How to audit SYSTEM account

Similar Messages

• How to implement an audit system to track ADF applications DML activity?

  We have implemented a complete audit system for one of our databases in order to keep history for every table and every value that has been modified.
  The solution that we currently have can be split into two discrete parts:
  1. Keeping a record of all connections to the db account
  This is achieved via a table ‘user_sessions’ into which we record data for every session in the database with the help of on-logon and on-logoff triggers and some PL/SQL procedures:
  Column name        |  Explanation
  -------------------|-------------------------------------------
  US_ID              | PK, based on a sequence
  SESSION_ID         | sys_context('USERENV' ,'SESSIONID')  
  USER_NAME          | sys_context('USERENV' ,'OS_USER')
  LOGON_TIME         | when the on-logon trigger fires
  LOGOFF_TIME        | when the on-logoff trigger fires
  USER_SCHEMA        | sys_context('USERENV' ,'SESSION_USER')
  IP_ADDRESS         | sys_context('USERENV' ,'IP_ADDRESS')
  us_id |session_id |user_name|user_sschema|ip_address|logon_time               |logoff_time     
  560066|8498062       |BOB      |ABD         |1.1.1.2   |14-SEP-06 03.51.52.000000|14-SEP-06 03.52.30.000000
  560065|8498061       |ALICE    |ABC         |1.1.1.1   |14-SEP-06 02.45.31.000000|14-SEP-06 04.22.43.0000002. Keeping the history of every change of data made by a given user
  For every table in the account there is a corresponding history table with all of the columns of the original table plus columns to denote the type of the operation (Insert, Delete, Update), start and end time of validity for this record (createtime, retiretime) and us_id (which points to the user_sessions table).
  The original table has triggers, which fire if there is an insert, update or delete and they insert the data into the corresponding history table. For every record inserted into a history table the us_id taken from the user_sessions table is recorded as well, allowing us to determine who has modified what data via the combination of these two tables.
  Below is an example of a table TASKS, the history related triggers and the history table TASKS_HIST.
  At the moment we are developing new applications by using ADF. Since there is an Application Module Pool and Database Connection Pool implemented for the ADF, one connection to the database could be used by several users at different moments of time. In that case the history records will point to a database session logged into the user_sessions table, but we will not know who actually modified the data.
  Could you, please, give us a suggestion, how we can know at any moment of time who (which of our users currently making use of an ADF application) is using a given database connection?
  By way of an example of the problem we are facing, here is how we solved the same problem posed by the use of Oracle Forms applications.
  When the user starts to work with a given Forms application, user_sessions table would attempt to record the relevant information about he user, but since the db session was created by the application server, would in actual fact record the username and ip address of the application server itself.
  The problem was easy to solve due to the fact that there is no connection pooling and when a user opens their browser to work with Forms applications, a db connection is opened for the duration of their session (until they close their browser window).
  In that case, the moment when the user is authenticated (they log in), there is a PL/SQL procedure called from the login Form, which updates the record in the user_sessions table with the real login name and ip address of the user.
  Example of a table and its ‘shadow’ history table
  CREATE TABLE TASKS (
       TASKNAME     VARCHAR2(40),
       DESCRIPTION  VARCHAR2(80)
  ALTER TABLE TASKS ADD (
       CONSTRAINT TASKS_PK PRIMARY KEY (TASKNAME));
  CREATE OR REPLACE TRIGGER TASKS_HISTSTMP
  BEFORE INSERT OR UPDATE OR DELETE ON TASKS
     BEGIN
       HISTORY.SET_OPERATION_TIME('TASKS');
     EXCEPTION
       WHEN OTHERS THEN
         ERROR.REPORT_AND_GO;
  END TASKS_HISTSTMP;
  CREATE OR REPLACE TRIGGER TASKS_WHIST
    AFTER INSERT OR UPDATE OR DELETE ON TASKS
    FOR EACH ROW
    BEGIN
  CASE
        WHEN INSERTING THEN
          UPDATE TASKS_HIST
             SET retiretime = HISTORY.GET_OPERATION_TIME
           WHERE createtime = (SELECT MAX(createtime)
                                 FROM TASKS_HIST
                                WHERE retiretime IS NULL AND TASKNAME=:NEW.TASKNAME)
             AND retiretime IS NULL AND TASKNAME=:NEW.TASKNAME;
          INSERT INTO TASKS_HIST (TASKNAME      ,DESCRIPTION      ,optype
                                  ,createtime                    
                                  ,us_id)
                 VALUES          (:NEW.TASKNAME ,:NEW.DESCRIPTION ,'I'
                                  ,HISTORY.GET_OPERATION_TIME    
                                  ,USER_SESSION.GET_USER_SESSIONS_ID);
        WHEN UPDATING THEN
          UPDATE TASKS_HIST
             SET retiretime = HISTORY.GET_OPERATION_TIME
           WHERE createtime = (SELECT MAX(createtime)
                                 FROM TASKS_HIST
                                WHERE TASKNAME=:OLD.TASKNAME) 
             AND TASKNAME=:OLD.TASKNAME;
          INSERT INTO TASKS_HIST (TASKNAME      ,DESCRIPTION      ,optype
                                  ,createtime
                                  ,us_id)
                 VALUES          (:NEW.TASKNAME ,:NEW.DESCRIPTION ,'U'
                                  ,HISTORY.GET_OPERATION_TIME
                                  ,USER_SESSION.GET_USER_SESSIONS_ID);
        ELSE
          UPDATE TASKS_HIST
             SET retiretime = HISTORY.GET_OPERATION_TIME
           WHERE createtime = (SELECT MAX(createtime)
                                 FROM TASKS_HIST
                                WHERE TASKNAME=:OLD.TASKNAME) 
             AND TASKNAME=:OLD.TASKNAME;
          INSERT INTO TASKS_HIST (TASKNAME      ,DESCRIPTION      ,optype
                                  ,createtime
                                  ,us_id)
                 VALUES          (:OLD.TASKNAME ,:OLD.DESCRIPTION ,'D'
                                  ,HISTORY.GET_OPERATION_TIME
                                  ,USER_SESSION.GET_USER_SESSIONS_ID);
      END CASE;
    EXCEPTION
      WHEN OTHERS THEN
        ERROR.REPORT_AND_GO;
  END TASKS_WHIST;
  CREATE TABLE TASKS_HIST (
       TASKNAME       VARCHAR2(40),
       DESCRIPTION    VARCHAR2(80),
       OPTYPE         VARCHAR2(1),
       CREATETIME     TIMESTAMP(6),
       RETIRETIME     TIMESTAMP(6),
       US_ID          NUMBER
  ALTER TABLE TASKS_HIST ADD (
       CONSTRAINT TASKS_HIST_PK PRIMARY KEY (TASKNAME, CREATETIME)
         );

