Oracle Tips by Burleson
Chapter 8 General Oracle Auditing
The output comes back as:
OS_USERNAME USERNAME     CLIENT     ACTION_NAME RETURNCODE
----------- ------------ ---------- ----------- ----------
jdoe        CLAIM_SCHEMA cap1-pts/5 LOGON             1017
Here we see that the operating system user jdoe tried to log in as CLAIM_SCHEMA from the terminal pts/5 on machine cap1. The return code was 1017, which is the Oracle error for "invalid username/password; logon denied". This proves that the user supplied a wrong password for CLAIM_SCHEMA. Does this smell of an attempted break-in? It could. There could also be a simple explanation: the user forgot the password of CLAIM_SCHEMA and provided the correct one at the second attempt. A series of repeated attempts, however, would arouse suspicion.
Another thing to note here is that the OS user jdoe was the one doing this. Is jdoe authorized to connect to CLAIM_SCHEMA? If jdoe is a DBA or an application owner, this may not arouse any suspicion, but if that user is really a claim analyst, he or she has no reason to connect as the CLAIM_SCHEMA user, and this event certainly needs more investigation.
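The query below is an added example, not a script from the book: it separates the "forgot the password" case from a series of repeated failures by counting ORA-01017 attempts per OS user, account and client, and checking whether a successful logon followed. It assumes session auditing is enabled and that the standard DBA_AUDIT_SESSION view is the source; the 7-day window and the threshold of 3 are arbitrary choices.

```sql
-- Added example (not from the original text).
-- Assumptions: AUDIT SESSION is enabled; the standard DBA_AUDIT_SESSION
-- view is queried; the 7-day window and the threshold of 3 are arbitrary.
-- Every row in this view is a connect/disconnect record, so RETURNCODE
-- alone separates failures (1017) from successes (0).
SELECT os_username,
       username,
       userhost || '-' || terminal                          AS client,
       SUM(CASE WHEN returncode = 1017 THEN 1 ELSE 0 END)    AS failed_attempts,
       SUM(CASE WHEN returncode = 0    THEN 1 ELSE 0 END)    AS successful_logons,
       MIN(CASE WHEN returncode = 1017 THEN timestamp END)   AS first_failure,
       MAX(CASE WHEN returncode = 1017 THEN timestamp END)   AS last_failure,
       -- 'YES' when a successful logon came after the first failure:
       -- consistent with a mistyped or forgotten password.
       -- 'NO' means the failures were never followed by a success.
       CASE
         WHEN MAX(CASE WHEN returncode = 0 THEN timestamp END) >
              MIN(CASE WHEN returncode = 1017 THEN timestamp END)
         THEN 'YES'
         ELSE 'NO'
       END                                                   AS success_after_failure
FROM   dba_audit_session
WHERE  returncode IN (0, 1017)
AND    timestamp >= SYSDATE - 7
GROUP  BY os_username, username, userhost, terminal
-- Report only combinations with repeated failures.
HAVING SUM(CASE WHEN returncode = 1017 THEN 1 ELSE 0 END) >= 3
ORDER  BY failed_attempts DESC, last_failure DESC;
```

Each returned row still needs the authorization question answered by hand: whether that OS user has any business connecting to that account.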
dba_audit_statement
This view records statements the user entered that do not access the data inside an object, e.g. ALTER SYSTEM, GRANT, REVOKE on objects, etc. Here is a complete list of the statements that are captured in this view:
The above text is an excerpt from:
Oracle Privacy Security Auditing
The Final Word on Oracle Security