RE: SOX Compliance and Segregation of Duties

  • From: "Reidy, Ron" <Ron.Reidy@xxxxxxxxxxxxxxxxxx>
  • To: <pbashir@xxxxxxxxxxx>, <oracle-l@xxxxxxxxxxxxx>
  • Date: Sat, 1 Apr 2006 19:18:33 -0700

Comments below ...

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Parvez Bashir
Sent: Saturday, April 01, 2006 12:53 PM
To: oracle-l@xxxxxxxxxxxxx
Subject: SOX Compliance and Segregation of Duties


We are currently using the following "watch the DBA" approach for SOX.

1) Lock SYS/SYSTEM except for upgrades/one-off patches/patch sets
2) Each DBA logins in "AS SYSDBA". We have turned on
3) We are auditing all DDL including "AUDIT all on sys.aud$ by access"

Here is the problem with this approach:

1) Logins for db user " X AS SYSDBA"  create the AUD$ audit record for
(not X). Is there any way to work around this problem?
[rr]  No. "... AS SYSDBA" is effectively logging in as SYS.
2) The OS audit files are created with "oracle" OS account privileges
can be removed by the "oracle" account. Is this possible to send the 
information to non-Oracle logs? There is some mention in metalink that
is possible for certain operating systems but it is not clear which
[rr] Yes, upgrade to  Audit logs can be written to SYSLOG
(Unix).  Syslogs can be saved to a remote server.  This effectively
keeps those who can access the oracle account from altering/delting the
DBA audit trail.

Also, is there any white paper for "Oracle DBA SOX Compliance"?



This electronic message transmission is a PRIVATE communication which contains
information which may be confidential or privileged. The information is 
to be for the use of the individual or entity named above. If you are not the 
intended recipient, please be aware that any disclosure, copying, distribution 
or use of the contents of this information is prohibited. Please notify the
sender  of the delivery error by replying to this message, or notify us by
telephone (877-633-2436, ext. 0), and then delete it from your system.


Other related posts: