IBM Guardium

  • 1.  Invalid logon attempts Policy access rule

    Posted Wed May 29, 2019 01:05 PM
    Hello,
    I have a question related to policy rules and failed logins.
    One of our policy rules is to alert when 3 invalid login attempts have been made within a five minute time period. This is configured by specifying Excpt. Type LOGIN_FAILED.

    I have noticed we are seeing a lot of these alerts produced for databases that have a high availability standby. When a connection is attempted to the standby database, which is not in a state that can be connected to, we see these messages. Does anyone know how we could configure the policy rule to only alert when the connect attempt has failed due to an invalid userid or password, rather than a database environment related issue? Many thanks.


    ------------------------------
    David H
    ------------------------------


  • 2.  RE: Invalid logon attempts Policy access rule

    Posted Wed May 29, 2019 02:26 PM

    Consider looking at the 'Database Error Text'.'Error Code' attribute to see what values are seen when connecting to a standby database versus what is seen when connecting with an invalid user id or password. Then add to the invalid login attempt rule the error code or group of error codes that indicate (or contra-indicate using NOT) invalid user id or password conditions.

     

    Thanks!

     

    Frank J Bates Jr


  • 3.  RE: Invalid logon attempts Policy access rule

    Posted Thu May 30, 2019 11:05 AM
    It seems that the Database Error Text.Error Code isn't collected in this scenario of failed connects to a standby DB (they are showing as N/A - at least for one Oracle instance anyway) so I'll look into identifying the Error Codes I do want to alert upon for each DBMS and add a policy rule with a group of these values. Many thanks.

    ------------------------------
    David Huckle
    ------------------------------



  • 4.  RE: Invalid logon attempts Policy access rule

    Posted Fri June 21, 2019 10:35 AM
    Hi,
    There are two types of LOGIN_FAILED action for Oracle:

    ORA-28000: the account is locked --> With most Oracle database profiles, if you try to log in with a wrong password, the account will be locked after a few tries.
    ORA-01017: Invalid Username/Password --> This message is shown if you enter a wrong username or password.

    You can create a group that includes those two error codes and recheck the issue.

    Regards



    ------------------------------
    Seyhan Tekelioglu
    ------------------------------
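
The rule logic discussed in this thread, as an added example that is not part of any post and is not Guardium configuration or API: a plain Python model of "3 LOGIN_FAILED within five minutes", run once without and once with the error-code group from post 4. The record layout, user names and server names are assumptions, and the sample exceptions are constructed, with the standby failures carrying the `N/A` error code reported in post 3.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Error-code group suggested in the thread (Oracle only).
CREDENTIAL_ERRORS = {"ORA-01017", "ORA-28000"}
THRESHOLD = 3
WINDOW = timedelta(minutes=5)

# Constructed sample: (time, db_user, server, exception_type, error_code)
SAMPLE = [
    # Connection attempts against a standby: no error code collected.
    ("2019-05-29 13:00:05", "APPUSER", "ora-standby", "LOGIN_FAILED", "N/A"),
    ("2019-05-29 13:00:35", "APPUSER", "ora-standby", "LOGIN_FAILED", "N/A"),
    ("2019-05-29 13:01:05", "APPUSER", "ora-standby", "LOGIN_FAILED", "N/A"),
    ("2019-05-29 13:01:35", "APPUSER", "ora-standby", "LOGIN_FAILED", "N/A"),
    # Two bad passwords, then the account locks: one burst inside 5 minutes.
    ("2019-05-29 13:02:00", "SCOTT", "ora-prod", "LOGIN_FAILED", "ORA-01017"),
    ("2019-05-29 13:03:10", "SCOTT", "ora-prod", "LOGIN_FAILED", "ORA-01017"),
    ("2019-05-29 13:04:20", "SCOTT", "ora-prod", "LOGIN_FAILED", "ORA-28000"),
    # Three bad passwords spread over more than 5 minutes: below threshold.
    ("2019-05-29 13:00:00", "HR", "ora-prod", "LOGIN_FAILED", "ORA-01017"),
    ("2019-05-29 13:04:00", "HR", "ora-prod", "LOGIN_FAILED", "ORA-01017"),
    ("2019-05-29 13:09:30", "HR", "ora-prod", "LOGIN_FAILED", "ORA-01017"),
]

def failed_login_alerts(events, codes=CREDENTIAL_ERRORS):
    """Return (user, server, time) for each threshold breach.

    codes=None counts every LOGIN_FAILED (the original rule);
    a set of codes counts only failures whose error code is in the group.
    """
    recent = defaultdict(deque)   # (user, server) -> times of counted failures
    alerts = []
    for ts, user, server, exc_type, code in sorted(events):
        if exc_type != "LOGIN_FAILED":
            continue
        if codes is not None and code not in codes:
            continue              # e.g. "N/A" from a standby connect attempt
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        window = recent[(user, server)]
        window.append(when)
        while when - window[0] > WINDOW:
            window.popleft()      # drop failures older than five minutes
        if len(window) >= THRESHOLD:
            alerts.append((user, server, ts))
            window.clear()        # start counting again after alerting
    return alerts

if __name__ == "__main__":
    print("all LOGIN_FAILED:", failed_login_alerts(SAMPLE, codes=None))
    print("credential codes:", failed_login_alerts(SAMPLE))
```

The group would need equivalent codes for each other DBMS being monitored, as post 3 notes.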