Thread: SAS70 audit + postgres

SAS70 audit + postgres

From
David Kerr
Date:
anyone pass a SAS70 audit with postgres?

Our security expert has a lot of concerns due to the lack of
user audit logging that's provided.

especially for logging superuser / DBA actions.

Of course, my stance is that you need to trust your DBAs,
but I don't know if SAS70 shares my belief.

Thanks

Dave

Re: SAS70 audit + postgres

From
Scott Marlowe
Date:
Yeah, I question the intelligence of your security expert in this
situation.  As the superuser, I can do nearly anything I please, it's
kind of the point.  Now, if he wants you to set up non-superuser roles
to do other stuff, I can understand, but there are some things only
the superuser can do, and for that, you gotta trust them.

On Mon, Sep 14, 2009 at 1:17 PM, David Kerr <dmk@mr-paradox.net> wrote:



--
When fascism comes to America, it will be intolerance sold as diversity.

Re: SAS70 audit + postgres

From
David Kerr
Date:
Right, I agree there are things I can do to minimize impact,
but if SAS70 or similar comes in and says w/o superuser auditing
we're not giving you the certification, then that still causes us a
problem.

I don't think it does though, I've gone through SOX and all they
require is "controlled" superuser access. So they recognise that
DBA / superuser is all powerful, they just want to make sure your
company has policies and procedures in place to ensure that very
few people have that access.

I'm hoping someone on the list has experience to confirm or deny that
assumption with regards to SAS70.

Thanks!

Dave


On Mon, Sep 14, 2009 at 01:38:14PM -0600, Scott Marlowe wrote:

Re: SAS70 audit + postgres

From
Scott Marlowe
Date:
Had a similar thing when I was in Chicago about Oracle.  While Oracle
has some form of auditing, the fact is that any resourceful DBA with
root access can cover their tracks if they want.  Best of luck.

On Mon, Sep 14, 2009 at 1:45 PM, David Kerr <dmk@mr-paradox.net> wrote:

Re: SAS70 audit + postgres

From
David Kerr
Date:
=) yeah, same. Thanks

Dave

On Mon, Sep 14, 2009 at 01:54:25PM -0600, Scott Marlowe wrote: