
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Using Log Miner for database forensics



I posted the other day links to my upcoming presentations, one of which, at the main UKOUG, is about Oracle Forensics. Alex Gorbachev was good enough to email me a link to an article on his blog titled "Forensic DBA: Oracle LogMiner Helps Detect Sabotage" (http://www.pythian.com/blogs/509/forensic-dba-oracle-logminer-helps-detect-sabotage, broken link). This is a great article that shows how Alex used Log Miner to investigate how a departing DBA made some changes to various procedures in the database. Alex also points to a second article that he wrote last year titled "Security Issues" (http://www.pythian.com/blogs/269/oracle-logminer-helps-investigate-security-issues, broken link). This is a great story about a database that had a 1017 error on a materialised view, where the management started to worry that someone had changed the password without authorisation. This is a really good example of how to investigate an issue where audit was not enabled. Alex checks timestamps and SYS connection audit files, uses Log Miner to find the changes to USER$, and then dumps the archive logs to see the actual changes. Alex found that the session was local, along with the terminal and the process ID. He was able to correlate this with /var/log/message and also found the person who made the change and why. This is a great pair of articles and good background for my UKOUG paper!
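
The Log Miner step of an investigation like the one described above, as an added example (not code from this post or from Alex's articles): it mines archived logs for changes to SYS.USER$ inside a time window. The archive log paths and the dates are constructed placeholders, and it assumes a privileged SQL*Plus session on the affected database so that the online catalog can serve as the Log Miner dictionary.

```sql
-- Added example. Paths and dates below are constructed placeholders.

-- 1. Find the archived logs that cover the suspected time window.
SELECT sequence#, name, first_time, next_time
FROM   v$archived_log
WHERE  next_time  >= TO_DATE('2007-01-01 00:00:00', 'YYYY-MM-DD HH24:MI:SS')
AND    first_time <= TO_DATE('2007-01-02 00:00:00', 'YYYY-MM-DD HH24:MI:SS')
ORDER  BY sequence#;

-- 2. Register those files and start Log Miner for the same window.
BEGIN
  DBMS_LOGMNR.ADD_LOGFILE(
    LogFileName => '/placeholder/arch/arch_1_100.arc',   -- placeholder path
    Options     => DBMS_LOGMNR.NEW);
  DBMS_LOGMNR.ADD_LOGFILE(
    LogFileName => '/placeholder/arch/arch_1_101.arc',   -- placeholder path
    Options     => DBMS_LOGMNR.ADDFILE);
  DBMS_LOGMNR.START_LOGMNR(
    StartTime => TO_DATE('2007-01-01 00:00:00', 'YYYY-MM-DD HH24:MI:SS'),
    EndTime   => TO_DATE('2007-01-02 00:00:00', 'YYYY-MM-DD HH24:MI:SS'),
    Options   => DBMS_LOGMNR.DICT_FROM_ONLINE_CATALOG);
END;
/

-- 3. List every change to SYS.USER$ in the window. A password change
--    shows up as an UPDATE on this table even when auditing is off.
--    SESSION_INFO carries the session details (OS user, machine, terminal,
--    process ID) when the redo contains them; it may be empty or UNKNOWN
--    depending on version and logging configuration.
SELECT scn,
       TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') AS changed_at,
       username,
       session#,
       serial#,
       session_info,
       operation,
       sql_redo
FROM   v$logmnr_contents
WHERE  seg_owner = 'SYS'
AND    seg_name  = 'USER$'
AND    operation IN ('INSERT', 'UPDATE', 'DELETE')
ORDER  BY scn;

-- 4. Release the Log Miner session when finished.
BEGIN
  DBMS_LOGMNR.END_LOGMNR;
END;
/
```

The timestamp and session details returned by step 3 are the values to line up against the SYS connection audit files and the operating system logs.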