David Litchfield's Weblog


07/01/2010: "Checking logons in Oracle in the absence of auditing"


So, it turns out SQL*Plus under 10g Release 1 executes "SELECT NULL FROM DUAL FOR UPDATE NOWAIT" when the user logs in. This creates a transaction, which is in turn logged in the redo logs, and we can use that to get logon times. What's more, a record of this transaction can also be found in the X$KTUQQRY in-memory table, which we can query: SELECT DISTINCT LOGON_USER, COMMIT_TIMESTAMP FROM X$KTUQQRY. This will nicely show us who logged onto the system and when, which, in the absence of auditing being enabled, is very useful during forensic investigations. Will need to investigate other versions of the Oracle client.
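
The query above, extended into a timeline and a per-account summary. This is an added example, not code from the original post. It assumes a SQL*Plus session connected AS SYSDBA (X$ tables are visible only to SYS) and uses only the two columns named in the post; the spool file name and the column aliases are placeholders chosen here.

```sql
-- Added example: logon timeline from X$KTUQQRY (run as SYS in SQL*Plus).
-- Assumption: LOGON_USER and COMMIT_TIMESTAMP exist as named in the post.

SET PAGESIZE 50000
SET LINESIZE 200

-- X$KTUQQRY is an in-memory table, so keep a copy of what it held
-- at collection time. The file name is a placeholder.
SPOOL logon_timeline.txt

-- 1. Chronological timeline.
--    TO_CHAR forces the time of day into the output; the default
--    session date format (DD-MON-RR) would display the date only.
SELECT DISTINCT
       logon_user,
       TO_CHAR(commit_timestamp, 'YYYY-MM-DD HH24:MI:SS') AS commit_time
FROM   x$ktuqqry
WHERE  commit_timestamp IS NOT NULL
ORDER  BY commit_time, logon_user;

-- 2. Per-account summary: first and last recorded time, and how many
--    distinct times each account appears with.
SELECT logon_user,
       TO_CHAR(MIN(commit_timestamp), 'YYYY-MM-DD HH24:MI:SS') AS first_seen,
       TO_CHAR(MAX(commit_timestamp), 'YYYY-MM-DD HH24:MI:SS') AS last_seen,
       COUNT(DISTINCT commit_timestamp)                        AS times_seen
FROM   x$ktuqqry
WHERE  commit_timestamp IS NOT NULL
GROUP  BY logon_user
ORDER  BY MAX(commit_timestamp) DESC;

SPOOL OFF
```

If the collection session is itself opened with SQL*Plus under 10g Release 1, the logon behaviour described in the post means the investigator's own logon may appear in the results, so note the collection time alongside the spooled output.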