Oracle AUD审计 找出锁定用户的客户端IP

问题描述:运用AUD审计找出锁定用户的客户端IP

 

1.查询被锁用户

SELECT USERNAME, ACCOUNT_STATUS, LOCK_DATE FROM DBA_USERS WHERE ACCOUNT_STATUS = 'LOCKED(TIMED)';
SELECT USERNAME, ACCOUNT_STATUS, LOCK_DATE FROM DBA_USERS WHERE ACCOUNT_STATUS = 'LOCKED';

USERNAME               ACCOUNT_STATUS            LOCK_DATE
------------------------------ -------------------------------- ---------
TEST01                   LOCKED                20-AUG-21

 

2.备份审计表

select count(*) from aud$;
  COUNT(*)
----------
  21419082

create table audit_20210823 TABLESPACE DATA_AUDI as select * from sys.aud$;
truncate table sys.aud$;

 

3.检查审计功能

show parameter audit_trail

NAME                     TYPE     VALUE
------------------------------------ ----------- ------------------------------
audit_trail                 string     DB
如果没开启就是NONE,改参数,重启实例生效;
alter system set audit_trail=db scope=spfile;

 

4.开启对锁定用户的审计功能

--对目标用户登陆失败进行审计
AUDIT SESSION BY A_MKU_XH  WHENEVER NOT SUCCESSFUL;

 

5.检查审计日志

复制代码
alter session set nls_date_format='YYYYMMDD HH24:MI:SS';
SELECT A.TIMESTAMP, A.RETURNCODE FROM DBA_AUDIT_SESSION A WHERE A.USERNAME = 'TEST01' ORDER BY 1;
       TIMESTAMP    RETURNCODE
109    2021/8/20 13:58:17    28000
110    2021/8/20 14:00:38    28000
71    2021/8/20 13:41:46    1017
72    2021/8/20 13:41:56    1017
73    2021/8/20 13:42:06    1017
68    2021/8/20 13:41:16    1017
69    2021/8/20 13:41:26    1017

可以看出从16:33:25开始,对用户解锁,接着连续10次的1017密码错误,随后继续28000用户被锁。

01017, 00000, “invalid username/password; logon denied”
28000, 00000, “the account is locked”

从COMMENT$TEXT 连接串找到客户端IP,通知用户使用人处理;
SELECT A.COMMENT$TEXT FROM SYS.AUD$ A WHERE USERID = 'TEST01';
       COMMENT$TEXT
14    Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.163.1)(PORT=63364))
15    Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.163.1)(PORT=63365))

27    Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.163.1)(PORT=55396))
28    Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.163.1)(PORT=55397))
29    
30    Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.163.1)(PORT=55409))
复制代码

 

6.关闭审计

NOAUDIT CONNECT TEST01;

如果想对所有用户开启登陆失败审计,则用下面的命令:
AUDIT SESSION WHENEVER NOT SUCCESSFUL;
NOAUDIT CONNECT; --关闭审计

 

posted @   我爱睡莲  阅读(361)  评论(0编辑  收藏  举报
相关博文:
· ORA-09925:Unable to create audit trail file 数据库启动失败
· MySQL匿名空用户名处理
· 查询AD 账号锁定
· 解决Oracle用户被锁定的方法
· Oracle数据库限制指定IP可以访问
阅读排行:
· 【自荐】一款简洁、开源的在线白板工具 Drawnix
· 没有Manus邀请码?试试免邀请码的MGX或者开源的OpenManus吧
· 无需6万激活码!GitHub神秘组织3小时极速复刻Manus,手把手教你使用OpenManus搭建本
· C#/.NET/.NET Core优秀项目和框架2025年2月简报
· DeepSeek在M芯片Mac上本地化部署
点击右上角即可分享
微信分享提示