Oracle審計失敗的用戶登陸(Oracle audit)
分類:編程 時間:2016-11-04
Oracle審計失敗的用戶登陸(Oracle audit)
對於在線交易系統,且Oracle用戶在使用缺省的profile的情形下,多用戶共享相同的數據庫用戶及密碼,任意用戶輸入錯誤密碼累計達到10次以上,其帳戶會被自動鎖定使得交易被迫臨時終止將產生不小的損失。故有必要對那些失敗的帳戶登陸進行分析以預估是否存在惡意攻擊等。Oracle提供了審計功能用於審計那些失敗的Oracle用戶登陸來進行風險評估。本文即是描述如何開啟審計失敗的用戶登陸。本文不涉及審計的具體的描述信息,僅僅描述如何審計失敗的用戶登陸。詳細完整的審計大家可以參考Oracle database Security Guide。
1、帳戶被鎖定的情形
通常情況下,帳戶可以由DBA手動鎖定,也可能是由於錯誤的密碼輸入次數超出了profile中failed_login_attempts 次數的限制而被鎖定。
[sql]
a、手動鎖定的情形
sys@SYBO2SZ> select username,account_status,lock_date from dba_users where username like 'USR%';
USERNAME ACCOUNT_STATUS LOCK_DATE
------------------------------ -------------------------------- -----------------
USR2 OPEN
USR1 OPEN
sys@SYBO2SZ> alter user usr1 account lock;
sys@SYBO2SZ> select username,account_status,lock_date from dba_users where username like 'USR%';
USERNAME ACCOUNT_STATUS LOCK_DATE
------------------------------ -------------------------------- -----------------
USR2 OPEN
USR1 LOCKED 20131023 16:37:37
b、登陸失敗超出的情形
sys@SYBO2SZ> select name,lcount from user$ where name='USR2';
NAME LCOUNT
------------------------------ ----------
USR2 10
sys@SYBO2SZ> select username,account_status,lock_date from dba_users where username like 'USR%';
USERNAME ACCOUNT_STATUS LOCK_DATE
-------------- ------------------ -----------------
USR2 LOCKED(TIMED) 20131023 16:41:48 -->用戶usr2登陸10次之後帳戶被鎖定,其狀態不同於手動鎖定的用戶,為LOCKED(TIMED)
USR1 LOCKED 20131023 16:37:37
2、如何開啟審計失敗的用戶登陸
開啟審計需要做如下設置
a、設置參數 audit_trail = { none | os | db [, extended] | xml [, extended] }
b、設置參數 audit_file_dest = '<os_dir>'
c、開啟登陸失敗審計 audit session whenever not successful;
d、執行下面的SQL來查看那些用戶經歷了登陸失敗的情形
select userid, userhost, terminal, clientid from aud$ where returncode=1017;
關於參數audit_trail,
當值為DB時,非sys帳戶的審計信息都會被記錄到表SYS.AUD$,會占用system表空間,存在資源占用問題,當然也可將其部署到非系統表空間。sys帳戶登陸成功與失敗都會生成審計文件。
當值為OS時,所有的審計記錄被寫入到操作系統文件,對於高度安全的數據庫,Oracle建議采用該設置,理由很簡單,高度安全,寫入DB的話,整個系統忙得不亦樂乎。
如果數據庫處於只讀模式且該參數值為DB時,Oracle 內部設置audit_trail為OS,細節可查看alert log。其余的幾個值可參考Oracle Database Reference。
3、演示配置審計登陸失敗(oracle 10g)
[sql]
goex_admin@SYBO2SZ> select * from v$version where rownum<2;
BANNER
----------------------------------------------------------------
Oracle Database 10g Release 10.2.0.3.0 - 64bit Production
--Oracle 10g下當前數據庫的配置,如下,也是缺省配置
goex_admin@SYBO2SZ> show parameter audit
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest string /users/oracle/OraHome10g/rdbms
/audit
audit_sys_operations boolean FALSE
audit_syslog_level string
audit_trail string NONE
--下面修改存儲審計文件位置
goex_admin@SYBO2SZ> ho mkdir -p /u02/database/SYBO2SZ/audit
goex_admin@SYBO2SZ> alter system set audit_trail='DB' scope=spfile;
goex_admin@SYBO2SZ> alter system set audit_file_dest='/u02/database/SYBO2SZ/audit' scope=spfile;
goex_admin@SYBO2SZ> audit session whenever not successful;
goex_admin@SYBO2SZ> conn / as sysdba
sys@SYBO2SZ> shutdown immediate;
sys@SYBO2SZ> startup
sys@SYBO2SZ> ho ls /u02/database/SYBO2SZ/audit
