RE: Protecting contents of AUDIT_FILE_DEST from 'oracle' OS user on *NIX...

  • From: Don Granaman <DonGranaman@xxxxxxxxxxxxxxx>
  • To: "dmann99@xxxxxxxxx" <dmann99@xxxxxxxxx>, "oracle-l@xxxxxxxxxxxxx" <oracle-l@xxxxxxxxxxxxx>
  • Date: Wed, 23 Nov 2011 11:19:27 -0600

Be aware that there are some potential "issues" with syslog.  Here are a few:

If AUDIT_SYS_OPERATIONS=TRUE, then the audit records generated by this will be 
sent to syslog - unless AUDIT_TRAIL=XML.  Then they are in XML files and not 
appended to syslog.

If AUDIT_SYS_OPERATIONS=TRUE (and AUDIT_TRAIL=OS or DB), then the audit records 
in syslog generated by AUDIT_SYS_OPERATIONS will break long chunks of SQL up 
into multiple pieces - and you will need to piece them back together. In OS or 
XML files, long SQL will be in one long section (as of 10.2.0.4 at least).

Sending standard audit trail records to syslog requires AUDIT_TRAIL=OS.  
EXTENDED is not available for OS, so you cannot get SQLTEXT or SQLBIND.


You *can* set AUDIT_SYSLOG_LEVEL=<something.useful> and 
[AUDIT_TRAIL=DB,EXTENDED or AUDIT_TRAIL=XML,EXTENDED] to send stuff subject to 
AUDIT_SYS_OPERATIONS to syslog and "standard audit trail" records to DB or XML. 
This would "protect" only the former from the DBA though.


Don Granaman | Phone: 402-361-3073 | Cell: 402-960-6955 | Fax: 402-361-3173 | 
Solutionary | Relevant . Intelligent . Security

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On 
Behalf Of David Mann
Sent: Monday, November 21, 2011 10:51 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: Re: Protecting contents of AUDIT_FILE_DEST from 'oracle' OS user on 
*NIX...

On Sat, Nov 19, 2011 at 11:48 AM, David Robillard
<david.robillard@xxxxxxxxx> wrote:
> Hello David,
>
> Why don't you send the audit logs over to syslog? Once configured to
> work with syslog, you can keep a local copy or have them sent over to
> your central syslog server. Easy, clean and secure.
>
> <ShamelessPlug>
> Maybe that could help?
> http://itdavid.blogspot.com/2011/02/manage-oracle-11gr2-asm-and-rdbms-audit.html
> </ShamelessPlug>

I think this is the way to go. I have probably skimmed that section of
the docs a half dozen times but obviously it never 'stuck'. Also
thanks to Paul D. who replied to me directly about the same method.
Now on to talk to the sysadmins and get a thumbs up from them :)

Don we are on our way to locking oracle user and using sudo 100% of
the time but not quite there yet.

Tim I like your method for getting granularity better than 1
time/minute with cron... but I think still there is some exposure
there ... if a malicious DBA is determined he could brute force rm* in
that directory and possibly remove some files.

-Dave

-- 
Dave Mann
www.brainio.us
www.ba6.us - Database Stuff - http://www.ba6.us/rss.xml
--
//www.freelists.org/webpage/oracle-l


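The split configuration Don describes above (SYS operations to syslog, the standard audit trail kept in the database with EXTENDED), written out as SQL*Plus statements. This is an added example, not code from anyone in the thread; it assumes an SPFILE-based 10.2/11g instance, and the facility.priority LOCAL1.WARNING is an illustrative choice, as is the AUDIT SELECT TABLE option used to generate a test record.

```sql
-- Added example (not from the thread). Assumes Oracle 10.2/11g with an SPFILE.
-- LOCAL1.WARNING is an illustrative facility.priority; use whatever the
-- syslog daemon forwards off-host to the central server.

-- 1. Standard audit trail to the database, with SQL text and bind values
--    (EXTENDED is only available with DB or XML, not OS).
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;

-- 2. Audit every statement run as SYSDBA / SYSOPER.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- 3. Send those SYS records to syslog instead of files under AUDIT_FILE_DEST.
ALTER SYSTEM SET audit_syslog_level = 'LOCAL1.WARNING' SCOPE = SPFILE;

-- All three parameters are static, so a restart is needed.
SHUTDOWN IMMEDIATE
STARTUP

-- 4. Confirm the running values after the restart.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_sys_operations', 'audit_syslog_level');

-- 5. Generate a standard (non-SYS) audit record and check it landed in
--    SYS.AUD$ with SQL_TEXT filled in.  Records produced by
--    AUDIT_SYS_OPERATIONS will not appear here; they went to syslog.
AUDIT SELECT TABLE BY ACCESS;   -- illustrative statement audit option
SELECT username, action_name, sql_text
  FROM dba_audit_trail
 WHERE timestamp > SYSDATE - 1/24
 ORDER BY timestamp DESC;
```

As Don notes, this only takes the SYSDBA/SYSOPER records out of the DBA's reach: everything in SYS.AUD$ is still deletable by a DBA, and the syslog copy is only as safe as the syslog destination, so the local file (if any) must not be writable by the oracle OS user and the forwarded copy should go to the central server.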