04-08-2008, 11:17 AM
Stefaan A Eeckels
Re: Tough question for oracle DBAs/Solaris Admins. Log shipping.

On Fri, 01 Sep 2006 15:07:44 -0700
Frank Cusack <fcusack@fcusack.com> wrote:

> On Fri, 1 Sep 2006 23:33:06 +0200 Stefaan A Eeckels <hoendech@ecc.lu>
> wrote:
> > On 1 Sep 2006 12:28:12 -0700
> > "Karen Hill" <karen_hill22@yahoo.com> wrote:
> >
> >> Immutable files are files where not even root
> >> can change/delete/move a file set as immutable.
> >
> > But root can unset the immutable flag. Thus it only serves as
> > protection against accidental deletions or modifications. This is
> > slightly useful. Roles are better for that purpose.
> >
> >> For the Oracle DBAs, how can you guarantee an audit trail without
> >> immutable files?
> >
> > You cannot guarantee it with immutable files.
> >
> > Immutability is _not_ a security feature. It does _not_ solve the
> > problem that root can change any file.
>
> In *BSD, it can. You can disable unsetting the immutable flag.


You have to get into single user mode, which makes doing evil things a
bit more difficult. But only a bit, because scheduled downtime happens.

> > If you cannot trust your root user, you've got major problems. Trust
> > is a difficult concept for PHBs, but there is no magic solution.
>
> For some environments, root indeed has to be untrusted. e.g.
> kerberized NFS can be set up in such a way that root on the local box
> does not get you access to data you shouldn't have access to. (lots
> of ifs and buts here, of course).


OK, root on a workstation != the sysadmins. What I meant is that if
the sysadmins of the "corporate servers" cannot be trusted, you have
major problems.

<...>
> Audit controls are about protecting yourself from UNTRUSTED
> employees, not eliminating trust from the system.


Indeed - but the OP suggested that immutable files enabled a DBA to
protect her database from interference by the sysadmin.

> No auditor will balk at not having immutable files as long as only
> trusted employees are in the position to undetectably alter data.


In the 1980s, I had to deal with an auditor who wanted to ensure that
two people were needed -together- to gain root access (each having
half the password). He also wanted a transcript of the root sessions to
be printed to a printer in a locked cabinet in his office. Major PITA,
this fellow, but he caught the GM at financial irregularities, so maybe
he had a point.

--
Stefaan A Eeckels
--
You rarely have time for everything you want in this life, so you
have to make choices. And hopefully your choices can come from a
deep sense of who you are. -- Fred Rogers
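The thread's closing points, that alteration only has to be detectable and that a record kept off the host (the auditor's printer) is outside local root's reach, can be shown as a reconciliation check between a shipped log copy and the log on the database host. This is an added example, not part of the original post; the record format, the sample lines and the function name `reconcile` are constructed assumptions.

```python
import difflib

# Constructed sample: the copy already shipped off-host (out of local root's reach).
SHIPPED = [
    "0001 2006-09-01T12:00:01 SYS CONNECT AS SYSDBA",
    "0002 2006-09-01T12:00:09 SYS GRANT DBA TO APPUSER",
    "0003 2006-09-01T12:01:30 APPUSER SELECT ON PAYROLL",
    "0004 2006-09-01T12:02:11 APPUSER UPDATE ON PAYROLL",
    "0005 2006-09-01T12:03:00 SYS REVOKE DBA FROM APPUSER",
]
# Constructed sample: the log as it now reads on the database host.
LOCAL = [
    SHIPPED[0],
    "0002 2006-09-01T12:00:09 SYS GRANT CONNECT TO APPUSER",  # rewritten
    SHIPPED[2],
    # record 0004 has been removed
    SHIPPED[4],
    "0006 2006-09-01T12:05:42 SYS DISCONNECT",  # written after the last shipment
]


def reconcile(shipped, local):
    """Treat the shipped copy as the reference and report where the local log differs.

    Returns a list of (kind, index, detail) tuples. Records that exist only
    at the tail of the local log are reported as "unshipped" (normal shipping
    lag); every other difference means the local log was changed after shipping.
    """
    findings = []
    matcher = difflib.SequenceMatcher(None, shipped, local, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        if tag == "insert" and i1 == len(shipped):
            findings.append(("unshipped", j1, local[j1:j2]))
        elif tag == "insert":
            findings.append(("inserted", j1, local[j1:j2]))
        elif tag == "delete":
            findings.append(("deleted", i1, shipped[i1:i2]))
        else:  # "replace": shipped records no longer read the same locally
            findings.append(("altered", i1, (shipped[i1:i2], local[j1:j2])))
    return findings


if __name__ == "__main__":
    for kind, index, detail in reconcile(SHIPPED, LOCAL):
        print(kind, index, detail)
```

The check is only as trustworthy as the place the shipped copy lives: it has to be run from, and against, a system the administrators of the audited host cannot write to.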