RE: Using DD to Read Data from Oracle Datafiles

  • From: "Kerber, Andrew" <Andrew.Kerber@xxxxxxx>
  • To: mwf@xxxxxxxx, Mark.Bobak@xxxxxxxxxxxxxxx, kevinc@xxxxxxxxxxxxx, "freelists" <oracle-l@xxxxxxxxxxxxx>
  • Date: Fri, 9 Feb 2007 07:22:54 -0600

Having read through several of the sites that purport to express Oracle
best practices in light of Sarbanes-Oxley, I can safely say that if all
recommendations are implemented, you would have a completely secure
database.

 

And also one that could only be accessed by a dumb terminal hardwired
into the Oracle server.

 

Andrew W. Kerber 
Oracle DBA 
UMB 
 

 

"If at first you don't succeed, don't take up skydiving" 

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Mark W. Farnham
Sent: Thursday, February 08, 2007 8:05 PM
To: Mark.Bobak@xxxxxxxxxxxxxxx; kevinc@xxxxxxxxxxxxx; 'freelists'
Subject: RE: Using DD to Read Data from Oracle Datafiles

 

While I agree, in some corners this runs into the whole Sarbanes-Oxley
catastrophe where the folks who facilitated the apparently false
financial reports of Enron are amongst the beneficiaries of the CPA
consultant full employment act to make life miserable for the most honest
and honorable rank and file group of people on the planet
(DBA/sysadmins).

 

So then the game shifts to "how can we prevent the DBAs and sysadmins
from discerning real data?"

 

I am not claiming to know a good universal answer. Starting by hiring
Dirty Harry as your HR director wouldn't be a bad start though.

 

I'd wink, but the overhead to American business is so sad it nearly
brings me to tears.

 

mwf

 

________________________________

From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Bobak, Mark
Sent: Thursday, February 08, 2007 4:13 PM
To: kevinc@xxxxxxxxxxxxx; freelists
Subject: RE: Using DD to Read Data from Oracle Datafiles

 

Kevin makes a fair point.  I don't know about other shops, but our
production database servers are dedicated to being database servers.
The only users who are given logins are sysadmin and dba.  I can't think
of any valid reason that anyone else would need login access on a
production database server.  If you limit the users who have access to
the servers at all, then you really don't have to worry about the myriad
of possible local attacks.

 

-Mark

 

--

Mark J. Bobak

Senior Oracle Architect

ProQuest Information & Learning

There is nothing so useless as doing efficiently that which shouldn't be
done at all.  -Peter F. Drucker, 1909-2005

 

 

________________________________

From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Kevin Closson
Sent: Thursday, February 08, 2007 4:00 PM
To: freelists
Subject: RE: Using DD to Read Data from Oracle Datafiles

If you are worried about a user getting to the dd(1) command, you should
probably worry about them compiling C (libc), or having shell access at
all, no?

 

________________________________

From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of rjamya
Sent: Thursday, February 08, 2007 12:39 PM
To: naqimirza@xxxxxxxxx
Cc: Oracle-L @ freelists.org
Subject: Re: Using DD to Read Data from Oracle Datafiles

 

So, 

You can make sure that
1. any normal user can't get to the raw (or cooked) datafiles.
2. They don't have access to the 'dd' command

in addition to whatever else that you are doing.

 