C:\Users\robinson.cheng>sqlplus scott/wrongpwd@sybo2sz --嘗試使用錯誤的密碼從客戶端來登陸
sys@SYBO2SZ> select userid, userhost, terminal from aud$ where returncode=1017;
USERID USERHOST TERMINAL
------------------------------ ------------------------------ ------------------------------
SCOTT TRADESZ\DEVELOPERPC01 DEVELOPERPC01
SCOTT TRADESZ\DEVELOPERPC01 DEVELOPERPC01
SCOTT TRADESZ\DEVELOPERPC01 DEVELOPERPC01
USR2 SZDB pts/1
USR2 SZDB pts/1
--有關具體的審計生成的OS文件參考接下來的演示
4、演示配置審計登陸失敗(oracle 11g)
[sql]
--Oracle 11g下,缺省已經開啟了審計功能,也就是說如果審計失敗的登陸帳戶,無須單獨執行audit session whenever not successful;
sys@USBO> select * from v$version where rownum<2;
BANNER
-------------------------------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
sys@USBO> show parameter audit
NAME TYPE VALUE
------------------------------------ --------------------------------- ------------------------------
audit_file_dest string /u03/database/usbo/adump
audit_sys_operations boolean FALSE
audit_syslog_level string
audit_trail string DB
--下面是審計產生的文件
sys@USBO> ho ls -hltr /u03/database/usbo/adump |tail -2
-rw-r----- 1 oracle asmadmin 758 Oct 21 16:29 usbo_ora_4502_1.aud
-rw-r----- 1 oracle asmadmin 763 Oct 21 16:49 usbo_ora_5652_1.aud
--使用系統用戶登陸
C:\Users\robinson.cheng>sqlplus sys/oracle@usbo as sysdba
sys@USBO> ho ls -hltr /u03/database/usbo/adump |tail -2
-rw-r----- 1 oracle asmadmin 763 Oct 21 16:49 usbo_ora_5652_1.aud
-rw-r----- 1 oracle asmadmin 773 Oct 22 15:41 usbo_ora_13497_1.aud
--系統用戶登陸被審計,審計文件中給出了比較詳細的描述
sys@USBO> ho more /u03/database/usbo/adump/usbo_ora_13497_1.aud
Audit file /u03/database/usbo/adump/usbo_ora_13497_1.aud
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
With the Partitioning, Real Application Clusters, OLAP, Data Mining
and Real Application Testing options
ORACLE_HOME = /u01/app/oracle/db_1
System name: linux
Node name: linux1.orasrv.com
Release: 2.6.18-194.el5PAE
Version: #1 SMP Mon Mar 29 20:19:03 EDT 2010
Machine: i686
Instance name: usbo
Redo thread mounted by this instance: 1
Oracle process number: 31
Unix process pid: 13497, image: [email protected]
Tue Oct 22 15:41:45 2013 +08:00
LENGTH : '180'
ACTION :[7] 'CONNECT'
DATABASE USER:[3] 'sys'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[14] 'Robinson.Cheng'
CLIENT TERMINAL:[13] 'DEVELOPERPC01'
STATUS:[1] '0' ---->登陸成功的狀態碼
DBID:[10] '3456778221'
C:\Users\robinson.cheng>sqlplus sys/wrongpwd@usbo as sysdba
[oracle@linux1 adump]$ more usbo_ora_13677_1.aud
Audit file /u03/database/usbo/adump/usbo_ora_13677_1.aud
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
With the Partitioning, Real Application Clusters, OLAP, Data Mining
and Real Application Testing options
ORACLE_HOME = /u01/app/oracle/db_1
System name: Linux
Node name: linux1.orasrv.com
Release: 2.6.18-194.el5PAE
Version: #1 SMP Mon Mar 29 20:19:03 EDT 2010
Machine: i686
Instance name: usbo
Redo thread mounted by this instance: 1
