Is it possible to audit the DBA with certainty that the DBA cannot alter or remove the audit trail? This was the subject of a thread a couple of days ago on comp.databases.oracle.server. This subject is discussed from time to time on various newsgroups and mailing lists. Generally the talk falls into two or three camps, first suggestions to fire the DBA if you do not trust him or suggest that he has free reign if you do trust him because auditing him is pointless or suggest ways to comply and audit him whilst understanding that if he is determined he can probably get around your measures.
The need to audit the DBA’s activities as well as everyone else’s has become a real requirement for companies that have to comply with new regulations that have sprung up in recent years. From 9i you can use the parameter audit_sys_operations to create trace files in the location pointed at by audit_file_dest parameter. Ideally this will write to a directory that the DBA's do not have access to. Ensuring that methods that can be used within the database to access operating system files are restricted is essential in this case so that the DBA cannot use the database engine to alter or remove the files. Fine Grained Audit is also a possibility if the SYS.FGA_LOG$ table can be protected. The best method to do this is to copy it to another database or to the file system either in real time or on a regular basis. This could be done by moving the table out of the SYSTEM tablespace and even from the SYS user (pointing back with synonyms) so that a trigger can be added to it to copy the data. This is most likely not supported by Oracle. The same techniques can be used with SYS.AUD$. Notes on metalink exist to show how to do this. Again this is not supported by Oracle but could still be done. Auditing the normal audit trail in the database for changes to it is also possible. Again this could be turned off or the contents of the audit trail changed by a DBA who wanted to do it.
I think it all comes down to compromise as do most of these very difficult problems that need to be solved. You can audit the DBA and its possible to write the audit records from audit_sys_operations to a file system the DBA cannot access but having DBA's you trust is also necessary!
Blog
Pete Finnigan's Oracle Security Weblog
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
[Previous entry: "some interesting comments on ORACLE-L about alert #68"] [Next entry: "new shell for Windows"]
October 2004
- find_all_privs.sql : A script to find all privileges allocated to a user or role - 10/02/2004 by 10/02/2004
- PeteFinnigan.com Tools page updated - 10/03/2004 by 10/03/2004
- who_has_role.sql : A script to find which users and roles have been granted a role - 10/05/2004 by 10/05/2004
- Howard Rogers writes about Virtual Private databases - 10/06/2004 by 10/06/2004
- Tools page has been updated again - 10/07/2004 by 10/07/2004
- who_has_priv.sql : script to find user who have been granted a system privilege - 10/09/2004 by 10/09/2004
- Oracle remids all customers to apply Patches for alert #68 - 10/10/2004 by 10/10/2004
- preventing password leakage with SQL*Loader - 10/11/2004 by 10/11/2004
- which special characters can be used in Oracle database passwords - 10/12/2004 by 10/12/2004
- expired passwords, ORA-01045 and password changes - 10/13/2004 by 10/13/2004
- SQL Injection papers - 10/14/2004 by 10/14/2004
- where is the next monthly patch? - 10/15/2004 by 10/15/2004
- computerworld have also picked up the patch quickly story - 10/16/2004 by 10/16/2004
- Listener security guide - 10/17/2004 by 10/17/2004
- A tuning book and security? - 10/18/2004 by 10/18/2004
- An interesting SQL Injection paper - 10/19/2004 by 10/19/2004
- Internetnews article : "Customers Gripe About Oracle's Patch Plan" - 10/20/2004 by 10/20/2004
- Auditing DBA's? - 10/21/2004 by 10/21/2004
- You can search inside the SANS Oracle security step-by-step guide - 10/22/2004 by 10/22/2004
- Is setting trace a security risk? - part 1 - 10/23/2004 by 10/23/2004
- technewsworld.com says "Oracle's Security Luck Runs Out" - 10/24/2004 by 10/24/2004
- Another issue with alert 68 on AIX 32 bit - 10/25/2004 by 10/25/2004
- Writing to the alert log - 10/26/2004 by 10/26/2004
- more info on DBMS_SYSTEM.KSDWRT - 10/27/2004 by 10/27/2004
- massive data theft from a database in California - 10/28/2004 by 10/28/2004
- Can I connect to the database as the user PUBLIC? - 10/29/2004 by 10/29/2004
- Interesting question about Sarbanes-Oxley on Oracle 7.3.3 - 10/30/2004 by 10/30/2004
- Howard Rogers new paper on secure application roles - 10/31/2004 by 10/31/2004
Archives
Syndication
Powered by gm-rss 2.0.0
