Re: security against dba´s

[Andre Rodrigues <acastanheira2001 () yahoo com br>]

Hi Pax,

We have Oracle databases.

I was thinking about informing the dbas:

1- The security regulations our enterprise is obliged to.

2- The controls we are implmenting:
 
   2.1- Log all the access the dba do on the database.
   2.2- Open an access to the security team.
   2.3- Make regular audits on the database access.

What else can I do?



Thanks,
André


--- On Tue, 2/10/09, Pax Nwo <paxnwo () yahoo com> wrote:

> From: Pax Nwo <paxnwo () yahoo com>
> Subject: Re: security against dba´s
> To: acastanheira2001 () yahoo com br
> Date: Tuesday, February 10, 2009, 2:58 PM
> need more info. what kind of db ? oracle, mysql ? the dba
> can remote connect to the db through connection clients like
> sqlyog and navicat. if the dba uses mysql, he can also login
> to the phpmyadmin panel. 
> how can you protect the dba from the db ? temporarily,
> change the password (althou he will get it back ). how ? get
> detailes like host, username, password. email the sysadmin
> that administrates the hosting server ( i think you will
> need the dba's email address ). if phpmyadmin allows you
> to change the admin password, go ahead. how can you find out
> the password ? using a cookie grabber, keylogging, scamming.
> i dont think that you can restrict an admin's privileges
> to acces his db. you can at least delay him. use your brain.
> get inside his pc, scramble his data, kill his wife, do
> something :) 
>
> regards, pax. 
>
>
>
>
> ________________________________
> From: Andre Rodrigues <acastanheira2001 () yahoo com br>
> To: security-basics () securityfocus com
> Sent: Tuesday, February 10, 2009 10:15:08 PM
> Subject: security against dba´s
>
> Hi,
>
> How can I protect the database from the dba?
>
> As far as I know they don´t need to access the database
> data in order to do their job.
>
> Any related material appreciated.
>
> Thanks,
> André