
Re: how bad are these vulnerabilities?

From: DA Morgan <>
Date: Mon, 18 Dec 2006 16:59:28 -0800
Message-ID: <>

Niall Litchfield wrote:
> DA Morgan wrote:
>> Niall Litchfield wrote:
>>> DA Morgan wrote:
>>>> Well while they are doing that ... perhaps they can explain to your
>>>> legal department how they plan to handle SQL Server's inability to meet
>>>> SarbOx requirements?
>>> Only do that if you want to look rather silly. Legislation does not
>>> prohibit particular platforms, just mandates approaches and controls.
>>> You can do this with all the leading databases on the market today.
>> It mandates that you be able to audit the activities of the system
>> administrators and DBAs. If you can do that on (pre-Vista) Windows I'd
>> like to see how.

> I'm assuming you mean pre-sql2005 sqlserver rather than pre-vista
> windows (this being a database forum and you referring to a database
> product and all) try
> for size.

Actually no, my reference is to the operating system. US laws don't distinguish between operating system and database. They demand auditability of anything that happens on the machine that could affect the integrity of the data. That means vi. That means notepad. That means rootkits. Everything.

> You can audit sysadmin and dba activity on windows, and you can fail to
> do it on *nix environments. To suggest otherwise is rather foolish, don't
> you think?

Referencing the above ... the question becomes: can you audit what a domain administrator can do on a Windows box? If you can, I would like to know how. I don't spend much time in Windows and have been told that it cannot be done.

> <thought process>
> In an open source world the auditing process and hashing algorithms are
> open source. Wonder what happens then
> </thought process>

Good question, and one I'd like to see someone answer. I suspect, though, that this is part of what has led us to the dbms_crypto built-in and transparent data encryption.

Daniel A. Morgan
University of Washington
(replace x with u to respond)
Puget Sound Oracle Users Group
Received on Mon Dec 18 2006 - 18:59:28 CST