Re: Protecting contents of AUDIT_FILE_DEST from 'oracle' OS user on *N

  • From: David Robillard <david.robillard@xxxxxxxxx>
  • To: David Mann <dmann99@xxxxxxxxx>
  • Date: Tue, 22 Nov 2011 10:53:14 -0500

Hello David,

>> Why don't you send the audit logs over to syslog? Once configured to
>> work with syslog, you can keep a local copy or have then sent over to
>> your central syslog server. Easy, clean and secure.
>>
>> <ShamelessPlug>
>> Maybe that could help?
>> http://itdavid.blogspot.com/2011/02/manage-oracle-11gr2-asm-and-rdbms-audit.html
>> </ShamelessPlug>
>
> I think this is the way to go. I have probably skimmed that section of
> the docs a half dozen times but obviously it never 'stuck'.

Good idea :) I just noticed that in my blog post, logrotate is
configured to create the log file with owner "oracle" and group
"oinstall". This is obviously not what you want to do in your case. So
just change the /etc/logrotate.d/oracle.audit file by removing the
"create 0640 oracle oinstall" line from the file and you should be
good. You can test your logrotate configuration by running

sudo logrotate -d /etc/logrotate.conf

No changes will be made to your system, but if you have configuration
errors, they will be printed out along with all what logrotate would
do if it would normally execute.

> Also thanks to Paul D. who replied to me directly about the same method.
> Now on to talk to the sysadmins and get a thumbs up from them :)

Say, if your sysadmins need some help with syslog, you can point them
to the SAGE booklet « Building a Logging Infrastructure » by Abe
Singer and Tina Bird [1]. It's a bit old, but it was very useful to
my team when we built our own syslog infrastructure.

> Don we are on our way to locking oracle user and using sudo 100% of
> the time but not quite there yet.

That's another good idea, but it can be hard to pin-point exactly
which set of commands the user needs. Beware that if you give certain
commands that have escape keys, they can get a root shell. For
example, don't give "sudo vi" but use "sudo sudoedit" and configure
sudoedit(8) to use vi(1) or another editor.

HTH,

David

[1] http://www.sage.org/pubs/12_logging/

--
David Robillard
http://www.linkedin.com/in/davidrobillard
http://itdavid.blogspot.com
--
//www.freelists.org/webpage/oracle-l
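Added example (not from the message above or the linked blog post): two constructed logrotate stanzas for a syslog-fed Oracle audit log, the weak one still carrying the "create 0640 oracle oinstall" line and the corrected one without it, plus a small POSIX shell check that flags any "create" directive handing the rotated file to a given OS user. The log path and rotation settings are assumed.

```shell
#!/bin/sh
# Constructs a weak and a corrected logrotate stanza, then audits each for a
# 'create' directive that would give the rotated file to the 'oracle' user.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Weak variant (assumed path/settings): rotated file becomes oracle:oinstall,
# which is exactly what the thread wants to avoid.
cat > "$WORK/oracle.audit.weak" <<'EOF'
/var/log/oracle/audit.log {
    weekly
    rotate 52
    compress
    missingok
    create 0640 oracle oinstall
}
EOF

# Corrected variant: the 'create' line is removed, so logrotate recreates the
# file with the ownership of the original root-owned, syslog-written file.
cat > "$WORK/oracle.audit.fixed" <<'EOF'
/var/log/oracle/audit.log {
    weekly
    rotate 52
    compress
    missingok
}
EOF

# audit_create_owner CONFIG USER
# Returns 0 when no uncommented 'create [mode] USER ...' directive is present,
# 1 otherwise (the offending lines are printed).
audit_create_owner() {
    cfg=$1; user=$2
    if grep -v '^[[:space:]]*#' "$cfg" |
       grep -E "^[[:space:]]*create([[:space:]]+[0-7]{3,4})?[[:space:]]+$user([[:space:]]|\$)"; then
        return 1
    fi
    return 0
}

# dry_run CONFIG: the same check step as in the post, with a private state
# file so nothing in /var/lib is touched; skipped if logrotate is not installed.
dry_run() {
    command -v logrotate >/dev/null 2>&1 || { echo "logrotate not installed"; return 0; }
    logrotate -d -s "$WORK/state" "$1"
}

audit_create_owner "$WORK/oracle.audit.weak" oracle || echo "weak: rotated file would belong to oracle"
audit_create_owner "$WORK/oracle.audit.fixed" oracle && echo "fixed: no create directive for oracle"
```

Run dry_run "$WORK/oracle.audit.fixed" afterwards to see what logrotate would do without changing anything, as the post describes.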
