RE: Monitoring DB Admin

["Ackley, Alex" <aackley () epmgpc com>]

I'm not sure you'll be able to do preventive controls on a DB Admin as a
role.  But you can do it on a person by rotating duties and basing
permissions on role not person.

There are a few good apps out there to monitor database activities.  So
combine a good monitoring tool with role based permissions and you may
be able to appease them.

If you have more then one DB Admin; ask yourself if they all need the
same access?  Can they be segregated by database or databases?

What the auditors want to see are tools in place to limit the damage any
single person can cause.  It's the same reason you don't want to give
your developers admin access to your network.  They may never do
anything bad; but giving them more access then is required is asking for
trouble.

Alex Ackley, CISSP, GSEC
Security Administrator

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of WALI
Sent: Monday, May 28, 2007 11:31 PM
To: security-basics () securityfocus com
Subject: Monitoring DB Admin

....And the auditors report mentions that I (the internal IT Security 
Admin) should have independent monitoring of DB Admin activities, the
likes 
of DROP, ALTERS etc on an inhouse developed accounting package using
Oracle 
9i backened.

Not only this, the crazy auditing guys want to have preventive rather
than 
detective controls in place for DB Admin.

How secure can we make an application if we start doubting the guys we 
trust...the next thing the auditors would want is preventive controls
over 
me...Grrr!!

But still...is this doable!!??