RE: dba_audit_session

  • From: "Don Granaman" <granaman@xxxxxxx>
  • To: <dmarc-noreply@xxxxxxxxxxxxx>, <oracle-l@xxxxxxxxxxxxx>
  • Date: Sun, 10 May 2015 19:51:15 -0500

Has anyone ever seen “audit network” produce an audit record? I haven’t and
I’ve tried repeatedly in several versions. When I filed an SR on it (long ago
- I’m retired now), the response was that it didn’t actually work.



From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On
Behalf Of Mladen Gogala (Redacted sender "mgogala@xxxxxxxxx" for DMARC)
Sent: Saturday, May 09, 2015 4:47 PM
To: oracle-l@xxxxxxxxxxxxx
Subject: Re: dba_audit_session



It would also be helpful to turn on "audit network" and examine the audit
trail carefully. The AUDIT NETWORK command should reveal the source IP address
and then you can figure out whether your database is under attack or an
application is just coded incorrectly. My guess is that the latter is the case,
since "EXAMPLE.COM" is frequently found in the 3rd party application as a
connection example. It is likely the case of a mis-configured application which
shouldn't have gained access to the network with the production database but
somehow did.

On 05/08/2015 11:46 AM, Powell, Mark wrote:

Someone else may recognize what causes these messages but until someone else
posts you should be able to pull the IP address from the audit information for
the failed connections and verify that the failed attempts are all coming from
within your environment or from outside. If inside, you can look more closely
at what the server in question is running.





From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On
Behalf Of Chris King
Sent: Thursday, May 07, 2015 11:47 AM
To: Oracle-l Digest Users
Subject: Fw: dba_audit_session



dbconsole has reported that "There have been 1068 failed login attempts in the
last 30 minutes." So I did a select on dba_audit_session where returncode !=0
and found that in every case, the os_username is oracle, the returncode is 1017
(invalid username/password).. but.. and here's my question.. the username field
of dba_audit_session varies and does not contain database username. Some of the
70 different values are "MSGBOX(" "HTTPS:" ".EXAMPLE.COM" "AND1=1".



How can I further track down what is happening?



Note that this has only begun happening since I applied COST to restrict
instance registration in Oracle RAC (Doc ID 1340831.1), so could be related,
but it's not clear how the change would cause this.



Thanks in advance all!

--
Mladen Gogala
Oracle DBA
http://mgogala.freehostia.com
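
Added example, not part of any post in this thread: one query against DBA_AUDIT_SESSION that groups the ORA-01017 failures by recorded client host and counts how many of the attempted usernames are not plausible Oracle identifiers (values such as "MSGBOX(" or "AND1=1"). The 30-minute window and the identifier pattern are assumptions chosen for illustration.

```sql
-- Added example: triage ORA-01017 failures recorded in DBA_AUDIT_SESSION.
-- Assumptions: a 30-minute window (to match the dbconsole alert) and a
-- simple pattern for what a plausible Oracle user name looks like.
SELECT userhost,                 -- client machine name as recorded by auditing
       terminal,
       os_username,
       COUNT(*)                  AS failed_attempts,
       COUNT(DISTINCT username)  AS distinct_usernames,
       -- Rows whose USERNAME is NULL or does not look like an identifier
       -- (REGEXP_LIKE is not true for them, so the ELSE branch counts them).
       SUM(CASE
             WHEN REGEXP_LIKE(username, '^[A-Za-z][A-Za-z0-9_$#]*$')
             THEN 0
             ELSE 1
           END)                  AS non_identifier_names,
       MIN(timestamp)            AS first_seen,
       MAX(timestamp)            AS last_seen
FROM   dba_audit_session
WHERE  returncode = 1017         -- invalid username/password
AND    timestamp >= SYSDATE - 30 / 1440
GROUP  BY userhost, terminal, os_username
ORDER  BY failed_attempts DESC;
```

Each output row is one recorded source, so the USERHOST values can be checked against the known servers in the environment, which is the inside-versus-outside check suggested earlier in the thread.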
