Closing DBA session in AFTER LOGON trigger
574639May 3 2007 — edited May 4 2007Hello *,
this is my first question here and my first piece of code in oracle so please don't laugh ;-)
I'm trying to create an AFTER LOGON trigger which disconnects a user if he/she tries to log in from an incorrect host.
What should happen?
User tries to connect.
If he/she is permitted, a record is added to a table.
If not, a record is added to another table and the user is disconnected using RAISE_APPLICATION_ERROR().
After a number of issues I've got it working, except ... I have the feeling that RAISE_APPLICATION_ERROR() doesn't effect users with DBA privileges.
Finally, I'm testing it with one ordinary user - DEF.
The main idea is to disallow connections from user ABC which has DBA privileges.
Tests using DEF are successful but when ABC tries to log in from an incorrect host, a record is added in pcbaudit_failed_logins but the user is not disconnected.
The database is 9.2.0.8.0 and I'm prepared to post RDA report if it is required.
Thank you for your help in advance - I hope I was kind enough :P
Here's the code for the trigger:
DROP TABLE pcbaudit_users;
CREATE TABLE pcbaudit_users (username VARCHAR2(32) NOT NULL, host VARCHAR2(64) NOT NULL);
CREATE INDEX idx_pcbaudit_users_username ON pcbaudit_users(username);
CREATE INDEX idx_pcbaudit_users_host ON pcbaudit_users(host);
DROP TABLE pcbaudit_logins;
CREATE TABLE pcbaudit_logins (username VARCHAR2(32), ip_address VARCHAR2(15), host VARCHAR2(64), ts DATE);
DROP TABLE pcbaudit_failed_logins;
CREATE TABLE pcbaudit_failed_logins (username VARCHAR2(32), ip_address VARCHAR2(15), host VARCHAR2(64), ts DATE);
CREATE OR REPLACE PUBLIC SYNONYM pcbaudit_users FOR sys.pcbaudit_users;
CREATE OR REPLACE PUBLIC SYNONYM pcbaudit_logins FOR sys.pcbaudit_logins;
CREATE OR REPLACE PUBLIC SYNONYM pcbaudit_failed_logins FOR sys.pcbaudit_failed_logins;
GRANT SELECT ON sys.pcbaudit_users TO public;
GRANT INSERT ON sys.pcbaudit_logins TO public;
GRANT INSERT ON sys.pcbaudit_failed_logins TO public;
INSERT INTO pcbaudit_users VALUES ('SYS', '%');
INSERT INTO pcbaudit_users VALUES ('SYSTEM', '%');
INSERT INTO pcbaudit_users VALUES ('ABC', '%');
INSERT INTO pcbaudit_users VALUES ('DEF', '%');
COMMIT;
CREATE OR REPLACE
TRIGGER logon_pcbaudit_trigger AFTER LOGON ON DATABASE
DECLARE
v_username VARCHAR2(32); /* variable that will hold current username */
v_host VARCHAR2(4000); /* variable that will hold current host */
v_allowed NUMBER(1) := 0;
PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
SELECT UPPER(USER), /* current user */
UPPER(SYS_CONTEXT('USERENV', 'HOST')) /* current user host */
INTO v_username,
v_host
FROM dual;
/* debug */
-- DBMS_OUTPUT.PUT_LINE(v_username || '@' || v_host);
SELECT 1
INTO v_allowed
FROM pcbaudit_users
WHERE UPPER(username) = v_username
AND (
UPPER(REPLACE(v_host, CHR(0), '')) LIKE UPPER(host) ESCAPE '!' /* fuck that shit! Something appends CHR(0) to its host... */
OR
v_host IS NULL /* fuck that shit! Some hosts are NULLs! */
);
/* write log (user has logged in!) */
INSERT
INTO pcbaudit_logins
(username, ip_address, host, ts)
VALUES
(v_username, SYS_CONTEXT('USERENV', 'IP_ADDRESS'), v_host, SYSDATE);
COMMIT;
EXCEPTION
WHEN NO_DATA_FOUND THEN /* occurs when no matches were found; i.e. current username is not permitted to login from the current host */
/* log the failed attempt */
INSERT
INTO pcbaudit_failed_logins
(username, ip_address, host, ts)
VALUES
(v_username, SYS_CONTEXT('USERENV', 'IP_ADDRESS'), v_host, SYSDATE);
COMMIT;
/* disconnect user */
RAISE_APPLICATION_ERROR(-20001, v_username || '@' || v_host || ' is not allowed to connect.');
WHEN OTHERS THEN
NULL; /* in this case, NULL is better than an error - if an error occurs, user will not be able to login. */
END;