Comments below ... -----Original Message----- From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Parvez Bashir Sent: Saturday, April 01, 2006 12:53 PM To: oracle-l@xxxxxxxxxxxxx Subject: SOX Compliance and Segregation of Duties Folks, We are currently using the following "watch the DBA" approach for SOX. 1) Lock SYS/SYSTEM except for upgrades/one-off patches/patch sets 2) Each DBA logins in "AS SYSDBA". We have turned on SYS_AUDIT_OPERATIONS 3) We are auditing all DDL including "AUDIT all on sys.aud$ by access" Here is the problem with this approach: 1) Logins for db user " X AS SYSDBA" create the AUD$ audit record for SYS (not X). Is there any way to work around this problem? [rr] No. "... AS SYSDBA" is effectively logging in as SYS. 2) The OS audit files are created with "oracle" OS account privileges and can be removed by the "oracle" account. Is this possible to send the information to non-Oracle logs? There is some mention in metalink that this is possible for certain operating systems but it is not clear which ones. [rr] Yes, upgrade to 10.2.0.2.0. Audit logs can be written to SYSLOG (Unix). Syslogs can be saved to a remote server. This effectively keeps those who can access the oracle account from altering/delting the DBA audit trail. Also, is there any white paper for "Oracle DBA SOX Compliance"? Regards, Parvez -- //www.freelists.org/webpage/oracle-l This electronic message transmission is a PRIVATE communication which contains information which may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, please be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. Please notify the sender of the delivery error by replying to this message, or notify us by telephone (877-633-2436, ext. 0), and then delete it from your system. -- //www.freelists.org/webpage/oracle-l