Re: OT - SarBox paranoia prevention ?

  • From: rachel carmichael <wisernet100@xxxxxxxxx>
  • To: chip.briggs@xxxxxxxxx
  • Date: Sat, 19 Feb 2005 17:01:00 -0500

Not sure it's possible. System admins can su to the account that owns
the Oracle binaries, which can then (usually) do sqlplus / as sysdba.
Voila! I am now god within the database.

There is no way to prevent this. But you CAN do keystroke logging of
all access to these accounts, then have the logs sent to a security
officer who reviews them. Nowhere near perfect, but at least there's
some sort of control.


On Sat, 19 Feb 2005 13:21:03 -0700, Chip Briggs <chip.briggs@xxxxxxxxx> wrote:
> Earlier this week, SarBox auditors wanted proof that DBAs
> could not change database stored procedures (which would
> prevent DBAs from applying vendor patches for vendor
> supplied stored procedures). Also presents a problem since
> DBAs managed stored procedure configuration. SarBox
> auditors do not like DBA privileged access to application data.
> Looks like these auditors do not trust anyone and want duties
> segregated so no single person has the ability to cook any
> books (complete prevention for Enron repeat).
> 
> Any ideas how to prevent execution of non-production code
> against production data, whether the data resides in a
> database or operating system files (Unix and Windows)?
> 
> Have Fun :)
> --
> //www.freelists.org/webpage/oracle-l
>
--
//www.freelists.org/webpage/oracle-l
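
The log review described in the reply above, as an added example that is not part of the original post: it scans a per-terminal command log for sqlplus / as sysdba run from the account that owns the Oracle binaries and attributes each hit to the user who ran su on that terminal. The log format, the account name "oracle" and the sample lines are assumptions constructed for illustration.

```python
import re
import shlex

# Constructed sample of a per-terminal command log (the format is an assumption).
SAMPLE_LOG = """\
2005-02-19T16:40:01 tty=pts/3 user=jsmith cmd=su - oracle
2005-02-19T16:40:09 tty=pts/3 user=oracle cmd=sqlplus / as sysdba
2005-02-19T16:41:30 tty=pts/5 user=akhan cmd=sqlplus scott@PROD
2005-02-19T16:52:10 tty=pts/3 user=oracle cmd=exit
2005-02-19T17:03:44 tty=pts/7 user=oracle cmd=sqlplus "/ as sysdba"
"""

LINE = re.compile(r"^(\S+) tty=(\S+) user=(\S+) cmd=(.*)$")
ORACLE_OWNER = "oracle"  # assumed name of the account owning the Oracle binaries


def is_os_auth_sysdba(cmd):
    """True for sqlplus invoked with OS authentication ('/') as SYSDBA."""
    try:
        words = shlex.split(cmd.lower())
    except ValueError:  # unbalanced quotes: fall back to plain splitting
        words = cmd.lower().split()
    if not words or not words[0].endswith("sqlplus"):
        return False
    args = " ".join(words[1:]).split()  # flattens a quoted "/ as sysdba"
    return "/" in args and args[-2:] == ["as", "sysdba"]


def findings(log_text):
    """Return (time, tty, real_user) for each OS-authenticated SYSDBA login."""
    became = {}  # tty -> user who ran su to the Oracle owner on that terminal
    out = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, tty, user, cmd = m.groups()
        words = cmd.split()
        if words[:1] == ["su"] and words[-1] == ORACLE_OWNER and user != ORACLE_OWNER:
            became[tty] = user
        elif user == ORACLE_OWNER and cmd.strip() == "exit":
            became.pop(tty, None)  # su session ended; stop attributing
        elif user == ORACLE_OWNER and is_os_auth_sysdba(cmd):
            out.append((ts, tty, became.get(tty, "UNATTRIBUTED")))
    return out


if __name__ == "__main__":
    print(*findings(SAMPLE_LOG), sep="\n")
```

The UNATTRIBUTED row is the case a reviewer cannot resolve from this log alone: a direct login to the shared account with no preceding su on that terminal.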
