Oracle-DB: Monitor gradual password rollover usage

As of Oracle DB release 19.12 it is possible to use the new and the previous password for user logon simultaneously for a limited period.
For details see New features guide.

This is a great and long-awaited feature that lowers the barriers to changing passwords with less operational risk.

But there's an obstacle for practical use:
You must be able to monitor the users who are within this rollover period and are still using the old password.

The only way of monitoring the use of old passwords known to me so far is to:
  • Use Unified Auditing
  • Create a policy for the LOGON action
  • Check for the keyword "VERIFIER=12C-OLD" in the column AUTHENTICATION_TYPE of the logon records in unified audit trail.
The following SQL provides an overview over all the users who are currently within a password rollover period, combined with info about old password usage: 
SELECT u.Account_Status, u.Password_Change_Date, u.Profile, u.UserName, u.Last_Login,
       a.DBUserName, a.Logon_Count, a.Min_TS, a.Max_TS, a.OS_UserName_Cnt, a.Min_OS_UserName,
       a.UserHost_Cnt, a.Min_UserHost, a.Terminal_Cnt, a.Min_Terminal,
       a.Instance_ID_Cnt, a.Min_Instance_ID, a.External_UserID_Cnt, a.Min_External_UserID,
       a.Global_UserID_Cnt, a.Min_Global_UserID, a.Client_Program_Name_Cnt, a.Min_Client_Program_Name,
       a.DBLink_Info_Cnt, a.Min_DBLink_Info,
       u.Password_Change_Date + NUMTODSINTERVAL(pr.Limit, 'DAY') Rollover_Expiration_Date,
       u.Password_Change_Date + NUMTODSINTERVAL(pr.Limit, 'DAY')-SYSDATE Remaining_Days_for_Rollover
FROM   DBA_Users u
LEFT OUTER JOIN (SELECT Profile,
                        /* support both seconds and days representation, see Doc ID 2815172.1 */
                        CASE WHEN REGEXP_LIKE(Limit, '^[0-9]+$') AND TO_NUMBER(Limit) > 60 THEN
                          TO_CHAR(TO_NUMBER(Limit)/86400)
                        ELSE Limit END AS Limit
                 FROM   DBA_Profiles
                 WHERE Resource_Name = 'PASSWORD_ROLLOVER_TIME'
                ) pr ON pr.Profile = u.Profile
LEFT OUTER JOIN (
                 SELECT NVL(DBProxy_Username, DBUserName) UserName, DBUserName, COUNT(*) Logon_Count,
                        MIN(Event_Timestamp) Min_TS, MAX(Event_Timestamp) Max_TS,
                        COUNT(DISTINCT OS_UserName         ) OS_UserName_Cnt,          MIN(OS_UserName         ) Min_OS_UserName,
                        COUNT(DISTINCT UserHost            ) UserHost_Cnt,             MIN(UserHost            ) Min_UserHost,
                        COUNT(DISTINCT Terminal            ) Terminal_Cnt,             MIN(Terminal            ) Min_Terminal,
                        COUNT(DISTINCT Instance_ID         ) Instance_ID_Cnt,          MIN(Instance_ID         ) Min_Instance_ID,
                        COUNT(DISTINCT External_UserID     ) External_UserID_Cnt,      MIN(External_UserID     ) Min_External_UserID,
                        COUNT(DISTINCT Global_UserID       ) Global_UserID_Cnt,        MIN(Global_UserID       ) Min_Global_UserID,
                        COUNT(DISTINCT Client_Program_Name ) Client_Program_Name_Cnt,  MIN(Client_Program_Name ) Min_Client_Program_Name,
                        COUNT(DISTINCT DBLink_Info         ) DBLink_Info_Cnt,          MIN(DBLink_Info         ) Min_DBLink_Info
                 FROM   Unified_Audit_Trail
                 WHERE  Action_Name = 'LOGON'
                 AND    Authentication_Type LIKE '%VERIFIER=12C-OLD%'
                 GROUP BY DBUserName, DBProxy_Username
                ) a ON a.UserName = u.UserName
WHERE  u.Account_Status LIKE '%ROLLOVER%'
;


A bit more convenient you may get this info using the analysis tool Panorama.
Click at the number in column "Logons with old password" gives the ability to quickly evaluate the individual unified audit trail records for logons with old password for that user.

Comments

Post a Comment

Popular posts from this blog

Oracle-DB: How to check for appropriate sequence caching

Image
A common pitfall while using sequences in Oracle-DB is forgetting to define sequence caching. The default for sequences is cache size = 0. That means, every sequence.nextval operation triggers a single write operation on dictionary table sys.SEQ$. Especially if frequently calling sequence.nextval uncached sequences may cause significant performance degradation. Frequently calling sequence.nextval in parallel sessions may lead to ramdom lock scenarios in library cache. Setting a cache size for a sequence may heavy increase performance of nextval-operations. There's a minimal memory overhead for caching a sequence because all that's needed is a counter to increase in SGA memory and a upper limit. If this limit is reached with the counter, the upper limit is increased by cache size and the new upper limit is written down once to SEQ$. The possible drawback for sequence caching is that you loose all your values between the current value and the highest cached value if yo...
Read more

Common pitfalls using SQL*Net via Firewalls

It's very common that firewalls are terminating idle TCP sessions after a limited time, often after approximately one hour. Possible problem If you have a long running SQL or PL/SQL program and the firewall terminates your apparently idle TCP session this may lead to the following scenario: the database is not able to send result to client. After reaching the TCP-timeout the database server terminates the DB-Session the client program stays in socket read forever waiting for the database response Oracle's full solution: SQLNET.EXPIRE_TIME=x in sqlnet.ora Oracle's solution for this problem is setting parameter SQLNET.EXPIRE_TIME=x in sqlnet.ora where x are the minutes between keep alive packets on idle sessions that inform the firewall that this session is always alive. SQLNET.EXPIRE_TIME hast to be set in the sqlnet.ora of your RDBMS' ORACLE_HOME. Normally $ORACLE_HOME/network/admin. If you have a grid infrastructure setting SQLNET.EXPIRE_TIME in sqlnet...
Read more

Oracle-DB: Identify excessive logon/logoff operations with short-running sessions

Image
Creating and destroying database sessions in loop may lead to significant database load. This blog post contains more about quantifying this load. Applications should use connection pooling at client or database side to prevent excessive session creation. But how can I identify the client processes causing this sessions? Scan DBA_Audit_Trail to identify context info If auditing logon/logoff-operations is activated for your database, scan DBA_Audit_Trail. You can do this by 2 was: Alternative 1: Use my tool "Panorama" to evaluate audit trail Panorama is available here. Go to menu "DBA general" / "Audit Trail": Select start and end time for selection Filter column "Action" for "LOGON" Set "Grouping" to "Minute" Execute selection via button "Show audit trail" Add columns of your choice to diagram by context menu (right mouse button) This way you can identify the machine, DB-user ...
Read more