  Frank,
  Thanks for your reply.
  I checked the site that you mentioned.
  I try the sample “demo with bundle. The sample worked.
  But it needed to start separately with the application.
  I do not know how to build a help system with the existed web application developed with Jdeveloper (It has two projects: model and user-view-control. It is deployed on Oracle Application server).
  Could you help me step by step to build the help system?

• Ifweb60 processes run as local system account on w2k- how do i change?

  i am running forms 6i on an 2000 box using
  the forms servlet config and oc4j with 9ias.
  this runs fine except that the ifweb60 processes
  are owned by the local system account. this in
  turn means i can't map the forms60_path to a
  network drive because i can't give network
  privileges to a local system account. so,
  how do i change the account that spawns the
  ifweb60 processes?
  thanks,
  marta

  Never mind, resolved this myself by using the netbios name to substitute the value I need on each individual domain.
  $domain = Get-ADDomain | Select-Object -expandproperty netbiosname 
  Set-Location "dc=$domain,dc=dom,dc=co,dc=uk'
  Sets location as:
  PS AD:\dc=a,dc=dom,dc=co,dc=uk>
  ON another domain same script results
  PS AD:\dc=b,dc=dom,dc=co,dc=uk>
  Exactly what I needed!

• How to make every account in the system login automatically?

  How to make every account in the system login automatically when Mac OS X startup?
  Thanks!

