On Thursday 28 November 2002 12:03, Tim Gorman wrote:
> My $0.02...
>
> Oracle9i provides the AUDIT_SYS_OPERATIONS parameter, which will audit only
> to the OS audit trail. Thus, anything that SYSDBA does can be audited.
>
> The reason for the OS audit-trail only? Because SYSDBA can always erase a
> DB audit trail (even if the act of erasure is still audited). All SYSDBA,
> however, can be prevented from reading or modifying the OS audit trail.
This doesn't prevent a SA with DBA knowledge from wreaking havoc.

> I believe the only secure configuration for an Oracle database has the
> "software owner" (typically named "oracle") and OS_SYSDBA and OS_SYSOPER
> groups under control of SysAdmins only. Those with SYSDBA do not need
> access to that OS account or those OS groups.

SA's still a problem.

> The real problem is DBAs ourselves, who seem to treasure day-to-day usage
> of the Oracle software owner and membership of private accounts in the
> OS_SYSDBA and OS_SYSOPER groups...

Personally, I log into the 'oracle' or 'root' account only as needed. Except on NT of course, where I need admin access to do my job properly.

Maybe in a larger shop that wouldn't be necessary, but in a small shop it's very difficult to have an SA at your side when needed for admin level access.

Jared

> ----- Original Message -----
> To: "Multiple recipients of list ORACLE-L" <[EMAIL PROTECTED]>
> Sent: Thursday, November 28, 2002 4:53 AM
>
> > Jared,
> >
> > Very interested in the "thread" you hypothetically raised. I'm working in
> > a pharmaceutical site which is subject to FDA and other regulations, part
> > of which is the whole business of audit trails.
> >
> > We have a Standard Operating Procedure which states that whilst DBAs have
> > access to data they will not change it. A recognition of the DBAs'
> > capabilities, but stating on paper that the company trusts they will "behave"
> > themselves.
> >
> > On a more practical point, with NT/W2K the Oracle audit trail can be set to
> > write audit trail records to the event logs. DBAs can be prevented from
> > changing the event logs. So now it would take at least 2 people to instigate
> > a fraud. Hey, this might foster even better relations between DBAs and
> > SAs ;)
> >
> > Just my 2 cents' worth :)
> > -------------------------
> > Seán O' Neill
> > Organon (Ireland) Ltd.
> > [subscribed: digest mode]
> >
> > >> From: [EMAIL PROTECTED]
> > >> Date: Tue, 26 Nov 2002 14:40:24 -0800
> > >> Subject: Oracle OS level security
> > >>
> > >> Dear list,
> > >>
> > >> Let me toss a hypothetical situation at you.
> >
> > etc. etc.
> >
> > --
> > Please see the official ORACLE-L FAQ: http://www.orafaq.com
> > --
> > Author: O'Neill, Sean
> >   INET: [EMAIL PROTECTED]
> >
> > Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
> > San Diego, California        -- Mailing list and web hosting services
> > ---------------------------------------------------------------------
> > To REMOVE yourself from this mailing list, send an E-Mail message
> > to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
> > the message BODY, include a line containing: UNSUB ORACLE-L
> > (or the name of mailing list you want to be removed from).  You may
> > also send the HELP command for other information (like subscribing).
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Jared Still
  INET: [EMAIL PROTECTED]
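As an added illustration (not code from anyone in this thread or from Oracle), the following Python script checks the two points Tim and Seán raise: whether anyone other than the SysAdmins and the software owner sits in the OSDBA/OSOPER groups, and whether AUDIT_SYS_OPERATIONS is switched on so SYSDBA work reaches the OS audit trail. The group names dba/oper, the accounts, the /etc/group and init.ora text are all constructed assumptions; on a real host you would feed it the actual files.

```python
import re

# Constructed sample of /etc/group, not taken from any real host.
GROUP_FILE = """\
root:x:0:
sysadm:x:100:
oracle:x:500:
dba:x:501:oracle,jsmith
oper:x:502:oracle,sysadm
"""
# Constructed init.ora fragment; the parameter names are real Oracle9i ones.
INIT_ORA = """\
audit_trail = os
audit_sys_operations = FALSE
audit_file_dest = /var/opt/oracle/audit
"""
# Hypothetical SysAdmin accounts that may legitimately sit in the OS groups.
SYSADMINS = {"root", "sysadm"}

def parse_groups(text):
    """Map group name -> set of listed members (/etc/group format)."""
    groups = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, _gid, members = line.split(":", 3)
            groups[name] = {m for m in members.split(",") if m}
    return groups

def parse_init_ora(text):
    """Map lower-cased parameter name -> lower-cased, unquoted value."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_]+)\s*=\s*([^#]+)", line)
        if m:
            params[m.group(1).lower()] = m.group(2).strip().strip("'\"").lower()
    return params

def audit_findings(group_text, init_text, sysadmins, software_owner="oracle",
                   os_groups=("dba", "oper")):
    """Return findings; an empty list means the host matches the layout above."""
    findings, groups = [], parse_groups(group_text)
    allowed = set(sysadmins) | {software_owner}  # the software owner must be in dba
    for g in os_groups:
        for member in sorted(groups.get(g, set()) - allowed):
            findings.append(f"{member} is in OS group {g}; only SysAdmins and {software_owner} belong there")
    if parse_init_ora(init_text).get("audit_sys_operations") != "true":
        findings.append("audit_sys_operations is not TRUE; SYSDBA activity is not written to the OS audit trail")
    return findings

if __name__ == "__main__":
    for finding in audit_findings(GROUP_FILE, INIT_ORA, SYSADMINS):
        print("FINDING:", finding)
```

With the sample data it reports jsmith (a DBA, not a SysAdmin) in the dba group and the missing AUDIT_SYS_OPERATIONS setting; the software owner's own membership is accepted because the database cannot run without it.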