Audit Questions
Our VOIP enviroment raised some flags on the latest audit scan and I am trying to resolve the items:
A few items have me confused:
The following showed up on 3 of the devices:
remote network time service has denial of service (123/udp)...Upgrade to NTP 4.2.4p8 or later.
1 callmanager had this and it running the latest revision 7.1.3.32900-4 and is supposed to be resolved. (Another CCM running the same version didn't have the vulernability).
Our 2 UCCX servers running Cisco Application Administration - 7.0(1)_Build168 had the same vulerability. From what I can tell Cisco has fixed for most products but not the UCCX platform. I know this is going to a linux based version soon but is there a patch or ugrade that can reslove this?
Also Weak Ciphers appear on almost all of the Linux based servers...is there a way to disable this?
Thanks,
Joe
Dear Laxmi
You can upload the questions through excel , XML template. The template and details is available in the SAP note 597982
Regards
Gajesh
Similar Messages
-
EHS- Audit question and findings table?
Hi Gurus
I wanted to know what is the table for Audit questions and findings and also wanted to know where do these corresponding texts are getting stored in SAP.
Thanks
MuraliHello Murali,
please check the following tables
PLMM_AUDIT - for Audit results
For questions:
PLMM_QUEST_H
PLMM_QUEST_I
PLMM_QUEST_RES
for text
CGPL_TEXT
CGPL _ PROJECT
Regards
gajesh -
kindly guide me how to upload audit questions in sap system my query is sap also provide one temple in that templet what is contents to be filled i cont understood any body work that temple kindly guide me in that templet we have filed like that external id description ext position hierarchy level task level assessm entsug desc
Please check the sap note: 597982. You can find the SAP supplied XL template as a zip atatchment in the note and step by step guidance on how to upload audit questions using import/export functionality of audit management.
Thanks,
Ram -
Read attachment details of Audit Question (PLMD_AUDIT)
Hi Experts,
Kindly request you to assist me on the below.
I'm trying to build a solution using ABAP for a requirement, where the logic has to find the attachment details of an audit question or action on the audit transaction (PLMD_AUDIT).
For example, please see the attached:
Screen shot 1.--> I'm not able to build the solution to check whether an audit question/action is having an attachment.
Screen shot 2.--> If the attachment exists, then how to get the attachment and send an email.
Appreciate your valuable inputs.
Thank you
MahendraHi Experts,
Kindly request you to assist me on the below.
I'm trying to build a solution using ABAP for a requirement, where the logic has to find the attachment details of an audit question or action on the audit transaction (PLMD_AUDIT).
For example, please see the attached:
Screen shot 1.--> I'm not able to build the solution to check whether an audit question/action is having an attachment.
Screen shot 2.--> If the attachment exists, then how to get the attachment and send an email.
Appreciate your valuable inputs.
Thank you
Mahendra -
Oracle Auditing question.
Hi All,
I have a application schema called SPRE. I want to audit insert/update/delete/alter on any SPRE objects by any database user but I dont want to audit any action performed by "SPRE" user itself.
I know how to setup this.....like run below as system
audit inser,update,delete on SPRE.table1;
audit inser,update,delete on SPRE.table2;
audit inser,update,delete on SPRE.table3;
but questions I have is...
1. How to audit if sys user perform any insert,update,delete?
2. How to stop audit entry if SPRE user performed insert,update,delete
Thanks,
Anujsys.aud$, dba_audit_trail
OR
SELECT view_name FROM dba_views WHERE view_name LIKE 'DBA%AUDIT%' ORDER BY view_name;
SELECT view_name
FROM dba_views
WHERE view_name LIKE 'DBA%AUDIT%'
ORDER BY view_name;
VIEW_NAME
DBA_AUDIT_EXISTS
DBA_AUDIT_OBJECT
DBA_AUDIT_POLICIES
DBA_AUDIT_POLICY_COLUMNS
DBA_AUDIT_SESSION
DBA_AUDIT_STATEMENT
DBA_AUDIT_TRAIL
DBA_COMMON_AUDIT_TRAIL
DBA_FGA_AUDIT_TRAIL
DBA_OBJ_AUDIT_OPTS
DBA_PRIV_AUDIT_OPTS
DBA_REPAUDIT_ATTRIBUTE
DBA_REPAUDIT_COLUMN
DBA_STMT_AUDIT_OPTSHTH
-Anantha
Edited by: Anantha R on Mar 29, 2010 3:23 PM -
Hello, people!
I have question about auditing in Oracle Internet Directory.
1. I turn audit on in my OID.
2. Restart OID.
3. Searching for Audit Log Entries by Using ldapsearch. The DN for the audit log container is cn=auditlog. To search for audit log entries, perform a subtree or one-level search, with the container object cn=auditlog as the base of the search. Work fine.
4. But when i add some user to some group, i get record like:
orclSequence=348,cn=auditlog
objectclass=top
objectclass=orclauditoc
orcluserdn=cn=orcladmin
orcleventtype=Modify
orclauditmessage=Modifying entry cn=XMLP_ADMIN,cn=Groups,dc=rd,dc=local
orclsequence=348
orclopresult=Success
orcleventtime=20091125141137z
Did any one knows, how determine what changes done?
Thanks,
Jeff.it will be good if you are adding HR as OU , in case if you have IT or someother Organization Unit it will can be easily added and identified.
Once you add it as OU autimatically all required class will be added automatically , further if you have any custom attribute you can add your own custom class -
Audit Question - Access to SU01
I have a question in regards to access to SU01. We currently have a team to setup users and assign roles. We are SOx regulated and have been questioned about having individual having this access.
Does it make sense to have one user setting up the ID without any authorizations assigned and then another person add the roles? We have compliance calibrator installed and no issues from that, but I am aware sometimes it is a business process decision from our auditors.
To me this does not make sense to me at all. Not sure if this would be the same for all our other applications either at this point including BW, IPC, XI, network access etc. etc. etc.Chris,
This causes a lot of confusion and consternation across the industry. Having been on both sides of the fence from an audit perspective, I tend to take a pragmatic approach.
The key issue is about being able to amend roles and assign to users. Wherever possible, this should be avoided. It is up to you how you manage that but if you have a situation whereby a single person can create a role / profile and assign it to a user they control, then you have a potential audit issue.
You can split it in any way you like but you are basically trying to stop that SoD.
Some choose to have a dedicated team who are able to create users but not create or assign authorisations, a separate team who can assign authorisations and not create users or roles and a third team who can only create roles but not create or assign to users.
While that is ideal, it is not always practical so it is often somewhere in the middle.
As long as your central team cannot amend the roles and authorisations that they are assigning (or assign super user access like SAP_ALL) without appropriate controls in place, then you can generally have a fairly reasonable discussion with your auditors.
Simon -
ABS quirks / auditing question / kernel request
My original post is below but it's wrong. All I'm asking now is if someone can enable CONFIG_AUDIT in the kernel or tell me a program that lets you spy on files just as well as auditd.
Today when I was making packages, something I haven't done in awhile and badly needed to do again, I noticed exclamation marks appearing beside the filenames in the medit tabs. Those exclamation marks mean that since I last saved the text file in medit, another process edited the file on the disk. Subsequent saving required me to click "yes I'm sure I want to overwrite" in this popup window. This was responsive to my saves. Every time I saved something (a PKGBUILD, a patch, anyting under the /var/abs tree) it was changed half a second later.
I tried to find out what was going on. Inotify-tools told me when the PKGBUILD was being modified but not by what process. Lsof and Glsof had no hope because they don't watch a specific file in real time, they only tell you things that are currently open so I'd need inhuman reflexes to get useful information out of them.
One thing that looks perfect for me is auditd. This page http://www.cyberciti.biz/tips/linux-aud … -file.html says how you can use it to see what process edited what file. I spent a couple hours fine tuning the PKGBUILD of it only to hit the error where auditd says "Connection refused." Every other poster reporting this did so because his or her kernel did not have audit support and sure enough in the kernel26 package, CONFIG_AUDIT is not set.
So I need to ask three things:
1. Does anyone know why my files are being accessed this way in /var/abs?
2. Does anyone know a program compatible with the default kernel26 that could help me investigate?
3. If it's not too much trouble, would the kernel26 maintainers consider adding CONFIG_AUDIT so I don't have to start using a custom kernel over this one triviality?
Thanks alot.
Last edited by ConnorBehan (2008-12-27 00:13:11)ConnorBehan wrote:
Oh thanks monster, Thunar was open for me too. And it happened again today in /home so it's nothing to do with ABS. I guess my question now is:
Could someone enable CONFIG_AUDIT in kernel26 or tell me a way to audit with the kernel I have out of curiosity?
No problem, I'm glad I could help. I was a little unsure of what was going on myself until I stumbled on to the connection. If you figure out what is going on could you try and pass that along? I am curious to know the answer but not knowledgeable enough to dig into kernel audits to figure it out -
Simple auditing question...
Hello,
We are running 11.2.0.2 on AIX 7.1.
I'm trying to understand why our auditing is not behaving the way I think it should.
First, we have the default auditing turned on as part of 11GR2.
It seems to be capturing some things, but not always everything.
In some cases, it captures the creation of a table by a user, but in other cases, it may not.
Even though the same user created a table, or dropped a table.
Today, trying to figure this out, I created a test user and logged in as that test user (in SQL*Plus) and created a simple table, then inserted a record into it and did a commit. I then logged out.
But when I check the audit views, I don't see the audit actions, or even the session logon information.
I've checked using both Toad and by selecting from the dba_audit_objects and dba_audit_session views in SQL*Plus.
What am I missing?
That last DDL statement I see that was captured in the audit records was on July 20th.
In this case, it captured the drop and creation of a public synonym, but not of the underlying table that was also dropped.
I don't believe anyone has changed any of the audit settings.
First, let's confirm everything:
sho parameter audit
NAME TYPE VALUE
audit_file_dest string /u01/app/oracle/admin/xxxxxxxx
/adump
audit_sys_operations boolean FALSE
audit_syslog_level string
audit_trail string DB
SQL> SELECT privilege from dba_priv_audit_opts where user_name is NULL;
PRIVILEGE
ALTER SYSTEM
AUDIT SYSTEM
CREATE SESSION
CREATE USER
ALTER USER
DROP USER
CREATE ANY TABLE
ALTER ANY TABLE
DROP ANY TABLE
CREATE PUBLIC DATABASE LINK
GRANT ANY ROLE
ALTER DATABASE
CREATE ANY PROCEDURE
ALTER ANY PROCEDURE
DROP ANY PROCEDURE
ALTER PROFILE
DROP PROFILE
GRANT ANY PRIVILEGE
CREATE ANY LIBRARY
EXEMPT ACCESS POLICY
GRANT ANY OBJECT PRIVILEGE
CREATE ANY JOB
CREATE EXTERNAL JOB
23 rows selected.
SQL> select object_name, object_type, owner, created from dba_objects where object_name = 'EXPENDABLE_USE';
OBJECT_NAME OBJECT_TYPE OWNER CREATED
EXPENDABLE_USE SYNONYM PUBLIC 20-JUL-11
EXPENDABLE_USE TABLE SISI 20-JUL-11
2 rows selected.
Now, view the dba_audit_objects view:
1 select os_username, username, timestamp, action_name from dba_audit_object where timestamp > sysdate-9
2* order by timestamp desc
SQL> /
OS_USERNAME USERNAME TIMESTAMP ACTION_NAME
scmsrvacct SISI 20-JUL-2011 11:44 CREATE PUBLIC SYNONYM
scmsrvacct SISI 19-JUL-2011 19:40 DROP PUBLIC SYNONYM
scmsrvacct SISI 19-JUL-2011 19:40 DROP PUBLIC SYNONYM
3 rows selected.Notice that the table created on 20-JUL-2011 is not included above.
why not?
Any why isn't my test user shown, or the creation of the simple table created by the test user?Well, I can't exactly do what you asked because 'privilege' is not a column.
