Re: Auditing DBAs
Daniel Morgan <damorgan_at_x.washington.edu> wrote in message news:<1097949538.946698_at_yasure>...
> Howard J. Rogers wrote:
>
> > I presumably missed the bit where everyone posted the fact that in 9i
> > Release 2, auditing SYS operations is a piece of cake, and requires
> > the setting of one init.ora/spfile parameter.
>
> I did.
>
> > Audit_sys_operations=true is your friend.
> >
> > It requires that you set the directory where the SYS audit trail is
> > written to, and that requires in turn that you set appropriate O/S
> > permissions on that directory so that Mr. DBA doesn't just waltz in to
> > the directory and delete the audit trail. But nothing a moderately
> > competent Unix administrator couldn't cope with, I suspect.
> >
> > Regards
> > HJR

And since the DBA has access to the OS Oracle Id, which naturally has
full OS permissions to the audit trail directory, cleaning up the
audit trail should be a snap. 8-D

If the off-shore DBAs only have DBA privilege within the database and do not have access to the OS id then auditing SYS might work for some sites. But the reality is that if the DBA has access to the OS ID then the audit trail is more of "Yes, we audit the DBA" in name but not in substance.

The IBM VM System Programmers manual had a note in it for auditors. Because the VM administrator could bring the system up without the security package, do whatever they wanted without an audit trail, stop and restart with security and leave no record that they had ever played with the system, you should trust your VM System Programmers or get new ones.

There are reasonable steps that every company should take to monitor its DBAs and System Administrators, but the most basic step is that they should hire reliable people.

IMHO -- Mark D Powell --

Received on Sat Oct 16 2004 - 18:47:18 CDT
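
The disagreement in this thread comes down to who can delete files in the SYS audit directory. As an added example (not part of any poster's message), this Python check applies the classic POSIX unlink rules to report which audit files a given OS account could remove. The function names and the sample file name are hypothetical, and ACLs and immutable flags are assumed absent.

```python
import os
import stat

def _class_bits(st, uid, gids):
    """rwx bits (0-7) that apply to uid/gids under classic POSIX mode rules."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def can_unlink(path, uid, gids=()):
    """True if the account (uid, gids) may delete `path`, judged from mode bits only.

    Assumptions: no ACLs, no immutable flags, parent directories are searchable.
    """
    if uid == 0:  # root bypasses mode checks
        return True
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    target = os.lstat(path)
    # Deleting needs write + search (wx) on the directory, not on the file.
    if _class_bits(parent, uid, gids) & 0o3 != 0o3:
        return False
    # Sticky directory: only the file's owner or the directory's owner may delete.
    if parent.st_mode & stat.S_ISVTX:
        return uid in (target.st_uid, parent.st_uid)
    return True

def audit_trail_exposure(audit_dir, uid, gids=()):
    """List the files in `audit_dir` that the given account could remove."""
    return sorted(
        name for name in os.listdir(audit_dir)
        if can_unlink(os.path.join(audit_dir, name), uid, gids)
    )

if __name__ == "__main__":
    import tempfile
    # Constructed stand-in for the audit directory, owned by the current account.
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "ora_1234.aud"), "w").close()  # constructed file name
        print(audit_trail_exposure(d, os.getuid(), os.getgroups()))
```

Because the account that writes the audit files needs write and search permission on the directory, and owns the files it creates, the check reports those files as deletable by that account even when the directory is sticky and owned by someone else.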