| Bad user connect with SysDBA user? how? [message #575752] |
Sun, 27 January 2013 02:39  |
 |
POXER
Messages: 9
Registered: January 2013
|
Junior Member |
|
|
In our system we run audit and see confused USERNAMEEEEE...
OS USER USERNAME USERHOST Timestamp OWNER OBJ_NAME GRANTEE PRIV_USED
------- -------- -------- ------------- ----- -------- -------- -------------
SECSEC Tom INTER\SEC 1/27/2013 6:28 null null null CREATE SESSION
SECSEC SysDBA INTER\SEC 1/27/2013 6:28 null null null CREATE SESSION
SECSEC Tom INTER\SEC 1/27/2013 6:29 null null null CREATE SESSION
SECSEC SysDBA INTER\SEC 1/27/2013 6:29 null null PROJECT GRANT ANY ROLE
SECSEC SysDBA INTER\SEC 1/27/2013 6:29 null null PROJECT GRANT ANY PRIVILEGE
SECSEC SysDBA INTER\SEC 1/27/2013 6:29 null DBA PROJECT null
SECSEC Tom INTER\SEC 1/27/2013 7:37 null null null CREATE SESSION
SECSEC Tom INTER\SEC 1/27/2013 7:42 Tom TSOC null null
How user tom could connect as SysDBA?
We check v$pwfile_users and Not SysDBA
We CHeck dba_sys_privs and just have connect role...
How we could find how this user do this action?
Thanks
|
|
|
|
| Re: Bad user connect with SysDBA user? how? [message #575753 is a reply to message #575752] |
Sun, 27 January 2013 02:47  |
John Watson
Messages: 8964
Registered: January 2010
Location: Global Village
|
Senior Member |
|
|
Welcome to the forum.
I do not think it is possible to answer your question with the information provided: I cannot interpret it. For example, it is very unusual to have mixed case usernames (such as "Tom" or "SysDBA") are they actually correct? There is of course a privilege "SYSDBA". What is the query used to generate that listing, and how is your auditing configured?
|
|
|
|
|
|
|
|
|
|
| Re: Bad user connect with SysDBA user? how? [message #575757 is a reply to message #575756] |
Sun, 27 January 2013 03:11 |
|
POXER
Messages: 9
Registered: January 2013
|
Junior Member |
|
|
SQL> Select * From v$pwfile_users;
USERNAME SYSDB SYSOP
------------------------------ ----- -----
SYS TRUE TRUE
SQL> Select * from dba_sys_privs Where Grantee = 'TOM';
GRANTEE PRIVILEGE ADM
------------------------------ ---------------------------------------- ---
TOM CREATE SESSION NO
TOM CREATE VIEW NO
TOM CREATE TABLE NO
SQL> Select * From dba_role_privs where Grantee = 'TOM';
GRANTEE GRANTED_ROLE ADM DEF
----------------------- ------------------------------ --- ---
TOM PUBLIC NO YES
TOM CONNECT NO YES [Updated on: Sun, 27 January 2013 03:12] Report message to a moderator |
|
|
|
| Re: Bad user connect with SysDBA user? how? [message #575758 is a reply to message #575757] |
Sun, 27 January 2013 03:31 |
John Watson
Messages: 8964
Registered: January 2010
Location: Global Village
|
Senior Member |
|
|
|
I've already asked you once: what is the query used to generate that first listing? We know that it is incorrect, because it reports usernames incorrectly. So it may be misleading in other ways, too. Whay do you think think that user TOM can connect AS SYSDBA? Why do you thnk TOM has granted any privileges?
|
|
|
|
| Re: Bad user connect with SysDBA user? how? [message #575759 is a reply to message #575758] |
Sun, 27 January 2013 03:59 |
|
POXER
Messages: 9
Registered: January 2013
|
Junior Member |
|
|
Select
Select
OS_USERNAME ,
USERNAME ,
USERHOST ,
TERMINAL ,
TIMESTAMP ,
OWNER ,
OBJ_NAME ,
ACTION ,
ACTION_NAME ,
NEW_OWNER ,
NEW_NAME ,
OBJ_PRIVILEGE ,
SYS_PRIVILEGE ,
ADMIN_OPTION ,
GRANTEE ,
AUDIT_OPTION ,
SES_ACTIONS ,
LOGOFF_TIME ,
LOGOFF_LREAD ,
LOGOFF_PREAD ,
LOGOFF_LWRITE ,
LOGOFF_DLOCK ,
COMMENT_TEXT ,
SESSIONID ,
ENTRYID ,
STATEMENTID ,
RETURNCODE ,
PRIV_USED ,
CLIENT_ID ,
ECONTEXT_ID ,
SESSION_CPU ,
-- EXTENDED_TIMESTAMP,
PROXY_SESSIONID ,
GLOBAL_UID ,
INSTANCE_NUMBER ,
OS_PROCESS ,
TRANSACTIONID ,
SCN ,
SQL_BIND
From dba_audit_trail
Where USERHOST Like '%SEC%'
Order by TIMESTAMP
Result:
OS USER USERNAME USERHOST Timestamp OWNER OBJ_NAME GRANTEE PRIV_USED
------- -------- -------- ------------- ----- -------- -------- -------------
SECSEC Tom INTER\SEC 1/27/2013 6:28 null null null CREATE SESSION
SECSEC SysDBA INTER\SEC 1/27/2013 6:28 null null null CREATE SESSION
SECSEC Tom INTER\SEC 1/27/2013 6:29 null null null CREATE SESSION
SECSEC SysDBA INTER\SEC 1/27/2013 6:29 null null PROJECT GRANT ANY ROLE
SECSEC SysDBA INTER\SEC 1/27/2013 6:29 null null PROJECT GRANT ANY PRIVILEGE
SECSEC SysDBA INTER\SEC 1/27/2013 6:29 null DBA PROJECT null
SECSEC Tom INTER\SEC 1/27/2013 7:37 null null null CREATE SESSION
SECSEC Tom INTER\SEC 1/27/2013 7:42 Tom TSOC null null
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Re: Bad user connect with SysDBA user? how? [message #575816 is a reply to message #575788] |
Mon, 28 January 2013 02:12 |
John Watson
Messages: 8964
Registered: January 2010
Location: Global Village
|
Senior Member |
|
|
Poxer, you are not thinking. Do you really believe that file is readable? By anyone?
For the last time, what was the query used to generate the output you posted earlier? It shows no evidence that anyone connected as SYSDBA. It does not show that user "Tom" granted anthing. It does purport to show that user "SysDBA" granted something. But without thhe code, there is no possibility of understanding what that output means.
|
|
|
|
| Re: Bad user connect with SysDBA user? how? [message #575821 is a reply to message #575788] |
Mon, 28 January 2013 02:35 |
 |
Michel Cadot
Messages: 68733
Registered: March 2007
Location: Saint-Maur, France, https...
|
Senior Member
Account Moderator |
|
|
POXER wrote on Mon, 28 January 2013 05:22John Watson wrote on Sun, 27 January 2013 04:32Poxer, that result did not come from that query. No-one can assist if you tell lies.
Attached CSV file :
"Select * From dba_audit_trail Where USERHOST Like '%SEC%'"
Michel Cadot wrote on Sun, 27 January 2013 11:32Quote:What is SysDBA Username in Audit table?
SYS but it is not in the standard audit trail, it is in SYSDBA audit trail.
Please read the sections I pointed you to.
Regards
Michel
[Updated on: Mon, 28 January 2013 02:35] Report message to a moderator |
|
|
|
] 
Blog
Search
Help
Members
Register
Login
Home
