23 Replies Latest reply: Feb 26, 2013 1:52 AM by User477708-OC

    Auditing DBAs

    yxes2013
      Hi all,

      We have a "very" critical system that has valuable information in it. For example, a table of terrorists or blacklisted people around the world.
      I want to protect the information from the DBAs themselves or the developers, as they are the ones who have direct access to the table.
      Can you share with me some of your experience or your processes that involve protection of critical info from users who have powerful privileges themselves?
      I see docs like auditing the audit table. But I want some actual process being used in production.


      Thanks a lot,

      zxy
        • 1. Re: Auditing DBAs
          asahide
          Hi,

          I think that you can use Audit trail.
          <<http://www.dba-oracle.com/t_audit_table_command.htm>>
          <<http://www.dba-oracle.com/security/auditing_sys_connections.htm>>

          Regards,

          Edited by: asahideO on 2013/02/25 10:22
          • 2. Re: Auditing DBAs
            Aman....
            yxes2013 wrote:
            Hi all,

            We have a "very" critical system that has valuable information in it. For example, a table of terrorists or blacklisted people around the world.
            I want to protect the information from the DBAs themselves or the developers, as they are the ones who have direct access to the table.
            Can you share with me some of your experience or your processes that involve protection of critical info from users who have powerful privileges themselves?
            I see docs like auditing the audit table. But I want some actual process being used in production.

            Data Vault and Audit Vault?

            Aman....
            • 3. Re: Auditing DBAs
              yxes2013
              I thank you all :)

              I am not using isqlplus or em :(

              Can you share with me some advantages of using these tools?


              https://localhost:5501/em
              http://localhost:5560/isqlplus
              • 4. Re: Auditing DBAs
                sb92075
                yxes2013 wrote:
                I thank you all :)

                I am not using isqlplus or em :(
                isqlplus no longer exists & rightly so.
                EM is a crutch for lazy folks.
                • 5. Re: Auditing DBAs
                  yxes2013
                  Thanks dear :) ...so I am not alone? And I will just junk it?

                  I cannot understand why this new company I am in has docs related to them.

                  Actually I am browsing the "EM" page now. Can you tell me which topic here has relevance to look at? I cannot find any :(
                  • 6. Re: Auditing DBAs
                    Hemant K Chitale
                    and I will just junk it?
                    No. You should familiarise yourself with using EM. Going forward, particularly since 10g, Oracle has been making enhancements and moving a lot of features and administration into EM.
                    Having said that, you must also be able to use command-line SQLPlus and SQL, and be able to use the PLSQL DBMS APIs.


                    Hemant K Chitale
                    • 7. Re: Auditing DBAs
                      Girish Sharma
                      I want to protect the information from the DBAs themselves or the developers, as they are the ones who have direct access to the table.
                      Don't you have direct access to your bank locker in which you kept your valuable documents, jewellery, etc.? How can a bank (Oracle) protect the locker (table) from you (DBA/developers)? The bank (Oracle) has provided a thumb impression (listener logging) at the main gate, plenty of security personnel (different auditing options) have been deployed, there is a good and perfect alarm (trigger), at the locker clerk the bank has put a signature register (only certain users can access the table), in the locker room there are the CCTVs (Data Vault), etc. What else can the bank (Oracle) do for the security of your locker (table)? How can the bank (Oracle) know that you (DBA) are going to hack your locker (table)? It's not possible.

                      When I said "oracle database security options" to Google, I found a couple of good links like:

                      Oracle Security by Oracle: http://www.oracle.com/technetwork/topics/security/articles/index.html
                      Oracle Database Security Checklist: http://dbpost.wordpress.com/2012/04/24/oracle-database-security-checklist/
                      Top 10 Oracle Steps to a Secure Oracle Database Server: http://blog.opensecurityresearch.com/2012/03/top-10-oracle-steps-to-secure-oracle.html

                      In addition to the above, if you read the great security articles and solutions provided by Pete Finnigan (http://www.petefinnigan.com/), I think you have done all the steps which an Oracle DBA does.

                      Regards
                      Girish Sharma
                      • 8. Re: Auditing DBAs
                        yxes2013
                        I thank you all :) ...so what I can do is trust the DBAs themselves. What if they were paid 1 million USD just to tag the blacklist as cleared, then when the blacklist was able to leave/enter the ports
                        the DBA then returns the tag to active so nothing has changed.
                        • 9. Re: Auditing DBAs
                          Girish Sharma
                          yxes2013 wrote:
                          I thank you all :) ...so what I can do is trust the DBAs themselves. What if they were paid 1 million USD just to tag the blacklist as cleared, then when the blacklist was able to leave/enter the ports
                          the DBA then returns the tag to active so nothing has changed.
                          Yes, everything is possible. Nothing is protected when it is not within the boundary of protection. We can have security for the machine, data, network, server room, etc. There is a lock for the door, but a key is required to unlock it, and the keys lie with a person. There is no lock for the person; if I wish to rob my own home, then I am sure it's possible.

                          Regards
                          Girish Sharma
                          • 10. Re: Auditing DBAs
                            Aman....
                            yxes2013 wrote:
                            I thank you all :) ...so what I can do is trust the DBAs themselves. What if they were paid 1 million USD just to tag the blacklist as cleared, then when the blacklist was able to leave/enter the ports
                            the DBA then returns the tag to active so nothing has changed.
                            Besides auditing the DBA operations, there is very little that you can do. As a basic principle, don't have people whom you expect to steal or sell the data taking care of data that is very sensitive. Also, there is no such thing as 100% security. You can try to be as safe as possible, but as Murphy's law says, if something can go wrong, it will go wrong, and you would have to deal with it too!

                            Aman....
                            • 11. Re: Auditing DBAs
                              yxes2013
                              Got it :) Thanks

                              Is it part of security check to verify hash values of some files?
                              03fda2320221d273f0ca5775dccfce49  /home/oracle/scripts/reportaudit/users_database.lst
                              394782604b0187a07940fdebf19fdb47  /home/oracle/scripts/reportaudit/privs_system_database.lst
                              7ecd51daa3f6d84c323d76bb3b10eaeb  /home/oracle/scripts/reportaudit/priv_objs_database.lst
                              d41d8cd98f00b204e9800998ecf8427e  /home/oracle/scripts/reportaudit/audit_privs_opts.lst
                              5aca2712acbe0c1832a9214059b94023  /home/oracle/scripts/reportaudit/audit_objs_opts.lst
                              What do you think is the purpose of this? I see this in the documentation.

                              Thanks,
                              • 12. Re: Auditing DBAs
                                Aman....
                                Can you point to the doc URL to read?

                                Aman....
                                • 13. Re: Auditing DBAs
                                  yxes2013
                                  Sorry dear, it's not really full-time docs, but I am just scanning the bits and pieces of some previous DBA's folder just to find some security process that I can copy. :) It's just within the files of the new company
                                  which I am hired in.
                                  • 14. Re: Auditing DBAs
                                    yxes2013
                                    I am thinking that he maybe wants to check before and after whether there have been changes made by other DBAs to these files? Or I am just paranoid. :)
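
Added example, not part of the thread or of the previous DBA's scripts: one way to use a digest listing like the one posted in reply 11 as a before/after baseline for the report files. The function names and the "later" state built in `demo()` are constructed for illustration; the baseline lines are the ones from the post.

```python
import hashlib
from pathlib import Path

EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # digest of a zero-byte file

# Baseline: the md5sum-style listing exactly as posted in the thread.
BASELINE = """\
03fda2320221d273f0ca5775dccfce49  /home/oracle/scripts/reportaudit/users_database.lst
394782604b0187a07940fdebf19fdb47  /home/oracle/scripts/reportaudit/privs_system_database.lst
7ecd51daa3f6d84c323d76bb3b10eaeb  /home/oracle/scripts/reportaudit/priv_objs_database.lst
d41d8cd98f00b204e9800998ecf8427e  /home/oracle/scripts/reportaudit/audit_privs_opts.lst
5aca2712acbe0c1832a9214059b94023  /home/oracle/scripts/reportaudit/audit_objs_opts.lst
"""

def parse_manifest(text):
    """Parse '<hex digest>  <path>' lines into {path: digest}."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            entries[path.strip().lstrip("*")] = digest.lower()
    return entries

def hash_files(paths):
    """Digest files as they are on disk now (MD5, to match the posted listing)."""
    return {str(p): hashlib.md5(Path(p).read_bytes()).hexdigest() for p in paths}

def compare(baseline, current):
    """Return (path, finding) pairs for added, missing, changed and zero-byte files."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            findings.append((path, "ADDED"))
        elif new is None:
            findings.append((path, "MISSING"))
        elif old != new:
            findings.append((path, "CHANGED"))
        if new == EMPTY_MD5:
            findings.append((path, "EMPTY"))  # report file with no content
    return findings

def demo():
    """Constructed 'later' state: one report altered, one report gone."""
    later = parse_manifest(BASELINE)
    prefix = "/home/oracle/scripts/reportaudit/"
    later[prefix + "users_database.lst"] = hashlib.md5(b"constructed").hexdigest()
    del later[prefix + "audit_objs_opts.lst"]
    return compare(parse_manifest(BASELINE), later)
```

The comparison is only as trustworthy as the baseline, so the listing has to be kept where the accounts being checked cannot rewrite it. `hash_files()` builds the current-state mapping from the real files for `compare()`.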