But I'm guessing this is what you are asking for:
1* select * from dba_stmt_audit_opts where user_name is NULL
SQL> /
USER_NAME PROXY_NAME AUDIT_OPTION SUCCESS FAILURE
ALTER ANY TABLE BY ACCESS BY ACCESS
SYSTEM GRANT BY ACCESS BY ACCESS
DROP ANY TABLE BY ACCESS BY ACCESS
CREATE ANY PROCEDURE BY ACCESS BY ACCESS
DROP ANY PROCEDURE BY ACCESS BY ACCESS
ALTER ANY PROCEDURE BY ACCESS BY ACCESS
GRANT ANY PRIVILEGE BY ACCESS BY ACCESS
GRANT ANY OBJECT PRIVILEGE BY ACCESS BY ACCESS
GRANT ANY ROLE BY ACCESS BY ACCESS
SYSTEM AUDIT BY ACCESS BY ACCESS
CREATE EXTERNAL JOB BY ACCESS BY ACCESS
CREATE ANY JOB BY ACCESS BY ACCESS
CREATE ANY LIBRARY BY ACCESS BY ACCESS
CREATE PUBLIC DATABASE LINK BY ACCESS BY ACCESS
EXEMPT ACCESS POLICY BY ACCESS BY ACCESS
ALTER USER BY ACCESS BY ACCESS
CREATE USER BY ACCESS BY ACCESS
ROLE BY ACCESS BY ACCESS
CREATE SESSION BY ACCESS BY ACCESS
DROP USER BY ACCESS BY ACCESS
ALTER DATABASE BY ACCESS BY ACCESS
ALTER SYSTEM BY ACCESS BY ACCESS
ALTER PROFILE BY ACCESS BY ACCESS
DROP PROFILE BY ACCESS BY ACCESS
DATABASE LINK BY ACCESS BY ACCESS
PROFILE BY ACCESS BY ACCESS
PUBLIC SYNONYM BY ACCESS BY ACCESS
CREATE ANY TABLE BY ACCESS BY ACCESS
28 rows selected.also
SQL> select distinct(user_name) from dba_stmt_audit_opts;
USER_NAME
1 row selected. -
CC 2014 Using "Edit in Adobe Audition" question?
In Premiere Pro CC (2014). When I send an audio clip that is an .aif from the timeline to Audition using “Edit in Adobe Audition > Clip”, when it shows up in Audition, the file is a .wav file. Is there a preference that will keep it a .aif file?
Dont know... but possibly an Audition Preference or a workflow actually in Audition for Mixer or Sound File Editor setup
-
OAM/OIM 11.1.1.3 audit question
All,
We are collecting login information in the IAU_BASE table. Most of the time IAU_INITIATOR value is null. Does anyone have an idea why this is the case? Is there a setup that we are missing in OAM configuration?
thanks in advance,
Prasad.Hi - did you ever get an answer to this question or figure this out?
-
Premiere Pro/Audition question
I am running Premiere Pro CS4 and Audition 2.0. I have some musical HD footage that I have loaded into PP. I would like to export only the audio, work on it in Audition and reimport into PP. The only audio only export option in Media is AAC (+/- Version 1 or 2) which Audition doesn't recognize.
Suggestions?With File Associations in Windows, at least one user has bypassed Soundbooth for Audition, so that Edit in Audition works as it did back in the old PrPro 2.0 days. Not sure of what any ins-and-outs might be, and do not have CS4, but Edit in Audition works for other, even in CS4, with a little work in Control Panel.
Doing an Export to PCM/WAV, editing in Audition, doing a Save, and then an Import will work too.
Good luck,
Hunt -
Auditing question executing the TRUNCATE command.
Hello.
We have some audit controls in place that interrogate SQL codes to determine whether an INSERT, UPDATE or DELETE command has been executed by a user. However, when a user executes a TRUNCATE command, an sudit record is not generated. Since I cannot find a specific code for Truncate, I was thinking that the code that caputes a DELETE command would work... but it doesn't appear that is the case.
We only have a very few users that can issue the TRUNCATE command, but I'd like to know if anyone knows of a specific code for TRUNCATE. Or if anyone has an idea how we could generate AUDIT records when a user does issue a TRUNCATE command.
Thanks!There is certainly a lot of bad information floating around on this topic.
"Audit table" will audit create table, drop table and truncate table - which is absolutely true. It is the ONLY way to reliably audit truncate table operations.
Object auditing on a specific table (e.g. audit all on scott.mytab) never creates an audit record for truncation.
You can audit "DROP ANY TABLE" which will create an audit record ONLY when someone with the DROP ANY TABLE system privilege attempts to truncate a table in another schema.
Contrary to what some "experts" (including at least one ACE) think, "audit truncate table" is NOT valid syntax.
"Audit truncate" does not return an error, but (as far as I can tell and I've actually tested it on 9.2.0.4, 10.2.0.1, 10.2.0.5 and 11.2.0.3) it does nothing. It creates no record in DBA_STMT_AUDIT_OPTS or DBA_PRIV_AUDIT_OPTS and it never produces a record in the audit trail. It is a half-baked auditing option that does not actually work - so, "audit truncate" should return an error! -
Greetings, I am working with a client who outsources their DBA services to a third party. The third party has unfettered 24 hour access to the database using one generic id. This is creating an issue from an audit perspective. I have been told by other people within my firm that Oracle 9i, which is what the client is running, has an auditing feature that will allow you to audit statements issued by a specific user id? Further, it is my understanding that you can place the log file on a network drive that the DBA wouldn't have access to? Does anyone have any information on this, or a link that I could go to for more information. I want to at least be able to recommend a starting point to the client. They have a manager that has general knowledge of Oracle, but not the expertise of a typical DBA. Any help on this topic would be greatly appreciated.
Take a look at chapter 26 of database admin guide (Auditing Database Use), that should give you a starting point. If the "user" the third party will use is a sysdba, consider making use of the init parameter called audit_sys_operations.
Daniel -
Hello,
We have a customer running SBS 2011 who we monitor with Kaseya. They have an application they are unfortunately stuck with, that syncs to their AD but it's very basic and has no notifications if it fails. If a user changes their credentials it stops working
and it's not immediately obvious to the user. Because of this we monitor for password changes by event ID and then proactively contact the user to get their password and update the software's credentials. Unfortunately the SBSMonacct as part of its normal
actions resets it's password every 30 minutes creating a lot of false tickets alert/tickets from the events generated. I have tried using auditpol.exe to exclude the SBSMonacct from auditing on a per user basis but since it's an admin account it doesn't seem
to have any effect. Is there a way to disable the SBSMonacct procedure (we monitor with Kaseya not the SBS reports) or exclude it from the security log?
Thanks,
BrianHi Brian,
Based on your description, I understand that you want to disable some specific alerts in the SBS report email.
You can configure notification settings to achieve this target in Windows SBS Console.
Please refer to the detailed operations.
Open the
Windows SBS Console.
On the navigation bar, click
Network, and then click the Computers tab.
In the task pane, click
View notification settings. The Notification settings page appears.
Then you can configure the Service, Performance counters and Event Log errors what you want to be notified about in email.
In addition, I can find that you monitor with Kaseya. So, please also refer to following thread. It may help
you.
SBSMonAcct how to disable Reports
http://social.technet.microsoft.com/Forums/exchange/en-US/04a81fff-fc52-492c-ba3b-8161dcb7382a/sbsmonacct-how-to-disable-reports?forum=smallbusinessserver
If anything I misunderstand, please don’t hesitate to let me know.
Hope this helps.
Best regards,
Justin Gu
Maybe you are looking for
-
HP Photosmart C3180 All In One Installation Problems
A while back I posted about problems with installing this printer, where the install cd v7.8.0 worked but the HP Set Up Assistant hung on the 2nd step. The software on the hp site for this printer (v7.9.1), did not work either, and froze mid install
-
NOKIA N80 Internal Error Message PLEASE HELP
Does anbody Know why I Get an Internal Error Message When I Send a Multimedia Message.... Everytime I Try to Send a Picture as Multimedia it Says Unable to Send Message and When I Click Details it Says Internal Error....... Please Help
-
I have a MacBook Pro and I have developed eczema on the palms of both my hands and I am wondering if this might be an allergic reaction to nickel. If it is, is there a solution out there so that I can still use my Mac?
-
How can I fix wifi communication MountainLion to printer MG8250?
I have a MacBookPro and Canon 8250 printer connected by in house wifi. The printer worked fine until a few days ago. Then printing started to generate the message "Support code 300: The printer does not respond." Help getting printer going again much
-
This is probably really simple BUT, I have a font that I downloaded, it is available on all of my font lists (iMovie, Photoshop) but not when I go to create a lower third title in FCP. It does, however, show up when I create a title crawl. Which fold