RE: Protecting contents of AUDIT_FILE_DEST from 'oracle' OS user on *NIX...

From: Don Granaman <DonGranaman_at_solutionary.com>
Date: Wed, 23 Nov 2011 11:19:27 -0600
Message-ID: <FD98CB0EE75EEA438CAF4DA2E6071C420EAD4F9314_at_MAIL.solutionary.com>



Be aware that there are some potential "issues" with syslog. Here are a few:

If AUDIT_SYS_OPERATIONS=TRUE, then the audit records generated by this will be sent to syslog - unless AUDIT_TRAIL=XML. Then they are in XML files and not appended to syslog.

If AUDIT_SYS_OPERATIONS=TRUE (and AUDIT_TRAIL=OS or DB), then the audit records in syslog generated by AUDIT_SYS_OPERATIONS will break long chunks of SQL up into multiple pieces - and you will need to piece them back together. In OS or XML files, long SQL will be in one long section (as of 10.2.0.4 at least).

For standard audit trail records to be sent to syslog requires AUDIT_TRAIL=OS. EXTENDED is not available for OS, so you cannot get SQLTEXT or SQLBIND.

You *can* set AUDIT_SYSLOG_LEVEL=<something.useful> and [AUDIT_TRAIL=DB,EXTENDED or AUDIT_TRAIL=XML,EXTENDED] to send stuff subject to AUDIT_SYS_OPERATIONS to syslog and "standard audit trail" records to DB or XML. This would "protect" only the former from the DBA though.

Don Granaman | Phone: 402-361-3073 | Cell: 402-960-6955 | Fax: 402-361-3173 | Solutionary | Relevant . Intelligent . Security
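The parameter combination Don describes (SYS operations to syslog, standard audit trail kept in the database with EXTENDED), as an added SQL example that is not from any poster in this thread; the facility and level LOCAL1.WARNING and the settings shown as the weak starting point are assumptions for illustration.

```sql
-- Added example: send AUDIT_SYS_OPERATIONS records to syslog while keeping the
-- standard audit trail in the database with EXTENDED (so SQLTEXT/SQLBIND survive).
-- All three parameters are static, so SCOPE=SPFILE plus an instance restart.

-- Assumed weak starting point: every record lands in AUDIT_FILE_DEST, which the
-- 'oracle' OS account owns and can therefore truncate or remove.
--   audit_trail          = OS
--   audit_sys_operations = FALSE
--   audit_syslog_level   = (unset)

-- Hardened settings. LOCAL1.WARNING is an assumed facility.level; choose one your
-- syslog daemon forwards to a collector the DBA has no access to.
ALTER SYSTEM SET audit_sys_operations = TRUE             SCOPE = SPFILE;
ALTER SYSTEM SET audit_syslog_level   = 'LOCAL1.WARNING' SCOPE = SPFILE;
ALTER SYSTEM SET audit_trail          = DB, EXTENDED     SCOPE = SPFILE;

-- After the restart, confirm the values actually in effect.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_sys_operations',
                'audit_syslog_level', 'audit_file_dest')
 ORDER BY name;
```

The syslog daemon on the host still has to be configured so that the file or remote receiver for that facility is not writable by the oracle OS account; otherwise the records are no better protected than they were in AUDIT_FILE_DEST.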

-----Original Message-----
From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of David Mann
Sent: Monday, November 21, 2011 10:51 AM
To: oracle-l_at_freelists.org
Subject: Re: Protecting contents of AUDIT_FILE_DEST from 'oracle' OS user on *NIX...

On Sat, Nov 19, 2011 at 11:48 AM, David Robillard <david.robillard_at_gmail.com> wrote:
> Hello David,
>
> Why don't you send the audit logs over to syslog? Once configured to
> work with syslog, you can keep a local copy or have them sent over to
> your central syslog server. Easy, clean and secure.
>
> <ShamelessPlug>
> Maybe that could help?
> http://itdavid.blogspot.com/2011/02/manage-oracle-11gr2-asm-and-rdbms-audit.html
> </ShamelessPlug>

I think this is the way to go. I have probably skimmed that section of the docs a half dozen times but obviously it never 'stuck'. Also thanks to Paul D. who replied to me directly about the same method. Now on to talk to the sysadmins and get a thumbs up from them :)

Don we are on our way to locking oracle user and using sudo 100% of the time but not quite there yet.

Tim I like your method for getting granularity better than 1 time/minute with cron... but I think there is still some exposure there ... if a malicious DBA is determined he could brute force rm* in that directory and possibly remove some files.

-Dave

-- 
Dave Mann
www.brainio.us
www.ba6.us - Database Stuff - http://www.ba6.us/rss.xml
--
http://www.freelists.org/webpage/oracle-l

Received on Wed Nov 23 2011 - 11:19:27 CST
