Oracle AUD审计 找出锁定用户的客户端IP

问题描述:运用AUD审计找出锁定用户的客户端IP

 

1.查询被锁用户

SELECT USERNAME, ACCOUNT_STATUS, LOCK_DATE FROM DBA_USERS WHERE ACCOUNT_STATUS = 'LOCKED(TIMED)';
SELECT USERNAME, ACCOUNT_STATUS, LOCK_DATE FROM DBA_USERS WHERE ACCOUNT_STATUS = 'LOCKED';

USERNAME               ACCOUNT_STATUS            LOCK_DATE
------------------------------ -------------------------------- ---------
TEST01                   LOCKED                20-AUG-21

 

2.备份审计表

select count(*) from aud$;
  COUNT(*)
----------
  21419082

create table audit_20210823 TABLESPACE DATA_AUDI as select * from sys.aud$;
truncate table sys.aud$;

 

3.检查审计功能

show parameter audit_trail

NAME                     TYPE     VALUE
------------------------------------ ----------- ------------------------------
audit_trail                 string     DB
如果没开启就是NONE,改参数,重启实例生效;
alter system set audit_trail=db scope=spfile;

 

4.开启对锁定用户的审计功能

--对目标用户登陆失败进行审计
AUDIT SESSION BY A_MKU_XH  WHENEVER NOT SUCCESSFUL;

 

5.检查审计日志

alter session set nls_date_format='YYYYMMDD HH24:MI:SS';
SELECT A.TIMESTAMP, A.RETURNCODE FROM DBA_AUDIT_SESSION A WHERE A.USERNAME = 'TEST01' ORDER BY 1;
       TIMESTAMP    RETURNCODE
109    2021/8/20 13:58:17    28000
110    2021/8/20 14:00:38    28000
71    2021/8/20 13:41:46    1017
72    2021/8/20 13:41:56    1017
73    2021/8/20 13:42:06    1017
68    2021/8/20 13:41:16    1017
69    2021/8/20 13:41:26    1017

可以看出从16:33:25开始,对用户解锁,接着连续10次的1017密码错误,随后继续28000用户被锁。

01017, 00000, “invalid username/password; logon denied”
28000, 00000, “the account is locked”

从COMMENT$TEXT 连接串找到客户端IP,通知用户使用人处理;
SELECT A.COMMENT$TEXT FROM SYS.AUD$ A WHERE USERID = 'TEST01';
       COMMENT$TEXT
14    Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.163.1)(PORT=63364))
15    Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.163.1)(PORT=63365))

27    Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.163.1)(PORT=55396))
28    Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.163.1)(PORT=55397))
29    
30    Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.163.1)(PORT=55409))

 

6.关闭审计

NOAUDIT CONNECT TEST01;

如果想对所有用户开启登陆失败审计,则用下面的命令:
AUDIT SESSION WHENEVER NOT SUCCESSFUL;
NOAUDIT CONNECT; --关闭审计

 

posted @ 2022-03-18 09:50  我爱睡莲  阅读(341)  评论(0编辑  收藏  举报