  I can see one way to do it. You'll need to install a script in each user account, and have it set as a login item for each user. Let's imagine you have three user accounts. Each user in Mac OS X has a UID number. Normally your first user has the UID of 501, the second one will be 502 and so on...
  You can determine the UID by running the following AppleScript while logged in on each user:
  do shell script ("ID")
  This'll return a long block of text, but right at the start you'll see the UID number. Let's assume your three users have the UIDs 501, 502 and 503. We begin with 501.
  Create the following script and save it as an application while logged in as 501. Note that the password you're entering is the password for UID 502. Also note that the forum system is creating line breaks where there shouldn't be any. The long "do shell script" line should be one line.
  delay 5 --This delay allows time for login to complete, but it may not be necessary.
  try
  do shell script "/System/Library/CoreServices/Menu\\ Extras/User.menu/Contents/Resources/CGSession -switchToUserID 502"
  delay 5 --This delay could be shorter or longer, depending on how fast your machine is.
  tell application "System Events"
  keystroke "password for 502" --the password for UID 502
  keystroke return
  delay 1
  end tell
  on error
  display dialog "Unable to switch user."
  end try
  Open System Preferences, go to Accounts, click "login items" and drag your script (saved as an application) to the login items window.
  You basically repeat this process for each user account, modifying the script so it switches to the next user.
  This isn't ideal, because your passwords will be stored in the scripts, and each user could open the scripts and learn the passwords of the other users on that machine.
  I picked some of this up from a discussion over at the Macworld forums:
  http://hints.macworld.com/article.php?story=20031102031045417
  Message was edited by: The Preacher
  Message was edited by: The Preacher
  Message was edited by: The Preacher

• How to exclude user account for auditing.

  I would like to know how to exclude user account from the audit policy, such as below.
  AUDIT SELECT TABLE BY ACCESS WHENEVER NOT SUCCESSFUL ;
  thanks in advance.
  May

  Security team request to reduce the amount of the audit data based on the user account. Can I use FGA to implement it?possible as it lets you specify the conditions necessary for an audit record to be generated:
  FGA policies are programatically bound to the object (table, view) by using the 'dbms_fga' package. It allows you to create any desired condition,
  for example: Audit an event only when the following conditions are true:
  A table is accessed between 6 p.m. and 6 a.m. and on Saturday and Sunday.
  An IP address from outside the corporate network is used.
  A specific column has been selected or updated.
  A specific value for this column has been used.
  more detail available on Oracle by example
  http://www.oracle.com/technetwork/articles/idm/fga-otn-082646.html

• How do I enable "Audit user account logons" using PowerShell, to improve security?

  With successful hacking attacks more often employing valid Active Directory user credentials, it is quite helpful when administrators can
  easily poll user logon events. Rather than query
  every domain computer for its logon events, one can alter the Default Domain Controller Policy GPO to enable "Audit user account logons" (Success and Failure) then merely poll
  only the domain controller -- quite efficient. PowerShell helpfully has its Group Policy Module, including the following two cmdlets.
  1) Get-GPO "Default Domain Controllers Policy" will retrieve the top-level GPO object, but how do I enable that specific setting?
  2) Set-GPRegistryValue might be the right tool, but I cannot find any documentation on the values I need to supply to its parameters (-Name -Key -ValueName -Type -Value) to enable "Audit user account logons" -- both Successes and Failures.
  One can manually modify this setting using the Group Policy Management console GUI on the domain controller, but I am trying to upgrade my professional work habits to use stored scripts, rather than unrecorded point & clicks, so that my actions are repeatable
  and documented.
  Any pointers to documentation or an example would be welcome. I originally posted this question in the TechNet PowerShell Forum this afternoon, but someone recommended I copy it to the TechNet Group Policy Forum.
  Jeffrey - New Orleans MCITP Enterprise Administrator, Virtualization Administrator

