Category Archives: Security

AVCLI doubles audit trails, bug or feature?

I’ve started using the AV command line interface to administer AVDF. I use the tool fairly often to start, stop and monitor the audit trails. But recently I ran into a small issue after a typo. I just wanted to start the audit trail on the ADUMP directory of a database.

AVCLI> LIST TRAIL FOR SECURED TARGET TDB11A;
----------------------------------------------------------------------------------------------------------------------------------
| AUDIT_TRAIL_TYPE | HOST   | LOCATION                            | STATUS  | REQUEST_STATUS | ERROR_MESSAGE                     |
==================================================================================================================================
| DIRECTORY        | urania | /u00/app/oracle/admin/TDB11A/adump  | STOPPED |                |                                   |
| TABLE            | urania | SYS.AUD$                            | STOPPED |                |                                   |
| TRANSACTION LOG  | urania |                                     | STOPPED |                |                                   |
----------------------------------------------------------------------------------------------------------------------------------

AVCLI> START COLLECTION FOR SECURED TARGET TDB11A USING HOST urania FROM DIRECTORY '/u00/app/oracle/admin/TDB11A/adump/';

Request submitted successfully.

After submitting the start command I checked the status of the audit trails. As expected, the audit trail has been started and is now waiting in IDLE state for audit files. But wait, there are two audit trails on the same directory?! One of them has a trailing slash.

AVCLI> LIST TRAIL FOR SECURED TARGET TDB11A;
--------------------------------------------------------------------------------------------------------------
| AUDIT_TRAIL_TYPE | HOST   | LOCATION                            | STATUS  | REQUEST_STATUS | ERROR_MESSAGE |
==============================================================================================================
| DIRECTORY        | urania | /u00/app/oracle/admin/TDB11A/adump  | STOPPED |                |               |
| DIRECTORY        | urania | /u00/app/oracle/admin/TDB11A/adump/ | IDLE    |                |               |
| TABLE            | urania | SYS.AUD$                            | STOPPED |                |               |
| TRANSACTION LOG  | urania |                                     | STOPPED |                |               |
--------------------------------------------------------------------------------------------------------------

It is also possible to start both of them.

AVCLI> START COLLECTION FOR SECURED TARGET TDB11A USING HOST urania FROM DIRECTORY '/u00/app/oracle/admin/TDB11A/adump';

Request submitted successfully.

AVCLI> LIST TRAIL FOR SECURED TARGET TDB11A;
---------------------------------------------------------------------------------------------------------------
| AUDIT_TRAIL_TYPE | HOST   | LOCATION                            | STATUS  | REQUEST_STATUS  | ERROR_MESSAGE |
===============================================================================================================
| DIRECTORY        | urania | /u00/app/oracle/admin/TDB11A/adump  | STOPPED | START REQUESTED |               |
| DIRECTORY        | urania | /u00/app/oracle/admin/TDB11A/adump/ | IDLE    |                 |               |
| TABLE            | urania | SYS.AUD$                            | STOPPED |                 |               |
| TRANSACTION LOG  | urania |                                     | STOPPED |                 |               |
---------------------------------------------------------------------------------------------------------------

4 ROW(s) selected.

The command completed successfully.

Since it does not make sense to have two audit trails on the same directory I tried to drop the second audit trail.

AVCLI> STOP COLLECTION FOR SECURED TARGET TDB11A USING HOST urania FROM DIRECTORY '/u00/app/oracle/admin/TDB11A/adump/';

Request submitted successfully.

AVCLI> DROP TRAIL FOR SECURED TARGET TDB11A USING HOST urania FROM DIRECTORY '/u00/app/oracle/admin/TDB11A/adump/';
ERROR:
OAV-3025: Audit DATA has been gathered FOR trail /u00/app/oracle/admin/TDB11A/adump/ OF TYPE DIRECTORY FOR secured target TDB11A. cannot DROP trail.
  • Why the heck do I have a second audit trail?
  • Why is it not possible to remove it?

The answer to the second question is simple. Since both audit trails point to the same directory, they also somehow point to the same audit data. In the current release 12.1.1 of Oracle Audit Vault and Database Firewall it is not possible to remove an audit trail if audit data has already been collected.

OK, but why do I have a second audit trail on the same directory? The reason is not obvious, but simple. Oracle did not implement a command to create new audit trails. Instead, they use the start command. If you execute

START COLLECTION FOR SECURED TARGET

and the requested audit trail does not yet exist, it will be created. Unfortunately this behavior is not mentioned in the AVCLI documentation. I could test this successfully for other trail types. In the case of directories, Oracle checks whether the directory exists and is accessible, but they do not normalize the path name, which is why I ended up with two similar audit trails.
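A pre-flight check for the missing path normalization described above, as an added example that is not part of the original post or of AVCLI: it parses LIST TRAIL output in the layout shown here and reports whether a START COLLECTION ... FROM DIRECTORY request would hit the existing trail or create a second one. The function names and the embedded listing are assumptions made for the illustration.

```python
import posixpath

# Constructed sample: LIST TRAIL output in the layout shown in this post.
SAMPLE_LIST_TRAIL = """\
| AUDIT_TRAIL_TYPE | HOST   | LOCATION                            | STATUS  | REQUEST_STATUS | ERROR_MESSAGE |
==============================================================================================================
| DIRECTORY        | urania | /u00/app/oracle/admin/TDB11A/adump  | STOPPED |                |               |
| TABLE            | urania | SYS.AUD$                            | STOPPED |                |               |
| TRANSACTION LOG  | urania |                                     | STOPPED |                |               |
"""


def parse_trails(listing):
    """Return one dict per data row of a LIST TRAIL table."""
    rows, header = [], None
    for line in listing.splitlines():
        line = line.strip()
        if not (line.startswith("|") and line.endswith("|")):
            continue  # rule lines, prompts and status messages
        cells = [cell.strip() for cell in line[1:-1].split("|")]
        if header is None:
            header = cells  # first table row carries the column names
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def normalize_dir(path):
    """Fold trailing '/', '//', '/./' and '..' into one spelling.

    Purely lexical: symbolic links are not resolved, because the check
    runs where AVCLI runs, not on the agent host.
    """
    norm = posixpath.normpath(path.strip())
    if norm.startswith("//"):  # normpath keeps exactly two leading slashes
        norm = "/" + norm.lstrip("/")
    return norm


def check_start_directory(listing, host, directory):
    """Classify a START COLLECTION ... FROM DIRECTORY request.

    Returns (verdict, location):
      'existing'  - a trail with exactly this location string is listed
      'duplicate' - the same directory is listed under another spelling,
                    so the request would add a second trail
      'new'       - no DIRECTORY trail on this directory for this host
    """
    locations = [row["LOCATION"] for row in parse_trails(listing)
                 if row["AUDIT_TRAIL_TYPE"] == "DIRECTORY" and row["HOST"] == host]
    if directory in locations:
        return ("existing", directory)
    wanted = normalize_dir(directory)
    for location in locations:
        if normalize_dir(location) == wanted:
            return ("duplicate", location)
    return ("new", wanted)


if __name__ == "__main__":
    typo = "/u00/app/oracle/admin/TDB11A/adump/"
    print(check_start_directory(SAMPLE_LIST_TRAIL, "urania", typo))
```

Run the check against a fresh LIST TRAIL listing before submitting the start command, and submit the location returned for a 'duplicate' verdict instead of the mistyped one.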

Solution

For now there are only two possibilities. We either have to live with the second audit trail or we could try to manually drop the audit data related to this audit trail. But dropping means losing audit data, which is in most cases not feasible for production systems. I’ll provide a possible solution to drop trail data later on this blog. Oracle itself has addressed this issue in Bug 17544636 ONE CAN EASILY DUPLICATE AUDIT TRAILS WHEN USING AVCLI.

Conclusion

It is a nice feature to easily create audit trails. But I would expect it to better work around simple user errors / typos :-)


AVCLI Audit Vault command line interface

When I started to deal with Oracle Audit Vault and Database Firewall (AVDF), I always worked with the Web console. For a few weeks now I have been using the AVCLI regularly and am starting to like it. It is a simple Java-based command line utility from which you can access Audit Vault and Database Firewall servers. The look and feel of AVCLI is comparable to SQLPlus or the RMAN utility, and it lets you configure and administer the Oracle AVDF server. The utility can be used interactively or with scripts. All you need to use it is JDK 1.6 or later and a supported platform. So far I could not find any information about supported operating systems, but I’m assuming that they are the same as for the Audit Vault agent. The MOS note 1536380.1 Oracle Audit Vault and Database Firewall 12.1 platform support lists the latest information. At the moment I’m using the AVCLI on Windows 7 and Oracle Enterprise Linux 5u8.

Download and Install

The AVCLI has to be downloaded from the AVCLI Web console. To do this, navigate to the Settings tab, click Manage in the System menu and click the Download Command Line Utility button to download and save the avcli.jar.
To install it just run java with the following parameters:

java -jar avcli.jar -d INSTALLATIONPATH

First Steps

A user account with the AV_ADMIN role is required to use the AVCLI and connect to the AVDF server. On my test and engineering system I am still using AVADMIN.

Log in and show the help:

oracle@melete2:/var/lib/oracle/dbfw/ [dbfwdb] avcli

AVCLI : Release 12.1.1.1.0 - Production on Fri Oct 18 10:28:16 UTC 2013

Copyright (c) 1996, 2013 Oracle.  All Rights Reserved.

AVCLI> connect avadmin/manager;
Connected.
AVCLI> help;
 ---------------------------------------------------------------------
 For detailed help, see HELP [command] e.g., HELP REGISTER SECURED TARGET    
 
 Secured Target Management:
   * REGISTER SECURED TARGET [secured target name] OF SECURED TARGET TYPE
        [secured target type name] AT [location] [AUTHENTICATED BY
        [username/password]]
   * ALTER SECURED TARGET [secured target name] SET [options]
   * ALTER SECURED TARGET [secured target name] ADD ADDRESS [ip:port]
   * ALTER SECURED TARGET [secured target name] DROP ADDRESS [ip:port]
   * LIST ATTRIBUTE FOR SECURED TARGET [secured target name]
   * LIST METRICS FOR SECURED TARGET [secured target name]
   * LIST SECURED TARGET
   * LIST SECURED TARGET TYPE
   * LIST ADDRESS FOR SECURED TARGET [secured target name]
   * DROP SECURED TARGET [secured target name]
 
 Host Management:
   * REGISTER HOST [hostname] [WITH IP [ip address]]
   * ALTER HOST [hostname] SET [options]
   * ACTIVATE HOST [hostname]
   * DEACTIVATE HOST [hostname]
   * LIST HOST
   * DROP HOST [hostname]
 
 Trail Management:
   * START COLLECTION FOR SECURED TARGET [options]
   * STOP COLLECTION FOR SECURED TARGET [options]
   * LIST TRAIL FOR SECURED TARGET [secured target name]
   * DROP TRAIL FOR SECURED TARGET [options]
 
 Security Management:
   * GRANT ADMIN TO [username]
   * REVOKE ADMIN FROM [username]
   * GRANT SUPERADMIN TO [username]
   * REVOKE SUPERADMIN FROM [username]
   * GRANT ACCESS ON SECURED TARGET [secured target name] TO [username]
   * GRANT ACCESS ON SECURED TARGET GROUP [secured target group name]
        TO [username]
   * REVOKE ACCESS ON SECURED TARGET [secured target name] FROM [username]
   * REVOKE ACCESS ON SECURED TARGET GROUP [secured target group name]
        FROM [username]
 
 Plugin Management:
   * DEPLOY PLUGIN [plugin archive]
   * UNDEPLOY PLUGIN [plugin id]
   * LIST PLUGIN FOR SECURED TARGET TYPE [secured target type name]
 
 SMTP Server Integration:
   * REGISTER SMTP SERVER AT [host[:port]] SENDER ID [sender id]
        SENDER EMAIL [sender e-mail]
        [AUTHENTICATED BY [username]/[password]]
   * ALTER SMTP SERVER [options]
   * ALTER SMTP SERVER SECURE MODE ON PROTOCOL [SSL | TLS]
        [TRUSTSTORE [truststore]]
   * ALTER SMTP SERVER SECURE MODE OFF
   * ALTER SMTP SERVER ENABLE
   * ALTER SMTP SERVER DISABLE
   * TEST SMTP SERVER SEND EMAIL TO [e-mail address]
   * LIST ATTRIBUTE OF SMTP SERVER
   * DROP SMTP SERVER
 
 Server Management:
   * ALTER SYSTEM SET [options]
   * SHOW CERTIFICATE FOR SERVER
 
 Firewall Management:
   * REGISTER FIREWALL [firewall name] WITH IP [ip address]
   * LIST FIREWALL
   * REBOOT FIREWALL [firewall name]
   * POWEROFF FIREWALL [firewall name]
   * DROP FIREWALL [firewall name]
   * ALTER FIREWALL [firewall name] SET [options]
   * SHOW STATUS FOR FIREWALL [firewall name] [WITH DIAGNOSTICS]
   * CREATE RESILIENT PAIR FOR FIREWALL PRIMARY [ primary firewall]
        SECONDARY [secondary firewall]
   * SWAP RESILIENT PAIR HAVING FIREWALL [firewall name]
   * DROP RESILIENT PAIR HAVING FIREWALL [firewall name]
 
 Enforcement Point Management:
   * CREATE ENFORCEMENT POINT [enforcement point name] FOR
        SECURED TARGET [secured target name] USING FIREWALL
        [firewall name] TRAFFIC SOURCE [traffic source name]
        WITH MODE [mode name DPE/DAM]
   * LIST ENFORCEMENT POINT FOR FIREWALL [firewall name]
   * LIST ENFORCEMENT POINT FOR SECURED TARGET [secured target name]
   * START ENFORCEMENT POINT [enforcement point name]
   * STOP ENFORCEMENT POINT [enforcement point name]
   * ALTER ENFORCEMENT POINT [enforcement point name] SET [options]
   * DROP ENFORCEMENT POINT [enforcement point name]
 
 Miscellaneous:
   * CONNECT [username/password]
   * QUIT
   * HELP

List the secured targets:

AVCLI> LIST SECURED TARGET;
---------------------------------------------------------------------------------------------------------------------------------
| NAME   | DESCRIPTION                                             | LOCATION                               | SECUREDTARGETTYPE |
=================================================================================================================================
| TDB11  | Oracle 11.2.0.3.0 Test Database (Use to be 12.1.0.1 DB) | jdbc:oracle:thin:@//urania:1521/TDB11  | Oracle Database   |
| TDB11A | Oracle 11.2.0.3.0 Test Database                         | jdbc:oracle:thin:@//urania:1521/TDB11A | Oracle Database   |
---------------------------------------------------------------------------------------------------------------------------------

2 row(s) selected.

The command completed successfully.

List the status of the audit trails for a secured target:

AVCLI> LIST TRAIL FOR SECURED TARGET TDB11;
----------------------------------------------------------------------------------------------------------------
| AUDIT_TRAIL_TYPE | HOST   | LOCATION                          | STATUS      | REQUEST_STATUS | ERROR_MESSAGE |
================================================================================================================
| DIRECTORY        | urania | /u00/app/oracle/admin/TDB11/adump | UNREACHABLE |                |               |
| TABLE            | urania | SYS.AUD$                          | UNREACHABLE |                |               |
| TRANSACTION LOG  | urania |                                   | UNREACHABLE |                |               |
----------------------------------------------------------------------------------------------------------------

3 row(s) selected.

The command completed successfully.

Start collection of an audit trail. This requires specifying the agent host and the trail location. Below you see how to start the audit trail for the database table SYS.AUD$ and the redo collector.

AVCLI> START COLLECTION FOR SECURED TARGET TDB11 USING HOST urania FROM TABLE 'SYS.AUD$';

Request submitted successfully.

AVCLI> START COLLECTION FOR SECURED TARGET TDB11 USING HOST urania FROM TRANSACTION LOG;

Request submitted successfully.

AVCLI> LIST TRAIL FOR SECURED TARGET TDB11;
----------------------------------------------------------------------------------------------------------------
| AUDIT_TRAIL_TYPE | HOST   | LOCATION                          | STATUS      | REQUEST_STATUS | ERROR_MESSAGE |
================================================================================================================
| DIRECTORY        | urania | /u00/app/oracle/admin/TDB11/adump | UNREACHABLE |                |               |
| TABLE            | urania | SYS.AUD$                          | IDLE        |                |               |
| TRANSACTION LOG  | urania |                                   | COLLECTING  |                |               |
----------------------------------------------------------------------------------------------------------------

3 row(s) selected.

The command completed successfully.

Run Scripts

Scripts can be executed directly as a command line parameter when starting AVCLI or interactively when using the AVCLI.

Start a script from the command line by specifying the user and script name.

oracle@melete2:~/ [dbfwdb] avcli -u avadmin -f report_av_status.av

AVCLI : Release 12.1.1.1.0 - Production on Fri Oct 18 10:40:04 UTC 2013

Copyright (c) 1996, 2013 Oracle.  All Rights Reserved.

Enter password for 'avadmin':        

Connected to:
Oracle Audit Vault Server - Version : 12.1.1.1.0

AVCLI>
---------------------------------------------------------------------------------------------------------------------------------
| NAME   | DESCRIPTION                                             | LOCATION                               | SECUREDTARGETTYPE |
=================================================================================================================================
| TDB11  | Oracle 11.2.0.3.0 Test Database (Use to be 12.1.0.1 DB) | jdbc:oracle:thin:@//urania:1521/TDB11  | Oracle Database   |
| TDB11A | Oracle 11.2.0.3.0 Test Database                         | jdbc:oracle:thin:@//urania:1521/TDB11A | Oracle Database   |
---------------------------------------------------------------------------------------------------------------------------------

2 row(s) selected.

The command completed successfully.

AVCLI>
----------------------------------------------------------------------------------------------------------------
| AUDIT_TRAIL_TYPE | HOST   | LOCATION                          | STATUS      | REQUEST_STATUS | ERROR_MESSAGE |
================================================================================================================
| DIRECTORY        | urania | /u00/app/oracle/admin/TDB11/adump | UNREACHABLE |                |               |
| TABLE            | urania | SYS.AUD$                          | IDLE        |                |               |
| TRANSACTION LOG  | urania |                                   | COLLECTING  |                |               |
----------------------------------------------------------------------------------------------------------------

3 row(s) selected.

The command completed successfully.

AVCLI>

Or with username/password in the script.

oracle@melete2:~/ [dbfwdb] avcli -f start_trails_TDB11.av

AVCLI : Release 12.1.1.1.0 - Production on Fri Oct 18 10:46:45 UTC 2013

Copyright (c) 1996, 2013 Oracle.  All Rights Reserved.

AVCLI> Connected.
AVCLI> AVCLI>
Request submitted successfully.

AVCLI>
Request submitted successfully.

AVCLI>
Request submitted successfully.

AVCLI>

oracle@melete2:~/ [dbfwdb] cat start_trails_TDB11.av
connect avadmin/manager;

START COLLECTION FOR SECURED TARGET TDB11 USING HOST urania FROM TABLE 'SYS.AUD$';
START COLLECTION FOR SECURED TARGET TDB11 USING HOST urania FROM TRANSACTION LOG;
START COLLECTION FOR SECURED TARGET TDB11 USING HOST urania FROM DIRECTORY '/u00/app/oracle/admin/TDB11/adump';

The downside is that the password is stored in the script or it must be entered interactively.
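A check for the downside just mentioned, as an added example that is not part of the original post or of AVCLI: it finds CONNECT statements with an inline password in AVCLI scripts, reports whether the script file is readable by group or others, and produces a redacted copy that can be shared. The function names are assumptions; the sample script repeats the first lines of start_trails_TDB11.av shown above.

```python
import os
import re
import stat

# CONNECT with an inline password, as in: connect user/password;
CONNECT_WITH_PW = re.compile(r"^\s*connect\s+([^/\s;]+)/([^;\s]+)\s*;", re.IGNORECASE)

# Sample input: first lines of start_trails_TDB11.av from this post.
SAMPLE_SCRIPT = (
    "connect avadmin/manager;\n"
    "\n"
    "START COLLECTION FOR SECURED TARGET TDB11 USING HOST urania FROM TABLE 'SYS.AUD$';\n"
)


def find_inline_credentials(script_text):
    """Return [(line_no, user)] for CONNECT statements that embed a password.

    The password is never returned, so the findings are safe to log.
    """
    findings = []
    for line_no, line in enumerate(script_text.splitlines(), start=1):
        match = CONNECT_WITH_PW.match(line)
        if match:
            findings.append((line_no, match.group(1)))
    return findings


def redact(script_text):
    """Return the script with every inline password replaced by ****."""
    return "\n".join(
        CONNECT_WITH_PW.sub(lambda m: "connect %s/****;" % m.group(1), line)
        for line in script_text.splitlines()
    )


def audit_script(path):
    """Report inline credentials and whether group/other may read the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as handle:
        credentials = find_inline_credentials(handle.read())
    return {
        "path": path,
        "inline_credentials": credentials,
        "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        "mode": oct(mode),
    }


if __name__ == "__main__":
    print(find_inline_credentials(SAMPLE_SCRIPT))
    print(redact(SAMPLE_SCRIPT))
```

A script that reports no inline credentials is the kind started with avcli -u avadmin -f as shown earlier, where the password is entered at the prompt.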

Conclusion

AVCLI is a nice little tool that is worth looking at more closely. In addition to the automation of administrative tasks it is a handy day-to-day tool for the AV administrator, with a bit of room for improvement. :-) OK, it would be helpful if there were an alternative to username/password for automatically executing scripts without storing the passwords in cleartext. Why not have something similar to the secure external password store or the emcli function to store credentials?

A few possible use cases for AVCLI:

  • Provision new secure targets and audit trails
  • Automating administration tasks
  • Alternative administration interface
  • Automatic start of audit collection with system or database startup


Oracle released CPU / PSU October 2013

As announced yesterday in my post Oracle CPU / PSU Pre-Release Announcement October 2013, Oracle has now released the last Critical Patch Update for 2013. Overall this CPU contains 126 new security fixes across several Oracle products like Database Server, MySQL Server, Sun Product Suite, WebLogic Server etc. For Oracle Database it contains only 2 security fixes with a rather medium CVSS rating. Although the core RDBMS is affected, it is probably not necessary to run a fire drill. If you have planned to patch anyway, it makes sense to consider the latest PSU or SPU. And if you plan to install the Oracle 11.2.0.4.0 patch set, this critical patch update can even be skipped, since there is no PSU or SPU available for 11.2.0.4. According to the patch read-me, it seems that CVE-2013-5771 is fixed in 11.2.0.4. But I can’t confirm this, because I could not find a Bug-ID to compare.

By the way, Oracle has changed a few things in database security patching for 12c. They will not publish any separate Security Patch Updates (SPU) anymore, but solely Patch Set Updates (PSU).

CPU Release Dates

The next four Critical Patch Updates will be released at the following dates:

  • 14 January 2014
  • 15 April 2014
  • 15 July 2014
  • 14 October 2014


Changes in database security patching with 12c

During my preparation for the tests of the October Critical Patch Updates (CPU), I stumbled over an interesting Oracle Support Document. In this document Oracle announced that there will no longer be a separate SPU (Security Patch Update) respectively CPU (Critical Patch Update) for 12.1.0.1 and newer.

Excerpt from Oracle support document 1581950.1 Database Security Patching from 12.1.0.1 onwards:

Starting with Oracle Database version 12.1.0.1, Oracle will only provide Patch Set Update (PSU) patches to meet the Critical Patch Update (CPU) program requirements for security patching. SPU (Security Patch Update) patches will no longer be available. Oracle has moved to this simplified model due to the popularity of the PSU patches. PSUs are Oracle’s preferred proactive patching vehicle since their inception in 2009 [1].

In future it will be much easier to decide on CPU or PSU patches. :-) The downside is that testing becomes more complicated, since the PSUs (Patch Set Updates) include security patches as well as functional bug fixes.


Oracle CPU / PSU Pre-Release Announcement October 2013

Oracle has published the Pre-Release Announcement for the October CPU/SPU Patch. This Critical Patch Update contains 126 new security vulnerability fixes for several Oracle products. Despite the large number of security fixes, it is a rather small update from the database point of view. There are only two security fixes for the Oracle Database Server and none for client-only installations. But it does contain the fix for Oracle Database 12c Release 1.

The announced highest CVSS rating for databases is 5.5. Because the core RDBMS is affected, it will probably make sense to install this CPU on any database environment. But this has to be verified as soon as the CPU is officially released later this week.

More details about the patch will follow soon on the Oracle Security Pages.

Update agent.jar on audit vault server

As I wrote in my post Error installing Audit Vault Agent 12.1.1 on AIX, there is an Audit Vault Agent bug 17058352 on AIX. Unfortunately it hasn’t yet been fixed in the latest bundle patch for Oracle Audit Vault and Database Firewall. If you haven’t changed your default profile in /etc/profile on your AIX server, you will run into the same issues again when trying to update the agents according to the patch readme. Rather than downloading and fixing the agent.jar on each AIX system, it is also possible to update the agent.jar on the Audit Vault server before updating and restarting the agents on the monitored servers.

To do this, just log in to the Oracle Audit Vault and Database Firewall server as support and become oracle.

ssh support@melete2

su - root
su - oracle

Locate your agent.jar, back it up and unpack the agentctl script.

cd /var/lib/oracle/dbfw/av/jlib/
cp agent.jar agent.jar_backup_bugfix_17058352
jar -xf agent.jar bin/agentctl

Update the agentctl script and add LOGNAME to the list of pass-through variables on line 46.

43  # Passthrough env vars
44  # Note: we passthru any vars with "-" invalid character
45  #
46  passthru='^TZ$|^LANG$|^LC_|^JAVA_HOME$|^PATH$|^PS1$|^LOGNAME$|-'

Put the updated agentctl script back into the agent.jar and run a regular installation.

jar -uf agent.jar bin/agentctl

You can now proceed with updating the agent on the AIX servers.

Update: ORA-00600 [kpdbModAdminPasswdInRoot: not CDB] when changing password of default account

As discussed in my post ORA-00600 [kpdbModAdminPasswdInRoot: not CDB] when changing password of default account, there is an unpublished bug 16901482 which causes an ORA-00600 when trying to set a new password for an Oracle default account like DBSNMP, DIP or OUTLN.

On September 4th Oracle released the one-off patch 16901482 for this bug. A short test showed that the issue has been fixed with this patch. Unfortunately the patch is only available for Linux x86-64.

Simple offline patch installation according to the patch README.

oracle@urania:~/16901482/ [TDB12] $cdh/OPatch/opatch prereq CheckConflictAgainstOHWithDetail -ph ./
Oracle Interim Patch Installer version 12.1.0.1.0
Copyright (c) 2012, Oracle Corporation.  All rights reserved.

PREREQ session

Oracle Home       : /u00/app/oracle/product/12.1.0.1
Central Inventory : /u00/app/oraInventory
   from           : /u00/app/oracle/product/12.1.0.1/oraInst.loc
OPatch version    : 12.1.0.1.0
OUI version       : 12.1.0.1.0
Log file location : /u00/app/oracle/product/12.1.0.1/cfgtoollogs/opatch/opatch2013-09-09_17-06-52PM_1.log

Invoking prereq "checkconflictagainstohwithdetail"

Prereq "checkConflictAgainstOHWithDetail" passed.

OPatch succeeded.
oracle@urania:~/16901482/ [TDB12] $cdh/OPatch/opatch apply
Oracle Interim Patch Installer version 12.1.0.1.0
Copyright (c) 2012, Oracle Corporation.  All rights reserved.


Oracle Home       : /u00/app/oracle/product/12.1.0.1
Central Inventory : /u00/app/oraInventory
   from           : /u00/app/oracle/product/12.1.0.1/oraInst.loc
OPatch version    : 12.1.0.1.0
OUI version       : 12.1.0.1.0
Log file location : /u00/app/oracle/product/12.1.0.1/cfgtoollogs/opatch/16901482_Sep_09_2013_17_07_24/apply2013-09-09_17-07-23PM_1.log

Applying interim patch '16901482' to OH '/u00/app/oracle/product/12.1.0.1'
Verifying environment and performing prerequisite checks...
All checks passed.

Please shutdown Oracle instances running out of this ORACLE_HOME on the local system.
(Oracle Home = '/u00/app/oracle/product/12.1.0.1')


Is the local system ready for patching? [y|n]
y
User Responded with: Y
Backing up files...

Patching component oracle.rdbms, 12.1.0.1.0...

Verifying the update...
Patch 16901482 successfully applied
Log file location: /u00/app/oracle/product/12.1.0.1/cfgtoollogs/opatch/16901482_Sep_09_2013_17_07_24/apply2013-09-09_17-07-23PM_1.log

OPatch succeeded.
oracle@urania:~/16901482/ [TDB12] $cdh/OPatch/opatch lsinventory
Oracle Interim Patch Installer version 12.1.0.1.0
Copyright (c) 2012, Oracle Corporation.  All rights reserved.


Oracle Home       : /u00/app/oracle/product/12.1.0.1
Central Inventory : /u00/app/oraInventory
   from           : /u00/app/oracle/product/12.1.0.1/oraInst.loc
OPatch version    : 12.1.0.1.0
OUI version       : 12.1.0.1.0
Log file location : /u00/app/oracle/product/12.1.0.1/cfgtoollogs/opatch/opatch2013-09-09_17-08-09PM_1.log

Lsinventory Output file location : /u00/app/oracle/product/12.1.0.1/cfgtoollogs/opatch/lsinv/lsinventory2013-09-09_17-08-09PM.txt

--------------------------------------------------------------------------------
Installed Top-level Products (2):

Oracle Database 12c                                                  12.1.0.1.0
Oracle Database 12c Examples                                         12.1.0.1.0
There are 2 products installed in this Oracle Home.


Interim patches (1) :

Patch  16901482     : applied on Mon Sep 09 17:07:51 CEST 2013
Unique Patch ID:  16618513
   Created on 4 Sep 2013, 12:02:44 hrs PST8PDT
   Bugs fixed:
     16901482

--------------------------------------------------------------------------------

OPatch succeeded.

Simple test with the DBSNMP user, similar to the test in the initial post.

SQL> col username FOR a20
SQL> SELECT username,account_status,password_versions,ORACLE_MAINTAINED FROM dba_users
  2  WHERE username='DBSNMP';

USERNAME             ACCOUNT_STATUS                   PASSWORD_VER O
-------------------- -------------------------------- ------------ -
DBSNMP               EXPIRED                          10G 11G      Y

SQL> conn dbsnmp/dbsnmp
ERROR:
ORA-28001: the password has expired

Changing password FOR dbsnmp
NEW password:
Retype NEW password:
Password changed
Connected.
SQL> exit