Purpose
Enables auditing of a specific command rule or all command rules for files in an Oracle ACFS security realm.
Syntax and Description
acfsutil sec realm audit enable -h
acfsutil sec realm audit enable realm -m mount_point [-l commandrule,commandrule,...] [-a] [-v [-u]]
acfsutil sec realm audit enable -h displays help text and exits.
Table 16-62 contains the options available with the acfsutil sec realm audit enable command.
Table 16-62 Options for the acfsutil sec realm audit enable command
Option | Description |
---|---|
realm | Specifies the security realm name. |
-m mount_point | Specifies the directory where the file system is mounted. |
-l commandrule,commandrule,... | Specifies the command rules on which to enable auditing. If this option is not specified, then the list of all command rules is the default. For a list of command rules, refer to Table 16-60. To display a list of the command rules, use |
-a | Specifies to audit realm authorizations. |
-v [-u] | Specifies to audit realm violations. If |
If the acfsutil sec realm audit enable command is run multiple times, then the earlier configuration is not negated and the new settings are also applied. An exception to this behavior occurs when the command is run with the -v option and the specified command rule already has auditing set for realm violations. In this case, the behavior is updated according to whether the -u flag was specified. For more information, see Example 16-56.
Multiple entries can be added in a comma-delimited list when listing command rules. Do not use spaces in the comma-delimited list. If spaces are added, then enclose the list in quotes.
If neither -a nor -v is specified with the acfsutil sec realm audit enable command, the default is -v. Both -a and -v can be specified.
Only a security administrator can run this command. This command is authenticated using the Oracle ACFS security administrator password.
Examples
Example 16-54 shows how to enable auditing of the Oracle ACFS backup operators. Because these users are allowed access to files through the SYSTEM_Backup realm and are granted special privileges that give them access to all files on the file system, a security administrator may want to audit their actions. After the command is executed, any time a member of the SYSTEM_Backup realm opens a file, an audit record is written to the Oracle ACFS Security audit trail on the file system.
Example 16-54 Auditing Oracle ACFS security backup operators
$ /sbin/acfsutil sec realm audit enable SYSTEM_Backup -m /acfsmounts/acfs1 -l OPEN -a
Example 16-55 shows how to use the -u option to audit realm violations by users who are part of the realm. In this scenario, sensitive human resources information is stored in the HumanResources security realm and the hr group is allowed to access this information. However, a ruleset applied to the ALL command rule prevents access to this data from 6 PM to 8 AM. With this command, the security administrator could discover whether any human resources employees are attempting to access sensitive data outside of the allowed time period. After this command is executed, only access violations by users who are members of the hr group are audited.
Example 16-55 Auditing only security realm users
$ /sbin/acfsutil sec realm audit enable HumanResources -m /acfsmounts/acfs1 -l ALL -v -u
Example 16-56 shows multiple runs of the acfsutil sec realm audit enable command. After run 1, the OPEN (all violations) and WRITE (all violations) command rules are audited. After run 2, the OPEN (all violations), WRITE (all violations), and DELETEFILE (authorizations) command rules are audited. After run 3, the OPEN (authorizations and realm user violations), WRITE (all violations), DELETEFILE (authorizations), and TRUNCATE (authorizations and realm user violations) command rules are audited. After run 4, all violations are audited on all command rules. In addition, authorizations are audited for OPEN, DELETEFILE, and TRUNCATE.
Example 16-56 Running acfsutil sec realm audit enable multiple times
$ echo run 1
$ /sbin/acfsutil sec realm audit enable mySecureRealm -m /acfsmounts/acfs1 -l OPEN,WRITE -v
$ echo run 2
$ /sbin/acfsutil sec realm audit enable mySecureRealm -m /acfsmounts/acfs1 -l DELETEFILE -a
$ echo run 3
$ /sbin/acfsutil sec realm audit enable mySecureRealm -m /acfsmounts/acfs1 -l OPEN,TRUNCATE -a -v -u
$ echo run 4
$ /sbin/acfsutil sec realm audit enable mySecureRealm -m /acfsmounts/acfs1 -v
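The accumulation rules stated above (earlier settings are kept, -v re-applies the -u choice, no -l means every command rule, no flag means -v) are easy to misjudge when an administrator checks whether a realm's audit configuration matches what they intended. The following is an added example, not Oracle's code: a small Python model of those rules that parses the documented option syntax and replays the four runs of Example 16-56 so the resulting per-rule audit state can be compared with the text. It assumes a constructed subset of command rules (OPEN, WRITE, DELETEFILE, TRUNCATE), since Table 16-60 is not on this page, and it never touches a file system.

```python
# Added example (not Oracle's code): a model of how repeated
# `acfsutil sec realm audit enable` runs accumulate, as the text describes.
# COMMAND_RULES is a constructed subset; Table 16-60 is not on this page.
import copy
import shlex

COMMAND_RULES = ("OPEN", "WRITE", "DELETEFILE", "TRUNCATE")

def new_state():
    # Per command rule: are authorizations audited, and which violations
    # are audited (None, "all", or "realm_users" for the -u case).
    return {rule: {"auth": False, "viol": None} for rule in COMMAND_RULES}

def enable(state, rules=None, a=False, v=False, u=False):
    """Apply one run: earlier settings stay; -v re-applies the -u choice."""
    if not a and not v:
        v = True                          # neither flag given: default is -v
    for rule in rules or COMMAND_RULES:   # no -l: every command rule
        entry = state.setdefault(rule, {"auth": False, "viol": None})
        if a:
            entry["auth"] = True
        if v:                             # violation scope follows -u
            entry["viol"] = "realm_users" if u else "all"
    return state

def enable_from_cmdline(state, cmdline):
    """Parse the documented option syntax and apply it to the model."""
    argv = shlex.split(cmdline)
    i = argv.index("enable") + 2          # skip fixed words and the realm name
    rules, flags = None, set()
    while i < len(argv):
        if argv[i] == "-l":
            rules, i = argv[i + 1].split(","), i + 2
        elif argv[i] == "-m":
            i += 2                        # mount point does not affect the model
        else:
            flags.add(argv[i])
            i += 1
    return enable(state, rules, "-a" in flags, "-v" in flags, "-u" in flags)

def example_16_56():
    """Replay the four runs of Example 16-56; return a snapshot after each."""
    prefix = "acfsutil sec realm audit enable mySecureRealm -m /acfsmounts/acfs1 "
    state, snapshots = new_state(), []
    for opts in ("-l OPEN,WRITE -v", "-l DELETEFILE -a",
                 "-l OPEN,TRUNCATE -a -v -u", "-v"):
        enable_from_cmdline(state, prefix + opts)
        snapshots.append(copy.deepcopy(state))
    return snapshots
```

The four snapshots match the states the text gives after each run; in particular, run 4 turns the OPEN and TRUNCATE violation audit back from realm users only to all users because -v was given without -u.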