Petrofac_ITlogmein asked:

Preventive controls on Db Admin activity

Enabling auditing on database admin activities is considered a detective control, not independent of the database admin's own realm.

Is there a way we can audit Db admin activities independently and can push in preventive controls rather than just detective?

I am aware that there is a DB vault available from Oracle but that works from 10G ent. edition upwards. We are using 9i standard edition.

For 9i, DB Vault support is listed only for Sun Solaris Edition and not Windows :(

Tags: Oracle Database, Security

Last Comment: 8/22/2022 - Mon
David VanZandt

If I understand your question correctly, the answer is no.  The privileges to view permission-related behavior are limited to the sysdba or sysoper type accounts, so external controls cannot be used in that manner.  Before you get side-tracked with vaults or wallets, can we clarify whether your concern is truly "audit", the reporting of events such as attempts to alter the payroll table -- or database security?

At a high level, database security is controlled by granting SELECT, INSERT, UPDATE, DELETE, ALTER, or EXECUTE permissions on a schema object to one or more other accounts.  Generally we use ROLES to define the set of permissions needed by a class of user, as appropriate for development, test, or production.  In addition, PROFILES provide control of a user's resource consumption limits, and password enforcement.  For example, you'll find in the rdbms/admin folder a package that the profile can use to enforce your organization's password policy.

Am I on track with your intent?  I'll be glad to help further.

The concerns largely emanate from the external auditors' comments in their Audit report, where they (as most of the auditors routinely do) state that there is no effective mechanism to audit DB Admin activities.
Oracle's inbuilt audit mechanism is too crude to be effectively taken as an efficient 'preventive' mechanism in case the DB Admin is up to some malicious activity. Auditing DB Admin activity is, according to the Auditors, only a detective rather than preventive control. One way is to create a profile that enables drop/delete and other such high level activities of DB Admin and then share that password with some support manager or internal security function, but to me, that's not practical and doable in our scenario.

The auditors' concern here is, and you guessed it, the DB Admin attempts to alter the payroll tables, drop and change table values and do away with the logs generated while he/she did all that.
David VanZandt

My condolences, if your shop cannot trust its administrators to have integrity.  I have worked (a short while) as an IT special auditor for Alcoa, but this is draconian indeed.  What O/S?  On UNIX/LINUX it's fairly common to require a DBA to login as oneself, then su to the OPS$DBA account where the OPS account is identified externally -- so that the OPS account may SQLPLUS "/" from the database node but not from his/her PC.  In my current shop, the schema owner accounts are locked in production.  A scheduled release plan is required to do any DDL.

Do you have specific deliverables required to satisfy your external pests, I mean guests?
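The controls named in the two replies above (roles, a profile with a password verification function, an externally identified OPS$ account, locked schema owner accounts), put together as an added example that is not part of the original posts. The names PAYROLL, SALARY, PAYROLL_CLERK, APP_USER_PROFILE, JSMITH and OPS$DBA are hypothetical, and a UNIX host with the default OS_AUTHENT_PREFIX of OPS$ is assumed.

```sql
-- Added illustration, not code from the thread. All object, role, profile
-- and user names below are hypothetical.

-- 1. A role carries the object privileges needed by one class of user.
CREATE ROLE payroll_clerk;
GRANT SELECT, INSERT, UPDATE ON payroll.salary TO payroll_clerk;
GRANT payroll_clerk TO jsmith;

-- 2. A profile enforces password policy and resource limits.
--    VERIFY_FUNCTION is created by rdbms/admin/utlpwdmg.sql (run as SYS).
--    Password limits always apply; SESSIONS_PER_USER and IDLE_TIME are
--    enforced only when the RESOURCE_LIMIT parameter is TRUE.
CREATE PROFILE app_user_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LIFE_TIME       90
  PASSWORD_VERIFY_FUNCTION verify_function
  SESSIONS_PER_USER        2
  IDLE_TIME                30;
ALTER USER jsmith PROFILE app_user_profile;

-- 3. OS-authenticated DBA account. It has no database password, so it can
--    connect only as "/" from a session of OS user "dba" on the database
--    host (REMOTE_OS_AUTHENT left at its default of FALSE).
CREATE USER ops$dba IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO ops$dba;

-- 4. Lock the schema owner in production so that nobody logs in as the
--    owner to run ad hoc DDL; unlock it only inside a scheduled release.
ALTER USER payroll ACCOUNT LOCK;

-- 5. Review the result.
SELECT username, account_status, profile
  FROM dba_users
 WHERE username IN ('PAYROLL', 'OPS$DBA', 'JSMITH');
```

A locked account still owns its objects, and grants on them keep working. Any account holding ALTER USER can unlock it, so the lock supports the release procedure rather than constraining a DBA.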

Your last line says it all..it's not about my shop trusting its DBAs, it's about the external auditors' report and their observation that we should have preventive rather than detective controls on our DBA activities. All said and done, it's easy to make our comment on their report that 'we accept the inherent risk' but I was only wondering if there is a doable solution in light of our Oracle 9i running on Windows 200/3 OS?
It appears that you are following a well laid out release plan, can you please relate that in a nutshell, I mean, how do you cater to code change between development to production. (I've increased the points :)
David VanZandt

Log in or sign up to see answer

Forced accept.

EE Admin