Auditing an Oracle database for security issues is very important. PeteFinnigan.com provides all of the information and tools that you will need Click here for details of PeteFinnigan.com Limited's detailed Oracle database security audit service Click here for details of PeteFinnigan.com Limited's Oracle Security Training Courses
Cookie Policy:We only use essential cookies on small sections of this website. For details see here.

Welcome, Guest. Please Login.
Nov 19th, 2017, 4:31am
News: If you would like to register contact the forum admin
Home | Help | Search | Members | Login
   Pete Finnigan's Oracle Security Forum
   Oracle Security
   Oracle Auditing
(Moderator: Pete Finnigan)
   OPS$DAEMON coming from apps server
« Previous topic | Next topic »
Pages: 1  Reply | Notify of replies | Send Topic | Print
   Author  Topic: OPS$DAEMON coming from apps server  (Read 2034 times)
edstevens
PeteFinnigan.com Newbie
*





   
View Profile |

Posts: 2
OPS$DAEMON coming from apps server
« on: Jun 11th, 2010, 5:49pm »
Quote | Modify

After setting up some initial auditing I see very frequent connections by OPS$DAEMON coming from the application server (running OAS).
 
SQL> select user_name,
  2  nvl(proxy_name,'NULL') proxy_name,
  3  privilege,
  4  success,
  5  failure
  6  from dba_priv_audit_opts
  7  where user_name='OPS$DAEMON';
 
USER_NAME  PROXY_NAME PRIVILEGE  SUCCESS    FAILURE
---------- ---------- --------------- ---------- ----------
OPS$DAEMON NULL  CREATE SESSION  BY ACCESS  BY ACCESS
 
SQL> select timestamp,
  2  nvl(os_username,'NULL') osuser,
  3  username,
  4  userhost,
  5  nvl(terminal,'NULL') terminal,
  6  action_name
  7  from dba_audit_trail
  8  where username = 'OPS$DAEMON'
  9  and timestamp > sysdate -1/96
 10  order by timestamp desc;
 
TIMESTAMP  OSUSER     USERNAME   USERHOST   TERMINAL   ACTION_NAME
-------------------- ---------- ---------- --------------- ---------- ----------------------------
11-jun-2010 10:57:49 NULL  OPS$DAEMON *************** NULL  LOGOFF
 
 
First, I don't know why the connections would be using OPS$DAEMON instead of the user supplied credentials, second I don't understand why I see only LOGOFF, but no associated LOGON.
IP Logged
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: OPS$DAEMON coming from apps server
« Reply #1 on: Jun 14th, 2010, 10:49am »
Quote | Modify

Hi Ed,
 
I tried the same with a simple example in my database:
 
 
first check audit settings  
 
SQL> set serveroutput on size 1000000
SQL> exec print_table('select * from dba_priv_audit_opts where privilege=''CREATE SESSION''');
USER_NAME      :
PROXY_NAME     :
PRIVILEGE      : CREATE SESSION
SUCCESS        : BY ACCESS
FAILURE        : BY ACCESS
-----------------
 
Create a sample user and connect
 
SQL> connect sys/oracle1@ora11gpe as sysdba
Connected.
SQL> create user aud identified by aud;
 
User created.
 
SQL> grant create session to aud;
 
Grant succeeded.
 
SQL> connect aud/aud@ora11gpe
Connected.
 
Test the audit trail in a dfiffernet session whilst still connected in the first:
 
SQL> set serveroutput on size 1000000
SQL> select timestamp,username,os_username,action_name
  2  from dba_audit_trail
  3  where username='AUD';
 
TIMESTAMP USERNAME
--------- ------------------------------
OS_USERNAME
------------------------------------------------------------------
ACTION_NAME
----------------------------
14-JUN-10 AUD
Pete
LOGON
 
then exit the user AUD's session
 
SQL> exit
Disconnected from Personal Oracle Database 11g Release 11.1.0.7.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
 
C:\tools>
 
Then check the audit trail from a seperate session,
 
SQL> /
 
TIMESTAMP USERNAME
--------- ------------------------------
OS_USERNAME
----------------------------------------------
ACTION_NAME
----------------------------
14-JUN-10 AUD
Pete
LOGON
 
14-JUN-10 AUD
 
LOGOFF
 
There are two seperate records as expected. Can you check a complete session for OPS$DAEMON and see what else is in it. Maybe you hacve some other audit settings by session and then the LOGON will be reused by further audit actions. The LOGOFF would be a new record because its set by ACCESS. can you list out your audit settings?
 
cheers
 
Pete
 
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
edstevens
PeteFinnigan.com Newbie
*





   
View Profile |

Posts: 2
Re: OPS$DAEMON coming from apps server
« Reply #2 on: Jun 20th, 2010, 5:14am »
Quote | Modify

Pete,
 
Thanks for the reply.  I'm out of the office for the next couple of weeks, but I'll follow up on this as soon as I get back.
IP Logged
Pages: 1  Reply | Notify of replies | Send Topic | Print

« Previous topic | Next topic »

Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright 2000-2004 Yet another Bulletin Board