Home » RDBMS Server » Security » shocking problem.........!
shocking problem.........! [message #122428] Mon, 06 June 2005 08:42 Go to next message
balavignesh
Messages: 180
Registered: March 2005
Senior Member


today we have the new scenario in our firm that the oracle database is not up today blowing the errors that ora-01031 when dbstart on the Linux.then i use /nolog to enter sql and connect to sys where i saw that i could not get into that blowing username/passwd invalid.i got shocked to see that since the passwd was changed.is it possible..?then i guess the passwd to put the system's passwd and then it went up.see , how to know who had done this job..>since it is the production db with confidential data , it is to be known for us who was that..?how to get that details..?we have checked alert_log , audit(turned false in pfile..) but in vain.is there any way to know ..?plz help out in this issue..

regards
bala

[Updated on: Mon, 06 June 2005 08:51] by Moderator

Report message to a moderator

Re: shocking problem.........! [message #122431 is a reply to message #122428] Mon, 06 June 2005 08:50 Go to previous messageGo to next message
Mahesh Rajendran
Messages: 10694
Registered: March 2002
Location: oracleDocoVille
Senior Member
Account Moderator
it is the most common breach of security.
Ofcourse, you need to secure SYS and SYSTEM passwords.
Without any audit/logon-logoff triggers enabled, there is no way to see who did that.
Re: shocking problem.........! [message #122432 is a reply to message #122431] Mon, 06 June 2005 09:05 Go to previous messageGo to next message
balavignesh
Messages: 180
Registered: March 2005
Senior Member
thanks a lot for ur mail.

see now the audit is enabled in pfile and we changed the sys passwd and we checked in the audit but there was no entry about the passwd change in the file.how to resolve..this to track the change for the user with regard to security.

regards
bala
Re: shocking problem.........! [message #122439 is a reply to message #122432] Mon, 06 June 2005 09:24 Go to previous messageGo to next message
Mahesh Rajendran
Messages: 10694
Registered: March 2002
Location: oracleDocoVille
Senior Member
Account Moderator
>>see now the audit is enabled in pfile
It is late anyhow.
and you have to do specific auditing.
Please do some reading. It is more than enabling the parameter in pfile
http://download-west.oracle.com/docs/cd/B10501_01/server.920/a96521/audit.htm#1108
Re: shocking problem.........! [message #125545 is a reply to message #122428] Mon, 27 June 2005 06:57 Go to previous message
EdVonk
Messages: 4
Registered: June 2005
Location: The Netherlands
Junior Member
Also make sure, if not the case yet, that no one can log on to your linux system directly with the users root or oracle. Always make them su from a personalized account and disable telnet (use ssh) if security is an issue in your company.

Then you're able to tell who has su-ed to oracle from the systems su log.

But auditing your database as described above should be your first step. Make sure that your sys user is audited as well.

Also make sure that no database user who is not supposed to has the "ALTER USER" privilege.

List this with:

select * from dba_sys_privs
where privilege = 'ALTER USER'
/

Previous Topic: sys passwd
Next Topic: SYSDBA login
Goto Forum:
  


Current Time: Fri Sep 24 05:00:29 CDT 2021