RE: dba_audit_session

From: Don Granaman <granaman_at_cox.net>
Date: Sun, 10 May 2015 19:51:15 -0500
Message-ID: <005301d08b84$95dfa3f0$c19eebd0$_at_cox.net>



Has anyone ever seen “audit network” produce an audit record? I haven’t and I’ve tried repeatedly in several versions. When I filed an SR on it (long ago - I’m retired now), the response was that it didn’t actually work.  

From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Mladen Gogala (Redacted sender "mgogala_at_yahoo.com" for DMARC)
Sent: Saturday, May 09, 2015 4:47 PM
To: oracle-l_at_freelists.org
Subject: Re: dba_audit_session  

It would also be helpful to turn on "audit network" and examine the audit trail carefully. The AUDIT NETWORK command should reveal the source IP address and then you can figure out whether your database is under attack or an application is just coded incorrectly. My guess is that the latter is the case, since "EXAMPLE.COM" is frequently found in the 3rd party application as a connection example. It is likely the case of a mis-configured application which shouldn't have gained access to the network with the production database but somehow did.

On 05/08/2015 11:46 AM, Powell, Mark wrote:

Someone else may recognize what causes these messages but until someone else posts you should be able to pull the IP address from the audit information for the failed connections and verify that the failed attempts are all coming from within your environment or from outside. If inside you can look more closely at what the server in question is running?     

From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Chris King
Sent: Thursday, May 07, 2015 11:47 AM
To: Oracle-l Digest Users
Subject: Fw: dba_audit_session  

dbconsole has reported that "There have been 1068 failed login attempts in the last 30 minutes." So I did a select on dba_audit_sessions where returncode !=0 and found that in every case, the os_username is oracle, the returncode is 1017 (invalid username/password).. but.. and here's my question.. the username field of dba_audit_session varies and does not contain database username. Some of the 70 different values are "MSGBOX(" "HTTPS:" ".EXAMPLE.COM" "AND1=1".  

How can I further track down what is happening?  

Note that this has only begun happening since I applied COST to restrict instance registration in Oracle RAC (Doc ID 1340831.1), so could be related, but it's not clear how the change would cause this.  

Thanks in advance all!        

--

Mladen Gogala
Oracle DBA
http://mgogala.freehostia.com

--

http://www.freelists.org/webpage/oracle-l Received on Mon May 11 2015 - 02:51:15 CEST
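
The triage suggested in the thread (pull the client address for the failed connections and see where they originate), written as an added example that is not from any of the posters. It assumes standard database auditing with session auditing enabled, and that `COMMENT_TEXT` on LOGON records carries the listener-supplied client address in the usual `(ADDRESS=(PROTOCOL=tcp)(HOST=...)(PORT=...))` form; confirm that against a few raw rows before relying on the extracted column.

```sql
-- Failed logons (ORA-01017) from the last 24 hours, grouped by source.
-- DBA_AUDIT_TRAIL is used instead of DBA_AUDIT_SESSION because it exposes
-- COMMENT_TEXT, where the client network address is recorded (assumed format).
SELECT userhost,
       os_username,
       REGEXP_SUBSTR(comment_text, 'HOST=([^)]+)', 1, 1, NULL, 1) AS client_ip,
       COUNT(*)                 AS failed_attempts,
       COUNT(DISTINCT username) AS distinct_usernames,  -- many names from one source suggests junk input
       MIN(timestamp)           AS first_seen,
       MAX(timestamp)           AS last_seen
FROM   dba_audit_trail
WHERE  action_name = 'LOGON'
AND    returncode  = 1017
AND    timestamp  >= SYSDATE - 1
GROUP  BY userhost,
          os_username,
          REGEXP_SUBSTR(comment_text, 'HOST=([^)]+)', 1, 1, NULL, 1)
ORDER  BY failed_attempts DESC;
```

A single internal `client_ip` with a high `distinct_usernames` count points at one host feeding arbitrary strings into the username field; addresses outside the environment's ranges call for a look at listener exposure and network filtering.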
