Re: ACL issue

From: <david_at_databasesecurity.com>
Date: Tue, 31 Dec 2013 02:00:16 -0000
Message-ID: <75706C7211224C3DBEE3C6B69DAEB273_at_NAUTILUS>

Hi Sandra,
Do you know when the ACL was actually changed? What do the redo logs say? You might be able to narrow down the source of the change. RedoWalker could help http://www.databaseforensics.com/redowalker_for_oracle.htm Cheers,
David

From: Sandra Becker
Sent: Monday, December 30, 2013 8:59 PM
To: oracle-l
Subject: Re: ACL issue

Only batch jobs were processed between the successful run on Sunday morning and the run this morning. No one but DBAs can add/remove users from the ACL. I did not even log in to either database. Nothing automatically runs that will do the grants, or drop/create an ACL for that matter. The other DBAs are enjoying their week off--I'm the only one working. My biggest concern was that the ACL in production was somehow dropped.

Thanks for your thoughts.

On Mon, Dec 30, 2013 at 9:41 AM, Andrew Kerber <andrew.kerber_at_gmail.com> wrote:

This problem was almost certainly caused by user error. But another possibility is that a trigger was used improperly when adding and removing users from the ACL.

On Mon, Dec 30, 2013 at 10:14 AM, Sandra Becker <sbecker6925_at_gmail.com> wrote:

Oracle: 11gR2 EE

OS: SunOS 5.10 Generic_148888-01 (64 bit)

Access control lists were set up in several production and non-production databases about 4 years ago. Certain scheduled jobs use UTL_SMTP. They have been working successfully since they were set up. This morning at 4:00am, two databases began failing when trying to email. The other 50+ databases continues working correctly.

While troubleshooting the issue, I noticed that the privilege for the specific user was no longer there in the non-production database and the acl was missing from the production database. I re-granted the privilege in the non-production database and the job completed successfully. I had to re-create the acl, assign the host, and grant the privilege to the specific user in the production database and the jobs began executing successfully again.

Questions:

What would cause this behavior? I have been the on-call DBA since Dec 25th and haven't even looked at these databases until I was paged this morning.
Is this common? Is this something we should be checking for? I've been here only 4 months and the lead DBA isn't sure what might have been the root cause.

Any suggestions are appreciated. Thank you.

Sandy

    --
    Sandy
    Transzap, Inc.

--
Andrew W. Kerber

'If at first you dont succeed, dont take up skydiving.'

--

Sandy
Transzap, Inc.

--

http://www.freelists.org/webpage/oracle-l Received on Tue Dec 31 2013 - 03:00:16 CET

This message: [ Message body ]
Next message: Mark Bobak: "Re: Apress 12 Days of Tech"
Previous message: Niall Litchfield: "Apress 12 Days of Tech"
In reply to: Sandra Becker: "Re: ACL issue"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message