Solved

How to audit password change of users

Posted on 2011-03-17
18
1,032 Views
Last Modified: 2012-05-11
i want to audit password change of a user.if any user changes their password With privileges or without privileges .i am using 11g client.can any one  tell me how to do this?
0
Comment
Question by:Cha1tu
  • 8
  • 7
  • 2
  • +1
18 Comments
 
LVL 73

Expert Comment

by:sdstuber
Comment Utility
>>>if any user changes their password With privileges or without privileges


what do you mean by this?  how can you change passwords without having privileges to do so?

everyone has implicit  privilege to change their own password
0
 
LVL 34

Expert Comment

by:johnsone
Comment Utility
I'm not sure what you mean by capturing password changes without privileges.

You could capture users and when they change their passwords with a password verify function.  An example is below.  If you have users where you wouldn't want to log their changes, leave them out of the anonymous block at the end that alters the profile.
--Create a table to hold the log
CREATE TABLE PW_CHANGE_LOG
( USERNAME VARCHAR2(100),
  CHANGE_DATE DATE)
TABLESPACE USERS;

--Create a function to log the change
CREATE OR REPLACE FUNCTION password_change_log (
  username varchar2,
  password varchar2,
  old_password varchar2
) RETURN boolean
IS
BEGIN
  INSERT INTO PW_CHANGE_LOG VALUES (USERNAME, SYSDATE);
  RETURN(TRUE);
END;
/

--Create a profile that will call the function
CREATE PROFILE LOG_PW_CHANGE;
ALTER PROFILE LOG_PW_CHANGE LIMIT PASSWORD_VERIFY_FUNCTION PASSWORD_CHANGE_LOG;

--Assign all users to the profile
BEGIN
  FOR C1 IN (SELECT USERNAME FROM DBA_USERS) LOOP
    BEGIN
      EXECUTE IMMEDIATE 'ALTER USER ' || C1.USERNAME || ' PROFILE LOG_PW_CHANGE';
    EXCEPTION
      WHEN OTHERS THEN
        NULL;
    END;
  END LOOP;
END;
/

Open in new window

0
 
LVL 2

Author Comment

by:Cha1tu
Comment Utility
Actually you know what nobody can’t change password of others without privileges I agree with you.

But here I want to audit the password changes.

Like if I created one user I will give temporary password for that user. Once the user is login then it will ask for password reset.

I want to know which user is changing their password and what is the time of that .Generally if I put password expiration for 90 days. It will prompt to change password then the user can change their password.

I want to see how many users in the database changing their passwords. And also if the user has DBA privileges they can change the password of any user right? I want to see that password change also.
0
 
LVL 76

Expert Comment

by:slightwv (䄆 Netminder)
Comment Utility
I'm on mobile and can't confirm this but there is a change date.  I don't think it care 'who' changed it.

Going from memory see if it is the CDATE column in the user$ view.
0
 
LVL 73

Expert Comment

by:sdstuber
Comment Utility
as a privilege user "audit alter user"


you can see alter user commands in the audit view  dba_audit_trail
you won't see the exact command though
0
 
LVL 73

Expert Comment

by:sdstuber
Comment Utility
combine the audit user results from dba_audit_trail with the PTIME column from sys.user$
0
 
LVL 2

Author Comment

by:Cha1tu
Comment Utility

@sdstuber:

"combine the audit user results from dba_audit_trail with the PTIME column from sys.user$"


can you clarify that with statements.i am not able to get it
0
 
LVL 73

Accepted Solution

by:
sdstuber earned 500 total points
Comment Utility
something like this...

