Posts

Showing posts from March, 2024

Oracle-DB: Monitor gradual password rollover usage

Image
As of Oracle DB release 19.12 it is possible to use the new and the previous password for user logon simultaneously for a limited period. For details see New features guide . This is a great and long-awaited feature that lowers the barriers to changing passwords with less operational risk. But there's an obstacle for practical use: You must be able to monitor the users who are within this rollover period and are still using the old password. The only way of monitoring the use of old passwords known to me so far is to: Use Unified Auditing Create a policy for the LOGON action Check for the keyword "VERIFIER=12C-OLD" in the column AUTHENTICATION_TYPE of the logon records in unified audit trail. The following SQL provides an overview over all the users who are currently within a password rollover period, combined with info about old password usage: SELECT u.Account_Status, u.Password_Change_Date, u.Profile, u.UserName, u.Last_Login, a.DBUserName, a....