Our IT auditor wants to save our audit log files to the OS, where they can be protected by root so that the Oracle DBA (sys) cannot tamper with them. Then the auditor wants to send them to our central audit log server on another machine.
I found this link on Google:
The link mentioned 3rd-party software like Kiwi and Splunk. Is this needed to send the audit log to syslog?
Thanks a lot,
> Our IT auditor wants to save our audit log files to the OS, where they can be protected by root so that the Oracle DBA (sys) cannot tamper with them.
For an Oracle process, such as a database process, to write to an o/s file, it needs specific file permissions to perform that I/O to that file. When a DBA uses an ssh or telnet session, that too is an Oracle o/s process. It will have the same file permissions as the database process. So how is the kernel supposed to protect the o/s file against the DBA's process, and allow access to the database process, when both processes are from the same o/s user?
Something is needed to prevent that - that turns the I/O call to the audit file into an I/O call to software, where that software writes the data to another destination.
Simple example. Audit file is created by this software as a Unix pipe. Oracle writes audit text lines to this pipe (which it sees as a file). The software reads the data from the pipe and writes it to another destination (such as syslog). As this software can run as another o/s user, it cannot be subverted by the DBA.
Problem though is - how do you prevent the DBA from "spamming" this manually in order to subvert what is audited and hide illegal activity amongst invalid and made up auditing?
The real answer to this is not to write audit log to somewhere else. It is looking at proper security options like Database Vault. And not expecting these proper options to be free and easy.
Your IT auditor wants security? Then that needs to be paid for. In cold hard cash.
> It is looking at proper security options like Database Vault.
OR Audit Vault?
Hemant K Chitale
Thanks Billy/Hemant for the very clear explanation.
So with that all being said, how did you handle this issue in your company? (The securing of audit logs).
We have bought Database Vault, but it does not secure database syslogs, only app user tables, so that SYS cannot select the tables belonging to app users.
Can you explain further whether we need to implement syslogs when they can still be tampered with by the Oracle DBA?
Or is Database Vault enough? And how do we protect SYS.AUD$ using Database Vault?
The docs said:
About the Syslog Audit Trail

A potential security vulnerability for the operating system audit trail is that a privileged user, such as a database administrator, can modify or delete database audit records. To minimize this risk, you can use a syslog audit trail. Syslog is a standard protocol on UNIX-based systems for logging information from different components of a network. Applications call the syslog() function to log information to the syslog daemon, which then determines where to log the information. You can configure syslog to log information to a file or to a dedicated host by editing the syslog.conf file. You can also configure syslog to alert a specified set of users when information is logged.

Because applications, such as an Oracle process, use the syslog() function to log information to the syslog daemon, a privileged user would not have permissions to the file system where syslog messages are logged. For this reason, audit records stored using a syslog audit trail can be more secure than audit records stored using an operating system audit trail. In addition to restricting permissions to a file system for a privileged user, for a syslog audit trail to be secure, neither privileged users nor the Oracle process should have root access to the system where the audit records are written.

You should have a strong understanding of how to work with syslog auditing. See the following references for more information about syslog:
> What caution do I have to take?
> Paragraph 2 said it is more secure and cannot be accessed by privileged users such as oracle.
Kindly validate please. Thanks.
You'd need to know syslog or talk to your Unix administrator about syslog. He needs to configure syslog and provide you with a syslog service facility name that you'd use to configure oracle's writes to syslog. syslog is protected by root so the oracle dba cannot modify syslog entries.
Hemant K Chitale
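A check that follows from Billy's point that the kernel cannot protect a file from a DBA shell running as the same o/s user as the database, and from Hemant's note that the syslog destination is root-protected, added here as an example (not code from the thread or from Oracle): it reports whether a given o/s user, such as oracle, could alter or remove an audit destination, whether a file in the OS audit trail directory or the file syslogd writes to. The user name and paths are assumed command-line inputs.

```python
import grp
import os
import pwd
import stat
import sys

# Added example: permission check for audit destinations (not from the thread).
# "Tamperable" means the user can write the object itself, or can write its parent
# directory (which allows rename/unlink of the audit file). Root always can.


def user_can_write(mode, file_uid, file_gid, uid, gids):
    """Pure Unix permission check for one object: st_mode, owner uid, owner gid,
    against a user given as (uid, set of gids). Owner bits are final; group bits
    apply only if the owner test did not; otherwise the 'other' bits decide."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_path_tamperable(path, uid, gids):
    """True if the user could change or remove the audit data at `path`."""
    st = os.stat(path)
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    return (user_can_write(st.st_mode, st.st_uid, st.st_gid, uid, gids)
            or user_can_write(parent.st_mode, parent.st_uid, parent.st_gid, uid, gids))


def unix_identity(username):
    """Resolve a username to (uid, set of gids), including supplementary groups."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return pw.pw_uid, gids


if __name__ == "__main__":
    # usage: audit_check.py <os-user> <path>...  (paths are whatever your site uses,
    # e.g. the adump directory and the file syslog.conf points the facility at)
    user, paths = sys.argv[1], sys.argv[2:]
    uid, gids = unix_identity(user)
    for p in paths:
        verdict = "TAMPERABLE" if audit_path_tamperable(p, uid, gids) else "protected"
        print(f"{p}: {verdict} by {user}")
```

Run it as root against the audit trail directory and the syslog output file; a "protected" verdict for the oracle user is what the auditor is asking for, while an OS audit trail under the oracle user's own adump directory will always come back "TAMPERABLE".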