RE: Using DD to Read Data from Oracle Datafiles
- From: <Joel.Patterson@xxxxxxxxxxx>
- To: <mwf@xxxxxxxx>, <Mark.Bobak@xxxxxxxxxxxxxxx>, <kevinc@xxxxxxxxxxxxx>, <oracle-l@xxxxxxxxxxxxx>
- Date: Fri, 9 Feb 2007 08:21:14 -0500
Restrict DBA access to application data in 11g. using vault: See
link, around slide 23. Saw the presentation on security, Oracle can do
pretty good, and SOX has motivated oracle to implement data security, so
that even superusers can be restricted.
http://www.oracle.com/dm/07q3field/security_and_compliance.pdf
Joel Patterson
Database Administrator
joel.patterson@xxxxxxxxxxx
x72546
904 727-2546
________________________________
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Mark W. Farnham
Sent: Thursday, February 08, 2007 9:05 PM
To: Mark.Bobak@xxxxxxxxxxxxxxx; kevinc@xxxxxxxxxxxxx; 'freelists'
Subject: RE: Using DD to Read Data from Oracle Datafiles
While I agree, in some corners this runs into the whole Sarbanes Oxley
catastrophe where the folks who facilitated the apparently false
financial reports of Enron are amongst the beneficiaries of the CPA
consultant full employment act to make life miserable to the most honest
and honorable rank and file group of people on the planet
(DBA/sysadmins).
So then the game shifts to "how can we prevent the DBAs and sysadmins
from discerning real data?"
I am not claiming to know a good universal answer. Starting by hiring
Dirty Harry as your HR director wouldn't be a bad start though.
I'd wink, but the overhead to American business is so sad it nearly
brings me to tears.
mwf
________________________________
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Bobak, Mark
Sent: Thursday, February 08, 2007 4:13 PM
To: kevinc@xxxxxxxxxxxxx; freelists
Subject: RE: Using DD to Read Data from Oracle Datafiles
Kevin makes a fair point. I don't know about other shops, but our
production database servers are dedicated to being database servers.
The only users who are given logins are sysadmin and dba. I can't think
of any valid reason that anyone else would need login access on a
production database server. If you limit the users who have access to
the servers at all, then you really don't have to worry about the myriad
of possible local attacks.
-Mark
--
Mark J. Bobak
Senior Oracle Architect
ProQuest Information & Learning
There is nothing so useless as doing efficiently that which shouldn't be
done at all. -Peter F. Drucker, 1909-2005
________________________________
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Kevin Closson
Sent: Thursday, February 08, 2007 4:00 PM
To: freelists
Subject: RE: Using DD to Read Data from Oracle Datafiles
If you are worried about a user getting to the dd(1) command, you should
probably worry about then compiling C (libc), or having shell access at
all, no?
________________________________
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of rjamya
Sent: Thursday, February 08, 2007 12:39 PM
To: naqimirza@xxxxxxxxx
Cc: Oracle-L @ freelists.org
Subject: Re: Using DD to Read Data from Oracle Datafiles
So,
You can make sure that
1. any normal user can't get to the raw (or cooked) datafiles.
2. They don't have access to 'dd' command
in addition to whatever else that you are doing.
Other related posts:
