| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
 |
 | |||
| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
|
| |||
Home -> Community -> Mailing Lists -> Oracle-L -> RE: Using DD to Read Data from Oracle Datafiles
Restrict DBA access to application data in 11g. using vault: See
link, around slide 23. Saw the presentation on security, Oracle can do
pretty good, and SOX has motivated oracle to implement data security, so
that even superusers can be restricted.
http://www.oracle.com/dm/07q3field/security_and_compliance.pdf
Joel Patterson
Database Administrator
joel.patterson_at_crowley.com
x72546
904 727-2546
From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Mark W. Farnham
Sent: Thursday, February 08, 2007 9:05 PM
To: Mark.Bobak_at_il.proquest.com; kevinc_at_polyserve.com; 'freelists'
Subject: RE: Using DD to Read Data from Oracle Datafiles
While I agree, in some corners this runs into the whole Sarbanes Oxley catastrophe where the folks who facilitated the apparently false financial reports of Enron are amongst the beneficiaries of the CPA consultant full employment act to make life miserable to the most honest and honorable rank and file group of people on the planet (DBA/sysadmins).
So then the game shifts to "how can we prevent the DBAs and sysadmins from discerning real data?"
I am not claiming to know a good universal answer. Starting by hiring Dirty Harry as your HR director wouldn't be a bad start though.
I'd wink, but the overhead to American business is so sad it nearly brings me to tears.
mwf
From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Bobak, Mark
Sent: Thursday, February 08, 2007 4:13 PM
To: kevinc_at_polyserve.com; freelists
Subject: RE: Using DD to Read Data from Oracle Datafiles
Kevin makes a fair point. I don't know about other shops, but our production database servers are dedicated to being database servers. The only users who are given logins are sysadmin and dba. I can't think of any valid reason that anyone else would need login access on a production database server. If you limit the users who have access to the servers at all, then you really don't have to worry about the myriad of possible local attacks.
-Mark
-- Mark J. Bobak Senior Oracle Architect ProQuest Information & Learning There is nothing so useless as doing efficiently that which shouldn't be done at all. -Peter F. Drucker, 1909-2005 ________________________________ From: oracle-l-bounce_at_freelists.orgReceived on Fri Feb 09 2007 - 07:21:14 CST
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Kevin Closson
Sent: Thursday, February 08, 2007 4:00 PM To: freelists Subject: RE: Using DD to Read Data from Oracle Datafiles If you are worried about a user getting to the dd(1) command, you should probably worry about then compiling C (libc), or having shell access at all, no? ________________________________ From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of rjamya
Sent: Thursday, February 08, 2007 12:39 PM To: naqimirza_at_yahoo.com Cc: Oracle-L @ freelists.org Subject: Re: Using DD to Read Data from Oracle Datafiles So, You can make sure that 1. any normal user can't get to the raw (or cooked) datafiles. 2. They don't have access to 'dd' command in addition to whatever else that you are doing. -- http://www.freelists.org/webpage/oracle-l
 |
 |