OraFAQ Forum: Security » shocking problem.........!

Home » RDBMS Server » Security » shocking problem.........!

Show: Today's Messages :: Polls :: Message Navigator
E-mail to friend

shocking problem.........! [message #122428]

Mon, 06 June 2005 08:42

balavignesh
Messages: 180
Registered: March 2005

Senior Member

today we have the new scenario in our firm that the oracle database is not up today blowing the errors that ora-01031 when dbstart on the Linux.then i use /nolog to enter sql and connect to sys where i saw that i could not get into that blowing username/passwd invalid.i got shocked to see that since the passwd was changed.is it possible..?then i guess the passwd to put the system's passwd and then it went up.see , how to know who had done this job..>since it is the production db with confidential data , it is to be known for us who was that..?how to get that details..?we have checked alert_log , audit(turned false in pfile..) but in vain.is there any way to know ..?plz help out in this issue..

regards
bala

[Updated on: Mon, 06 June 2005 08:51] by Moderator

Report message to a moderator

Re: shocking problem.........! [message #122431 is a reply to message #122428]

Mon, 06 June 2005 08:50

Mahesh Rajendran
Messages: 10708
Registered: March 2002
Location: oracleDocoVille

Senior Member
Account Moderator

it is the most common breach of security.
Ofcourse, you need to secure SYS and SYSTEM passwords.
Without any audit/logon-logoff triggers enabled, there is no way to see who did that.

Report message to a moderator

Re: shocking problem.........! [message #122432 is a reply to message #122431]

Mon, 06 June 2005 09:05

balavignesh
Messages: 180
Registered: March 2005

Senior Member

thanks a lot for ur mail.

see now the audit is enabled in pfile and we changed the sys passwd and we checked in the audit but there was no entry about the passwd change in the file.how to resolve..this to track the change for the user with regard to security.

regards
bala

Report message to a moderator

Re: shocking problem.........! [message #122439 is a reply to message #122432]

Mon, 06 June 2005 09:24

Mahesh Rajendran
Messages: 10708
Registered: March 2002
Location: oracleDocoVille

Senior Member
Account Moderator

>>see now the audit is enabled in pfile
It is late anyhow.
and you have to do specific auditing.
Please do some reading. It is more than enabling the parameter in pfile
http://download-west.oracle.com/docs/cd/B10501_01/server.920/a96521/audit.htm#1108

Report message to a moderator

Re: shocking problem.........! [message #125545 is a reply to message #122428]

Mon, 27 June 2005 06:57

EdVonk
Messages: 4
Registered: June 2005
Location: The Netherlands

Junior Member

Also make sure, if not the case yet, that no one can log on to your linux system directly with the users root or oracle. Always make them su from a personalized account and disable telnet (use ssh) if security is an issue in your company.

Then you're able to tell who has su-ed to oracle from the systems su log.

But auditing your database as described above should be your first step. Make sure that your sys user is audited as well.

Also make sure that no database user who is not supposed to has the "ALTER USER" privilege.

List this with:

select * from dba_sys_privs
where privilege = 'ALTER USER'
/

Report message to a moderator

Previous Topic:	sys passwd
Next Topic:	SYSDBA login

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Sat May 17 03:28:16 CDT 2025