ID: <3db6f193_2@mk-nntp-1.news.uk.worldonline.com>

"Daniel Morgan" <dmorgan_at_exesolutions.com> wrote in message news:3DB43A03.79AC3EF5_at_exesolutions.com...
> Wijbrand Pauw wrote:
>
> > Hi,
> >
> > I work at a large bank and we want to get on Unix-Oracle the highest
> > possible classification on availability and integrity.
> >
> > You all know the expression that one fool can ask more questions than 100
> > wise men can answer, well then our security officer is a fool.....
> >
> > He now wants to know if it is possible to edit/change an archivelogfile and
> > then apply it to a standby database.
> > We are doing a checksum on the files on the production and standby machine
> > before applying, for what that's worth.
> > He wants to know because he wants to be very sure that someone can't fake a
> > disaster on production, going to the standby database, bringing it up and
> > there are for example new financial transactions (there will be over
> > $50.000.000.000,- transferred every day) which weren't in the original
> > production environment (that one is for example completely destroyed).
> >
> > I know that this sounds perhaps a bit silly or overdone but they want to
> > know.
> > So is there a chance that someone can hack the archivelog files and the file
> > still be accepted by the standby database?
> >
> > Can you think of other potential dangers of changing the standby database
> > without being noticed (of course the database will remain in standby mode
> > but it is also used in read only)?
> >
> > Thanks for your reply!
> >
> > Regards,
> >
> > Wijbrand
>
> Reading the various answers to your post I am left with the following (A) anyone
> can do it and (B) hard as heck. So I'm not sure how you will decipher which
> answer is correct.
>
> My answer is a bit different.
>
> The biggest security leak to any system is a post-it note with a user-id and
> password on it taped to the bottom of a keyboard or stuck inside of a drawer.
>
> The security risks of Oracle are lower than with its competitors if one
> institutes good policies and procedures and takes advantage of all of the
> security features Oracle has to offer. One thing you might consider is to write
> a function that encrypts/decrypts dollar amounts and wrap the code. Then people
> may be able to hack anything but it will be impossible to know what they are
> hacking.
>
> But in the end the problem really comes down to controlling physical access. If
> someone can't get to it ... they can't alter it.
>
> Daniel Morgan

Seems sensible to me.
Just keep your database server in the machine room, and lock it.

Paul

Received on Tue Oct 22 2002 - 16:34:31 CDT
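
Added example (not part of the original thread, and not Oracle's own log validation): the pre-apply checksum step mentioned in the quoted question, done with a keyed HMAC so that someone who alters a shipped file cannot simply recompute a matching checksum. The file names, the key and the two-directory layout are constructed assumptions.

```python
import hashlib
import hmac
import os
import tempfile

def file_mac(path, key):
    """HMAC-SHA256 over the file contents, streamed in 1 MiB chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            mac.update(chunk)
    return mac.hexdigest()

def build_manifest(directory, key):
    """Production side: map each archived log's file name to its MAC."""
    return {n: file_mac(os.path.join(directory, n), key) for n in os.listdir(directory)}

def verify_before_apply(directory, manifest, key):
    """Standby side: return (accepted, rejected) before anything is applied."""
    present = sorted(os.listdir(directory))
    accepted, rejected = [], []
    for name in present:
        expected = manifest.get(name)
        if expected is None:
            rejected.append((name, "not in manifest"))
        elif hmac.compare_digest(expected, file_mac(os.path.join(directory, name), key)):
            accepted.append(name)
        else:
            rejected.append((name, "MAC mismatch"))
    rejected += [(n, "missing on standby") for n in sorted(set(manifest) - set(present))]
    return accepted, rejected

def demo():
    # Constructed key; assumed to be kept where the file-transfer path cannot read it.
    key = b"constructed-demo-key"
    with tempfile.TemporaryDirectory() as prod, tempfile.TemporaryDirectory() as stby:
        for name, data in [("arch_1_101.arc", b"redo A"), ("arch_1_102.arc", b"redo B")]:
            for d in (prod, stby):  # constructed stand-ins for shipped archived logs
                with open(os.path.join(d, name), "wb") as fh:
                    fh.write(data)
        manifest = build_manifest(prod, key)
        with open(os.path.join(stby, "arch_1_102.arc"), "ab") as fh:
            fh.write(b"edited")  # altered after the manifest was built
        with open(os.path.join(stby, "arch_1_103.arc"), "wb") as fh:
            fh.write(b"forged")  # a file production never produced
        return verify_before_apply(stby, manifest, key)
```

Calling demo() accepts only the untouched file and rejects both the edited log and the extra one, so nothing unlisted or altered reaches the apply step.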