  Hi Jeffrey,
  >>One can manually modify this setting using the Group Policy Management console GUI on the domain controller, but I am trying to upgrade my professional work habits to use stored scripts, rather than unrecorded point & clicks, so that my actions
  are repeatable and documented.
  Before going further, although you have expressed that you don't want to use GPMC GUI to configure the audit setting, in fact, it's an easy and comparatively handy method to set the setting. Besides, based on the description, you
  want to use PowerShell to do this. However, as far as I know, PowerShell can configure registry-based policy settings and Group Policy Preferences Registry settings, but audit policy security settings are not registry keys.
  Nonetheless, if we really don't want to use GPMC console to do this, we can use Auditpol.exe to set the audit setting.
  Regarding this point, the following article can be referred to for more information.
  Auditpol
  https://technet.microsoft.com/en-in/library/cc731451.aspx
  Auditpol set
  https://technet.microsoft.com/en-in/library/cc755264.aspx
  In addition, regarding Group Policy Cmdlets in Windows PowerShell, the following article can be referred to for more information.
  Group Policy Cmdlets in Windows PowerShell
  https://technet.microsoft.com/en-us/library/ee461027.aspx
  TechNet Subscriber Support
  If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
  Best regards,
  Frank Shen

• How do I have an exe in a logon script run as a different user (either a domain admin or even the local system account)

  So, I'm having some problems getting a logon script to work.  I need a way to deploy the agent that we use via login/startup scripts and what I have works fine if the user has admin rights, or if UAC is disabled.  I've tried to convert the .exe
  to an .msi to make it easier, but the .msi never works and it's only distributed as an .exe.  We deploy this to different clients, I can't disable UAC in their environment unless they specifically tell us to.  Can anyone think of a way around this? 
  I've been searching for days and I'm just lost.  If we could execute the file as the system account, or connect to shares using a startup script instead of logon, that would be perfect.  Basically what it does is check to see if the process for the
  agent is running (agentmon.exe) so we don't attempt to install it if it is already installed, if it's not, then it calls on a different agent installer depending on the IP address of the system (for clients that have more than one location).  Here's what
  I've got written that works for me in my test environment:
  Const strAgent1 = "\\home.wiginton.local\SysVol\home.wiginton.local\Policies\{CD4ED3BD-0709-4E3D-A303-C9E3B0F5198D}\User\Scripts\Logon\Test-KcsSetup1.exe"
  Const strAgent2 = "\\home.wiginton.local\SysVol\home.wiginton.local\Policies\{CD4ED3BD-0709-4E3D-A303-C9E3B0F5198D}\User\Scripts\Logon\Test-KcsSetup2.exe"
  Const strAgent3 = "\\home.wiginton.local\SysVol\home.wiginton.local\Policies\{CD4ED3BD-0709-4E3D-A303-C9E3B0F5198D}\User\Scripts\Logon\Test-KcsSetup3.exe"
  Const strFolder = "C:\Temp\"
  Const Overwrite = True
  dim objFSO, objNIC1, arrNIC, strIP, strMask, objShell, objWMIService
  dim
  'Checks for Kaseya agent process, AgentMon.exe, exits if running
  Set objWMIService = GetObject ("winmgmts:")
  Set proc = objWMIService.ExecQuery("select * from Win32_Process Where Name='agentmon.exe'")
  If proc.count > 0 Then
      WScript.Quit
  End If
  'Instantiate a NIC configuration object
  Set objNIC1 = GetObject("winmgmts:").InstancesOf("Win32_NetworkAdapterConfiguration")
  'Instantiate a shell object
  Set objShell = CreateObject("wscript.shell")
  Set objFSO = CreateObject("Scripting.FileSystemObject")
  'Create Temp Dir if it doesn't exist
  If Not objFSO.FolderExists(strFolder) Then
      objFSO.CreateFolder strFolder
  End If
  For Each arrNIC in objNIC1
      if arrNIC.IPEnabled then
          StrIP = arrNIC.IPAddress(i)
          strMask = arrNIC.IPSubnet(i)
          Set WshNetwork = WScript.CreateObject("WScript.Network")
      end if
  next
  Function NetworkID(Address, Mask)
      Dim AddressOctets, MaskOctets, Result, N
      AddressOctets = Split(Address, ".")
      MaskOctets = Split(Mask, ".")
      ReDim Result(UBound(AddressOctets))
      For N = 0 To UBound(AddressOctets)
          Result(N) = AddressOctets(N) And MaskOctets(N)
      Next
      NetworkID = Join(Result, ".")
  End Function
  Select Case NetworkID(strIP,strMask)
      Case "192.168.0.0"
      ' Kaseya install commands for 192.168.0.0 subnet
      objFSO.CopyFile strAgent1, strFolder, Overwrite
      Wscript.Sleep 1*60*1000
      objShell.run "C:\Temp\Test-KcsSetup1.exe"
      Case "192.168.1.0"
      ' Kaseya install commands for 192.168.1.0 subnet
      objFSO.CopyFile strAgent2, strFolder, Overwrite
      Wscript.Sleep 1*60*1000
      objShell.run "C:\Temp\Test-KcsSetup2.exe"
      Case "192.168.2.0"
      ' Kaseya install commands for 192.168.2.0 subnet
      objFSO.CopyFile strAgent3, strFolder, Overwrite
      Wscript.Sleep 1*60*1000
      objShell.run "C:\Temp\Test-KcsSetup3.exe"
      Case Else
      ' Some sort of error checking. Maybe a BLAT SMTP command to send an email
  End Select
  Set objWMIService = Nothing
  Set objNIC1 = Nothing
  Set objShell = Nothing
  Set WshNetwork = Nothing
  Wscript.quit

