Re: OT - SarBox paranoia prevention ?
- From: rachel carmichael <wisernet100@xxxxxxxxx>
- To: chip.briggs@xxxxxxxxx
- Date: Sat, 19 Feb 2005 17:01:00 -0500
Not sure it's possible. System admins can su to the account that owns
the oracle binaries, which can then (usually) do sqlplus / as sysdba.
Voila! I am now god within the database.

There is no way to prevent this. But you CAN do keystroke logging of
all access to these accounts, then have the logs sent to a security
officer who reviews them. Nowhere near perfect but at least there's
some sort of control.

On Sat, 19 Feb 2005 13:21:03 -0700, Chip Briggs <chip.briggs@xxxxxxxxx> wrote:
> Earlier this week, SarBox auditors wanted proof that DBA's
> could not change database stored procedures (which would
> prevent DBA's from applying vendor patches for vendor
> supplied stored procedures). Also presents a problem since
> DBA's managed stored procedure configuration. SarBox
> auditors do not like DBA privileged access to application data.
> Looks like these auditors do not trust anyone and want duties
> segregated so no single person has the ability to cook any
> books (complete prevention for Enron repeat).
>
> Any ideas how to prevent execution of non-production code
> against production data, whether the data resides in a
> database or operating system files (unix and windows) ?
>
> Have Fun :)
> --
> http://www.freelists.org/webpage/oracle-l
>
--
http://www.freelists.org/webpage/oracle-l
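
The review step described in the reply above can be partly automated. The following is an added example, not part of the original thread: it reads a keystroke log and gives the security officer one finding per OS-authenticated SYSDBA session, tied back to the person who logged in. The log format, field names, function name and sample records are all constructed assumptions.

```python
import re

# Constructed sample in a hypothetical keystroke-log format: one typed line per record.
SAMPLE_LOG = """\
2005-02-19T16:40:02 tty=pts/3 login=jsmith euid=jsmith input=su - oracle
2005-02-19T16:40:09 tty=pts/3 login=jsmith euid=oracle input=sqlplus / as sysdba
2005-02-19T16:40:31 tty=pts/3 login=jsmith euid=oracle input=CREATE OR REPLACE PROCEDURE app.post_gl AS BEGIN NULL; END;
2005-02-19T16:41:05 tty=pts/3 login=jsmith euid=oracle input=exit
2005-02-19T16:42:00 tty=pts/5 login=mlee euid=mlee input=sqlplus scott@prod
2005-02-19T16:43:10 tty=pts/7 login=oracle euid=oracle input=sqlplus "/ as sysdba"
2005-02-19T16:43:40 tty=pts/7 login=oracle euid=oracle input=select count(*) from dba_users;
"""

RECORD = re.compile(r"^(?P<ts>\S+) tty=(?P<tty>\S+) login=(?P<login>\S+) "
                    r"euid=(?P<euid>\S+) input=(?P<input>.*)$")
# OS-authenticated SYSDBA connect, with or without quotes around "/ as sysdba".
SYSDBA = re.compile(r"^\s*sqlplus\b.*/\s*as\s+sysdba\b", re.IGNORECASE)
END = re.compile(r"^\s*(exit|quit)\s*;?\s*$", re.IGNORECASE)

def sysdba_sessions(log_text, owner="oracle"):
    """Return one finding per SYSDBA session opened as the software-owner account."""
    findings, open_by_tty = [], {}
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue  # lines that do not parse are skipped in this example
        r = m.groupdict()
        current = open_by_tty.get(r["tty"])
        if current is not None:
            if END.match(r["input"]):
                current["ended"] = r["ts"]
                del open_by_tty[r["tty"]]
            else:
                current["statements"].append(r["input"])  # typed inside sqlplus
        elif r["euid"] == owner and SYSDBA.match(r["input"]):
            # shared_login: someone logged in directly as the owner account, so the
            # log alone cannot say which person typed the statements.
            current = {"login": r["login"], "tty": r["tty"], "started": r["ts"],
                       "ended": None, "statements": [],
                       "shared_login": r["login"] == owner}
            findings.append(current)
            open_by_tty[r["tty"]] = current
    return findings
```

A finding with `ended` still `None` is a session that was open when the log was cut, and one with `shared_login` set needs another record (for example a console or jump-host log) before it can be attributed to a person.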