Re: Tripwire question
- From: Niall Litchfield <niall.litchfield@xxxxxxxxx>
- To: koehned@xxxxxxxxx
- Date: Mon, 17 Jun 2013 18:30:44 +0100
That must come down to how you classify what constitutes a "change". I'd
argue that in your example *not* creating/dropping the expected partition
was a change, in that behaviour necessary for application operations had
changed. You (corporately rather than individually) ought to be able to
define that.
It strikes me that teams generally aren't motivated to reduce work for
other teams unless they perceive that reduction as meeting corporate goals
as communicated to them. If you can't redefine what "change" means to meet
their understanding, perhaps it is possible to align their goals with yours
, say by mailing them proactively a list of expected changes for them to
reconcile with their records. This has the security advantage of ensuring
that the team that has the power to make these changes (yours) doesn't get
the power to account for/hide them. It also has the economic advantage of
ensuring that the cost of checking falls where the benefit of checking is
felt (in security).
On Jun 17, 2013 6:05 PM, "daniel koehne" <koehned@xxxxxxxxx> wrote:
> My company's security team uses the Tripwire product (tripwire.com, not
> sure what version) to monitor Oracle databases for changes. The current
> Tripwire configuration means that most of the daily changes detected by
> tripwire are changes like automatic partition maintenance that can be
> classified by an algorithm as an expected change.
> Our security team do not seem to be motivated to address the issue of
> doing unnecessary work and the Tripwire product docs etc... seem to be
> behind a gated wall so I can't do any research.
>
> My question is, if you are using the Tripwire product do you know of a way
> of automatically classifying and promoting changes?
>
> Thanks
> Daniel
>
>
> --
> //www.freelists.org/webpage/oracle-l
>
>
>
--
//www.freelists.org/webpage/oracle-l
Other related posts:
