acfsutil sec realm audit enable

Purpose

Enables auditing of a specific command rule or all command rules for files in an Oracle ACFS security realm.

Syntax and Description

acfsutil sec realm audit enable -h
acfsutil sec realm audit enable realm -m mount_point
     [-l commandrule,commandrule,...]
     [-a] [-v [-u]]

acfsutil sec realm audit enable -h displays help text and exits.

Table 16-62 contains the options available with the acfsutil sec realm audit enable command.


Table 16-62 Options for the acfsutil sec realm audit enable command

Option Description

realm

Specifies the security realm name.

-m mount_point

Specifies the directory where the file system is mounted.

-l commandrule

Specifies the command rules on which to enable auditing.

If this option is not specified, then the list of all command rules is the default.

For a list of command rules, refer to Table 16-60. To display a list of the command rules, use acfsutil sec info with the -c option. Refer to "acfsutil sec info".

-a

Specifies to audit realm authorizations.

-v [-u]

Specifies to audit realm violations. If -u is also specified, only realm violations by users who are members of the realm are audited.


If the acfsutil sec realm audit enable command is run multiple times, then the earlier configuration is not negated and the new settings are applied in addition to it. An exception to this behavior occurs when the command is run with the -v option and the specified command rule already has auditing set for realm violations. In this case, the existing violation setting is replaced according to whether the -u flag was specified. For more information, see Example 16-56.

Multiple entries can be added in a comma-delimited list when listing command rules. Do not use spaces in the comma-delimited list. If spaces are added, then enclose the list in quotes.

If neither -a nor -v is specified with the acfsutil sec realm audit enable command, the default is -v. Both -a and -v can be specified together.

Only a security administrator can run this command. This command is authenticated using the Oracle ACFS security administrator password.

Examples

Example 16-54 shows how to enable auditing of the Oracle ACFS backup operators. Because these users are allowed access to files through the SYSTEM_Backup realm and are granted special privileges that give them access to all files on the file system, a security administrator may want to audit their actions. After the command is executed, any time a member of the SYSTEM_Backup realm opens a file, an audit record is written to the Oracle ACFS Security audit trail on the file system.

Example 16-54 Auditing Oracle ACFS security backup operators

$ /sbin/acfsutil sec realm audit enable SYSTEM_Backup \
    -m /acfsmounts/acfs1 -l OPEN -a

Example 16-55 shows how to use the -u option to audit realm violations by users who are part of the realm. In this scenario, sensitive human resources information is stored in the HumanResources security realm and the hr group is allowed to access this information. However, a ruleset applied to the ALL command rule prevents access to this data from 6 PM to 8 AM. With this command, the security administrator can discover whether any human resources employees are attempting to access sensitive data outside of the allowed time period. After this command is executed, only access violations by users who are members of the hr group are audited.

Example 16-55 Auditing only security realm users

$ /sbin/acfsutil sec realm audit enable HumanResources \
    -m /acfsmounts/acfs1 -l ALL -v -u

Example 16-56 shows multiple runs of the acfsutil sec realm audit enable command. After run 1, the OPEN (all violations) and WRITE (all violations) command rules are audited. After run 2, the OPEN (all violations), WRITE (all violations), and DELETEFILE (authorizations) command rules are audited. After run 3, the OPEN (authorizations and realm user violations), WRITE (all violations), DELETEFILE (authorizations), and TRUNCATE (authorizations and realm user violations) command rules are audited. After run 4, all violations are audited on all command rules. In addition, authorizations are audited for OPEN, DELETEFILE, and TRUNCATE.

Example 16-56 Running acfsutil sec realm audit enable multiple times

$ echo run 1
$ /sbin/acfsutil sec realm audit enable mySecureRealm \
    -m /acfsmounts/acfs1 -l OPEN,WRITE -v

$ echo run 2
$ /sbin/acfsutil sec realm audit enable mySecureRealm \
    -m /acfsmounts/acfs1 -l DELETEFILE -a

$ echo run 3
$ /sbin/acfsutil sec realm audit enable mySecureRealm \
    -m /acfsmounts/acfs1 -l OPEN,TRUNCATE -a -v -u

$ echo run 4
$ /sbin/acfsutil sec realm audit enable mySecureRealm \
    -m /acfsmounts/acfs1 -v
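The merge behavior described above (settings accumulate across runs, -v replaces an existing violation scope according to -u, -l defaults to all command rules, and -v is the default when neither -a nor -v is given) is easy to get wrong when planning an audit policy. The following Python model replays the four runs of Example 16-56 so an administrator can predict the resulting audit configuration before touching a file system. It is an added illustration, not part of acfsutil or the Oracle documentation; the command-rule list is a constructed subset (the authoritative list is Table 16-60), and tolerating whitespace around names in the -l list is an assumption of the model.

```python
"""Model of the documented merge semantics of `acfsutil sec realm audit enable`.

Illustrative simulation only, not part of acfsutil. It tracks, per command rule,
whether authorizations are audited and whether violations are audited for all
users or only for realm members, applying the rules stated in the documentation:
  - no -l           -> every command rule is affected
  - neither -a/-v   -> -v is the default
  - repeated runs   -> earlier settings are kept; -v on a rule that already audits
                       violations replaces the scope according to whether -u is set
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed subset of command rules for the simulation; the authoritative list
# is Table 16-60 of the Oracle documentation and is not reproduced here.
COMMAND_RULES: List[str] = ["OPEN", "WRITE", "DELETEFILE", "TRUNCATE", "READ"]


@dataclass
class RuleAudit:
    authorizations: bool = False
    # None (not audited), "all" (every user) or "realm_users" (-v -u)
    violations: Optional[str] = None


def parse_rule_list(arg: str) -> List[str]:
    """Split a -l argument on commas. Stripping whitespace around names is an
    assumption of this model (the documentation only says to quote such a list)."""
    return [name.strip() for name in arg.split(",") if name.strip()]


class RealmAuditConfig:
    """Audit settings of one security realm on one mounted file system."""

    def __init__(self, rules: List[str] = COMMAND_RULES) -> None:
        self.rules: Dict[str, RuleAudit] = {name: RuleAudit() for name in rules}

    def enable(self, commandrules: Optional[List[str]] = None,
               a: bool = False, v: bool = False, u: bool = False) -> None:
        """Apply one `acfsutil sec realm audit enable` invocation."""
        if u and not v:
            raise ValueError("-u is only meaningful together with -v")
        targets = commandrules if commandrules else list(self.rules)
        if not a and not v:          # neither -a nor -v: -v is the default
            v = True
        for name in targets:
            if name not in self.rules:
                raise ValueError(f"unknown command rule: {name}")
            rule = self.rules[name]
            if a:                    # -a adds authorization auditing, never removes it
                rule.authorizations = True
            if v:                    # -v sets or replaces the violation scope
                rule.violations = "realm_users" if u else "all"

    def snapshot(self) -> Dict[str, Tuple[bool, Optional[str]]]:
        """Return only the rules that have some auditing enabled."""
        return {name: (r.authorizations, r.violations)
                for name, r in self.rules.items()
                if r.authorizations or r.violations}


def replay_example_16_56() -> List[Dict[str, Tuple[bool, Optional[str]]]]:
    """Replay the four runs of Example 16-56 and return a snapshot after each."""
    cfg = RealmAuditConfig()
    history = []
    cfg.enable(parse_rule_list("OPEN,WRITE"), v=True)                     # run 1
    history.append(cfg.snapshot())
    cfg.enable(parse_rule_list("DELETEFILE"), a=True)                     # run 2
    history.append(cfg.snapshot())
    cfg.enable(parse_rule_list("OPEN,TRUNCATE"), a=True, v=True, u=True)  # run 3
    history.append(cfg.snapshot())
    cfg.enable(v=True)                                                    # run 4
    history.append(cfg.snapshot())
    return history


if __name__ == "__main__":
    for i, snap in enumerate(replay_example_16_56(), start=1):
        print(f"after run {i}: {snap}")
```

Running the script prints the state after each run; the output after run 3 shows OPEN moving from all-user violations to realm-user violations, and run 4 shows it moving back, which is the exception the text calls out.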