  You need to read the documentation carefully:
  The Deploy Agents install package is created using a Configure Automatic Account Creation wizard. The wizard copies agent settings from an existing machine ID or machine ID template and generates an install package called
  KcsSetup.All settings and pending agent procedures from the machine ID you copy from—except the machine ID, group ID, and organization ID—are applied to every new machine ID created with the package.
  Including Credentials in Agent Install Packages
  If necessary, an agent install package can be created that includes an administrator
  credentialto access a customer network. Credentials are only necessary if users are installing
  packages on machines and do not have administrator access to their network. The administrator credential is encrypted, never available in clear text form, and bound to the install package.
  ¯\_(ツ)_/¯

• How can I create a Face Time account.  I have an Apple ID and password.  When I Google how to create an account all I get is what I need for the system

  I have a 13" MacPro.  How can I create a Face Time account.  I have an Apple ID and password.  When I Google how to create an account all I get is what I need for the system

  You don't need to create an account.   Your use your Apple ID to log into Facetime.
  If you haven't already you will need to download the Facetime App from the Mac App Store.
  https://itunes.apple.com/us/app/facetime/id414307850?mt=12&ls=1
  FaceTime for Mac: Troubleshooting FaceTime - Apple Support

• SYSTEM account gets locked automatically

  Hi,
  Recently I started the oem agent on one of the box. Since then, the system account gets locked frequently.
  Can you please guide how can I investigate on this ?
  Also, I checked the failed accounts in recent times and I can see someone is connecting from terminal "pts/4".
  Please help to resolve this asap.
  Regards,
  Harry

  Please specify your OS and DB versions.
  Can you please guide how can I investigate on this ?
  Also, I checked the failed accounts in recent times
  and I can see someone is connecting from terminal
  "pts/4".It means someone is trying to hack the system account. I assume you have configure audit options so you can log where this attempts come from. Even though you have already realized attacks come from pts/4 it will only have sense if you are able to discover in the few minutes what's the actual terminal attached from pts/4. On the other hand, it sounds to me that someone opened a session in a unix like box, and is able to see the os where the database resides. If this is the case, look for the output from the os command 'last' to find out further information about pts/4. If this hacker has reached the OS, it is a serious matter, it could quite easily get signed to the database if it is OS authenticated.
  ~ Madrid

• Cannot Retrieve referenced URL in wscript file from Local System Account, but not other accounts on the computer.

  Hello,
  I have a WScript File that includes an external resource (js file).
  It works on one computer and it does not work on another computer.
  If I run this file from a normal admin command prompt everything runs fine on both computers.
  If I run this file from the Local System account using PsExec it runs fine on one of the computers and throws an error "Cannot Retrieve referenced URL" on the other computer.
  The reason I want it to run from the Local System account is that it is executed from a Windows Service.
  Is there some setting or some way for the IE cache to get corrupt on the Local System account or something like that?

  JRV,
  You are by far the worst 'support' person I've ever seen. If you aren't going to be thoughtful in providing support, don't pretend. If you're going to pretend, leave your condescension on the shelf. You have provided no thoughtfulness whatsoever to his issue,
  and have in no way improved the discourse. You are arrogant and condescending without exhibiting any intelligence whatsoever. I'm impressed Matt kept calm through your demeaning, counterproductive diatribes.
  Matt,
  First I'd check UAC settings, because I believe that can change how elevation works substantially.
  Second, I would check the versions of wscript.exe on both machines, both in System32 and SysWow, and I'd check for updates bypassing WSUS to make sure there's not something silly going on there (totally a shot in the dark, catch-all theory).
  Have you made any headway in the last few weeks?
  -John
  This is not a support forum and it is not for assistance in fixing broken configurations.  It is a scripting forum. The OP proved that the issue is not the script but the environment it is running in.  You should not get mad just because you are
  not getting satisfaction.
  ¯\_(ツ)_/¯

• How to create reconciliation account

  hi gurus,
  when iam trying to create a customer,system is asking reconciliation account.But,in the selection list,there are no entries found for reconciliation account..can u please tell me how to create reconciliation account,step by step..this is very urgent...
  Thanks in advance...
  Regards..
  Yogi..

  Hii
  system is giving this error as customer and vendor accounts are needed to update the GL account and the accounts are kind of subledger account,...
  so u need to create the sundry debtors or creditors account in FS00. here under description tab u need to select balance sheet account and under control tab select reconciliation account type as customer or vendor... whatever applicable..
  now give the same GL account number in customer or vendor master data in reconcilliation account number.
  so that through this recon. account is a GL account to which subsidiary ledgers (customer and vendor) are connected and updated..
  hope u got ur answer
  reward points
  sejal

• ALE Audit System

  Does ALE audit system work between a non-sap sending system and SAP as receiving system. If yes, then how is the "audit table" and "audit analysis program" step taken care of?

  Hi Helge,
  if you're using BPM in the XI
  this is what you could to:
  create a new processing code for inbound aleaudits
  and change a little the standard function module
  for inbound ale audits (the only change
  would be a table in which you'd map
  BPM names to just on partner profile)
  this way if you'd be using a new BPM
  you will only have to add one record to the table
  and the processing will always be done correctly
  with just one partner profile
  Regards,
  michal
  <a href="/people/michal.krawczyk2/blog/2005/06/28/xipi-faq-frequently-asked-questions">XI FAQ - Frequently Asked Questions</a>

• SharePoint Designer Workflow unnecessary set Modified By value as System Account.

  Hi Friends,
  I have created SharePoint Designer Workflow, it update other List Item as well same Item on Item Adding and Editing event.
  I have Developed workflow using System Account.
  While doing any change by general user in Workflow list it update Modified By value to System Account only.
  I want modified by value as General user only.
  Or No need to update modified and Modified by details.
  So please help me How I can resolve this issue.
  Thanks,
  Digambar Kashid 
  Thanks and Regards, Digambar Kashid

  Hi Digambar, that's by design, but here are some workarounds:
  http://blog.mmasood.com/2012/12/approval-worfklow-showing-system.html
  https://social.technet.microsoft.com/Forums/office/en-US/f3f9b1ff-9507-4471-935d-4ab8937839b6/oob-approval-workflow-makes-modify-by-field-as-system-account?forum=sharepointadminprevious
  cameron rautmann

• Changing OOTB "xelsysadm" system account ID

  Hi,
  My client requests the OOTB system account "xelsysadm" to be changed to another value (the reason being that "xelsysadm" is a well known string, and that the account may therefore be compromised). Anyway, is this even possible? If yes, how?
  Thanks !

  OIM 11g console does not allow changing "xelsysadm" ID, but I know it can be changed using the OIM 10g APIs. You may also change it directly in the USR table.
  Your next question may be - will it impact anything? Per my knowledge, you will have to change any other external client that uses "xelsysadm" ID. Other than that, I don't think this ID is hard-coded anywhere within OIM server.
  Gurus, please share your insights on this...

• How to change a account assignment in and cost distrubution on cost center

  Hi Expert
  Can any one let me know how to change the account assignment and cost distribution on the cost center.
  When I am going to change it I could see it is grayed out . Why it is so .Is there any configuration for this in view that
  no body can change the account assignment.
  Regards
  NTT

  Hi
  As per me system will  not allow to change you account assignment in Po
  for additional info check following link
  [Change of Account Assignment in PO while adopting released PR.;
  Regards
  kailas Ugale