
maria-discuss team mailing list archive

Re: Why does local root need a password?

 

The guy with the server room key is god of god of god :P


On Mon, Mar 25, 2019 at 22:30, Felipe Gasper <felipe@xxxxxxxxxxxxxxxx>
wrote:

>
>
> > On Mar 25, 2019, at 9:09 PM, Peter McLarty <peter.mclarty63@xxxxxxxxx>
> > wrote:
> >
> > The governance committee would have a fit about that security. That
> > would set up the possibility of the DBA logging in as an application
> > service user or some other user and edit data implicitly implying that the
> > service account or the user has been hacked as the edits came from that
> > user in the audit logs.
>
> The audit logs … that the admin can falsify anyway? An application service
> that likely has its credentials stored on the same server over which the
> admin has total access? User credentials that very likely are stored in
> ~/.my.cnf?
>
> > Yes by nature the DBA is god and this is true in all databases. SOX
> > based users in the US will talk about all the problems they have been dealt
> > with by auditors when addressing compliance.
>
> What I’m getting at is not that “DBA is god” so much as that “sysadmin is
> god of gods”. The idea of “DBA” just means someone who can do anything at
> all within the DB.
>
> But a local administrator, who can SIGKILL the DB (as opposed to asking
> the DB to shut itself down), who can edit the actual DB files manually, who
> can swap out anything for anything else, is another level of privilege.
> *That* user should have no need for credentials: they are who they say they
> are by the nature of what a sysadmin is.
>
> -FG


-- 
Roberto Spadim
SPAEmpresarial - Software ERP
Automation and Control Eng.
