Hi, Gavin!
On Nov 11, Gavin Towey wrote:
> This raises an issue that I've often wondered how other people handle:
>
> If a DBA (or anyone else) has shell access to the machine, then they
> can simply edit the log to cover their tracks. How do you prevent
> this scenario?
First, don't give DBA (or just anyone) shell access - that's the best
way.
Then, don't make the directory with the log files world readable and
don't make the log files writable by DBA (or just anyone).
If you don't trust the root user on that machine (which shouldn't be the
same person as DBA, as you know) - there are many solutions that can
prevent even root from accessing certain files.
Or you can simply pipe the logs to syslog and send them to a different
computer on the other end of the globe.
Neither of these has anything to do with MySQL, by the way.
Regards / Mit vielen Grüßen,
Sergei
--
Sergei Golubchik <serg@stripped>
Principal Software Engineer/Server Architect
Sun Microsystems GmbH, HRB München 161028
Sonnenallee 1, 85551 Kirchheim-Heimstetten
Managing Directors: Thomas Schroeder, Wolfgang Engels, Wolf Frenkel
Chairman of the Supervisory Board: Martin Häring
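
The file-permission advice in the reply above, as an added example that is not part of the original message: a POSIX shell function that audits a log directory for a world-accessible directory and for log files a given account can modify. The function name `audit_log_dir`, the finding labels and the account argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a log directory for the permission mistakes named in
# the reply. Directory and account come from the caller (assumed inputs);
# nothing here is MySQL-specific.

# audit_log_dir DIR DBA_ACCOUNT
# Prints one finding per line; returns 0 when clean, 1 when anything is found.
audit_log_dir() {
    dir=$1
    dba=$2      # user name or numeric uid of the account that must not edit logs
    status=0

    # 1. The directory must grant nothing to "other" (no r, w or x bit).
    if [ -n "$(find "$dir" -prune \( -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]; then
        echo "DIR_OPEN_TO_OTHERS $dir"
        status=1
    fi

    # 2. An account that owns the directory can delete or replace any log in it.
    if [ -n "$(find "$dir" -prune -user "$dba" -print)" ]; then
        echo "DIR_OWNED_BY_DBA $dir"
        status=1
    fi

    # 3. Log files owned by that account, or group/world writable. Group write
    #    is flagged conservatively: group membership is not checked here.
    files=$(find "$dir" -type f \( -user "$dba" -o -perm -020 -o -perm -002 \) -print)
    if [ -n "$files" ]; then
        printf '%s\n' "$files" | sed 's/^/FILE_WRITABLE /'
        status=1
    fi

    return "$status"
}

# Stand-alone use: sh audit.sh /path/to/logdir account
if [ "$#" -ge 2 ]; then
    audit_log_dir "$1" "$2"
fi
```

A clean result only covers mode bits and ownership; it says nothing about root, which is why the reply also suggests shipping the logs to another machine.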