背景:因业务要求,DBA将oracle数据库应用账户(pdbadmin)修改为新的密码。然而,该pdbadmin对应了多个应用主机上的多个不同应用,由于应用运维用户对应用程序不熟悉,导致无法及时修改全部应用程序账号密码,应用程序账号一直尝试使用原来的旧密码去登陆数据库,导致oracle数据库的应用账号一直被锁:LOCKED(TIMED)。经查询审计表aud$,可以查到对应的主机名,但应用运维人员反馈主机名还是无法获取信息,需要提供ip地址。
以下提供方法获取ip地址。
开启登陆失败审计 audit session whenever not successful;
0.查看审计参数信息
SQL> showparameter audit
1.建表LOGON_TABLE
create tableLOGON_TABLE as
selectto_char(sysdate,'yyyy-mm-dd hh24:mi:ss') logon_time,
sys_context('USERENV','SESSION_USER')username,
sys_context('USERENV','HOST')host,
sys_context('USERENV','OS_USER')os_user,
sys_context('USERENV','IP_ADDRESS')ip_address
from dual
/
2.建触发器,每次登陆成功之后就把信息写入 LOGON_TABLE 表
create orreplace trigger tri_logon after logon on database
begin
insert into LOGON_TABLE
(logon_time,
username,
host,
os_user,
ip_address
) values
( to_char(sysdate,'yyyy-mm-dd hh24:mi:ss'),
sys_context('USERENV', 'SESSION_USER'),
sys_context('USERENV','HOST'),
sys_context('USERENV','OS_USER'),
sys_context('USERENV','IP_ADDRESS'));
end;
/
3.此时可以查看到该表中信息。
col LOGON_TIMEfor a30
col USERNAMEfor a15
col HOST fora20
col OS_USERfor a15
col IP_ADDRESSfor a20
select * fromLOGON_TABLE where rownum<20 order by LOGON_TIME;
4.查看状态码为1017(错误密码)的审计信息
col USERID fora20
col USERHOSTfor a30
col TERMINALfor a30
col CLIENTIDfor a30
set linesize150 pagesize 100
select userid,userhost, terminal, clientid from aud$ where returncode=1017;
5.将LOGON_TABLE,aud$清空用以录入尝试使用错误密码登陆的审计信息
SQL>truncate table LOGON_TABLE;
Tabletruncated.
SQL>truncate table aud$;
Tabletruncated.
SQL> select* from LOGON_TABLE order by LOGON_TIME;
no rowsselected
SQL> selectuserid, userhost, terminal, clientid from aud$ where returncode=1017;
no rowsselected
6.重新查询aud$可以获取【错误密码】登陆的用户信息,可以知道主机名
col USERID for a10
col USERHOST for a30
col TERMINAL for a30
col CLIENTID for a30
select userid, userhost, terminal, clientid from aud$ where returncode=1017 orderby ntimestamp#;
select * fromLOGON_TABLE order by LOGON_TIME;
发现pdbadmin登陆失败的ip是172.17.102.223
