Alter user – is password stored in audit trails

oraclepasswordSecurity

I was asked an interesting question the other day and I have not been able to find a definitive answer.

If one of my DBA's changes a password, will the password the password show up in plain text in the audit trails?

Eg. sys as sysdba changes the password of system.

ALTER USER system IDENTIFIED BY <password>

Oracle states that it will not if the user changes their own password, but says nothing about another account changing the password of another account.
The suspicion is that the password would show up in clear text in trails such as v$SQL.

This seems like an egregious oversight if Oracle didn't account for this but I cannot find anything to prove otherwise.

Best Answer

You could just try it out.

This is logged in locally sqlplus / as sysdba:

SQL> alter user mat identified by COOLPASSWORD ;

User altered.

SQL> select substr(sql_text,0,40) from v$sqlarea where lower(sql_text) like '%alter%' ;

SUBSTR(SQL_TEXT,0,40)
----------------------------------------
select substr(sql_text,0,40) from v$sqla

SQL> select substr(sql_text,0,40) from v$sql where lower(sql_text) like '%alter%' ;

SUBSTR(SQL_TEXT,0,40)
----------------------------------------
select substr(sql_text,0,40) from v$sql
select substr(sql_text,0,40) from v$sqla

The alter commands are not present in v$sql or v$sqlarea. I have sys operations auditing on that test database, and the audit file for the above password change contains:

<AuditRecord><Audit_Type>4</Audit_Type>...<OSPrivilege>SYSDBA</OSPrivilege>...
<Sql_Text>alter user mat identified by * </Sql_Text>
</AuditRecord>

That's a literal * in the XML file. The normal audit logs contain the same * instead of the password, including if I change another user's password (logged in as a normal DBA user).

Now if you use things like rlwrap to run sqlplus, or fancy GUI clients, the password may well stay in some command line history/buffer. But the database server can't do much about that.

Related Solutions

How to transfer data using expdp and impdp commands

impdp will create the user if it's not present yet, so you don't have to worry about it unless that's not what you want.

Do not run impdb or expdp as sysdba, only do that if Oracle support requests it in specific circumstances. Use an ordinary user for that - one that has been granted the dba role for instance. (There are the [IMPORT|EXPORT]_FULL_DATABASE privileges specifically for this type of thing, you'll need to grant access to the Oracle directory object(s) too.)

A full schema export (metadata and contents) would indeed look like:

expdp user/pass schemas=<schemaname> directory=dumpdir \
      dumpfile=<schemaname>.dmp \
      logfile=expdp_<schemaname>.log

If you want to import to a different user/schema (the target database can be the same as the source), you can use:

impdp user/pass schemas=schema1 directory=dumpdir \
      remap_schema=schema1:schema2 \
      dumpfile=schema1.dmp \
      logfile=impdp_schema2.log

If you don't want a complete import, you can set some filters both on data and metadata. See Filtering During Import Operations.

The Utilities Guide has all the details, I strongly recommend reading at least the overview part.

Windows – Oracle 12c SYSTEM user locked out

Ok, figured it out with the comments from my original question. Steps I used to connect to the correct instance and get the account unlocked and password reset.

Connect to the correct SID/instance off the top. Example:

c:\sqlplus SYSTEM/<Password>@<service name> --> this can be found in the tnsnames.ora file
I then verified I was in the correct instance:

SQL>select instance_name, status from v$instance;
From there I was able to unlock the user and reset their password:

SQL>alter user <USERNAME> account UNLOCK;

SQL>alter user <USERNAME> identified by <PASSWORD>;

My problem intially was that I was just trying to connect using sqlplus / as sysdba and it wasn't putting me in the correct instance.

Hopefully this will be helpful to other Oracle devs and rookie DBA's (I'm a rookie in this since we have a dev instance for some client work and it rarely gets touched).

Best Answer

Related Solutions

How to transfer data using expdp and impdp commands

Windows – Oracle 12c SYSTEM user locked out

Related Question