How should segregation of duties be enforced in a scenario with only one DBA having root access?


The correct approach to enforce segregation of duties in a scenario where there is only one DBA with root access is to ensure that database logs are forwarded to a UNIX server where the DBA does not have root access. This method strengthens security by creating an oversight mechanism that limits the DBA’s ability to alter or tamper with logs that could otherwise provide evidence of actions taken within the system.

By forwarding the database logs to a separate UNIX server, you minimize the risk associated with having a single individual with unrestricted access. This separation ensures that even if the DBA performs actions that might be considered unauthorized, there is an independent source of logging that cannot be modified by the DBA. This helps maintain the integrity of the audit trail, which is essential for accountability and compliance with various regulations.

In contrast, hiring a second DBA to split duties might not be feasible in all organizations and can come with additional costs and complexities. Simply removing the DBA's root access could hinder legitimate administrative functions necessary for maintaining the database environment. Ensuring that all actions of the DBA are logged and backing up those logs, while important, does not provide the same level of control and oversight as forwarding logs to a server with restricted access for the DBA. Thus, option D presents the most effective means of implementing
