
Re: Sarbanes-Oxley

From: DA Morgan <damorgan_at_x.washington.edu>
Date: Sat, 30 Oct 2004 08:40:33 -0700
Message-ID: <1099150774.474962@yasure>


Oradba Linux wrote:

> "DA Morgan" <damorgan_at_x.washington.edu> wrote in message
> news:1099101690.698157_at_yasure...
> 

>>Oradba Linux wrote:
>>
>>
>>>"DA Morgan" <damorgan_at_x.washington.edu> wrote in message
>>>news:1099009667.807386_at_yasure...
>>>
>>>
>>>>I just picked up a new publicly held company as a client today that has,
>>>>I know I know, multiple applications running on 7.3.3 on a paleolithic
>>>>version of Solaris.
>>>>
>>>>My question ... can anyone think of a way to audit logons and activities
>>>>conducted by SYS, SYSTEM, and INTERNAL?
>>>>
>>>>I don't think so but then some of you, unfortunately, have been forced
>>>>to work in version 7 for the last decade and may know, or remember,
>>>>something. Upgrading will come soon ... but the need to comply with the
>>>>law will come sooner.
>>>>
>>>>Thanks.
>>>>--
>>>>Daniel A. Morgan
>>>>University of Washington
>>>>damorgan_at_x.washington.edu
>>>>(replace 'x' with 'u' to respond)
>>>
>>>
>>>Did you think about OS auditing?
>>
>>I did. But how is that going to catch someone logging in from SQL*Plus?
>>I don't just need to know they are there ... I need to know what they
>>are doing. I think it impossible but that doesn't mean someone out there
>>doesn't know how to do it.
>>
>>Thanks.
>>--
>>Daniel A. Morgan
>>University of Washington
>>damorgan_at_x.washington.edu
>>(replace 'x' with 'u' to respond)
> 
> 
> Hello Daniel,
> 
> Is there a specific list of things that need to be done with respect to
> Oracle databases to be SOX compliant?
> If yes, could you post here or send me an email offline?
> 
> Thanks

My interpretation and the auditors' interpretation differ, but their opinion is the one that matters as they are the ones that have to sign off on the financial statements.

They want to log ALL insert, update, and select statements that occur anywhere in the database, under all schemas, that did not originate through an approved application interface.

Which means logging on as internal through server manager and then performing any action that can change any data.

-- 
Daniel A. Morgan
University of Washington
damorgan_at_x.washington.edu
(replace 'x' with 'u' to respond)
Received on Sat Oct 30 2004 - 10:40:33 CDT
