对于在线交易系统,且Oracle用户在使用缺省的profile的情形下,多用户共享相同的数据库用户及密码,任意用户输入错误密码累计达到10次以上,其帐户会被自动锁定使得交易*临时终止将产生不小的损失。故有必要对那些失败的帐户登陆进行分析以预估是否存在恶意攻击等。Oracle提供了审计功能用于审计那些失败的Oracle用户登陆来进行风险评估。本文即是描述如何开启审计失败的用户登陆。本文不涉及审计的具体的描述信息,仅仅描述如何审计失败的用户登陆。详细完整的审计大家可以参考Oracle Database Security Guide。
1、帐户被锁定的情形
通常情况下,帐户可以由DBA手动锁定,也可能是由于错误的密码输入次数超出了profile中failed_login_attempts 次数的限制而被锁定。
-
a、手动锁定的情形
-
sys@SYBO2SZ> select username,account_status,lock_date from dba_users where username like'USR%';
-
USERNAME ACCOUNT_STATUS LOCK_DATE
-
------------------------------ -------------------------------- -----------------
-
USR2 OPEN
-
USR1 OPEN
-
sys@SYBO2SZ> alteruser usr1 account lock;
-
sys@SYBO2SZ> select username,account_status,lock_date from dba_users where username like'USR%';
-
USERNAME ACCOUNT_STATUS LOCK_DATE
-
------------------------------ -------------------------------- -----------------
-
USR2 OPEN
-
USR1 LOCKED 20131023 16:37:37
-
b、登陆失败超出的情形
-
sys@SYBO2SZ> selectname,lcount fromuser$ wherename='USR2';
-
NAME LCOUNT
-
------------------------------ ----------
-
USR2 10
-
sys@SYBO2SZ> select username,account_status,lock_date from dba_users where username like'USR%';
-
USERNAME ACCOUNT_STATUS LOCK_DATE
-
-------------- ------------------ -----------------
-
USR2 LOCKED(TIMED) 20131023 16:41:48 -->用户usr2登陆10次之后帐户被锁定,其状态不同于手动锁定的用户,为LOCKED(TIMED)
-
USR1 LOCKED 20131023 16:37:37
a、手动锁定的情形 sys@SYBO2SZ> select username,account_status,lock_date from dba_users where username like 'USR%'; USERNAME ACCOUNT_STATUS LOCK_DATE ------------------------------ -------------------------------- ----------------- USR2 OPEN USR1 OPEN sys@SYBO2SZ> alter user usr1 account lock; sys@SYBO2SZ> select username,account_status,lock_date from dba_users where username like 'USR%'; USERNAME ACCOUNT_STATUS LOCK_DATE ------------------------------ -------------------------------- ----------------- USR2 OPEN USR1 LOCKED 20131023 16:37:37 b、登陆失败超出的情形 sys@SYBO2SZ> select name,lcount from user$ where name='USR2'; NAME LCOUNT ------------------------------ ---------- USR2 10 sys@SYBO2SZ> select username,account_status,lock_date from dba_users where username like 'USR%'; USERNAME ACCOUNT_STATUS LOCK_DATE -------------- ------------------ ----------------- USR2 LOCKED(TIMED) 20131023 16:41:48 -->用户usr2登陆10次之后帐户被锁定,其状态不同于手动锁定的用户,为LOCKED(TIMED) USR1 LOCKED 20131023 16:37:37
2、如何开启审计失败的用户登陆
开启审计需要做如下设置
a、设置参数 audit_trail = { none | os | db [, extended] | xml [, extended] }
b、设置参数 audit_file_dest = '<os_dir>'
c、开启登陆失败审计 audit session whenever not successful;
d、执行下面的SQL来查看那些用户经历了登陆失败的情形
select userid, userhost, terminal, clientid from aud$ where returncode=1017;
关于参数audit_trail,
当值为DB时,非sys帐户的审计信息都会被记录到表SYS.AUD$,会占用system表空间,存在资源占用问题,当然也可将其部署到非系统表空间。sys帐户登陆成功与失败都会生成审计文件。
当值为OS时,所有的审计记录被写入到操作系统文件,对于高度安全的数据库,Oracle建议采用该设置,理由很简单,高度安全,写入DB的话,整个系统忙得不亦乐乎。
如果数据库处于只读模式且该参数值为DB时,Oracle 内部设置audit_trail为OS,细节可查看alert log。其余的几个值可参考Oracle Database Reference。
3、演示配置审计登陆失败(oracle 10g)
-
goex_admin@SYBO2SZ> select * from v$version where rownum<2;
-
BANNER
-
----------------------------------------------------------------
-
Oracle Database 10g Release 10.2.0.3.0 - 64bit Production
-
--Oracle 10g下当前数据库的配置,如下,也是缺省配置
-
goex_admin@SYBO2SZ> show parameter audit
-
NAME TYPE VALUE
-
------------------------------------ ----------- ------------------------------
-
audit_file_dest string /users/oracle/OraHome10g/rdbms
-
/audit
-
audit_sys_operations boolean FALSE
-
audit_syslog_level string
-
audit_trail string NONE
-
--下面修改存储审计文件位置
-
goex_admin@SYBO2SZ> ho mkdir -p /u02/database/SYBO2SZ/audit
-
goex_admin@SYBO2SZ> alter system set audit_trail='DB' scope=spfile;
-
goex_admin@SYBO2SZ> alter system set audit_file_dest='/u02/database/SYBO2SZ/audit' scope=spfile;
-
goex_admin@SYBO2SZ> audit session whenever not successful;
-
goex_admin@SYBO2SZ> conn / as sysdba
-
sys@SYBO2SZ> shutdown immediate;
-
sys@SYBO2SZ> startup
-
sys@SYBO2SZ> ho ls /u02/database/SYBO2SZ/audit
-
C:\Users\robinson.cheng>sqlplus scott/wrongpwd@sybo2sz --尝试使用错误的密码从客户端来登陆
-
sys@SYBO2SZ> select userid, userhost, terminal from aud$ where returncode=1017;
-
USERID USERHOST TERMINAL
-
------------------------------ ------------------------------ ------------------------------
-
SCOTT TRADESZ\DEVELOPERPC01 DEVELOPERPC01
-
SCOTT TRADESZ\DEVELOPERPC01 DEVELOPERPC01
-
SCOTT TRADESZ\DEVELOPERPC01 DEVELOPERPC01
-
USR2 SZDB pts/1
-
USR2 SZDB pts/1
-
--有关具体的审计生成的OS文件参考接下来的演示
goex_admin@SYBO2SZ> select * from v$version where rownum<2; BANNER ---------------------------------------------------------------- Oracle Database 10g Release 10.2.0.3.0 - 64bit Production --Oracle 10g下当前数据库的配置,如下,也是缺省配置 goex_admin@SYBO2SZ> show parameter audit NAME TYPE VALUE ------------------------------------ ----------- ------------------------------ audit_file_dest string /users/oracle/OraHome10g/rdbms /audit audit_sys_operations boolean FALSE audit_syslog_level string audit_trail string NONE --下面修改存储审计文件位置 goex_admin@SYBO2SZ> ho mkdir -p /u02/database/SYBO2SZ/audit goex_admin@SYBO2SZ> alter system set audit_trail='DB' scope=spfile; goex_admin@SYBO2SZ> alter system set audit_file_dest='/u02/database/SYBO2SZ/audit' scope=spfile; goex_admin@SYBO2SZ> audit session whenever not successful; goex_admin@SYBO2SZ> conn / as sysdba sys@SYBO2SZ> shutdown immediate; sys@SYBO2SZ> startup sys@SYBO2SZ> ho ls /u02/database/SYBO2SZ/audit C:\Users\robinson.cheng>sqlplus scott/wrongpwd@sybo2sz --尝试使用错误的密码从客户端来登陆 sys@SYBO2SZ> select userid, userhost, terminal from aud$ where returncode=1017; USERID USERHOST TERMINAL ------------------------------ ------------------------------ ------------------------------ SCOTT TRADESZ\DEVELOPERPC01 DEVELOPERPC01 SCOTT TRADESZ\DEVELOPERPC01 DEVELOPERPC01 SCOTT TRADESZ\DEVELOPERPC01 DEVELOPERPC01 USR2 SZDB pts/1 USR2 SZDB pts/1 --有关具体的审计生成的OS文件参考接下来的演示
4、演示配置审计登陆失败(oracle 11g)
-
--Oracle 11g下,缺省已经开启了审计功能,也就是说如果审计失败的登陆帐户,无须单独执行audit session whenever not successful;
-
sys@USBO> select * from v$version where rownum<2;
-
BANNER
-
-------------------------------------------------------------------------------------------------------
-
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
-
sys@USBO> show parameter audit
-
NAME TYPE VALUE
-
------------------------------------ --------------------------------- ------------------------------
-
audit_file_dest string /u03/database/usbo/adump
-
audit_sys_operations boolean FALSE
-
audit_syslog_level string
-
audit_trail string DB
-
--下面是审计产生的文件
-
sys@USBO> ho ls -hltr /u03/database/usbo/adump |tail -2
-
-rw-r----- 1 oracle asmadmin 758 Oct 21 16:29 usbo_ora_4502_1.aud
-
-rw-r----- 1 oracle asmadmin 763 Oct 21 16:49 usbo_ora_5652_1.aud
-
--使用系统用户登陆
-
C:\Users\robinson.cheng>sqlplus sys/oracle@usbo as sysdba
-
sys@USBO> ho ls -hltr /u03/database/usbo/adump |tail -2
-
-rw-r----- 1 oracle asmadmin 763 Oct 21 16:49 usbo_ora_5652_1.aud
-
-rw-r----- 1 oracle asmadmin 773 Oct 22 15:41 usbo_ora_13497_1.aud
-
--系统用户登陆被审计,审计文件中给出了比较详细的描述
-
sys@USBO> ho more /u03/database/usbo/adump/usbo_ora_13497_1.aud
-
Audit file /u03/database/usbo/adump/usbo_ora_13497_1.aud
-
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
-
With the Partitioning, Real Application Clusters, OLAP, Data Mining
-
andReal Application Testing options
-
ORACLE_HOME = /u01/app/oracle/db_1
-
System name: Linux
-
Node name: linux1.orasrv.com
-
Release: 2.6.18-194.el5PAE
-
Version: #1 SMP Mon Mar 29 20:19:03 EDT 2010
-
Machine: i686
-
Instance name: usbo
-
Redo thread mounted by this instance: 1
-
Oracle process number: 31
-
Unix process pid: 13497, image: oracle@linux1.orasrv.com
-
Tue Oct 22 15:41:45 2013 +08:00
-
LENGTH : '180'
-
ACTION :[7] 'CONNECT'
-
DATABASEUSER:[3] 'sys'
-
PRIVILEGE :[6] 'SYSDBA'
-
CLIENT USER:[14] 'Robinson.Cheng'
-
CLIENT TERMINAL:[13] 'DEVELOPERPC01'
-
STATUS:[1] '0'---->登陆成功的状态码
-
DBID:[10] '3456778221'
-
C:\Users\robinson.cheng>sqlplus sys/wrongpwd@usbo as sysdba
-
[oracle@linux1 adump]$ more usbo_ora_13677_1.aud
-
Audit file /u03/database/usbo/adump/usbo_ora_13677_1.aud
-
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
-
With the Partitioning, Real Application Clusters, OLAP, Data Mining
-
andReal Application Testing options
-
ORACLE_HOME = /u01/app/oracle/db_1
-
System name: Linux
-
Node name: linux1.orasrv.com
-
Release: 2.6.18-194.el5PAE
-
Version: #1 SMP Mon Mar 29 20:19:03 EDT 2010
-
Machine: i686
-
Instance name: usbo
-
Redo thread mounted by this instance: 1
-
Oracle process number: 31
-
Unix process pid: 13677, image: oracle@linux1.orasrv.com
-
Tue Oct 22 15:44:59 2013 +08:00
-
LENGTH : '181'
-
ACTION :[7] 'CONNECT'
-
DATABASEUSER:[3] 'sys'
-
PRIVILEGE :[4] 'NONE'
-
CLIENT USER:[14] 'Robinson.Cheng'
-
CLIENT TERMINAL:[13] 'DEVELOPERPC01'
-
STATUS:[4] '1017'---->登陆失败的状态码1017
-
DBID:[10] '3456778221'
-
--下面使用普通的帐户登陆,没有相应的os审计文件,但是被添加到了表SYS.AUD$
-
C:\Users\robinson.cheng>sqlplus scott/tg@usbo
-
--Author : Leshami
-
--Blog : http://blog.csdn.net/leshami
-
sys@USBO> select sessionid,userid,userhost,comment$text,spare1,ntimestamp# from aud$ where returncode=1017;
-
SESSIONID USERID USERHOST COMMENT$TEXT SPARE1 NTIMESTAMP#
-
---------- ------ ------------------------- ---------------------------------------- ------------------ -------------------------------
-
1470011 SCOTT TRADESZ\DEVELOPERPC01 Authenticated by: DATABASE; Client addre Robinson.Cheng 21-OCT-13 08.51.15.528497 AM
-
ss: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168
-
.7.133)(PORT=53432))
-
1480153 SCOTT TRADESZ\DEVELOPERPC01 Authenticated by: DATABASE; Client addre Robinson.Cheng 22-OCT-13 08.06.49.012661 AM
-
ss: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168
-
.7.133)(PORT=60613))
-
1480154 SCOTT TRADESZ\DEVELOPERPC01 Authenticated by: DATABASE; Client addre Robinson.Cheng 22-OCT-13 08.09.41.927143 AM
-
ss: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168
-
.7.133)(PORT=60622))
--Oracle 11g下,缺省已经开启了审计功能,也就是说如果审计失败的登陆帐户,无须单独执行audit session whenever not successful; sys@USBO> select * from v$version where rownum<2; BANNER ------------------------------------------------------------------------------------------------------- Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production sys@USBO> show parameter audit NAME TYPE VALUE ------------------------------------ --------------------------------- ------------------------------ audit_file_dest string /u03/database/usbo/adump audit_sys_operations boolean FALSE audit_syslog_level string audit_trail string DB --下面是审计产生的文件 sys@USBO> ho ls -hltr /u03/database/usbo/adump |tail -2 -rw-r----- 1 oracle asmadmin 758 Oct 21 16:29 usbo_ora_4502_1.aud -rw-r----- 1 oracle asmadmin 763 Oct 21 16:49 usbo_ora_5652_1.aud --使用系统用户登陆 C:\Users\robinson.cheng>sqlplus sys/oracle@usbo as sysdba sys@USBO> ho ls -hltr /u03/database/usbo/adump |tail -2 -rw-r----- 1 oracle asmadmin 763 Oct 21 16:49 usbo_ora_5652_1.aud -rw-r----- 1 oracle asmadmin 773 Oct 22 15:41 usbo_ora_13497_1.aud --系统用户登陆被审计,审计文件中给出了比较详细的描述 sys@USBO> ho more /u03/database/usbo/adump/usbo_ora_13497_1.aud Audit file /u03/database/usbo/adump/usbo_ora_13497_1.aud Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production With the Partitioning, Real Application Clusters, OLAP, Data Mining and Real Application Testing options ORACLE_HOME = /u01/app/oracle/db_1 System name: Linux Node name: linux1.orasrv.com Release: 2.6.18-194.el5PAE Version: #1 SMP Mon Mar 29 20:19:03 EDT 2010 Machine: i686 Instance name: usbo Redo thread mounted by this instance: 1 Oracle process number: 31 Unix process pid: 13497, image: oracle@linux1.orasrv.com Tue Oct 22 15:41:45 2013 +08:00 LENGTH : '180' ACTION :[7] 'CONNECT' DATABASE USER:[3] 'sys' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[14] 'Robinson.Cheng' CLIENT TERMINAL:[13] 'DEVELOPERPC01' STATUS:[1] '0' ---->登陆成功的状态码 DBID:[10] '3456778221' C:\Users\robinson.cheng>sqlplus sys/wrongpwd@usbo as sysdba [oracle@linux1 adump]$ more usbo_ora_13677_1.aud Audit file /u03/database/usbo/adump/usbo_ora_13677_1.aud Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production With the Partitioning, Real Application Clusters, OLAP, Data Mining and Real Application Testing options ORACLE_HOME = /u01/app/oracle/db_1 System name: Linux Node name: linux1.orasrv.com Release: 2.6.18-194.el5PAE Version: #1 SMP Mon Mar 29 20:19:03 EDT 2010 Machine: i686 Instance name: usbo Redo thread mounted by this instance: 1 Oracle process number: 31 Unix process pid: 13677, image: oracle@linux1.orasrv.com Tue Oct 22 15:44:59 2013 +08:00 LENGTH : '181' ACTION :[7] 'CONNECT' DATABASE USER:[3] 'sys' PRIVILEGE :[4] 'NONE' CLIENT USER:[14] 'Robinson.Cheng' CLIENT TERMINAL:[13] 'DEVELOPERPC01' STATUS:[4] '1017' ---->登陆失败的状态码1017 DBID:[10] '3456778221' --下面使用普通的帐户登陆,没有相应的os审计文件,但是被添加到了表SYS.AUD$ C:\Users\robinson.cheng>sqlplus scott/tg@usbo --Author : Leshami --Blog : http://blog.csdn.net/leshami sys@USBO> select sessionid,userid,userhost,comment$text,spare1,ntimestamp# from aud$ where returncode=1017; SESSIONID USERID USERHOST COMMENT$TEXT SPARE1 NTIMESTAMP# ---------- ------ ------------------------- ---------------------------------------- ------------------ ------------------------------- 1470011 SCOTT TRADESZ\DEVELOPERPC01 Authenticated by: DATABASE; Client addre Robinson.Cheng 21-OCT-13 08.51.15.528497 AM ss: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168 .7.133)(PORT=53432)) 1480153 SCOTT TRADESZ\DEVELOPERPC01 Authenticated by: DATABASE; Client addre Robinson.Cheng 22-OCT-13 08.06.49.012661 AM ss: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168 .7.133)(PORT=60613)) 1480154 SCOTT TRADESZ\DEVELOPERPC01 Authenticated by: DATABASE; Client addre Robinson.Cheng 22-OCT-13 08.09.41.927143 AM ss: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168 .7.133)(PORT=60622))
5、使用过程分析失败登陆的审计记录
-
CREATEORREPLACEPROCEDURE auditlogin (since VARCHAR2, times PLS_INTEGER)
-
IS
-
user_id VARCHAR2 (20);
-
CURSOR c1
-
IS
-
SELECT userid, COUNT (*)
-
FROM sys.aud$
-
WHERE returncode = '1017'AND ntimestamp# >= TO_DATE (since, 'yyyy-mm-dd')
-
GROUPBY userid;
-
CURSOR c2
-
IS
-
SELECT userhost, terminal, TO_CHAR (ntimestamp#, 'YYYY-MM-DD:HH24:MI:SS')
-
FROM sys.aud$
-
WHERE returncode = '1017'AND ntimestamp# >= TO_DATE (since, 'yyyy-mm-dd') AND userid = user_id;
-
ct PLS_INTEGER;
-
v_userhost VARCHAR2 (40);
-
v_terminal VARCHAR (40);
-
v_date VARCHAR2 (40);
-
BEGIN
-
OPEN c1;
-
DBMS_OUTPUT.enable (1024000);
-
LOOP
-
FETCH c1
-
INTO user_id, ct;
-
EXIT WHEN c1%NOTFOUND;
-
IF (ct >= times)
-
THEN
-
DBMS_OUTPUT.put_line ('USER BROKEN ALARM:' || user_id);
-
OPEN c2;
-
LOOP
-
FETCH c2
-
INTO v_userhost, v_terminal, v_date;
-
DBMS_OUTPUT.put_line (CHR (9) || 'HOST:' || v_userhost || ',TERM:' || v_terminal || ',TIME:' || v_date);
-
EXIT WHEN c2%NOTFOUND;
-
END LOOP;
-
CLOSE c2;
-
END IF;
-
END LOOP;
-
CLOSE c1;
-
END;
-
/
-
sys@USBO> exec auditlogin('2013-10-22',2);
-
USER BROKEN ALARM:SCOTT
-
HOST:TRADESZ\DEVELOPERPC01,TERM:DEVELOPERPC01,TIME:2013-10-22:08:06:49
-
HOST:TRADESZ\DEVELOPERPC01,TERM:DEVELOPERPC01,TIME:2013-10-22:08:09:41
-
HOST:linux1.orasrv.com,TERM:pts/1,TIME:2013-10-23:08:58:34
-
HOST:linux1.orasrv.com,TERM:pts/1,TIME:2013-10-23:08:58:34
-
USER BROKEN ALARM:USR1
-
HOST:linux1.orasrv.com,TERM:pts/1,TIME:2013-10-23:09:01:36
-
HOST:linux1.orasrv.com,TERM:pts/1,TIME:2013-10-23:09:11:13
-
HOST:linux1.orasrv.com,TERM:pts/1,TIME:2013-10-23:09:11:13
本文转自东方之子736651CTO博客,原文链接: http://blog.51cto.com/ecloud/1336746,如需转载请自行联系原作者