对于在线交易系统,且Oracle用户在使用缺省的profile的情形下,多用户共享相同的数据库用户及密码,任意用户输入错误密码累计达到10次以上,其帐户会被自动锁定使得交易被迫临时终止将产生不小的损失。故有必要对那些失败的帐户登陆进行分析以预估是否存在恶意攻击等。Oracle提供了审计功能用于审计那些失败的Oracle用户登陆来进行风险评估。本文即是描述如何开启审计失败的用户登陆。本文不涉及审计的具体的描述信息,仅仅描述如何审计失败的用户登陆。详细完整的审计大家可以参考Oracle Database Security Guide。
1、帐户被锁定的情形
通常情况下,帐户可以由DBA手动锁定,也可能是由于错误的密码输入次数超出了profile中failed_login_attempts 次数的限制而被锁定。
a、手动锁定的情形
sys@SYBO2SZ> select username,account_status,lock_date from dba_users where username like 'USR%';
USERNAME ACCOUNT_STATUS LOCK_DATE
------------------------------ -------------------------------- -----------------
USR2 OPEN
USR1 OPEN
sys@SYBO2SZ> alter user usr1 account lock;
sys@SYBO2SZ> select username,account_status,lock_date from dba_users where username like 'USR%';
USERNAME ACCOUNT_STATUS LOCK_DATE
------------------------------ -------------------------------- -----------------
USR2 OPEN
USR1 LOCKED 20131023 16:37:37
b、登陆失败超出的情形
sys@SYBO2SZ> select name,lcount from user$ where name='USR2';
NAME LCOUNT
------------------------------ ----------
USR2 10
sys@SYBO2SZ> select username,account_status,lock_date from dba_users where username like 'USR%';
USERNAME ACCOUNT_STATUS LOCK_DATE
-------------- ------------------ -----------------
USR2 LOCKED(TIMED) 20131023 16:41:48 -->用户usr2登陆10次之后帐户被锁定,其状态不同于手动锁定的用户,为LOCKED(TIMED)
USR1 LOCKED 20131023 16:37:37
2、如何开启审计失败的用户登陆
开启审计需要做如下设置
a、设置参数 audit_trail = { none | os | db [, extended] | xml [, extended] }
b、设置参数 audit_file_dest = '<os_dir>'
c、开启登陆失败审计 audit session whenever not successful;
d、执行下面的SQL来查看那些用户经历了登陆失败的情形
select userid, userhost, terminal, clientid from aud$ where returncode=1017;
关于参数audit_trail,
当值为DB时,非sys帐户的审计信息都会被记录到表SYS.AUD$,会占用system表空间,存在资源占用问题,当然也可将其部署到非系统表空间。sys帐户登陆成功与失败都会生成审计文件。
当值为OS时,所有的审计记录被写入到操作系统文件,对于高度安全的数据库,Oracle建议采用该设置,理由很简单,高度安全,写入DB的话,整个系统忙得不亦乐乎。
如果数据库处于只读模式且该参数值为DB时,Oracle 内部设置audit_trail为OS,细节可查看alert log。其余的几个值可参考Oracle Database Reference。
3、演示配置审计登陆失败(oracle 10g)
goex_admin@SYBO2SZ> select * from v$version where rownum<2;
BANNER
----------------------------------------------------------------
Oracle Database 10g Release 10.2.0.3.0 - 64bit Production
--Oracle 10g下当前数据库的配置,如下,也是缺省配置
goex_admin@SYBO2SZ> show parameter audit
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest string /users/oracle/OraHome10g/rdbms
/audit
audit_sys_operations boolean FALSE
audit_syslog_level string
audit_trail string NONE
--下面修改存储审计文件位置
goex_admin@SYBO2SZ> ho mkdir -p /u02/database/SYBO2SZ/audit
goex_admin@SYBO2SZ> alter system set audit_trail='DB' scope=spfile;
goex_admin@SYBO2SZ> alter system set audit_file_dest='/u02/database/SYBO2SZ/audit' scope=spfile;
goex_admin@SYBO2SZ> audit session whenever not successful;
goex_admin@SYBO2SZ> conn / as sysdba
sys@SYBO2SZ> shutdown immediate;
sys@SYBO2SZ> startup
sys@SYBO2SZ> ho ls /u02/database/SYBO2SZ/audit
C:\Users\robinson.cheng>sqlplus scott/wrongpwd@sybo2sz --尝试使用错误的密码从客户端来登陆
sys@SYBO2SZ> select userid, userhost, terminal from aud$ where returncode=1017;
USERID USERHOST TERMINAL
------------------------------ ------------------------------ ------------------------------
SCOTT TRADESZ\DEVELOPERPC01 DEVELOPERPC01
SCOTT TRADESZ\DEVELOPERPC01 DEVELOPERPC01
SCOTT TRADESZ\DEVELOPERPC01 DEVELOPERPC01
USR2 SZDB pts/1
USR2 SZDB pts/1
--有关具体的审计生成的OS文件参考接下来的演示
4、演示配置审计登陆失败(oracle 11g)
--Oracle 11g下,缺省已经开启了审计功能,也就是说如果审计失败的登陆帐户,无须单独执行audit session whenever not successful;
sys@USBO> select * from v$version where rownum<2;
BANNER
-------------------------------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
sys@USBO> show parameter audit
NAME TYPE VALUE
------------------------------------ --------------------------------- ------------------------------
audit_file_dest string /u03/database/usbo/adump
audit_sys_operations boolean FALSE
audit_syslog_level string
audit_trail string DB
--下面是审计产生的文件
sys@USBO> ho ls -hltr /u03/database/usbo/adump |tail -2
-rw-r----- 1 oracle asmadmin 758 Oct 21 16:29 usbo_ora_4502_1.aud
-rw-r----- 1 oracle asmadmin 763 Oct 21 16:49 usbo_ora_5652_1.aud
--使用系统用户登陆
C:\Users\robinson.cheng>sqlplus sys/oracle@usbo as sysdba
sys@USBO> ho ls -hltr /u03/database/usbo/adump |tail -2
-rw-r----- 1 oracle asmadmin 763 Oct 21 16:49 usbo_ora_5652_1.aud
-rw-r----- 1 oracle asmadmin 773 Oct 22 15:41 usbo_ora_13497_1.aud
--系统用户登陆被审计,审计文件中给出了比较详细的描述
sys@USBO> ho more /u03/database/usbo/adump/usbo_ora_13497_1.aud
Audit file /u03/database/usbo/adump/usbo_ora_13497_1.aud
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
With the Partitioning, Real Application Clusters, OLAP, Data Mining
and Real Application Testing options
ORACLE_HOME = /u01/app/oracle/db_1
System name: Linux
Node name: linux1.orasrv.com
Release: 2.6.18-194.el5PAE
Version: #1 SMP Mon Mar 29 20:19:03 EDT 2010
Machine: i686
Instance name: usbo
Redo thread mounted by this instance: 1
Oracle process number: 31
Unix process pid: 13497, image: oracle@linux1.orasrv.com
Tue Oct 22 15:41:45 2013 +08:00
LENGTH : '180'
ACTION :[7] 'CONNECT'
DATABASE USER:[3] 'sys'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[14] 'Robinson.Cheng'
CLIENT TERMINAL:[13] 'DEVELOPERPC01'
STATUS:[1] '0' ---->登陆成功的状态码
DBID:[10] '3456778221'
C:\Users\robinson.cheng>sqlplus sys/wrongpwd@usbo as sysdba
[oracle@linux1 adump]$ more usbo_ora_13677_1.aud
Audit file /u03/database/usbo/adump/usbo_ora_13677_1.aud
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
With the Partitioning, Real Application Clusters, OLAP, Data Mining
and Real Application Testing options
ORACLE_HOME = /u01/app/oracle/db_1
System name: Linux
Node name: linux1.orasrv.com
Release: 2.6.18-194.el5PAE
Version: #1 SMP Mon Mar 29 20:19:03 EDT 2010
Machine: i686
Instance name: usbo
Redo thread mounted by this instance: 1
Oracle process number: 31
Unix process pid: 13677, image: oracle@linux1.orasrv.com
Tue Oct 22 15:44:59 2013 +08:00
LENGTH : '181'
ACTION :[7] 'CONNECT'
DATABASE USER:[3] 'sys'
PRIVILEGE :[4] 'NONE'
CLIENT USER:[14] 'Robinson.Cheng'
CLIENT TERMINAL:[13] 'DEVELOPERPC01'
STATUS:[4] '1017' ---->登陆失败的状态码1017
DBID:[10] '3456778221'
--下面使用普通的帐户登陆,没有相应的os审计文件,但是被添加到了表SYS.AUD$
C:\Users\robinson.cheng>sqlplus scott/tg@usbo
--Author : Leshami
--Blog : http://blog.csdn.net/leshami
sys@USBO> select sessionid,userid,userhost,comment$text,spare1,ntimestamp# from aud$ where returncode=1017;
SESSIONID USERID USERHOST COMMENT$TEXT SPARE1 NTIMESTAMP#
---------- ------ ------------------------- ---------------------------------------- ------------------ -------------------------------
1470011 SCOTT TRADESZ\DEVELOPERPC01 Authenticated by: DATABASE; Client addre Robinson.Cheng 21-OCT-13 08.51.15.528497 AM
ss: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168
.7.133)(PORT=53432))
1480153 SCOTT TRADESZ\DEVELOPERPC01 Authenticated by: DATABASE; Client addre Robinson.Cheng 22-OCT-13 08.06.49.012661 AM
ss: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168
.7.133)(PORT=60613))
1480154 SCOTT TRADESZ\DEVELOPERPC01 Authenticated by: DATABASE; Client addre Robinson.Cheng 22-OCT-13 08.09.41.927143 AM
ss: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168
.7.133)(PORT=60622))
5、使用过程分析失败登陆的审计记录
CREATE OR REPLACE PROCEDURE auditlogin (since VARCHAR2, times PLS_INTEGER)
IS
user_id VARCHAR2 (20);
CURSOR c1
IS
SELECT userid, COUNT (*)
FROM sys.aud$
WHERE returncode = '1017' AND ntimestamp# >= TO_DATE (since, 'yyyy-mm-dd')
GROUP BY userid;
CURSOR c2
IS
SELECT userhost, terminal, TO_CHAR (ntimestamp#, 'YYYY-MM-DD:HH24:MI:SS')
FROM sys.aud$
WHERE returncode = '1017' AND ntimestamp# >= TO_DATE (since, 'yyyy-mm-dd') AND userid = user_id;
ct PLS_INTEGER;
v_userhost VARCHAR2 (40);
v_terminal VARCHAR (40);
v_date VARCHAR2 (40);
BEGIN
OPEN c1;
DBMS_OUTPUT.enable (1024000);
LOOP
FETCH c1
INTO user_id, ct;
EXIT WHEN c1%NOTFOUND;
IF (ct >= times)
THEN
DBMS_OUTPUT.put_line ('USER BROKEN ALARM:' || user_id);
OPEN c2;
LOOP
FETCH c2
INTO v_userhost, v_terminal, v_date;
DBMS_OUTPUT.put_line (CHR (9) || 'HOST:' || v_userhost || ',TERM:' || v_terminal || ',TIME:' || v_date);
EXIT WHEN c2%NOTFOUND;
END LOOP;
CLOSE c2;
END IF;
END LOOP;
CLOSE c1;
END;
/
sys@USBO> exec auditlogin('2013-10-22',2);
USER BROKEN ALARM:SCOTT
HOST:TRADESZ\DEVELOPERPC01,TERM:DEVELOPERPC01,TIME:2013-10-22:08:06:49
HOST:TRADESZ\DEVELOPERPC01,TERM:DEVELOPERPC01,TIME:2013-10-22:08:09:41
HOST:linux1.orasrv.com,TERM:pts/1,TIME:2013-10-23:08:58:34
HOST:linux1.orasrv.com,TERM:pts/1,TIME:2013-10-23:08:58:34
USER BROKEN ALARM:USR1
HOST:linux1.orasrv.com,TERM:pts/1,TIME:2013-10-23:09:01:36
HOST:linux1.orasrv.com,TERM:pts/1,TIME:2013-10-23:09:11:13
HOST:linux1.orasrv.com,TERM:pts/1,TIME:2013-10-23:09:11:13
更多参考
有关Oracle RAC请参考
使用crs_setperm修改RAC资源的所有者及权限
使用crs_profile管理RAC资源配置文件
RAC 数据库的启动与关闭
再说 Oracle RAC services
Services in Oracle Database 10g
Migrate datbase from single instance to Oracle RAC
Oracle RAC 连接到指定实例
Oracle RAC 负载均衡测试(结合服务器端与客户端)
Oracle RAC 服务器端连接负载均衡(Load Balance)
Oracle RAC 客户端连接负载均衡(Load Balance)
ORACLE RAC 下非缺省端口监听配置(listener.ora tnsnames.ora)
ORACLE RAC 监听配置 (listener.ora tnsnames.ora)
配置 RAC 负载均衡与故障转移
CRS-1006 , CRS-0215 故障一例
基于Linux (RHEL 5.5) 安装Oracle 10g RAC
使用 runcluvfy 校验Oracle RAC安装环境
有关Oracle 网络配置相关基础以及概念性的问题请参考:
配置非默认端口的动态服务注册
配置sqlnet.ora限制IP访问Oracle
Oracle 监听器日志配置与管理
设置 Oracle 监听器密码(LISTENER)
配置ORACLE 客户端连接到数据库
有关基于用户管理的备份和备份恢复的概念请参考
Oracle 冷备份
Oracle 热备份
Oracle 备份恢复概念
Oracle 实例恢复
Oracle 基于用户管理恢复的处理
SYSTEM 表空间管理及备份恢复
SYSAUX表空间管理及恢复
Oracle 基于备份控制文件的恢复(unsing backup controlfile)
有关RMAN的备份恢复与管理请参考
RMAN 概述及其体系结构
RMAN 配置、监控与管理
RMAN 备份详解
RMAN 还原与恢复
RMAN catalog 的创建和使用
基于catalog 创建RMAN存储脚本
基于catalog 的RMAN 备份与恢复
RMAN 备份路径困惑
使用RMAN实现异机备份恢复(WIN平台)
使用RMAN迁移文件系统数据库到ASM
linux 下RMAN备份shell脚本
使用RMAN迁移数据库到异机
有关ORACLE体系结构请参考
Oracle 表空间与数据文件
Oracle 密码文件
Oracle 参数文件
Oracle 联机重做日志文件(ONLINE LOG FILE)
Oracle 控制文件(CONTROLFILE)
Oracle 归档日志
Oracle 回滚(ROLLBACK)和撤销(UNDO)
Oracle 数据库实例启动关闭过程
Oracle 10g SGA 的自动化管理
Oracle 实例和Oracle数据库(Oracle体系结构)