Right, I agree there are things I can do to minimize impact,
but If SAS70 or similar comes in and says w/o superuser auditing
we're not giving you the certification, then that still causes us a
problem.
I don't think it does though, I've gone through SOX and all they
require is "controlled" superuser access. So they recognise that
DBA / superuser is all powerful, they just want to make sure your
company has policies and procedures in place to ensure that very
few people have that access.
I'm hoping someone on the list has experience to confirm or deny that
assumption with regards to SAS70.
Thanks!
Dave
On Mon, Sep 14, 2009 at 01:38:14PM -0600, Scott Marlowe wrote:
- Yeah, I question the intelligence of your security expert in this
- situation. As the superuser, I can do nearly anything I please, it's
- kind of the point. Now, if he wants you to setup non-superuser roles
- to do other stuff, I can understand, but there are some things only
- the superuser can do, and for that, you gotta trust them.
-
- On Mon, Sep 14, 2009 at 1:17 PM, David Kerr <dmk@mr-paradox.net> wrote:
- > anyone pass a SAS70 audit with postgres?
- >
- > Our security expert has a lot of concerns due to the lack of
- > user audit logging that's provided.
- >
- > especally for logging superuser / DBA actions.
- >
- > Of course, my stance is that you need to trust your DBAs,
- > but I don't know if SAS70 shares my belief.
- >
- > Thanks
- >
- > Dave
- >
- > --
- > Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
- > To make changes to your subscription:
- > http://www.postgresql.org/mailpref/pgsql-general
- >
-
-
-
- --
- When fascism comes to America, it will be intolerance sold as diversity.
-