Re: Fw: OT - Getting fired for database oops

2009/5/27 Nuno Souto <dbvision@xxxxxxxxxxxx>:

>
>
> Which is a tricky proposition
> at best: how often should one check and for how long?

Daily (or more/less often depending on your level of paranoia), as
long as the server is in operation.

The last place where I was doing direct support of the databases all
key settings files were checked every day (using diff).  Basically
we'd have a 'clean' copy and each day a script would be run by cron
that would compare the live file with a 'clean' copy.  If there were
any differences an email was sent to the root mailbox and thence
forwarded to the ops mailbox.  If the changes were authorised the
changed file would be copied over to the 'clean' copy, otherwise the
changed file would be quarantined and the file refreshed with a known
safe version (most of our settings files were version controlled in
SCCS so we'd just revert to an earlier version, then manually run the
check script for that file, if not then we'd copy back the 'clean'
copy).  Additionally any legitimate changes had to go through the
change control system and the change would have the change control
number above it in a comment line so we could quickly confirm if a
change was legitimate.

It's not perfect, it could take up to a day to identify a change, but
it did the job.

No system is perfectly secure, no piece of software is guaranteed bug
free.  You just have to do your best and be resigned to the fact that
your users are probably your biggest security hole.

Stephen

-- 
It's better to ask a silly question than to make a silly assumption.

http://stephensorablog.blogspot.com/ |
http://www.linkedin.com/in/stephenboothuk | Skype: stephenbooth_uk

Apparently I'm a "Eierlegende Woll-Milch-Sau", I think it was meant as
a compliment.
--
http://www.freelists.org/webpage/oracle-l

Other related posts: