From: "Jared Still"
To: mary_mcneely@yahoo.com
Cc: oracle-l@freelists.org
Date: Tue, 11 Mar 2008 16:14:04 -0700
Subject: Re: Audit for program at login time

This information might be good for troubleshooting, or determining how legitimate
users access the database.

Keep in mind that the value in v$session.program is easily spoofed by any user
with nefarious purposes simply by renaming the executable.

e.g.  C:> move toad.exe sqlplus.exe

Something that anyone with ill intent is likely to know about.

On Tue, Mar 11, 2008 at 12:41 PM, Mary Elizabeth McNeely <mary_mcneely@yahoo.com> wrote:
> Hello all,
>
> I am tasked with auditing who accesses the database with what program (equivalent of v$session.program) upon database login.  I can get everything I want into the audit trail by using "audit connect", except the equivalent of v$session.program.
>
> (a) Does anyone know of a supported way to push the program information into sys.aud$, and if not,
>
> (b) Does anyone know of a way to accomplish this other than a login trigger?  Any sample code available?
>
> Thanks in advance for any hints you can offer.
>
> Mary Elizabeth McNeely
> --
> http://www.freelists.org/webpage/oracle-l

--
Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist
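
For reference, the logon-trigger route that the question mentions, as an added example that is not part of the original thread: it stores v$session.program under the session's audit id so it can be read next to the "audit connect" rows, and keeps the connection's IP address beside it because the program name alone is client-reported. The table and trigger names are hypothetical, and the trigger owner is assumed to hold a direct SELECT grant on sys.v_$session.

```sql
-- Added example. login_program_audit and trg_login_program_audit are hypothetical names.
-- Prerequisite, run as SYS: GRANT SELECT ON sys.v_$session TO <trigger_owner>;
-- (a direct grant; privileges held through a role are not used inside the trigger).
CREATE TABLE login_program_audit (
  logon_time  TIMESTAMP DEFAULT SYSTIMESTAMP NOT NULL,
  audsid      NUMBER,         -- same value as DBA_AUDIT_SESSION.SESSIONID
  db_user     VARCHAR2(128),
  os_user     VARCHAR2(255),  -- reported by the client
  client_host VARCHAR2(255),  -- reported by the client
  client_ip   VARCHAR2(64),   -- network peer address; NULL for local connections
  program     VARCHAR2(128)   -- reported by the client; follows the executable's file name
);

CREATE OR REPLACE TRIGGER trg_login_program_audit
AFTER LOGON ON DATABASE
DECLARE
  v_program VARCHAR2(128);
BEGIN
  -- Look up this session's own row to get the program name it announced.
  SELECT s.program
    INTO v_program
    FROM sys.v_$session s
   WHERE s.sid = TO_NUMBER(SYS_CONTEXT('USERENV', 'SID'));

  INSERT INTO login_program_audit
    (audsid, db_user, os_user, client_host, client_ip, program)
  VALUES
    (TO_NUMBER(SYS_CONTEXT('USERENV', 'SESSIONID')),
     SYS_CONTEXT('USERENV', 'SESSION_USER'),
     SYS_CONTEXT('USERENV', 'OS_USER'),
     SYS_CONTEXT('USERENV', 'HOST'),
     SYS_CONTEXT('USERENV', 'IP_ADDRESS'),
     v_program);
EXCEPTION
  WHEN OTHERS THEN
    NULL;  -- fail open: an audit error does not block the login; remove to fail closed
END;
/

-- Read the recorded program next to the rows written by "audit connect".
SELECT a.timestamp, a.username, a.os_username, a.userhost, p.client_ip, p.program
  FROM dba_audit_session a
  JOIN login_program_audit p ON p.audsid = a.sessionid
 ORDER BY a.timestamp;
```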