Re: OT - SarBox paranoia prevention ?
Not sure it's possible. System admins can su to the account that owns
the Oracle binaries, which can then (usually) do sqlplus / as sysdba.
Voila! I am now god within the database.
There is no way to prevent this. But you CAN do keystroke logging of all access to these accounts, then have the logs sent to a security officer who reviews them. Nowhere near perfect, but at least there's some sort of control.
On Sat, 19 Feb 2005 13:21:03 -0700, Chip Briggs <chip.briggs_at_gmail.com> wrote:
> Earlier this week, SarBox auditors wanted proof that DBAs
> could not change database stored procedures (which would
> prevent DBAs from applying vendor patches for vendor
> supplied stored procedures). Also presents a problem since
> DBAs managed stored procedure configuration. SarBox
> auditors do not like DBA privileged access to application data.
> Looks like these auditors do not trust anyone and want duties
> segregated so no single person has the ability to cook any
> books (complete prevention for Enron repeat).
>
> Any ideas how to prevent execution of non-production code
> against production data, whether the data resides in a
> database or operating system files (unix and windows) ?
>
> Have Fun :)
> --
> http://www.freelists.org/webpage/oracle-l
>
--
http://www.freelists.org/webpage/oracle-l

Received on Sat Feb 19 2005 - 17:03:58 CST
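As an added illustration of the review control suggested in the reply (not code from the thread or from any poster), the sketch below summarizes `su` attempts into the database owner account for a security officer. It covers only the account-switch step, not keystroke capture of the session that follows. Assumptions: the owner account is named `oracle`, the log uses the classic Solaris/AIX `/var/adm/sulog` layout, and every sample line is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the assumed /var/adm/sulog layout (Solaris/AIX):
# SU MM/DD HH:MM <+|-> <tty> <from>-<to>   ('+' = success, '-' = failure)
SAMPLE_SULOG = """\
SU 02/19 09:02 + pts/3 jsmith-oracle
SU 02/19 09:40 - pts/5 mlee-oracle
SU 02/19 11:15 + pts/1 jsmith-root
SU 02/19 13:21 + pts/7 root-oracle
SU 02/19 13:55 + pts/2 akhan-appuser
"""

# The from/to pair is split at the first hyphen, so source names
# containing '-' are not handled by this sketch.
LINE_RE = re.compile(
    r"^SU\s+(?P<date>\d{2}/\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<result>[+-])\s+(?P<tty>\S+)\s+(?P<src>[^-\s]+)-(?P<dst>\S+)$"
)

def su_events(text, watched=("oracle",)):
    """Return su attempts whose target is a watched account, in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("dst") in watched:
            e = m.groupdict()
            e["ok"] = e.pop("result") == "+"
            events.append(e)
    return events

def review_report(events):
    """Group by source user so the reviewer sees who became the DB owner."""
    by_user = defaultdict(lambda: {"ok": 0, "failed": 0, "when": []})
    for e in events:
        rec = by_user[e["src"]]
        rec["ok" if e["ok"] else "failed"] += 1
        rec["when"].append(f'{e["date"]} {e["time"]} {e["tty"]}')
    return dict(by_user)

if __name__ == "__main__":
    for user, rec in sorted(review_report(su_events(SAMPLE_SULOG)).items()):
        print(f'{user}: {rec["ok"]} ok, {rec["failed"]} failed -> '
              f'{", ".join(rec["when"])}')
```

For the report to work as a control, the log has to be forwarded to a host the administrators being reviewed cannot modify.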