This discussion is archived
23 Replies. Latest reply: Feb 25, 2013 11:52 PM by User477708-OC

Auditing DBAs

yxes2013 Newbie
Hi all,

We have a "very" critical system that has valuable information in it. For example, a table of terrorists or blacklisted people around the world.
I want to protect the information from the DBAs themselves or the developers, as they are the ones who have direct access to the table.
Can you share with me some of your experience or your processes that involve protection of critical info from users who have powerful privileges themselves?
I see docs like auditing the audit table. But I want some actual process being used in production.


Thanks a lot,

zxy
  • 1. Re: Auditing DBAs
    asahide Expert
    Hi,

    I think that you can use Audit trail.
    <<http://www.dba-oracle.com/t_audit_table_command.htm>>
    <<http://www.dba-oracle.com/security/auditing_sys_connections.htm>>

    Regards,

    Edited by: asahideO on 2013/02/25 10:22
  • 2. Re: Auditing DBAs
    Aman.... Oracle ACE
    yxes2013 wrote:
    Hi all,

    We have a "very" critical system that has valuable information in it. For example, a table of terrorists or blacklisted people around the world.
    I want to protect the information from the DBAs themselves or the developers, as they are the ones who have direct access to the table.
    Can you share with me some of your experience or your processes that involve protection of critical info from users who have powerful privileges themselves?
    I see docs like auditing the audit table. But I want some actual process being used in production.

    Data Vault and Audit Vault ?

    Aman....
  • 3. Re: Auditing DBAs
    yxes2013 Newbie
    I thank you all :)

    I am not using isqlplus or em :(

    Can you share with me some advantages of using these tools?


    https://localhost:5501/em
    http://localhost:5560/isqlplus
  • 4. Re: Auditing DBAs
    sb92075 Guru
    yxes2013 wrote:
    I thank you all :)

    I am not using isqlplus or em :(
    isqlplus no longer exists & rightly so.
    EM is a crutch for lazy folks
  • 5. Re: Auditing DBAs
    yxes2013 Newbie
    Thanks dear :) ....so I am not alone? and I will just junk it?

    I can not understand why this new company I am in, has docs related to them.

    Actually I am browsing now the "EM" page. Can you tell me which topic here has relevance to look at? I can not find any :(
  • 6. Re: Auditing DBAs
    Hemant K Chitale Oracle ACE
    and I will just junk it?
    No. You should familiarise yourself with using EM. Going forward, particularly since 10g, Oracle has been making enhancements and moving a lot of features and administration into EM.
    Having said that, you must also be able to use command-line SQLPlus, SQL and be able to use the PLSQL DBMS APIs.


    Hemant K Chitale
  • 7. Re: Auditing DBAs
    Girish Sharma Guru
    I want to protect the information from the DBA themselves or the developers, as they are the ones who have direct access on the table.
    Don't you have direct access to your bank locker in which you keep your valuable documents, jewellery, etc.? How can a bank (Oracle) protect the locker (table) from you (DBA/Developers)? The bank (Oracle) has provided thumb impression (listener logging) on the main gate, plenty of security personnel (different auditing options) have been deployed, there is a good and perfect alarm (trigger), at the locker clerk the bank has put a signature register (only certain users can access the table), in the locker room there are the CCTVs (data vault), etc. What else can the bank (Oracle) do for the security of your locker (table)? How can the bank (Oracle) know that you (DBA) are going to hack your locker (table)? It's not possible.

    When I said oracle database security options to google, I found couple of good links like :

    Oracle Security by Oracle: http://www.oracle.com/technetwork/topics/security/articles/index.html
    Oracle Database Security Checklist: http://dbpost.wordpress.com/2012/04/24/oracle-database-security-checklist/
    Top 10 Oracle Steps to a Secure Oracle Database Server: http://blog.opensecurityresearch.com/2012/03/top-10-oracle-steps-to-secure-oracle.html

    In addition to the above, if you read the great security articles and solutions provided by Pete Finnigan (http://www.petefinnigan.com/), I think you have done all the steps which an Oracle DBA does.

    Regards
    Girish Sharma
  • 8. Re: Auditing DBAs
    yxes2013 Newbie
    I thank you all :) ...so what I can do is trust the DBAs themselves. What if they were paid 1 million USD just to tag the blacklist as cleared, then when the blacklisted person was able to leave/enter the ports
    the DBA then returns the tag to active so nothing has changed.
  • 9. Re: Auditing DBAs
    Girish Sharma Guru
    yxes2013 wrote:
    I thank you all :) ...so what I can do is trust the DBAs themselves. What if they were paid 1 million USD just to tag the blacklist as cleared, then when the blacklisted person was able to leave/enter the ports
    the DBA then returns the tag to active so nothing has changed.
    Yes, everything is possible. Nothing is protected when it is not in the boundary of protection. We can have security for machine, data, network, server room etc. There is a lock for the door, but one key is required to unlock it and keys are lying with a person. There is no lock for the person; if I wish to rob my own home then I am sure it's possible.

    Regards
    Girish Sharma
  • 10. Re: Auditing DBAs
    Aman.... Oracle ACE
    yxes2013 wrote:
    I thank you all :) ...so what I can do is trust the DBAs themselves. What if they were paid 1 million USD just to tag the blacklist as cleared, then when the blacklisted person was able to leave/enter the ports
    the DBA then returns the tag to active so nothing has changed.
    Besides auditing the DBA operations, there is very little that you can do. As a basic principle, don't have the kind of people whom you expect to steal or sell very sensitive data taking care of it. Also, there is no such thing as 100% security. You can try to be as safe as possible but as Murphy's law says, if something can go wrong, it will go wrong and you would have to deal with it too!

    Aman....
  • 11. Re: Auditing DBAs
    yxes2013 Newbie
    Got it :) Thanks

    Is it part of security check to verify hash values of some files?
    03fda2320221d273f0ca5775dccfce49  /home/oracle/scripts/reportaudit/users_database.lst
    394782604b0187a07940fdebf19fdb47  /home/oracle/scripts/reportaudit/privs_system_database.lst
    7ecd51daa3f6d84c323d76bb3b10eaeb  /home/oracle/scripts/reportaudit/priv_objs_database.lst
    d41d8cd98f00b204e9800998ecf8427e  /home/oracle/scripts/reportaudit/audit_privs_opts.lst
    5aca2712acbe0c1832a9214059b94023  /home/oracle/scripts/reportaudit/audit_objs_opts.lst
    What do you think is the purpose of this? I see this in the documentation.

    Thanks,
  • 12. Re: Auditing DBAs
    Aman.... Oracle ACE
    Can you point the doc url to read?

    Aman....
  • 13. Re: Auditing DBAs
    yxes2013 Newbie
    Sorry dear, it's not really full-time docs but I am just scanning the bits and pieces of some previous DBA's folder just to find some security process that I can copy. :) It's just within the files of the new company
    which I am hired in.
  • 14. Re: Auditing DBAs
    yxes2013 Newbie
    I am thinking that he maybe wants to check before and after if there have been changes made by other DBAs to these files? Or I am just paranoid. :)
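
Added example (not part of any post in this thread, and not the previous DBA's script): a Python sketch of re-checking an md5sum-style manifest like the one quoted in reply 11, reporting each file as ok, changed, missing, or empty-baseline. The last status marks a baseline equal to the MD5 of empty input, which is the value `d41d8cd98f00b204e9800998ecf8427e` listed for audit_privs_opts.lst. The sample file names and the `verify` and `demo` helpers are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # digest of a zero-byte file

def parse_manifest(text):
    """Parse md5sum-style lines ('<hex digest>  <path>') into (digest, path) pairs."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            digest, path = line.strip().split(None, 1)
            entries.append((digest.lower(), path.lstrip("*")))  # '*' = binary-mode marker
    return entries

def file_digest(path, algo="md5"):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):  # hash in chunks
            h.update(chunk)
    return h.hexdigest()

def verify(manifest_text, algo="md5"):
    """Return {path: status}: ok, changed, missing, or empty-baseline (report had no content)."""
    empty = hashlib.new(algo, b"").hexdigest()
    results = {}
    for digest, path in parse_manifest(manifest_text):
        if not os.path.isfile(path):
            results[path] = "missing"
        elif file_digest(path, algo) != digest:
            results[path] = "changed"
        else:
            results[path] = "empty-baseline" if digest == empty else "ok"
    return results

def demo():
    """Constructed sample: take a baseline, then edit one file and delete another."""
    root = tempfile.mkdtemp()
    samples = {"users.lst": b"SYS\nSYSTEM\n", "privs.lst": b"DBA\n",
               "audit_opts.lst": b"", "objs.lst": b"T1\n"}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    paths = [os.path.join(root, n) for n in samples]
    manifest = "\n".join(f"{file_digest(p)}  {p}" for p in paths)
    with open(paths[0], "ab") as f:
        f.write(b"NEWDBA\n")   # simulated change after the baseline
    os.remove(paths[1])        # simulated deletion
    return {os.path.basename(p): s for p, s in verify(manifest).items()}
```

A baseline only detects tampering if the audited accounts cannot rewrite it, so keep the manifest somewhere the DBAs have no write access, and pass `algo="sha256"` when generating and checking new baselines.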