CRITICAL: NUMBER OF FAILED LOGIN ATTEMPTS EXCEEDS THRESHOLD VALUE
Auditing, ORA-28001, Oracle Enterprise Manager
How to trace failed login attempts.
GOAL
How to trace failed login attempts using audit.
SYMPTOMS
The following incident is being reported
Host=dbpilot.net
Target type=Database Instance
Target name=oradb
Categories=Security
Message=Number of failed login attempts exceeds threshold value.
Severity=Critical
Event reported time=Jul 13, 2020 10:26:55 AM MSK
Operating System=Linux
Platform=x86_64
Associated Incident Id=127157
Associated Incident Status=New
Associated Incident Owner=
Associated Incident Acknowledged By Owner=No
Associated Incident Priority=None
Associated Incident Escalation Level=0
Event Type=Metric Alert
Event name=audit_failed_logins2:failed_login_count
Total Occurrences=307539
Occurrences in this event=720
First Occurred in this event=Jul 13, 2020 9:57:01 AM MSK
Last Occurred in this event=Jul 13, 2020 10:26:51 AM MSK
Metric Group=Failed Logins
Metric=Failed Login Count
Metric value=720
Key Value=
Rule Name=ROOT_NOTIFICATION_RULE,ALL TARGET EVENTS
Rule Owner=SYSMAN
Update Details:
Number of failed login attempts exceeds threshold value.
Target type=Database Instance
Target name=oradb
Categories=Security
Message=Number of failed login attempts exceeds threshold value.
Severity=Critical
Event reported time=Jul 13, 2020 10:26:55 AM MSK
Operating System=Linux
Platform=x86_64
Associated Incident Id=127157
Associated Incident Status=New
Associated Incident Owner=
Associated Incident Acknowledged By Owner=No
Associated Incident Priority=None
Associated Incident Escalation Level=0
Event Type=Metric Alert
Event name=audit_failed_logins2:failed_login_count
Total Occurrences=307539
Occurrences in this event=720
First Occurred in this event=Jul 13, 2020 9:57:01 AM MSK
Last Occurred in this event=Jul 13, 2020 10:26:51 AM MSK
Metric Group=Failed Logins
Metric=Failed Login Count
Metric value=720
Key Value=
Rule Name=ROOT_NOTIFICATION_RULE,ALL TARGET EVENTS
Rule Owner=SYSMAN
Update Details:
Number of failed login attempts exceeds threshold value.
SOLUTION
How to trace failed login attempts using audit
1. Enable the audit. Database bounce is required.
-- Enable audit
ALTER SYSTEM SET AUDIT_TRAIL='DB' SCOPE=SPFILE;
-- Bounce the database
-- SHUTDOWN IMMEDIATE
-- STARTUP
-- Verify the audit is enabled
COL NAME FOR A15
COL VALUE FOR A10
SELECT NAME,DISPLAY_VALUE VALUE FROM V$PARAMETER WHERE NAME='audit_trail';
NAME VALUE
--------------- ----------
audit_trail DB
2. Activate the audit for failed logins attempts
AUDIT SESSION WHENEVER NOT SUCCESSFUL;
Audit succeeded.
3. Wait some time and check
-- Getting details for the last day
SET LINES 300
SET PAGES 999
COL INUM FOR 9999
COL OS_USERNAME FOR A10
COL USERNAME FOR A10
COL USERHOST FOR A25
COL ACTION_NAME FOR A10
COL OS_PROCESS FOR A10
COL TIMESTAMP FOR A20
SELECT INSTANCE_NUMBER INUM,
OS_USERNAME,
USERNAME,
USERHOST,
TO_CHAR(EXTENDED_TIMESTAMP,'DD-MON-YYYY HH24:MI:SS') TIMESTAMP,
ACTION_NAME,
OS_PROCESS,
RETURNCODE
FROM
DBA_AUDIT_SESSION
WHERE
EXTENDED_TIMESTAMP > (SYSDATE - 1) AND RETURNCODE > 0
ORDER BY EXTENDED_TIMESTAMP;
INUM OS_USERNAM USERNAME USERHOST TIMESTAMP ACTION_NAM OS_PROCESS RETURNCODE
----- ---------- ---------- ----------------------- -------------------- ---------- ---------- ----------
0 система SAP_DEV DBPILOT\S001AS-APPS 13-JUL-2020 15:52:32 LOGON 5265 28001
0 система SAP_DEV DBPILOT\S001AS-APPS 13-JUL-2020 15:52:32 LOGON 5267 28001
0 система SAP_DEV DBPILOT\S001AS-APPS 13-JUL-2020 15:52:42 LOGON 5278 28001
0 система SAP_DEV DBPILOT\S001AS-APPS 13-JUL-2020 15:52:42 LOGON 5282 28001
0 система SAP_DEV DBPILOT\S001AS-APPS 13-JUL-2020 15:52:42 LOGON 5284 28001
0 система SAP_DEV DBPILOT\S001AS-APPS 13-JUL-2020 15:52:42 LOGON 5286 28001
0 система SAP_DEV DBPILOT\S001AS-APPS 13-JUL-2020 15:52:52 LOGON 5301 28001
0 система SAP_DEV DBPILOT\S001AS-APPS 13-JUL-2020 15:52:52 LOGON 5307 28001
0 система SAP_DEV DBPILOT\S001AS-APPS 13-JUL-2020 15:52:52 LOGON 5313 28001
0 система SAP_DEV DBPILOT\S001AS-APPS 13-JUL-2020 15:52:52 LOGON 5319 28001
32718 rows selected.
The query output provides all the necessary information to identify a problematic database account.
In this demo, the SAP_DEV database user attempted to log on to the database from the host DBPILOT\S001AS-APPS but failed with ORA-28001.
SQL> !oerr ora 28001
28001, 00000, "the password has expired"
// *Cause: The user's account has expired and the password needs to be
// changed
// *Action: change the password or contact the DBA
//
4. Now, deactivate the audit for failed logins attempts
NOAUDIT SESSION WHENEVER NOT SUCCESSFUL;
Noaudit succeeded.
REFERENCES
Finding the source of failed login attempts. (Doc ID 352389.1)
How to find "Failed Login USERNAME" in OEM (Doc ID 2564866.1)
Written At
13 JUL 202019:00
Red Hat Release
7.x x64
Enterprise Manager
13.3.0.0.0
Database Release
11.2.0.4
Share
- Accounts
- Auditing
- AWR
- Bash Scripts
- Datapump
- Default Category
- Demos
- Directory Objects
- Environment Variables
- Initialization Parameters
- Iptables
- Java Program
- Memory Usage
- Metadata API
- Networker
- NLS Settings
- Optimizer Statistics
- ORA-00942
- ORA-01031
- ORA-01720
- ORA-28001
- ORA-31671
- Oracle Database
- Oracle Enterprise Manager
- Performance Tunning
- Postfix
- Privilegies
- Processes
- Queries
- Red Hat Enterprise Linux
- Redo Logs
- Session Tracing
- Sessions
- SQL Trace
- SQLPlus
- Statspack
- Tablespaces
- UTL_FILE
- UTL_FILE_DIR
- Wait Events
- Yum