Oracle AUD$ auditing: finding the client IP that locked a user account

Posted by 我爱睡莲


Preface: this article was compiled by the editors of cha138.com and covers using Oracle AUD$ auditing to find the client IP that locked a user account.

Problem: use AUD$ auditing to find the client IP that keeps locking a user account.


1. Find the locked user

-- LOCKED(TIMED) is the status Oracle sets when FAILED_LOGIN_ATTEMPTS is exceeded;
-- LOCKED is set by an explicit ALTER USER ... ACCOUNT LOCK. Check both.
SELECT USERNAME, ACCOUNT_STATUS, LOCK_DATE FROM DBA_USERS WHERE ACCOUNT_STATUS = 'LOCKED(TIMED)';
SELECT USERNAME, ACCOUNT_STATUS, LOCK_DATE FROM DBA_USERS WHERE ACCOUNT_STATUS = 'LOCKED';

USERNAME   ACCOUNT_STATUS   LOCK_DATE
---------- ---------------- ---------
TEST01     LOCKED           20-AUG-21


2. Back up the audit table

Check how much is already in the trail. With 21 million rows the queries in step 5 would be slow, so copy the table aside and clear it before enabling the new audit option. Truncating SYS.AUD$ discards every record that is not in the copy, and anything written between the CTAS and the TRUNCATE is lost, so do this while the audit trail is quiet.

select count(*) from aud$;
  COUNT(*)
----------
  21419082

-- keep a full copy in its own tablespace, then clear the live trail
create table audit_20210823 TABLESPACE DATA_AUDI as select * from sys.aud$;
truncate table sys.aud$;


3. Check that auditing is enabled

show parameter audit_trail

NAME          TYPE     VALUE
------------- -------- ------
audit_trail   string   DB

If the value is NONE, auditing is off. audit_trail is a static parameter, so set it in the spfile and restart the instance for it to take effect:
alter system set audit_trail=db scope=spfile;


4. Enable auditing of failed logons for the locked user

-- Record only unsuccessful logon attempts by the target user; successful logons are not
-- audited, which keeps the volume low. The option can be confirmed in DBA_STMT_AUDIT_OPTS.
AUDIT SESSION BY TEST01 WHENEVER NOT SUCCESSFUL;


5. Check the audit log

alter session set nls_date_format='YYYYMMDD HH24:MI:SS';
SELECT A.TIMESTAMP, A.RETURNCODE FROM DBA_AUDIT_SESSION A WHERE A.USERNAME = 'TEST01' ORDER BY 1;

TIMESTAMP             RETURNCODE
--------------------  ----------
2021/8/20 13:41:16          1017
2021/8/20 13:41:26          1017
2021/8/20 13:41:46          1017
2021/8/20 13:41:56          1017
2021/8/20 13:42:06          1017
2021/8/20 13:58:17         28000
2021/8/20 14:00:38         28000

The listing above is an excerpt of the full output. In the full output, the account was unlocked at 16:33:25, ten consecutive ORA-01017 (wrong password) attempts followed, and from then on the attempts return ORA-28000 (account locked). Ten failures is the FAILED_LOGIN_ATTEMPTS limit of the DEFAULT profile; the limit that actually applies to this user is in DBA_PROFILES for the profile assigned in DBA_USERS.

ORA-01017: invalid username/password; logon denied
ORA-28000: the account is locked

Take the client IP from the connection string in COMMENT$TEXT and tell whoever owns that client to fix it (typically an application, script or scheduled job still using an old password). The HOST value is the address the listener saw: if the client comes through a NAT device or a connection pool on an application server, that is the address you get, not the end user's workstation.

SELECT A.COMMENT$TEXT FROM SYS.AUD$ A WHERE USERID = 'TEST01';

COMMENT$TEXT
Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.163.1)(PORT=63364))
Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.163.1)(PORT=63365))
...
Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.163.1)(PORT=55396))
Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.163.1)(PORT=55397))

Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.163.1)(PORT=55409))
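As an added example that is not part of the original post, the two queries below do the correlation in one pass instead of reading timestamps and connection strings from separate result sets. They read the same records through DBA_AUDIT_TRAIL, whose COMMENT_TEXT column is SYS.AUD$.COMMENT$TEXT, pull HOST and PORT out of the "Client address: (ADDRESS=...)" string with REGEXP_SUBSTR, and tally ORA-01017 failures per client address. The user name TEST01 and the one-day window are placeholders to adapt.

```sql
-- Added example, not code from the original post. Assumes audit_trail=DB,
-- AUDIT SESSION ... WHENEVER NOT SUCCESSFUL is active for the user, the target
-- user is TEST01 and the last 24 hours is the window of interest.
ALTER SESSION SET nls_date_format = 'YYYY-MM-DD HH24:MI:SS';

-- 1) One row per failed logon: when, from where, under which OS account, and why.
--    COMMENT_TEXT looks like
--    "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.163.1)(PORT=63364))"
--    so the 6th REGEXP_SUBSTR argument (subexpression 1) returns just the HOST / PORT value.
SELECT t.timestamp,
       t.returncode,
       CASE t.returncode
         WHEN 1017  THEN 'ORA-01017 invalid username/password'
         WHEN 28000 THEN 'ORA-28000 account is locked'
         ELSE 'ORA-' || LPAD(TO_CHAR(t.returncode), 5, '0')
       END AS reason,
       t.os_username,
       t.userhost,
       REGEXP_SUBSTR(t.comment_text, 'HOST=([^)]+)', 1, 1, NULL, 1) AS client_ip,
       REGEXP_SUBSTR(t.comment_text, 'PORT=([0-9]+)', 1, 1, NULL, 1) AS client_port
  FROM dba_audit_trail t
 WHERE t.action_name = 'LOGON'
   AND t.username    = 'TEST01'
   AND t.returncode <> 0
   AND t.timestamp  >= SYSDATE - 1
 ORDER BY t.timestamp;

-- 2) Per client address: bad-password attempts (these are what consume
--    FAILED_LOGIN_ATTEMPTS) versus attempts made while the account was already
--    locked. The source with the most ORA-01017 rows just before LOCK_DATE is the
--    one to chase. Rows with no client address string are grouped under 'n/a'.
SELECT COALESCE(REGEXP_SUBSTR(t.comment_text, 'HOST=([^)]+)', 1, 1, NULL, 1), 'n/a') AS client_ip,
       t.os_username,
       t.userhost,
       SUM(CASE WHEN t.returncode = 1017  THEN 1 ELSE 0 END) AS bad_password,
       SUM(CASE WHEN t.returncode = 28000 THEN 1 ELSE 0 END) AS while_locked,
       MIN(t.timestamp) AS first_seen,
       MAX(t.timestamp) AS last_seen
  FROM dba_audit_trail t
 WHERE t.action_name = 'LOGON'
   AND t.username    = 'TEST01'
   AND t.returncode IN (1017, 28000)
   AND t.timestamp  >= SYSDATE - 1
 GROUP BY COALESCE(REGEXP_SUBSTR(t.comment_text, 'HOST=([^)]+)', 1, 1, NULL, 1), 'n/a'),
          t.os_username,
          t.userhost
 ORDER BY bad_password DESC, first_seen;
```

Run these as a user that can read the DBA_ audit views, and cross-check the top client_ip against LOCK_DATE from step 1. The six-argument REGEXP_SUBSTR form needs Oracle 11g or later; on 10g, wrap the five-argument result in SUBSTR to strip the "HOST=" prefix instead.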


6. Turn auditing off

-- NOAUDIT must mirror the AUDIT statement that was issued in step 4
NOAUDIT SESSION BY TEST01;

To audit failed logons for every user instead of a single one, use:
AUDIT SESSION WHENEVER NOT SUCCESSFUL;
NOAUDIT SESSION; -- turn it off again

