Re: Auditing changes...By developers



On Mar 19, 7:59 pm, K. Brian Kelley <brian_kel...@REMOVE-ME.sqlpass.org> wrote:
A couple of questions come to mind:

1) Do the developers need the ability to modify the data outside the application?
2) If so, how are they logging in? Do they know the single username/password
the application is using?

As Sue posted, a server side trace will show when data is being modified
because you can capture the statements. However, getting past the non-repudiation
hurdle (being able to deny you did it) is hard to do unless they are logging
in with an account whose password only they know and they aren't using shared
accounts of any sort.

K. Brian Kelley, brian underscore kelley at sqlpass dot org http://www.truthsolutions.com/



What is the best way to go to track changes by developers that are
privy to db usernames and passwords?

Not all application users have domain accounts, so we can't use
trusted connections. Instead, we have a single username that the
application (we only have one) uses to perform its work.

We have auditing at the internal application level...Now we need a way
to determine if any of the four developers are possibly manipulating
data.

I briefly looked at application roles, but considering that you can
run sp_setapprole from the QA, that doesn't seem worthwhile.

How is everyone else doing it? Our auditors assure us it is being
done...

Don't you love SOX?

Thanks!

Joseph

1) Actually, they *do* need the ability to modify outside of the app,
as it is a relatively new application, and corrections need to be
made.
2) Right now, all connections are being made with the username/
password the application uses. They do know it (although all options
are opened).

I was thinking that the developers could know the database login used
by the app, but then the application would switch to an application
role to get anything done. Thus the Query Analyzer statement: What's
to keep them from launching QA, executing sp_SetAppRole, and then
altering data without any of the application's safeguards?

For the record, we are trusting the trail left by the application, and
we aren't concerned about that angle...

Thank you!
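A defender-side illustration of the two points raised above (Brian's server-side trace capturing the statements, and Joseph's worry that sp_setapprole can be run from Query Analyzer with the shared login), added here and not code from either poster: it scans a trace export and flags rows where the shared application login is used from a program other than the application to activate an application role or run DML, keeping the host name and NT user the trace still records as the best attribution a shared login allows. The login name, program name and trace rows are constructed.

```python
import csv
import io
import re

# Constructed sample of a server-side trace export (not from the thread), tab-separated,
# using the SQL Trace columns LoginName, ApplicationName, HostName, NTUserName, TextData.
SAMPLE_TRACE = (
    "LoginName\tApplicationName\tHostName\tNTUserName\tTextData\n"
    "app_login\tOrderEntry\tAPPSRV01\t\tUPDATE Orders SET Status = 'Shipped' WHERE OrderID = 1001\n"
    "app_login\tSQL Query Analyzer\tDEVBOX07\tCORP\\jdoe\tEXEC sp_setapprole 'OrderEntryRole', '<redacted>'\n"
    "app_login\tSQL Query Analyzer\tDEVBOX07\tCORP\\jdoe\tUPDATE Orders SET Total = 0 WHERE OrderID = 1002\n"
    "app_login\tSQL Query Analyzer\tDEVBOX07\tCORP\\jdoe\tSELECT * FROM Orders WHERE OrderID = 1002\n"
    "app_login\tOrderEntry\tAPPSRV01\t\tINSERT INTO OrderLines (OrderID, Sku) VALUES (1003, 'X1')\n"
)

APP_LOGIN = "app_login"      # the single shared login the application uses (assumed name)
APP_PROGRAM = "OrderEntry"   # ApplicationName the real application reports (assumed name)
DML_RE = re.compile(r"^\s*(INSERT|UPDATE|DELETE|MERGE|TRUNCATE)\b", re.IGNORECASE)
# Matches the procedure name whether the statement appears verbatim or redacted.
APPROLE_RE = re.compile(r"\bsp_setapprole\b", re.IGNORECASE)


def find_out_of_band_changes(trace_text):
    """Return trace rows where the shared application login is used from a program
    other than the application, either to activate an application role or to run DML.
    HostName and NTUserName are what the trace still records when the SQL login is
    shared, so they are kept as the best available (not non-repudiable) attribution."""
    findings = []
    for row in csv.DictReader(io.StringIO(trace_text), delimiter="\t"):
        if row["LoginName"] != APP_LOGIN or row["ApplicationName"] == APP_PROGRAM:
            continue  # not the shared login, or the application itself
        text = row["TextData"]
        if APPROLE_RE.search(text):
            kind = "approle-activation"
        elif DML_RE.match(text):
            kind = "dml"
        else:
            continue  # plain reads from a query tool are not flagged here
        findings.append({
            "kind": kind,
            "program": row["ApplicationName"],
            "host": row["HostName"],
            "nt_user": row["NTUserName"] or "(not recorded)",
            "statement": text,
        })
    return findings


if __name__ == "__main__":
    for f in find_out_of_band_changes(SAMPLE_TRACE):
        print(f"{f['kind']:<19} {f['host']} {f['nt_user']} via {f['program']}: {f['statement']}")
```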



