Re: how bad are these vulnerabilities?
Niall Litchfield wrote:
> DA Morgan wrote:
>> Niall Litchfield wrote:
>>> DA Morgan wrote:
>>>> Well while they are doing that ... perhaps they can explain to your
>>>> legal department how they plan to handle SQL Server's inability to meet
>>>> SarbOx requirements?
>>> Only do that if you want to look rather silly. Legislation does not
>>> prohibit particular platforms, just mandates approaches and controls.
>>> You can do this with all the leading databases on the market today.
>> It mandates that you be able to audit the activities of the system
>> administrators and DBAs. If you can do that on (pre-Vista) Windows I'd
>> like to see how.
Actually no, my reference is to the operating system. US laws don't distinguish between operating system and database. They demand auditability of anything that happens on the machine that could affect the integrity of the data. That means vi. That means notepad. That means rootkits. Everything.
> You can audit sysadmin and dba activity on windows, and you can fail to
> do it on *nix environments. To suggest otherwise is rather foolish don't
> you think.
Referencing the above ... the question becomes: can you audit what a domain administrator can do on a Windows box? If you can, I would like to know how. I don't spend much time in Windows and have been told that it cannot be done.
> <thought process>
> In an open source world the auditing process and hashing algorithms are
> open source. Wonder what happens then
> </thought process>
Good question I'd like to see someone answer. I suspect though that this is part of what has led us to the dbms_crypto built-in and transparent data encryption.
--
Daniel A. Morgan
University of Washington
damorgan_at_x.washington.edu
(replace x with u to respond)
Puget Sound Oracle Users Group
www.psoug.org

Received on Mon Dec 18 2006 - 18:59:28 CST