rmarles
3rd August 2007, 18:07
Hi there,
I'm hoping someone may be able to provide some advice.
Running Baan over Oracle, a SOx requirement for our auditors is to ensure that no (undocumented) changes to the data directly via Oracle are happening.
I'm thinking this shouldn't be too difficult, i.e., placing triggers on the database and auto-emailing the results or something "system generated".
Has anyone done anything like this and how did you implement?
Thanks
patyogi
22nd August 2007, 22:21
The ideal approach is to turn on the GTM log reports to show any data changes. Remove any shell access to the database server.
kaukul
23rd August 2007, 10:37
The ideal approach is to turn on the GTM log reports to show any data changes. Remove any shell access to the database server.
Hey,
rmarles is asking about Oracle level. GTM comes via BaaN and those changes can be recorded in Audit. :mad:
tuple9i
29th August 2007, 04:11
I have gone through multiple SOX audits. What I do is document all users who have "Black-Screen" privileges, all users who have BaaN Administrator privileges and all users who have direct access to the Oracle database without the Application. Actually that comes out to a total of 6 for my environment (1500+ employees with BaaN access).
I use BaaN audit for the initial list and then show the auditor process documentation for ALL activity that has changed BaaN, Oracle or the environment with change logs for each privileged User.
I also explain how the Application works allowing a normal user to access the database, but ONLY through the Application. Of course this may take a couple discussions, but the Auditor generally understands Application driven database access.
The most important thing is the documentation of ANY change. The more documentation, the easier the audit, of course IMHO.
Good Luck
rmarles
29th August 2007, 16:50
Hi Tuple9i
Sounds similar to us.
We have 3 users that have black screen privs, these are the users that the auditors are concerned about. Like you, the auditors are happy with application access.
We also document, document, document, but they want to catch direct changes to the baan database within oracle (which doesn't happen often, I can't remember the last time I had to do that) and ensure that there's documentation to match the change.
I'm thinking triggers may do the trick but I'm unfamiliar with how to implement them, hence the post for ideas.
Thanks
patyogi
31st August 2007, 04:25
In our case, we added a trigger to deny any 'Direct' Oracle connections other than the Application Server and on the Application server all shell access got turned off. The only way for any data modification is thru GTM.
patyogi
31st August 2007, 04:30
Tuple9i,
What report/audit log reports do you use to validate the users with Shell access privileges (Black-Screen)? And for BaaN Administrators, what reports do you generate? Would appreciate it if you share the information about these reports.
Do you also generate any reports to verify/validate if any AMS roles got changed, or if any elevated privileges got assigned to any roles?
Is it a 'custom' or 'standard' report that pulls from BaaN to show auditors what got changed in BaaN? Is auditing turned on for all the tables, or is the report at a session (name) level?
How do you validate BaaN code/components for SOx compliance?
Thanks
Patyogi
kaukul
31st August 2007, 08:15
In our case, we added a trigger to deny any 'Direct' Oracle connections other than the Application Server and on the Application server all shell access got turned off. The only way for any data modification is thru GTM.
Hi,
Whenever we reorganize/reconfigure/delete/create tables, DB level authorizations are deleted and you have to reassign these... beware of that.
Regards,
Kaustubh
Markus Schmitz
31st August 2007, 09:05
In our case, we added a trigger to deny any 'Direct' Oracle connections other than the Application Server and on the Application server all shell access got turned off. The only way for any data modification is thru GTM.
Hi Patyogi,
Just out of curiosity, how did you implement this on a technical level? How would Oracle know the difference between a "direct" and a Baan connection, if it is the same user etc.?
Regards
Markus
kaukul
31st August 2007, 11:51
good Q. Markus...!! :)
rmarles
31st August 2007, 15:53
I'm also curious as to how you have your users set up...
If we were to deny direct access through sqlplus, we wouldn't be able to create new users in the oracle database (we have one oracle account for every baan account)...
Is there a way to set up auditing in Oracle for direct access via sqlplus only? That may be sufficient to meet my needs. The auditors could review the audit log and question the actions accordingly...
-Rob
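Rob's "audit rather than deny" idea can be done with Oracle fine-grained auditing (DBMS_FGA), which records DML only when a condition on the session is true. The block below is an added example written for this thread, not code posted by anyone in it; it assumes Oracle 10g or later (DML support in FGA), a placeholder schema/table name (BAAN.TTCCOM_PLACEHOLDER) and a placeholder application server address (192.0.2.10) that you would replace with your own.

```sql
-- Added example (not from the thread). Records INSERT/UPDATE/DELETE on one
-- Baan table whenever the session did NOT come from the application server,
-- so a change typed into sqlplus (or any other client) lands in the audit
-- trail with the user, host and full SQL text for the auditors to review.
-- Placeholders: schema BAAN, table TTCCOM_PLACEHOLDER, app server 192.0.2.10.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'BAAN',
    object_name     => 'TTCCOM_PLACEHOLDER',
    policy_name     => 'DIRECT_DML_AUDIT',
    -- SYS_CONTEXT IP_ADDRESS is NULL for local (bequeath) sessions, i.e.
    -- sqlplus started on the database host itself. Map NULL to 'LOCAL' so
    -- that case is audited too instead of silently slipping past the test.
    audit_condition => 'NVL(SYS_CONTEXT(''USERENV'',''IP_ADDRESS''),''LOCAL'') <> ''192.0.2.10''',
    statement_types => 'INSERT,UPDATE,DELETE',
    -- DB_EXTENDED keeps the statement text and bind values, which is what
    -- the auditors need to match a row against a change record.
    audit_trail     => DBMS_FGA.DB_EXTENDED,
    enable          => TRUE);
END;
/

-- Review query for the auditors: who changed what, from where, and the SQL.
SELECT timestamp, db_user, os_user, userhost, object_schema, object_name,
       statement_type, sql_text
  FROM dba_fga_audit_trail
 WHERE policy_name = 'DIRECT_DML_AUDIT'
 ORDER BY timestamp;
```

An FGA policy is per table, so for a full Baan schema you would loop over DBA_TABLES for the BAAN owner and call ADD_POLICY for each. Keep in mind that the audit rows are written by the database, so a user with the DBA role could delete them; the audit trail itself belongs on the list of things the auditors check.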
patyogi
1st September 2007, 06:10
We created a Table and defined the IP address of the Application Server. The trigger will validate if the connectivity is from the defined IP address. If so, it will allow the Database connectivity; if not, it will reject the connectivity. When the hardware and the IP address change (not that often), the infrastructure team will communicate this, and DBAs will update the trigger.
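Patyogi's description maps onto an Oracle AFTER LOGON ON DATABASE trigger that looks the session's IP address up in an allowlist table. The block below is an added example written for this thread, not the code patyogi's site runs; it assumes the allowlist table and trigger are created by the DBA account, uses a placeholder application server address (192.0.2.10), and, to address Rob's point about still being able to create users, exempts accounts holding the DBA role from the check rather than exempting everyone.

```sql
-- Added example (not from the thread). Allowlist of application server
-- addresses; the infrastructure team's change notice becomes an INSERT/UPDATE
-- here instead of an edit to the trigger itself.
CREATE TABLE app_server_allowlist (
  ip_address  VARCHAR2(45) NOT NULL,
  description VARCHAR2(100),
  CONSTRAINT pk_app_server_allowlist PRIMARY KEY (ip_address)
);

-- Placeholder address; replace with the real application server.
INSERT INTO app_server_allowlist VALUES ('192.0.2.10', 'Baan application server');
COMMIT;

CREATE OR REPLACE TRIGGER trg_deny_direct_logon
AFTER LOGON ON DATABASE
DECLARE
  v_user  VARCHAR2(30) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  -- Local (bequeath) sessions have no IP address; treat them as 'LOCAL' so
  -- sqlplus on the database host is not mistaken for an allowed source.
  v_ip    VARCHAR2(45) := NVL(SYS_CONTEXT('USERENV', 'IP_ADDRESS'), 'LOCAL');
  v_dba   PLS_INTEGER;
  v_allow PLS_INTEGER;
BEGIN
  -- Accounts holding the DBA role are exempt so user creation and other
  -- administration still work; those sessions should be covered by auditing
  -- instead of being blocked.
  SELECT COUNT(*) INTO v_dba
    FROM dba_role_privs
   WHERE grantee = v_user AND granted_role = 'DBA';
  IF v_dba > 0 THEN
    RETURN;
  END IF;

  SELECT COUNT(*) INTO v_allow
    FROM app_server_allowlist
   WHERE ip_address = v_ip;
  IF v_allow = 0 THEN
    RAISE_APPLICATION_ERROR(-20001,
      'Direct database access for ' || v_user || ' from ' || v_ip ||
      ' is not permitted; use the Baan application');
  END IF;
END;
/
```

Two caveats worth knowing before relying on this. First, Oracle does not let a logon trigger error stop a session for users who hold ADMINISTER DATABASE TRIGGER (SYS and DBA role holders); they log in anyway and the error goes to the alert log, which is why the example exempts them explicitly and leaves them to auditing. Second, the check is on the client's IP address only, so anyone who can open a shell on the application server itself still passes it; that is the reason the thread pairs this trigger with removing shell access on that host.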