RE: db unsolicited access

  • From: "Newman, Christopher" <cjnewman@xxxxxxxxxxxxx>
  • To: "sethmiller.sm@xxxxxxxxx" <sethmiller.sm@xxxxxxxxx>, Niall Litchfield <niall.litchfield@xxxxxxxxx>
  • Date: Tue, 26 Jan 2016 16:47:03 +0000

I believe you could use LogMiner for this, although it can be quite onerous 
depending on the time frame you need to look at.

From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On 
Behalf Of Seth Miller
Sent: Tuesday, January 26, 2016 10:44 AM
To: Niall Litchfield <niall.litchfield@xxxxxxxxx>
Cc: emjay.mody@xxxxxxxxx; ORACLE-L <oracle-l@xxxxxxxxxxxxx>
Subject: Re: db unsolicited access

MJ,

Database auditing is your friend. You can audit almost anything in the 
database, including queries, but it won't do you any good unless you have it 
turned on and correctly configured before the threat happens.

Database Firewall and Database Vault can also help with diagnosis and even 
prevention in these situations but again, they have to be in place and running 
before the event occurs.

Seth Miller


On Tue, Jan 26, 2016 at 3:30 AM, Niall Litchfield 
<niall.litchfield@xxxxxxxxx> wrote:
Hypotheticals don't work here. You'd need to understand the specific threat and 
timeframes involved and investigate accordingly. If you are concerned about 
object definition changes you'd look for evidence of that, for data changes a 
different set of specific steps would be required.

I'd expect the in-house info sec team to lead on this, potentially with 
external consultancy as well.

On Tue, Jan 26, 2016 at 2:42 AM, MJ Mody 
<emjay.mody@xxxxxxxxx> wrote:
Oracle Experts,
I have a hypothetical scenario and apologize for open-ended questions. I will 
not confirm or deny the following statements. Say your management just got word 
that some clients' PCs had malware that compromised external-facing 
applications and database objects supporting these applications.
While there are v$ and dba_ views that a DBA can use to investigate the 
severity, are there any recommendations or SQL that a DBA can run to do 
'damage assessment' or 'damage control'?
Your insight is greatly appreciated.

Best
MJ
--
http://www.freelists.org/webpage/oracle-l




--
Niall Litchfield
Oracle DBA
http://www.orawin.info
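
The LogMiner approach mentioned at the top of the thread, sketched as an added example that is not part of any poster's message: it mines archived redo for a fixed window and summarises changes to one application schema. The file paths, the schema name APP_OWNER and the dates are constructed placeholders.

```sql
-- Added example; paths, schema name and time window are constructed placeholders.
-- 1. Archived redo logs that overlap the window under investigation.
SELECT name, first_time, next_time
FROM   v$archived_log
WHERE  next_time  >= TO_DATE('2016-01-20 00:00', 'YYYY-MM-DD HH24:MI')
AND    first_time <= TO_DATE('2016-01-26 00:00', 'YYYY-MM-DD HH24:MI')
AND    deleted = 'NO'
ORDER  BY first_time;

-- 2. Register the files returned above, then start LogMiner for that window.
--    DICT_FROM_ONLINE_CATALOG resolves names against the current dictionary,
--    so objects dropped or altered since then may not resolve cleanly.
BEGIN
  DBMS_LOGMNR.ADD_LOGFILE(logfilename => '/arch/PLACEHOLDER_1.arc',
                          options     => DBMS_LOGMNR.NEW);
  DBMS_LOGMNR.ADD_LOGFILE(logfilename => '/arch/PLACEHOLDER_2.arc',
                          options     => DBMS_LOGMNR.ADDFILE);
  DBMS_LOGMNR.START_LOGMNR(
    starttime => TO_DATE('2016-01-20 00:00', 'YYYY-MM-DD HH24:MI'),
    endtime   => TO_DATE('2016-01-26 00:00', 'YYYY-MM-DD HH24:MI'),
    options   => DBMS_LOGMNR.DICT_FROM_ONLINE_CATALOG
               + DBMS_LOGMNR.COMMITTED_DATA_ONLY);
END;
/

-- 3. Who changed what: one row per user, object and operation type.
--    USERNAME and SESSION_INFO can show UNKNOWN when supplemental logging
--    was not enabled at the time the redo was generated.
SELECT username, seg_owner, seg_name, operation,
       COUNT(*)       AS changes,
       MIN(timestamp) AS first_seen,
       MAX(timestamp) AS last_seen
FROM   v$logmnr_contents
WHERE  seg_owner = 'APP_OWNER'
AND    operation IN ('INSERT', 'UPDATE', 'DELETE', 'DDL')
GROUP  BY username, seg_owner, seg_name, operation
ORDER  BY first_seen;

-- 4. Object definition changes in detail, with the reconstructed statement.
SELECT scn, timestamp, username, session_info, sql_redo
FROM   v$logmnr_contents
WHERE  seg_owner = 'APP_OWNER'
AND    operation = 'DDL'
ORDER  BY scn;

-- 5. Release the session's LogMiner resources.
BEGIN
  DBMS_LOGMNR.END_LOGMNR;
END;
/
```

V$LOGMNR_CONTENTS is only populated in the session that called START_LOGMNR, so all steps run in one session.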
