How safe is GnuCash?

Jean-David Beyer jeandavid8 at verizon.net
Sat Jan 14 10:15:29 EST 2017


On 01/14/2017 09:58 AM, Securenym.net wrote:
> And that brings up another point.  SQL databases are supposed to have
> transaction logging as part of their rollback/recovery features.
> They use this to ensure data integrity.  Most of these can be
> archived and recovered for analysis.  If that is the case, and SQL is
> used for gnucash, then Kai’s question "Is gnucash safe?" can be
> answered with confidence: Yes.

It does not seem safe to me. The files (transaction logs, the data
itself, the indices, ...) are all just files and can be edited, altered,
compromised, ... using tools other than the DB2, Oracle, PostgreSQL, ...
Nothing is safe on a computer if there is not extreme physical security,
procedural security, withholding of sensitive passwords from even the
most privileged system administrator. So you must trust him or her. And
hence, once in a while, you will be wrong.

>  The transaction date and time of any
> change to the database is written in the logs for any permanent
> table.  These log files contain enough data that they can be tracked,
> including a sequence number which will allow an auditor to
> investigate what changed when.  The ones I’m familiar with  contain
> transaction id, a checksum, actual data and backup information.

The black hat team can alter the system clock.
> 
> If an sql database is in use, then the database logging and auditing
> features may very well be the key to satisfying the auditors, with
> the exception of tying changes to the individual user, but that is
> easily fixed with appropriate administrative controls —  knowing who
> has what access to your systems and when. And with at least some
> DBMS, if the log space is full to capacity, the DBMS will simply
> complain and not permit any more transactions.
> 
> This may be helpful in telling the auditors that yes, gnucash, when
> using sql is indeed safe.

If they are naive.

-- 
  .~.  Jean-David Beyer          Registered Linux User 85642.
  /V\  PGP-Key:166D840A 0C610C8B Registered Machine  1935521.
 /( )\ Shrewsbury, New Jersey    http://linuxcounter.net
 ^^-^^ 10:10:01 up 3 days, 18:55, 2 users, load average: 4.18, 4.52, 4.50
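
The disagreement in this message, as an added example that is not part of the original post and is not GnuCash or DBMS code: a log protected only by a sequence number and an unkeyed checksum still verifies after an out-of-band edit, while a keyed MAC chain detects it. The record layout, the key and the sample entries are constructed, and the example assumes the key and tags are held somewhere the database host's administrator cannot write.

```python
import hashlib
import hmac
import json
import zlib


def _body(seq, ts, data):
    # Canonical bytes of one record (constructed format, not a real DBMS log).
    return json.dumps({"seq": seq, "ts": ts, "data": data}, sort_keys=True).encode()


def crc_record(seq, ts, data):
    # Sequence number, timestamp, data and an unkeyed checksum, as in the quoted text.
    return {"seq": seq, "ts": ts, "data": data, "crc": zlib.crc32(_body(seq, ts, data))}


def verify_crc(log):
    # What an auditor can check from the log file alone.
    return all(
        r["seq"] == i and r["crc"] == zlib.crc32(_body(r["seq"], r["ts"], r["data"]))
        for i, r in enumerate(log, start=1)
    )


def mac_chain(log, key):
    # One HMAC tag per record; each tag also covers the previous tag.
    tags, prev = [], b""
    for r in log:
        prev = hmac.new(key, prev + _body(r["seq"], r["ts"], r["data"]), hashlib.sha256).digest()
        tags.append(prev)
    return tags


def verify_chain(log, tags, key):
    expected = mac_chain(log, key)
    return len(expected) == len(tags) and all(
        hmac.compare_digest(a, b) for a, b in zip(expected, tags)
    )


def demo():
    key = b"constructed-key-held-off-host"  # assumption: not readable on the DB host
    log = [crc_record(1, "2017-01-14T09:00:00", "Assets:Bank -100.00"),
           crc_record(2, "2017-01-14T09:05:00", "Expenses:Rent +100.00")]
    tags = mac_chain(log, key)  # assumption: stored off the DB host
    # The file is edited outside the DBMS: amount changed, timestamp backdated,
    # checksum recomputed. Anyone with write access to the file can do this.
    log[1] = crc_record(2, "2017-01-13T09:05:00", "Expenses:Rent +10.00")
    return verify_crc(log), verify_chain(log, tags, key)  # → (True, False)
```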

