i want to secure my oracle database from system administrator
DBAsupport.com Forums - Powered by vBulletin
Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: i want to secure my oracle database from system administrator

  1. #1
    Join Date
    Jul 2008
    Posts
    2

    i want to secure my oracle database from system administrator

    I am using window 2003 server and I want to secure my oracle database from system administrator. (start/stop database server, copy of full database folder) etc.
    Last edited by hrishy; 07-18-2008 at 04:15 AM.

  2. #2
    Join Date
    Nov 2000
    Location
    Pittsburgh, PA
    Posts
    4,015
    Quote Originally Posted by Owais
    I am using window 2003 server and I want to secure my oracle database from system administrator. (start/stop database server, copy of full database folder) etc.
    No problem, just take them out of the admin group.
    this space intentionally left blank

  3. #3
    Join Date
    Jul 2008
    Posts
    2
    Ok but to do daily network related task, we create one User on windows for network person with Power User rights but how can I restrict him not to copy the database folder in any other location.

    Note:One window user for DBA with user & ORA_DBA rights

  4. #4
    Join Date
    Nov 2000
    Location
    Pittsburgh, PA
    Posts
    4,015
    Quote Originally Posted by Owais
    Ok but to do daily network related task, we create one User on windows for network person with Power User rights but how can I restrict him not to copy the database folder in any other location.

    Note:One window user for DBA with user & ORA_DBA rights
    I was being sarcastic with my previous comment. If someone is a sys admin then they have full access to the server. you need to setup a daily hot backup and any other jobs that need to run on the database like a stats job yourself, and let them know what you want them to do. Can you create one folder/volume/partition to use as your backup directory and have them only backup that? I administer Unix servers and we have an /oracle/backups volume on every server. Anything we backup to that directory via our hot backup gets backed up by the backup system, if we don't backup to that directory then it doesn't get backed up.

    if someone is a sys admin they can hose your database whether intentionally or by accident.
    this space intentionally left blank

  5. #5
    Join Date
    Jan 2001
    Posts
    2,828
    Quote Originally Posted by Owais
    I am using window 2003 server and I want to secure my oracle database from system administrator. (start/stop database server, copy of full database folder) etc.

    This is not possible.

    This is like the developer saying i want to stop the DBA from looking at my records in the database.

    The least you can do is audit the dba's activites but i doubt you can prevent him from seeing

    regards
    Hrishy

  6. #6
    Join Date
    Mar 2007
    Location
    Ft. Lauderdale, FL
    Posts
    3,554
    Quote Originally Posted by hrishy
    This is not possible.

    This is like the developer saying i want to stop the DBA from looking at my records in the database.

    The least you can do is audit the dba's activites but i doubt you can prevent him from seeing
    You have to read a little about Oracle Vault.
    Pablo (Paul) Berzukov

    Author of Understanding Database Administration available at amazon and other bookstores.

    Disclaimer: Advice is provided to the best of my knowledge but no implicit or explicit warranties are provided. Since the advisor explicitly encourages testing any and all suggestions on a test non-production environment advisor should not held liable or responsible for any actions taken based on the given advice.

  7. #7
    Join Date
    Jan 2001
    Posts
    2,828
    Hi Pavb

    Thanks for the valuable info on oracle audit vault.
    I had no clue of this but when i read about it FAQ it looks like it audits everybody who looks into your data but cannot prevent say a system administrator from looking into the data.If a system adminitsrator looks into the data then that action is audited

    is my observation correct ?

    regards
    Hrishy

  8. #8
    Join Date
    Mar 2007
    Location
    Ft. Lauderdale, FL
    Posts
    3,554
    You are always welcome Hrishy but Oracle Vault is much more than an audit tool, Vault will stop you for viewing the data -even if you have DBA privs - then report your attempted violation of policies.
    Pablo (Paul) Berzukov

    Author of Understanding Database Administration available at amazon and other bookstores.

    Disclaimer: Advice is provided to the best of my knowledge but no implicit or explicit warranties are provided. Since the advisor explicitly encourages testing any and all suggestions on a test non-production environment advisor should not held liable or responsible for any actions taken based on the given advice.

  9. #9
    Join Date
    Jan 2001
    Posts
    2,828
    Quote Originally Posted by PAVB
    You are always welcome Hrishy but Oracle Vault is much more than an audit tool, Vault will stop you for viewing the data -even if you have DBA privs - then report your attempted violation of policies.
    Hi PAVB

    Great piece of info....I am really lucky to have run into this this is very very valuable for me.

    Its strange though that reading the FAQ it looks like it only aduits and doesn't prevent anyone from seeing the data

    Just one more question is it a seprate product that we need to buy over and above Oracle Database Enterprise Edition

    regards
    Hrishy

  10. #10
    Join Date
    Mar 2007
    Location
    Ft. Lauderdale, FL
    Posts
    3,554
    Glad you like it, Vault brings to the table a set of very interesting features.

    Answering you first question... Yes, vault actually prevents power users like DBA, etc to access the data, you may want to search for "Oracle Database Vault, Realms"

    Answering your last question, Yes! you have to pay for it.
    Pablo (Paul) Berzukov

    Author of Understanding Database Administration available at amazon and other bookstores.

    Disclaimer: Advice is provided to the best of my knowledge but no implicit or explicit warranties are provided. Since the advisor explicitly encourages testing any and all suggestions on a test non-production environment advisor should not held liable or responsible for any actions taken based on the given advice.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  



Click Here to Expand Forum to Full Width