Home » RDBMS Server » Security » Bad user connect with SysDBA user? how? (10g)
Bad user connect with SysDBA user? how? [message #575752] Sun, 27 January 2013 02:39 Go to next message
POXER
Messages: 9
Registered: January 2013
Junior Member
In our system we run audit and see confused USERNAMEEEEE...

OS USER USERNAME USERHOST  Timestamp      OWNER OBJ_NAME GRANTEE    PRIV_USED
------- -------- --------  -------------  ----- -------- --------   -------------
SECSEC  Tom     INTER\SEC  1/27/2013 6:28  null null     null       CREATE SESSION
SECSEC  SysDBA  INTER\SEC  1/27/2013 6:28  null null     null       CREATE SESSION
SECSEC  Tom     INTER\SEC  1/27/2013 6:29  null null     null       CREATE SESSION
SECSEC  SysDBA  INTER\SEC  1/27/2013 6:29  null null     PROJECT    GRANT ANY ROLE
SECSEC  SysDBA  INTER\SEC  1/27/2013 6:29  null null     PROJECT    GRANT ANY PRIVILEGE
SECSEC  SysDBA  INTER\SEC  1/27/2013 6:29  null DBA      PROJECT    null
SECSEC  Tom     INTER\SEC  1/27/2013 7:37  null null     null       CREATE SESSION
SECSEC  Tom     INTER\SEC  1/27/2013 7:42  Tom  TSOC     null       null

How user tom could connect as SysDBA?
We check v$pwfile_users and Not SysDBA
We CHeck dba_sys_privs and just have connect role...

How we could find how this user do this action?

Thanks
Re: Bad user connect with SysDBA user? how? [message #575753 is a reply to message #575752] Sun, 27 January 2013 02:47 Go to previous messageGo to next message
John Watson
Messages: 8922
Registered: January 2010
Location: Global Village
Senior Member
Welcome to the forum.
I do not think it is possible to answer your question with the information provided: I cannot interpret it. For example, it is very unusual to have mixed case usernames (such as "Tom" or "SysDBA") are they actually correct? There is of course a privilege "SYSDBA". What is the query used to generate that listing, and how is your auditing configured?
Re: Bad user connect with SysDBA user? how? [message #575754 is a reply to message #575753] Sun, 27 January 2013 03:00 Go to previous messageGo to next message
POXER
Messages: 9
Registered: January 2013
Junior Member
Thanks John Smile
I confused, how tom user could Connect SysDBA and Grant DBA to another USER...
(
I change real Username into tom
maybe user search internet and find this thread...
)

I just execute this audit command:
audit session
audit system grant
audit execute any procedure

I select from v$pwfile_users and this view return just SYS
Re: Bad user connect with SysDBA user? how? [message #575755 is a reply to message #575752] Sun, 27 January 2013 03:01 Go to previous messageGo to next message
Michel Cadot
Messages: 68625
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Quote:
We check v$pwfile_users and Not SysDBA


What does this mean? You didn't check SYSDBA?
Please write complete sentences with all the words.
What is USERNAMEEEEE? This word does not seem to be in my dictionary.

Please read Administrator's Guide, chapter 1 "Overview of Administering an Oracle Database" contains 2 sections: "Administrative Privileges, SYSDBA and SYSOPER" and "Granting and Revoking SYSDBA and SYSOPER Privileges".

Regards
Michel

Re: Bad user connect with SysDBA user? how? [message #575756 is a reply to message #575754] Sun, 27 January 2013 03:03 Go to previous messageGo to next message
Michel Cadot
Messages: 68625
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Quote:
I change...

Quote:
I just execute...

Quote:
I select from...


Do not give your interpretation of what you did: copy and paste your SQL*Plus session, the complete session (in text mode in-line, no image, no attached file).

