I am not an Oracle DBA, and I am not getting an answer from our on-site
Oracle DBAs about this problem. I would like to know if anyone has had a
similar problem with Oracle on zLinux making multiple authentications to
itself.

We have several servers using Oracle; however, two of the dozen-plus
servers have a high volume of authentications. Every day I run a cron
job that captures a summary of audit activity, including authentications
(aureport), on each of our servers. The average server has about 10-25
authentications per day, except for two Oracle servers. These two servers
have over 2,300 authentications.

As the next step, I looked at why by looking for a pattern, and found that
the oracle user account accesses itself (points to its own IP address) 9
times every five minutes. It is like the Oracle application is doing an ssh
to the server IP address instead of the other server in the rack, or there
is some other reason.

#> aureport -au (returns):

# date time acct host term exe success event
. . . . . . . .
35. 05/03/2011 00:21:01 oracle <server IP address> ? /usr/sbin/sshd yes 2221509
36. 05/03/2011 00:21:01 oracle <server IP address> ? /usr/sbin/sshd yes 2221519
37. 05/03/2011 00:21:01 oracle <server IP address> ? /usr/sbin/sshd yes 2221529
38. 05/03/2011 00:21:02 oracle <server IP address> ? /usr/sbin/sshd yes 2221561
39. 05/03/2011 00:21:02 oracle <server IP address> ? /usr/sbin/sshd yes 2221571
40. 05/03/2011 00:21:02 oracle <server IP address> ? /usr/sbin/sshd yes 2221581
41. 05/03/2011 00:21:03 oracle <server IP address> ? /usr/sbin/sshd yes 2221591
42. 05/03/2011 00:21:03 oracle <server IP address> ? /usr/sbin/sshd yes 2221601
43. 05/03/2011 00:21:03 oracle <server IP address> ? /usr/sbin/sshd yes 2221611
. . . . . . . .

Here is a copy of the last event 2221611 in detail (ausearch -a 2221611):

time->Tue May  3 00:21:03 2011
type=USER_AUTH msg=audit(1304396463.675:2221611): user pid=15285 uid=0 auid=4294967295 msg='op=pubkey_auth rport=7992 acct="oracle" exe="/usr/sbin/sshd" (hostname=?, addr=<server IP address>, terminal=? res=success)'

Is there a setting in Oracle that should be corrected? Can anyone point
me to any doc I can share with my DBAs to help resolve this? Has anyone
else seen a similar problem? Is there a way with audit to associate a
PID with an event?

James Chaplin

Systems Programmer, MVS, zVM & zLinux
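
The pattern search described in the post, as an added example that is not part of the original message: it parses raw USER_AUTH records, keeps the pid= field (the sshd process that reported each authentication), and flags five-minute windows in which one account authenticates repeatedly from the host's own address. The address 192.0.2.10, the jdoe account, the threshold and all PIDs other than 15285 are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the USER_AUTH record quoted in the post.
# 192.0.2.10 stands in for the server's own address; event 2221700, the jdoe
# account and every PID except 15285 are made up for the example.
TEMPLATE = ("type=USER_AUTH msg=audit({ts}.675:{event}): user pid={pid} uid=0 "
            "auid=4294967295 msg='op=pubkey_auth rport=7992 acct=\"{acct}\" "
            "exe=\"/usr/sbin/sshd\" (hostname=?, addr={addr}, terminal=? res=success)'")
ROWS = [(1304396462, 2221571, 15245, "oracle", "192.0.2.10"),
        (1304396462, 2221581, 15255, "oracle", "192.0.2.10"),
        (1304396463, 2221591, 15265, "oracle", "192.0.2.10"),
        (1304396463, 2221601, 15275, "oracle", "192.0.2.10"),
        (1304396463, 2221611, 15285, "oracle", "192.0.2.10"),
        (1304396470, 2221700, 15300, "jdoe", "198.51.100.7")]
SAMPLE = "\n".join(TEMPLATE.format(ts=t, event=e, pid=p, acct=a, addr=h)
                   for t, e, p, a, h in ROWS)

RECORD = re.compile(
    r'type=USER_AUTH msg=audit\((?P<ts>\d+)\.\d+:(?P<event>\d+)\):.*?'
    r'\bpid=(?P<pid>\d+).*?op=(?P<op>\S+).*?acct="(?P<acct>[^"]+)"'
    r'.*?exe="(?P<exe>[^"]+)".*?addr=(?P<addr>[^,\s]+).*?res=(?P<res>\w+)')

def parse(text):
    """Return one dict per USER_AUTH record, including the reporting PID."""
    records = []
    for line in text.splitlines():
        m = RECORD.search(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = int(rec["ts"])
            records.append(rec)
    return records

def self_auth_bursts(records, local_addrs, window=300, threshold=5):
    """Bucket successful auths that originate from the host's own addresses
    into fixed windows; return buckets holding at least `threshold` events."""
    buckets = defaultdict(list)
    for r in records:
        if r["res"] == "success" and r["addr"] in local_addrs:
            key = (r["acct"], r["addr"], r["ts"] - r["ts"] % window)
            buckets[key].append((r["event"], r["pid"]))
    return {k: v for k, v in buckets.items() if len(v) >= threshold}

if __name__ == "__main__":
    for key, hits in self_auth_bursts(parse(SAMPLE), {"192.0.2.10"}).items():
        print(key, "->", len(hits), "auths; (event, sshd pid):", hits)
```

On a live system the input would come from `ausearch -m USER_AUTH --raw` rather than the constructed sample.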


----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit
http://wiki.linuxvm.org/
