Re: Protecting contents of AUDIT_FILE_DEST from 'oracle' OS user on *N

From: David Robillard <david.robillard_at_gmail.com>
Date: Tue, 22 Nov 2011 10:53:14 -0500
Message-ID: <CADH15GhWiLOgETTU3UENOSpfer5LXrQHBQvLLhrrT=nqiJ4+=A_at_mail.gmail.com>



Hello David,

>> Why don't you send the audit logs over to syslog? Once configured to
>> work with syslog, you can keep a local copy or have then sent over to
>> your central syslog server. Easy, clean and secure.
>>
>> <ShamelessPlug>
>> Maybe that could help?
>> http://itdavid.blogspot.com/2011/02/manage-oracle-11gr2-asm-and-rdbms-audit.html
>> </ShamelessPlug>
>
> I think this is the way to go. I have probably skimmed that section of
> the docs a half dozen times but obviously it never 'stuck;.

Good idea :) I just noticed that in my blog post, logrotate is configured to create the log file with owner "oracle" and group "oinstall". This is obviously not what you want to do in your case. So just change the /etc/logrotate.d/oracle.audit file by removing the "create 0640 oracle oinstall" line from the file and you should be good. You can test your logrotate configuration by running

sudo logrotate -d /etc/logrotate.conf

No changes will be made to your system, but if you have configuration errors, they will be printed out along with all what logrotate would do if it would normally execute.

> Also thanks to Paul D. who replied to me directly about the same method.
> Now on to talk to the sysadmins and get a thumbs up from them :)

Say, if your sysadmins need some help with syslog, you can point them to the SAGE booklet « Building a Logging Infrastructure » by Abe Singer and Tina Bird [1]. It's a bit old, but it was very usefull to my team when we built our own syslog infrastructure.

> Don we are on our way to locking oracle user and using sudo 100% of
> the time but not quite there yet.

That's another good idea, but it can be hard to pin-point exactly which set of commands the user needs. Beware that if you give certain commands that have escape keys, they can get a root shell. For example, don't give "sudo vi" but use "sudo sudoedit" and configure sudoedit(8) to use vi(1) or another editor.

HTH, David

[1] http://www.sage.org/pubs/12_logging/

--
David Robillard
http://www.linkedin.com/in/davidrobillard
http://itdavid.blogspot.com
--
http://www.freelists.org/webpage/oracle-l
Received on Tue Nov 22 2011 - 09:53:14 CST

Original text of this message