Regards
Michel
Re: Bad user connect with SysDBA user? how? [message #575757 is a reply to message #575756] Sun, 27 January 2013 03:11 Go to previous messageGo to next message
POXER
Messages: 9
Registered: January 2013
Junior Member
SQL> Select * From v$pwfile_users;

USERNAME                       SYSDB SYSOP
------------------------------ ----- -----
SYS                            TRUE  TRUE


SQL> Select * from dba_sys_privs  Where Grantee = 'TOM';

GRANTEE                        PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
TOM                            CREATE SESSION                           NO
TOM                            CREATE VIEW                              NO
TOM                            CREATE TABLE                             NO


SQL> Select * From dba_role_privs where Grantee = 'TOM';

GRANTEE                 GRANTED_ROLE                   ADM DEF
----------------------- ------------------------------ --- ---
TOM                     PUBLIC                         NO  YES
TOM                     CONNECT                        NO  YES

[Updated on: Sun, 27 January 2013 03:12]

Report message to a moderator

Re: Bad user connect with SysDBA user? how? [message #575758 is a reply to message #575757] Sun, 27 January 2013 03:31 Go to previous messageGo to next message
John Watson
Messages: 8922
Registered: January 2010
Location: Global Village
Senior Member
I've already asked you once: what is the query used to generate that first listing? We know that it is incorrect, because it reports usernames incorrectly. So it may be misleading in other ways, too. Whay do you think think that user TOM can connect AS SYSDBA? Why do you thnk TOM has granted any privileges?
Re: Bad user connect with SysDBA user? how? [message #575759 is a reply to message #575758] Sun, 27 January 2013 03:59 Go to previous messageGo to next message
POXER
Messages: 9
Registered: January 2013
Junior Member
Select
Select
     OS_USERNAME            ,
     USERNAME               ,
     USERHOST               ,
     TERMINAL               ,
     TIMESTAMP              ,
     OWNER                  ,
     OBJ_NAME               ,
     ACTION                 ,
     ACTION_NAME            ,
     NEW_OWNER              ,
     NEW_NAME               ,
     OBJ_PRIVILEGE          ,
     SYS_PRIVILEGE          ,
     ADMIN_OPTION           ,
     GRANTEE                ,
     AUDIT_OPTION           ,
     SES_ACTIONS            ,
     LOGOFF_TIME            ,
     LOGOFF_LREAD           ,
     LOGOFF_PREAD           ,
     LOGOFF_LWRITE          ,
     LOGOFF_DLOCK           ,
     COMMENT_TEXT           ,
     SESSIONID              ,
     ENTRYID                ,
     STATEMENTID            ,
     RETURNCODE             ,
     PRIV_USED              ,
     CLIENT_ID              ,
     ECONTEXT_ID            ,
     SESSION_CPU            ,
    -- EXTENDED_TIMESTAMP,
     PROXY_SESSIONID        ,
     GLOBAL_UID             ,
     INSTANCE_NUMBER        ,
     OS_PROCESS             ,
     TRANSACTIONID          ,
     SCN                    ,
     SQL_BIND               
  From dba_audit_trail
    Where USERHOST Like '%SEC%'
    Order by TIMESTAMP


Result:
OS USER USERNAME USERHOST  Timestamp      OWNER OBJ_NAME GRANTEE    PRIV_USED
------- -------- --------  -------------  ----- -------- --------   -------------
SECSEC  Tom     INTER\SEC  1/27/2013 6:28  null null     null       CREATE SESSION
SECSEC  SysDBA  INTER\SEC  1/27/2013 6:28  null null     null       CREATE SESSION
SECSEC  Tom     INTER\SEC  1/27/2013 6:29  null null     null       CREATE SESSION
SECSEC  SysDBA  INTER\SEC  1/27/2013 6:29  null null     PROJECT    GRANT ANY ROLE
SECSEC  SysDBA  INTER\SEC  1/27/2013 6:29  null null     PROJECT    GRANT ANY PRIVILEGE
SECSEC  SysDBA  INTER\SEC  1/27/2013 6:29  null DBA      PROJECT    null
SECSEC  Tom     INTER\SEC  1/27/2013 7:37  null null     null       CREATE SESSION
SECSEC  Tom     INTER\SEC  1/27/2013 7:42  Tom  TSOC     null       null

Re: Bad user connect with SysDBA user? how? [message #575760 is a reply to message #575758] Sun, 27 January 2013 04:06 Go to previous messageGo to next message
POXER
Messages: 9
Registered: January 2013
Junior Member
John Watson wrote on Sun, 27 January 2013 03:31
I've already asked you once: what is the query used to generate that first listing? We know that it is incorrect, because it reports usernames incorrectly. So it may be misleading in other ways, too. Whay do you think think that user TOM can connect AS SYSDBA? Why do you thnk TOM has granted any privileges?


