SSH sessions and automated CRON jobs that log in to your Oracle database are shown as failed logins
SSH sessions and automated CRON jobs that log in to your Oracle database through SQLPLUS and RMAN with /as sysdba show as failed logins.
Oracle responds to these login attempts with the following error, even if it is not shown on the screen:
ORA-01017: invalid username/password; logon denied.
This error triggers the failed login alert. For example, if the database user WRONGLOGIN is a member of the DBA group and logs in as WRONGLOGIN as sysdba, the database authentication of WRONGLOGIN fails. This failure causes the ORA-01017 error alert to trigger and is reflected in the Guardium log. However, users with sysdba privileges can connect to the database without database authentication, so the session is allowed to continue. Both events are captured and recorded.
Guardium collectors are affected.
Resolving the problem
You can amend the policy to include an allow action before the rule that alerts about failed logins. Create an exception rule in the policy with the following conditions.
Client IP = <Server IP>
Source program = SQLPLUS
DB user in trusted group
OS user in group of Oracle DBAs
Net protocol = BEQUEATH (if local BEQUEATH, not TCP)
This rule skips the failed login alerts that are caused by the ORA-01017 error, but the failed logins are still logged. To filter the failed login alerts out of the reports, add these conditions to the end of the conditions list:
AND (
    client IP <> server IP
    OR src prg <> SQLPLUS
    OR db user NOT IN group of trusted
    OR os user NOT IN group of oracle DBAs
    OR net protocol <> BEQUEATH (if this is local BEQUEATH, not TCP)
)
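The following Python sketch is an added example, not Guardium or IBM code. It models the exception rule and the report filter as predicates over constructed failed-login events, showing that the filter is the exact complement of the rule, so a failed login from any other source still alerts and is still reported. The field names, server IP, and group contents are assumptions made for illustration.

```python
# Added illustration: field names and group contents are assumptions, not Guardium's schema.
from typing import NamedTuple

SERVER_IP = "192.0.2.10"                   # constructed value
TRUSTED_DB_USERS = {"SYS", "WRONGLOGIN"}   # constructed trusted DB user group
ORACLE_DBA_OS_USERS = {"oracle"}           # constructed OS group of Oracle DBAs

class FailedLogin(NamedTuple):
    client_ip: str
    source_program: str
    db_user: str
    os_user: str
    net_protocol: str

def matches_exception_rule(e: FailedLogin) -> bool:
    """Exception rule: all five conditions must hold."""
    return (e.client_ip == SERVER_IP
            and e.source_program.upper() == "SQLPLUS"
            and e.db_user.upper() in TRUSTED_DB_USERS
            and e.os_user in ORACLE_DBA_OS_USERS
            and e.net_protocol.upper() == "BEQUEATH")

def kept_in_report(e: FailedLogin) -> bool:
    """Report filter: the OR of the negated conditions."""
    return (e.client_ip != SERVER_IP
            or e.source_program.upper() != "SQLPLUS"
            or e.db_user.upper() not in TRUSTED_DB_USERS
            or e.os_user not in ORACLE_DBA_OS_USERS
            or e.net_protocol.upper() != "BEQUEATH")

# Constructed sample failed-login events (not real log data).
EVENTS = [
    FailedLogin(SERVER_IP, "sqlplus", "WRONGLOGIN", "oracle", "BEQUEATH"),  # local cron job
    FailedLogin("198.51.100.7", "sqlplus", "WRONGLOGIN", "oracle", "TCP"),  # remote client
    FailedLogin(SERVER_IP, "sqlplus", "SCOTT", "oracle", "BEQUEATH"),       # untrusted DB user
    FailedLogin(SERVER_IP, "sqlplus", "SYS", "www-data", "BEQUEATH"),       # non-DBA OS user
]

def triage(events):
    """Split events into (suppressed, still reported); each event lands in exactly one."""
    if any(matches_exception_rule(e) == kept_in_report(e) for e in events):
        raise ValueError("rule and report filter are not complements")
    suppressed = [e for e in events if matches_exception_rule(e)]
    reported = [e for e in events if kept_in_report(e)]
    return suppressed, reported

if __name__ == "__main__":
    suppressed, reported = triage(EVENTS)
    print(f"suppressed={len(suppressed)} reported={len(reported)}")
```

Only the local BEQUEATH login by a trusted DB user under an Oracle DBA OS account is suppressed; the remote, untrusted-user, and non-DBA cases remain visible.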