Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
Oracle Security >> Oracle Auditing >> OPS$DAEMON coming from apps server
(Message started by: Pete Finnigan on Jun 11th, 2010, 5:49pm)

Title: OPS$DAEMON coming from apps server
Post by Pete Finnigan on Jun 11th, 2010, 5:49pm
After setting up some initial auditing I see very frequent connections by OPS$DAEMON coming from the application server (running OAS).

SQL> select user_name,
 2       nvl(proxy_name,'NULL') proxy_name,
 3       privilege,
 4       success,
 5       failure
 6  from dba_priv_audit_opts
 7  where user_name='OPS$DAEMON';

USER_NAME  PROXY_NAME PRIVILEGE       SUCCESS    FAILURE
---------- ---------- --------------- ---------- ----------
OPS$DAEMON NULL       CREATE SESSION  BY ACCESS  BY ACCESS

SQL> select timestamp,
 2       nvl(os_username,'NULL') osuser,
 3       username,
 4       userhost,
 5       nvl(terminal,'NULL') terminal,
 6       action_name
 7  from dba_audit_trail
 8  where username = 'OPS$DAEMON'
 9  and timestamp > sysdate -1/96
10  order by timestamp desc;

TIMESTAMP            OSUSER     USERNAME   USERHOST        TERMINAL   ACTION_NAME
-------------------- ---------- ---------- --------------- ---------- ----------------------------
11-jun-2010 10:57:49 NULL       OPS$DAEMON *************** NULL       LOGOFF


First, I don't know why the connections would be using OPS$DAEMON instead of the user-supplied credentials; second, I don't understand why I see only LOGOFF, but no associated LOGON.

Title: Re: OPS$DAEMON coming from apps server
Post by Pete Finnigan on Jun 14th, 2010, 10:49am
Hi Ed,

I tried the same with a simple example in my database:


First check audit settings:

SQL> set serveroutput on size 1000000
SQL> exec print_table('select * from dba_priv_audit_opts where privilege=''CREATE SESSION''');
USER_NAME                     :
PROXY_NAME                    :
PRIVILEGE                     : CREATE SESSION
SUCCESS                       : BY ACCESS
FAILURE                       : BY ACCESS
-----------------

Create a sample user and connect

SQL> connect sys/oracle1@ora11gpe as sysdba
Connected.
SQL> create user aud identified by aud;

User created.

SQL> grant create session to aud;

Grant succeeded.

SQL> connect aud/aud@ora11gpe
Connected.

Test the audit trail in a different session whilst still connected in the first:

SQL> set serveroutput on size 1000000
SQL> select timestamp,username,os_username,action_name
 2  from dba_audit_trail
 3  where username='AUD';

TIMESTAMP USERNAME
--------- ------------------------------
OS_USERNAME
------------------------------------------------------------------
ACTION_NAME
----------------------------
14-JUN-10 AUD
Pete
LOGON

Then exit the user AUD's session:

SQL> exit
Disconnected from Personal Oracle Database 11g Release 11.1.0.7.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

C:\tools>

Then check the audit trail from a separate session:

SQL> /

TIMESTAMP USERNAME
--------- ------------------------------
OS_USERNAME
----------------------------------------------
ACTION_NAME
----------------------------
14-JUN-10 AUD
Pete
LOGON

14-JUN-10 AUD

LOGOFF

There are two separate records as expected. Can you check a complete session for OPS$DAEMON and see what else is in it? Maybe you have some other audit settings by session and then the LOGON will be reused by further audit actions. The LOGOFF would be a new record because it's set by ACCESS. Can you list out your audit settings?

cheers

Pete
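
The checks asked for in the reply above, written out as an added example that is not part of the original posts: list every statement and privilege audit option that can apply to OPS$DAEMON, then group that user's audit records by session to see which sessions have a LOGOFF with no LOGON. The one-day window and the `&sessionid` substitution variable are assumptions chosen for illustration.

```sql
-- 1. Audit options set for OPS$DAEMON or for all users (USER_NAME is NULL).
--    BY SESSION vs BY ACCESS appears in the SUCCESS / FAILURE columns.
select 'STATEMENT' opt_type, user_name, audit_option, success, failure
from   dba_stmt_audit_opts
where  user_name = 'OPS$DAEMON' or user_name is null
union all
select 'PRIVILEGE', user_name, privilege, success, failure
from   dba_priv_audit_opts
where  user_name = 'OPS$DAEMON' or user_name is null
order  by 1, 3;

-- 2. One row per audited session for OPS$DAEMON over the last day
--    (the window is an assumption; widen it as needed).
--    LOGOFFS also counts 'LOGOFF BY CLEANUP'.
select sessionid,
       min(timestamp) first_record,
       max(timestamp) last_record,
       sum(case when action_name = 'LOGON'      then 1 else 0 end) logons,
       sum(case when action_name like 'LOGOFF%' then 1 else 0 end) logoffs,
       count(*) total_records
from   dba_audit_trail
where  username = 'OPS$DAEMON'
and    timestamp > sysdate - 1
group  by sessionid
order  by last_record desc;

-- 3. Everything recorded for one session picked from query 2.
--    &sessionid is a SQL*Plus substitution variable (prompted at run time).
select timestamp,
       nvl(os_username,'NULL') osuser,
       userhost,
       nvl(terminal,'NULL') terminal,
       action_name,
       returncode,
       logoff_time
from   dba_audit_trail
where  username  = 'OPS$DAEMON'
and    sessionid = &sessionid
order  by timestamp;
```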


Title: Re: OPS$DAEMON coming from apps server
Post by Pete Finnigan on Jun 20th, 2010, 5:14am
Pete,

Thanks for the reply.  I'm out of the office for the next couple of weeks, but I'll follow up on this as soon as I get back.