How TOM could connect with SysDBA and Grant DBA Role to Project?
SysDBA is not a User,
What is SysDBA Username in Audit table?
Re: Bad user connect with SysDBA user? how? [message #575761 is a reply to message #575759] Sun, 27 January 2013 04:32 Go to previous messageGo to next message
John Watson
Messages: 8922
Registered: January 2010
Location: Global Village
Senior Member
Poxer, that result did not come from that query. No-one can assist if you tell lies.

Re: Bad user connect with SysDBA user? how? [message #575762 is a reply to message #575760] Sun, 27 January 2013 04:32 Go to previous messageGo to next message
Michel Cadot
Messages: 68625
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Quote:
What is SysDBA Username in Audit table?


SYS but it is not in the standard audit trail, it is in SYSDBA audit trail.
Please read the sections I pointed you to.

Regards
Michel
Re: Bad user connect with SysDBA user? how? [message #575773 is a reply to message #575761] Sun, 27 January 2013 06:48 Go to previous messageGo to next message
POXER
Messages: 9
Registered: January 2013
Junior Member
John Watson wrote on Sun, 27 January 2013 04:32
Poxer, that result did not come from that query. No-one can assist if you tell lies.


Now, I'm not at work, tomorrow send all Column of "Select * From dba_audit_trail" for you...
Re: Bad user connect with SysDBA user? how? [message #575774 is a reply to message #575773] Sun, 27 January 2013 07:45 Go to previous messageGo to next message
POXER
Messages: 9
Registered: January 2013
Junior Member
May be user have a access to EXECUTE DBMS_SQL?
Re: Bad user connect with SysDBA user? how? [message #575776 is a reply to message #575774] Sun, 27 January 2013 08:24 Go to previous messageGo to next message
Michel Cadot
Messages: 68625
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Maybe you should read what I posted?

Regards
Michel
Re: Bad user connect with SysDBA user? how? [message #575788 is a reply to message #575761] Sun, 27 January 2013 22:22 Go to previous messageGo to next message
POXER
Messages: 9
Registered: January 2013
Junior Member
John Watson wrote on Sun, 27 January 2013 04:32
Poxer, that result did not come from that query. No-one can assist if you tell lies.


Attached CSV file :
"Select * From dba_audit_trail Where USERHOST Like '%SEC%'"
  • Attachment: 01.csv
    (Size: 3.58KB, Downloaded 1936 times)
Re: Bad user connect with SysDBA user? how? [message #575789 is a reply to message #575776] Sun, 27 January 2013 22:25 Go to previous messageGo to next message
POXER
Messages: 9
Registered: January 2013
Junior Member
Michel Cadot wrote on Sun, 27 January 2013 08:24
Maybe you should read what I posted?

Regards
Michel

Thanks Michel, I start reading "Administering an Oracle Database".
Re: Bad user connect with SysDBA user? how? [message #575816 is a reply to message #575788] Mon, 28 January 2013 02:12 Go to previous messageGo to next message
John Watson
Messages: 8922
Registered: January 2010
Location: Global Village
Senior Member
Poxer, you are not thinking. Do you really believe that file is readable? By anyone?

For the last time, what was the query used to generate the output you posted earlier? It shows no evidence that anyone connected as SYSDBA. It does not show that user "Tom" granted anthing. It does purport to show that user "SysDBA" granted something. But without thhe code, there is no possibility of understanding what that output means.
Re: Bad user connect with SysDBA user? how? [message #575821 is a reply to message #575788] Mon, 28 January 2013 02:35 Go to previous message
Michel Cadot
Messages: 68625
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
POXER wrote on Mon, 28 January 2013 05:22
John Watson wrote on Sun, 27 January 2013 04:32
Poxer, that result did not come from that query. No-one can assist if you tell lies.


Attached CSV file :
"Select * From dba_audit_trail Where USERHOST Like '%SEC%'"


Michel Cadot wrote on Sun, 27 January 2013 11:32
Quote:
What is SysDBA Username in Audit table?


SYS but it is not in the standard audit trail, it is in SYSDBA audit trail.
Please read the sections I pointed you to.

Regards
Michel


[Updated on: Mon, 28 January 2013 02:35]

Report message to a moderator

Previous Topic: Integrating LDAP for User Authentication
Next Topic: Check Password?
Goto Forum:
  


Current Time: Fri Mar 29 10:19:37 CDT 2024