Oracle process number: 31
Unix process pid: 13677, image: [email protected]
Tue Oct 22 15:44:59 2013 +08:00
LENGTH : '181'
ACTION :[7] 'CONNECT'
DATABASE USER:[3] 'sys'
PRIVILEGE :[4] 'NONE'
CLIENT USER:[14] 'Robinson.Cheng'
CLIENT TERMINAL:[13] 'DEVELOPERPC01'
STATUS:[4] '1017' ---->登陸失敗的狀態碼1017
DBID:[10] '3456778221'
--下面使用普通的帳戶登陸,沒有相應的os審計文件,但是被添加到了表SYS.AUD$
C:\Users\robinson.cheng>sqlplus scott/tg@usbo
--Author : Leshami
--Blog : http://blog.csdn.net/leshami
sys@USBO> select sessionid,userid,userhost,comment$text,spare1,ntimestamp# from aud$ where returncode=1017;
SESSIONID USERID USERHOST COMMENT$TEXT SPARE1 NTIMESTAMP#
---------- ------ ------------------------- ---------------------------------------- ------------------ -------------------------------
1470011 SCOTT TRADESZ\DEVELOPERPC01 Authenticated by: DATABASE; Client addre Robinson.Cheng 21-OCT-13 08.51.15.528497 AM
ss: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168
.7.133)(PORT=53432))
1480153 SCOTT TRADESZ\DEVELOPERPC01 Authenticated by: DATABASE; Client addre Robinson.Cheng 22-OCT-13 08.06.49.012661 AM
ss: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168
.7.133)(PORT=60613))
1480154 SCOTT TRADESZ\DEVELOPERPC01 Authenticated by: DATABASE; Client addre Robinson.Cheng 22-OCT-13 08.09.41.927143 AM
ss: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168
.7.133)(PORT=60622))
5、使用過程分析失敗登陸的審計記錄
[sql]
CREATE OR REPLACE PROCEDURE auditlogin (since VARCHAR2, times PLS_INTEGER)
IS
user_id VARCHAR2 (20);
CURSOR c1
IS
SELECT userid, COUNT (*)
FROM sys.aud$
WHERE returncode = '1017' AND ntimestamp# >= TO_DATE (since, 'yyyy-mm-dd')
GROUP BY userid;
CURSOR c2
IS
SELECT userhost, terminal, TO_CHAR (ntimestamp#, 'YYYY-MM-DD:HH24:MI:SS')
FROM sys.aud$
WHERE returncode = '1017' AND ntimestamp# >= TO_DATE (since, 'yyyy-mm-dd') AND userid = user_id;
ct PLS_INTEGER;
v_userhost VARCHAR2 (40);
v_terminal VARCHAR (40);
v_date VARCHAR2 (40);
BEGIN
OPEN c1;
DBMS_OUTPUT.enable (1024000);
LOOP
FETCH c1
INTO user_id, ct;
EXIT WHEN c1%NOTFOUND;
IF (ct >= times)
THEN
DBMS_OUTPUT.put_line ('USER BROKEN ALARM:' || user_id);
OPEN c2;
LOOP
FETCH c2
INTO v_userhost, v_terminal, v_date;
DBMS_OUTPUT.put_line (CHR (9) || 'HOST:' || v_userhost || ',TERM:' || v_terminal || ',TIME:' || v_date);
EXIT WHEN c2%NOTFOUND;
END LOOP;
CLOSE c2;
END IF;
END LOOP;
CLOSE c1;
END;
/
sys@USBO> exec auditlogin('2013-10-22',2);
USER BROKEN ALARM:SCOTT
HOST:TRADESZ\DEVELOPERPC01,TERM:DEVELOPERPC01,TIME:2013-10-22:08:06:49
HOST:TRADESZ\DEVELOPERPC01,TERM:DEVELOPERPC01,TIME:2013-10-22:08:09:41
HOST:linux1.orasrv.com,TERM:pts/1,TIME:2013-10-23:08:58:34
HOST:linux1.orasrv.com,TERM:pts/1,TIME:2013-10-23:08:58:34
USER BROKEN ALARM:USR1
HOST:linux1.orasrv.com,TERM:pts/1,TIME:2013-10-23:09:01:36
HOST:linux1.orasrv.com,TERM:pts/1,TIME:2013-10-23:09:11:13
HOST:linux1.orasrv.com,TERM:pts/1,TIME:2013-10-23:09:11:13
Tags:
文章來源:
ads
ads