RE: tracing oracle filesystem access

  • From: "Thomas Jeff" <jeff.thomas@xxxxxxxxxxx>
  • To: <oracle-l@xxxxxxxxxxxxx>
  • Date: Wed, 11 Jan 2006 14:22:55 -0500

Oh boy.   I blanched and cringed when I read: '*' and JAVASYSPRIV.  
 
From an O/S level, I don't know how you can do this.    

In the database, perhaps you can check dependencies:

select owner, name, type from dba_dependencies
 where referenced_name = 'UTL_FILE';

And find out how extensively UTL_FILE is used -- perhaps simple code
inspection will suffice, provided the number of packages referencing
UTL_FILE is low.

As for JAVASYSPRIV, you might have a bigger issue: what about other
permissions that may be needed, such as lang.RuntimePermission or
net.SocketPermission, and so forth?

Jeff T.



-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Pakhutkin, Maxim
(Max)
Sent: Wednesday, January 11, 2006 1:28 PM
To: oracle-l@xxxxxxxxxxxxx
Subject: RE: tracing oracle filesystem access

Sorry, didn't explain myself properly.

The utl_file_dir is currently set to be '*'. Some users have
JAVASYSPRIV. I would like to restrict that as much as possible. To do
this I would like to identify any and all directories and files the
database processes access over a period of time. That way I will have a
certain degree of confidence that my restriction will not break existing
functionality.

I hope this is a better explanation. 

Max.


-----Original Message-----
From: Thomas Jeff [mailto:jeff.thomas@xxxxxxxxxxx]
Sent: Wednesday, January 11, 2006 1:22 PM
To: Pakhutkin, Maxim (Max); oracle-l@xxxxxxxxxxxxx
Subject: RE: tracing oracle filesystem access


Unless I'm missing something, can't you just do a show parameter
utl_file_dir in the respective databases to list all directories
accessible?
 
As for java, something like this:
 
SELECT kind, grantee, type_schema, type_name, name, action, enabled
  FROM dba_java_policy;

Look for a TYPE_NAME = java.io.FilePermission



________________________________

From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Pakhutkin, Maxim
(Max)
Sent: Wednesday, January 11, 2006 1:08 PM
To: oracle-l@xxxxxxxxxxxxx
Subject: tracing oracle filesystem access


Does anyone know of a way to trace/audit which files and directories
Oracle accesses, either via PL/SQL (utl_file_dir) or Java? I'm trying to
restrict Java access and PL/SQL access to the filesystem, but would like
to be able to monitor existing access patterns to make sure I will not
break any functionality when I apply the restriction.
 
The only way I can think of is by monitoring server processes with
truss, but that would be pretty cumbersome. The other way is to somehow
put a wrapper around sys.utl_file (but what about java?).
 
Thanks in advance.
 
Max Pakhutkin 
 
--
//www.freelists.org/webpage/oracle-l
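
Added example, not part of the original thread: one way to make the truss approach mentioned above less cumbersome is to reduce the captured output to the directories the server processes opened and compare them with a proposed utl_file_dir list. The sample lines, paths and function names are constructed for illustration and assume Solaris-style `truss -f` output.

```python
import posixpath
import re
from collections import Counter

# Constructed sample in the style of Solaris `truss -f -t open,open64` output.
SAMPLE_TRUSS = """\
4121:\topen("/u01/app/oracle/admin/PROD/udump/prod_ora_4121.trc", O_WRONLY|O_CREAT|O_APPEND, 0660) = 9
4121:\topen64("/data/feeds/in/orders_20060111.csv", O_RDONLY) = 11
4121:\topen64("/data/feeds/out/ack_20060111.txt", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 12
4188:\topen("/etc/passwd", O_RDONLY) = 11
4188:\topen64("/data/feeds/in/../../../tmp/x.dat", O_RDONLY)\tErr#2 ENOENT
4188:\tread(11, "root:x:0:0", 8192) = 10
"""

# Optional "pid:" prefix, open/open64, quoted path, flag list, then fd or Err#n.
OPEN_RE = re.compile(
    r'^(?:(?P<pid>\d+):\s+)?open(?:64)?\("(?P<path>[^"]+)",\s*(?P<flags>[A-Z_|]+)'
    r'[^)]*\)\s*(?:=\s*(?P<fd>-?\d+)|Err#(?P<errno>\d+))')

def parse_opens(text):
    """Yield (pid, normalized_path, mode, succeeded) for each open()/open64() line."""
    for line in text.splitlines():
        m = OPEN_RE.match(line.strip())
        if not m:
            continue  # not an open call (e.g. read, close)
        flags = set(m["flags"].split("|"))
        mode = "write" if flags & {"O_WRONLY", "O_RDWR"} else "read"
        # Lexical normalization only: collapses "..", does not resolve symlinks.
        yield m["pid"], posixpath.normpath(m["path"]), mode, m["errno"] is None

def summarize(text, proposed_dirs):
    """Count open attempts per (directory, mode); list directories not in proposed_dirs."""
    allowed = {posixpath.normpath(d) for d in proposed_dirs}
    seen = Counter()
    for _pid, path, mode, _ok in parse_opens(text):
        # Failed attempts are counted too: the code still tried to reach that directory.
        seen[(posixpath.dirname(path), mode)] += 1
    # Exact directory comparison; a listed directory does not cover its subdirectories here.
    outside = sorted({d for d, _mode in seen} - allowed)
    return seen, outside

if __name__ == "__main__":
    seen, outside = summarize(SAMPLE_TRUSS, ["/data/feeds/in", "/data/feeds/out/"])
    for (directory, mode), count in sorted(seen.items()):
        print(f"{count:4d}  {mode:5s}  {directory}")
    print("not covered by proposed list:", outside)
```

The capture covers every file the traced processes open, including trace files and datafiles, so the "not covered" list needs review before it is read as UTL_FILE or Java activity.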