SELECT username,
       timestamp,
       obj_name,
       action_name
  FROM dba_audit_trail dat, sys.user$ u
 WHERE dat.action_name = 'ALTER USER'
   AND u.name = dat.obj_name
   AND u.ptime = dat.timestamp;
0
 
LVL 34

Expert Comment

by:johnsone
Comment Utility
You could also modify the verification function to trap the logged in user.  Then it would be kept in one place.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 2

Author Comment

by:Cha1tu
Comment Utility
@sdstuber: when i query these are the results

SQL> SELECT username,
  2         timestamp,
  3         obj_name,
  4         action_name
  5    FROM dba_audit_trail dat, sys.user$ u
  6   WHERE dat.action_name = 'ALTER USER'
  7     AND u.name = dat.obj_name
  8     AND u.ptime = dat.timestamp;

no rows selected


what it means ,can you calrify this ,Thank You
0
 
LVL 73

Expert Comment

by:sdstuber
Comment Utility
did you enable auditting for the alter user command?

did you alter any users after enabling auditting?

check your audit_trail value in v$parameter,  are your audits written to an OS file instead of the DB?
0
 
LVL 2

Author Comment

by:Cha1tu
Comment Utility
I set the parameters like this

SQL> show parameter audit;

NAME                                        TYPE                VALUE
----------------------------------- ----------- ------------------------------
audit_file_dest                      string         F:\ORACLE_11G\RDBMS\AUDIT
audit_sys_operations          boolean      TRUE
audit_trail                             string          DB, EXTENDED


i am not sure about the alter user command.weather i use this r not.can you tell how to check that?
0
 
LVL 2

Author Comment

by:Cha1tu
Comment Utility


i try this ,is this correct?
SQL> audit alter user;

Audit succeeded.

SQL> audit alter user WHENEVER SUCCESSFUL;

Audit succeeded.

SQL> audit alter user WHENEVER NOT SUCCESSFUL;

Audit succeeded.
0
 
LVL 73

Assisted Solution

by:sdstuber
sdstuber earned 500 total points
Comment Utility
look in  DBA_PRIV_AUDIT_OPTS

you should see something like this

<null>  <null>   ALTER USER      BY ACCESS      BY ACCESS

if you didn't then you didn't run "audit alter user"
0
 
LVL 2

Author Comment

by:Cha1tu
Comment Utility
yes i am able to see

<null>  <null>   ALTER USER      BY ACCESS      BY ACCESS
still it is giving results like this

SQL> SELECT username,
  2         timestamp,
  3         obj_name,
  4         action_name
  5    FROM dba_audit_trail dat, sys.user$ u
  6   WHERE dat.action_name = 'ALTER USER'
  7     AND u.name = dat.obj_name
  8     AND u.ptime = dat.timestamp;

no rows selected


0
 
LVL 73

Expert Comment

by:sdstuber
Comment Utility
have you altered any user since you turned auditting on?

0
 
LVL 2

Author Comment

by:Cha1tu
Comment Utility
i don;t know that.right now i can see that.
0
 
LVL 73

Expert Comment

by:sdstuber
Comment Utility
>>> i don;t know that.right now i can see that.


auditting can only track actions that occur after you turn auditting on.

if you alter a user now, you should see something show up in dba_audit_trail  
if nobody ever issues an alter user command the auditting is irrelevant because there will be nothing to audit.


if you feel the query I gave you is giving the wrong results
then don't use the join, just query the dba_audit_trail view itself with only the action_name filter and see what is returned.  If nothing, then nobody has tried an alter.


0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Join & Write a Comment

Subquery in Oracle: Sub queries are one of advance queries in oracle. Types of advance queries: •      Sub Queries •      Hierarchical Queries •      Set Operators Sub queries are know as the query called from another query or another subquery. It can …
Working with Network Access Control Lists in Oracle 11g (part 2) Part 1: http://www.e-e.com/A_8429.html Previously, I introduced the basics of network ACL's including how to create, delete and modify entries to allow and deny access.  For many…
This video shows syntax for various backup options while discussing how the different basic backup types work.  It explains how to take full backups, incremental level 0 backups, incremental level 1 backups in both differential and cumulative mode a…
This video shows how to copy an entire tablespace from one database to another database using Transportable Tablespace functionality.

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now