This section discusses the basic operations to manage security for an Oracle ACFS file system on Linux.
The scenario in this section shows how to use Oracle ACFS security to ensure that only the maintenance user can access medical history files during the maintenance period. Oracle ACFS encryption is also enabled on the same file system.
In this scenario, the disk group on which the volume is created for the file system has compatibility attributes for ASM and ADVM set to 11.2.0.3 or higher. For information about disk group compatibility, refer to "Disk Group Compatibility".
For the examples in this section, various operating system users, operating system groups, and directories must exist.
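Before running any acfsutil sec command, it helps to confirm the operating system prerequisites stated above. The following shell script is an added example, not part of Oracle's documentation: it uses the standard id and getent commands to check the users, groups, and directory named in the steps below, and its function names (in_list, user_in_group, report, preflight) are illustrative.

```sh
# Added example: read-only pre-flight check for the scenario's OS prerequisites.
# Account, group and path names are the ones used on this page.

SEC_GROUP=medHistAdminGrp
SEC_ADMINS="medHistAdmin1 medHistAdmin2"
REALM_USERS="medMaintenance medBrowse"
BACKUP_GROUP=sysBackupGrp
RECORDS_DIR=/acfsmounts/acfs1/medicalrecords

# in_list WORD "a b c": succeed if WORD is one of the space-separated items.
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# user_in_group USER GROUP: succeed if USER exists and belongs to GROUP.
user_in_group() {
    memberships=$(id -Gn "$1" 2>/dev/null) || return 1
    in_list "$2" "$memberships"
}

# report STATUS MESSAGE: print one result line and count the failures.
report() {
    [ "$1" = OK ] || FAILED=$((FAILED + 1))
    printf '%-4s %s\n' "$1" "$2"
}

# preflight: run every check; the number of failed checks is left in FAILED.
preflight() {
    FAILED=0
    for grp in "$SEC_GROUP" "$BACKUP_GROUP"; do
        if getent group "$grp" >/dev/null 2>&1; then report OK "group $grp exists"
        else report FAIL "group $grp missing"; fi
    done
    for adm in $SEC_ADMINS; do
        if user_in_group "$adm" "$SEC_GROUP"; then report OK "$adm is in $SEC_GROUP"
        else report FAIL "$adm missing or not in $SEC_GROUP"; fi
    done
    for usr in $REALM_USERS; do
        if id "$usr" >/dev/null 2>&1; then report OK "user $usr exists"
        else report FAIL "user $usr missing"; fi
    done
    if [ -d "$RECORDS_DIR" ]; then report OK "$RECORDS_DIR exists"
    else report FAIL "$RECORDS_DIR missing"; fi
    echo "$FAILED check(s) failed"
}
preflight
```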
The basic steps to manage security are:
Initialize security for Oracle ACFS.
Run the acfsutil sec init command to configure storage for security credentials and identify an operating system user as the first security administrator and the operating system security group. The security administrator must belong to the operating system group. This command must be run before any other security command and requires root or Windows Administrator privileges to run.
The acfsutil sec init command is only run once to set up Oracle ACFS security for each cluster and can be run from any node in the cluster. Other security commands can also be run from any node in a cluster. Security administrators are common for all Oracle ACFS file systems in a cluster.
For example, the following command initializes security for a cluster and creates the first security administrator (medHistAdmin1).
# /sbin/acfsutil sec init -u medHistAdmin1 -g medHistAdminGrp
The medHistAdmin1 security administrator must belong to the medHistAdminGrp operating system group. That group is identified as the security group for the security administrators.
When the root user or Windows Administrator user runs the command, the user assigns a security password to the security administrator. The first security administrator can change the password with the acfsutil sec admin password command. The valid password format is described in "acfsutil sec init". For information about acfsutil sec admin password, refer to "acfsutil sec admin password".
All acfsutil sec commands (other than acfsutil sec init) must be run by an Oracle ACFS security administrator, and the administrator is prompted for the security administrator's password when each command is run.
When prompting for the security administrator's password, the following text displays: Realm management password
The password required is the Oracle ACFS security administrator's password, not the operating system password of the user.
Security administrators are allowed to browse all directories in an Oracle ACFS file system, regardless of whether they have the underlying operating system permissions and whether any realm checks allow it. This functionality enables a security administrator to check the location of the files when securing them with Oracle ACFS security realms. However, a security administrator cannot view the contents of individual files without the appropriate operating system and security realm permissions.
For more information, refer to "acfsutil sec init" and "acfsutil sec admin password".
Add additional security administrators as necessary.
The first security administrator can add additional security administrators to administer Oracle ACFS security with the acfsutil sec admin add command.
For example, add a new security administrator medHistAdmin2.
$ /sbin/acfsutil sec admin add medHistAdmin2
The medHistAdmin2 user must belong to the operating system group (medHistAdminGrp) identified as the security administrator group with the acfsutil sec init command.
The medHistAdmin2 security administrator should change the assigned temporary security password with the acfsutil sec admin password command. The medHistAdmin2 administrator can add new security administrators.
For more information, refer to "acfsutil sec admin add" and "acfsutil sec admin password".
Prepare an Oracle ACFS file system for security.
Run the acfsutil sec prepare command on an Oracle ACFS file system before adding any security realms.
For example, prepare the Oracle ACFS file system mounted on /acfsmounts/acfs1 for Oracle ACFS security.
$ /sbin/acfsutil sec prepare -m /acfsmounts/acfs1
By default, security is enabled for a file system after running this command. You can explicitly disable or enable security with the acfsutil sec disable or acfsutil sec enable commands. For more information, refer to "acfsutil sec disable" and "acfsutil sec enable".
This command automatically creates several security realms, such as the SYSTEM_BackupOperators security realm. Administrators can add users to the SYSTEM_BackupOperators realm, which gives those users permissions to make backups of realm-secured files in the Oracle ACFS file system.
For more information, refer to "acfsutil sec prepare".
Provide encryption for this file system.
Encrypting the file system is optional, but is enabled in this scenario.
First, run the acfsutil encr init command to initialize encryption and create the storage necessary for the encryption keys. This command must be run one time for each cluster on which encryption is set up.
For example, the following command initializes encryption for a cluster.
# /sbin/acfsutil encr init
This command must be run before any other encryption command and requires root or administrator privileges to run. For more information, refer to "acfsutil encr init".
Next, run the acfsutil encr set command to set encryption for the Oracle ACFS file system.
For example, the following command sets encryption for the file system mounted on the /acfsmounts/acfs1 directory.
# /sbin/acfsutil encr set -m /acfsmounts/acfs1/
The acfsutil encr set command transparently generates a volume encryption key which is stored in the key store that was previously configured with the acfsutil encr init command. This command requires root or administrator privileges to run.
For more information, refer to "acfsutil encr init" and "acfsutil encr set".
Create a security realm on the file system.
Run the acfsutil sec realm create command to create a security realm for a file system.
For example, create a security realm named medHistRealm which contains medical records files with all files encrypted in the realm.
$ /sbin/acfsutil sec realm create medHistRealm -m /acfsmounts/acfs1/ -e on -a AES -k 128
The -e option specifies that all the files in the realm are encrypted with the AES algorithm and the key length set to 128 bits. The file system must first be prepared for encryption with the acfsutil encr init and acfsutil encr set commands. You do not have to enter the same value for the -k option with acfsutil sec realm create as you have entered with the acfsutil encr set command.
For more information, refer to "acfsutil sec realm create".
Create security rules.
Run the acfsutil sec rule create command to create rules which determine access to the files and directories of a security realm.
For example, create rules that can enable the medMaintenance user to access medical records for the time period 10 PM to 2 AM for file maintenance. Also, create rules that can deny operations during the time period 8 AM to 9 AM and deny operations to the medBrowse user.
$ /sbin/acfsutil sec rule create medHistRule1a -m /acfsmounts/acfs1/ -t time 22:00:00,02:00:00 -o ALLOW
$ /sbin/acfsutil sec rule create medHistRule1b -m /acfsmounts/acfs1/ -t username medMaintenance -o ALLOW
$ /sbin/acfsutil sec rule create medHistRule1c -m /acfsmounts/acfs1/ -t time 08:00:00,09:00:00 -o DENY
$ /sbin/acfsutil sec rule create medHistRule1d -m /acfsmounts/acfs1/ -t username medBrowse -o DENY
You can edit rules with the acfsutil sec rule edit command.
For more information, refer to "acfsutil sec rule create" and "acfsutil sec rule edit".
Create security rule sets and add rules to rule sets.
Run the acfsutil sec ruleset create command to create rule sets to which rules can be added.
For example, create rule sets named medRuleSet1 and medRuleSet2 that include rules for operations on the files and directories of the medHistRealm security realm.
$ /sbin/acfsutil sec ruleset create medRuleSet1 -m /acfsmounts/acfs1/
$ /sbin/acfsutil sec ruleset create medRuleSet2 -m /acfsmounts/acfs1/
Add existing rules to the rule sets.
$ /sbin/acfsutil sec ruleset edit medRuleSet1 -m /acfsmounts/acfs1/ -a medHistRule1a,medHistRule1b -o ALL_TRUE
$ /sbin/acfsutil sec ruleset edit medRuleSet2 -m /acfsmounts/acfs1/ -a medHistRule1c,medHistRule1d -o ALL_TRUE
The ALL_TRUE option is the default action, but is added here to emphasize that both rules in each rule set must be true.
For more information, refer to "acfsutil sec ruleset create" and "acfsutil sec ruleset edit".
Add objects to a security realm.
Run the acfsutil sec realm add command to add objects, such as command rules, rule sets, and files, to a security realm. For example, add the medRuleSet1 and medRuleSet2 rule sets and all the files in the /acfsmounts/acfs1/medicalrecords directory to the medHistRealm.
When adding a rule set to a realm, the rule set is added with a command rule, such as DELETEFILE:medRuleSet1. Only one rule set can be included with each command rule. To display a list of the command rules, use acfsutil sec info with the -c option. Refer to "acfsutil sec info".
The following acfsutil sec realm add command enables the medMaintenance user to delete medical records during the time period 10 PM to 2 AM, but blocks writing to files during 8 AM to 9 AM.
$ /sbin/acfsutil sec realm add medHistRealm -m /acfsmounts/acfs1/ -l DELETEFILE:medRuleSet1 -f -r /acfsmounts/acfs1/medicalrecords
This acfsutil sec realm add command prevents the medBrowse user from writing or deleting medical records anytime.
$ /sbin/acfsutil sec realm add medHistRealm -m /acfsmounts/acfs1/ -l WRITE:medRuleSet2 -f -r /acfsmounts/acfs1/medicalrecords
This acfsutil sec realm add command adds backup operators to the SYSTEM_BackupOperators security realm that was automatically created with the acfsutil sec prepare command.
$ /sbin/acfsutil sec realm add SYSTEM_BackupOperators -m /acfsmounts/acfs1/ -G sysBackupGrp
Users that belong to the sysBackupGrp operating system group can now make backups of realm-secured files in the Oracle ACFS file system.
For more information, refer to "acfsutil sec realm add" and "acfsutil sec realm delete".
Display security information.
Run the acfsutil sec info command to display information for a security realm. For example, display security information for the medHistRealm realm.
$ /sbin/acfsutil sec info -m /acfsmounts/acfs1/ -n medHistRealm
To display the security realms to which a file or a directory belongs, run the acfsutil sec info file command. For example:
$ /sbin/acfsutil sec info file -m /acfsmounts/acfs1/ /acfsmounts/acfs1/medicalrecords
For more information, refer to "acfsutil sec info" and "acfsutil sec info file".
Save security metadata as a backup.
Run the acfsutil sec save command to save the security metadata of a file system.
For example, save the security metadata of the /acfsmounts/acfs1 file system to the acfs1_backup.xml file.
$ /sbin/acfsutil sec save -m /acfsmounts/acfs1 -p acfs1_backup.xml
The acfs1_backup.xml security metadata backup file is saved in the /acfsmounts/acfs1/.Security/backup/ directory. The saved XML file can be loaded with the acfsutil sec load command.
For more information, refer to "acfsutil sec save" and "acfsutil sec load".
You can run some acfsutil sec commands in a batch file with the acfsutil sec batch command. For example, you could create a batch file that contains a group of acfsutil sec rule and acfsutil sec ruleset commands. For more information, refer to "acfsutil sec batch".
Auditing and diagnostic data for Oracle ACFS security is saved to log files. For more information about Oracle ACFS security, including the log files, refer to "Oracle ACFS Security".