Re: Protecting contents of AUDIT_FILE_DEST from 'oracle' OS user on *NIX...

From: David Robillard <david.robillard_at_gmail.com>
Date: Sat, 19 Nov 2011 11:48:03 -0500
Message-ID: <CADH15GjvbMB7VuT7zm5QD1BeOYQ4ULOKqhZEoBCiqsCSyzDNWA_at_mail.gmail.com>
Hello David,

Why don't you send the audit logs over to syslog? Once configured to work with syslog, you can keep a local copy or have them sent over to your central syslog server. Easy, clean and secure.

<ShamelessPlug>
Maybe that could help?
http://itdavid.blogspot.com/2011/02/manage-oracle-11gr2-asm-and-rdbms-audit.html </ShamelessPlug>

HTH, David

--
David Robillard
http://www.linkedin.com/in/davidrobillard
http://itdavid.blogspot.com/


> I have been diving into auditing over the past few weeks and have
> worked out almost all the scenarios that we are interested in
> auditing. Most of the actions are related to user activity. We have
> one database where the customer wants all SYS activity audited as
> well. These are 10gR2 or later databases on Solaris and Linux.
>
> So I checked multiple blog posts, articles, and metalink docs and
> finally saw one that mentioned my concern... I was trying to figure
> out what can keep a SYS user from invoking say UTL_FILE and messing
> with a file that lives in AUDIT_FILE_DEST directory or just logging in
> as the oracle OS user and rm * in the AUDIT_FILE_DEST directory.
>
> From [ID 174340.1] "Audit SYS User Operations". : "The SYS audit
> records must go to OS files since the user SYS can delete his actions
> from AUD$, whereas if the files are written to the OS, they can be
> secured from the Oracle DBA by root (root must have some means to
> transfer the files to a secure location). It is not possible to
> configure that these records go into the AUD$ table."
>
> I can only think of one right now but it doesn't seem nearly secure
> enough. I guess I could have a sysadmin write a cron script to run as
> root and copy contents of the directory to a destination not
> accessible by the oracle OS user. But what is the resolution of CRON?
> 1 minute? Of course would have to make sure we only copied the file
> once so if the source file was changed at a later date it could be
> detected.
>
> Can anyone suggest any other configurations or mechanisms can be set
> up to protect these files?
>
> Thanks,
> -Dave
-- http://www.freelists.org/webpage/oracle-l
Received on Sat Nov 19 2011 - 10:48:03 CST
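For readers who want the concrete settings behind the syslog suggestion above, here is an added example of the Oracle side of the configuration. It is not from the original posts or from the linked blog; the facility and priority chosen (LOCAL1.INFO) are an assumption, and any facility LOCAL0-7 with a matching syslog rule works. The parameters themselves (AUDIT_TRAIL, AUDIT_SYSLOG_LEVEL, AUDIT_SYS_OPERATIONS) are real, static instance parameters, so they must be set in the SPFILE and take effect only after a restart.

```sql
-- Added example: route standard and SYS audit records to syslog
-- instead of files under AUDIT_FILE_DEST that the 'oracle' OS user owns.
-- All three parameters are static: SCOPE = SPFILE, then restart.

-- Write OS audit records; with AUDIT_SYSLOG_LEVEL set, they go to syslog.
ALTER SYSTEM SET audit_trail = 'OS' SCOPE = SPFILE;

-- facility.priority handed to syslog(3). LOCAL1.INFO is an assumption here;
-- the syslog daemon's rule for that facility decides where records land.
ALTER SYSTEM SET audit_syslog_level = 'LOCAL1.INFO' SCOPE = SPFILE;

-- Audit everything SYS (and SYSDBA/SYSOPER connections) do as well.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- Restart the instance here (SHUTDOWN IMMEDIATE / STARTUP), then verify
-- the running values rather than trusting the SPFILE edit:
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_syslog_level', 'audit_sys_operations');

-- Generate a known event and look for it in the syslog output:
AUDIT SESSION;
CONNECT / AS SYSDBA
-- A matching record for this SYSDBA connection should now appear in the
-- syslog destination, not in AUD$ and not in AUDIT_FILE_DEST.
```

On the OS side, a rule such as "local1.* -/var/log/oracle_audit.log" for a root-owned local copy and "local1.* @@loghost:514" to forward over TCP to the central collector (loghost is an assumed hostname) complete the setup. The security point is that the syslog daemon runs as root and owns the files, so the oracle OS user, and therefore SYS via UTL_FILE, can append records but cannot truncate or delete them; the caveat is that anyone who can write to /dev/log can inject look-alike lines, so the forwarded copy on a host the DBA cannot reach is the one to treat as authoritative.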