acfsutil sec prepare

Purpose

Prepares an Oracle ACFS file system for security features.

Syntax and Description

acfsutil sec prepare -h
acfsutil sec prepare [-u] -m mount_point

acfsutil sec prepare -h displays help text and exits.

Table 16-58 contains the options available with the acfsutil sec prepare command.


Table 16-58 Options for the acfsutil sec prepare command

Option Description

-m mount_point

Specifies the directory where the file system is mounted.

-u

Backs out security for the specified mount point.

This command removes security from in the file system and reverts the file system to the state before acfsutil sec prepare was run on the file system.

This command removes all realm-secured files and directories from the realms and then destroys all Oracle ACFS security rules, rule sets and realms from the file system. However, the .Security directory and its contents, including log files and the security metadata backup files, are not deleted.

If you want to remove encryption and security is being used, then this command must be run before encryption is backed out. To back out encryption, refer to "acfsutil encr set".


The acfsutil sec prepare command must be run before any of the realm management commands. This command prepares the specified Oracle ACFS file system for security and by default turns security on for the file system.

When running acfsutil sec prepare -u, ensure that no other Oracle ACFS security commands are run until acfsutil sec prepare has completed.

If auditing is initialized on a cluster, this command also enables an Oracle ACFS security auditing source on the file system. The actions performed when enabling this audit source are the same as those done when the acfsutil audit enable command is run directly. For more information, refer to "acfsutil audit enable".

This command creates the /mount_point/.Security, /mount_point/.Security/backup, and /mount_point/.Security/realm/logs directories where mount_point is the option specified in the command line.

This command creates the following system security realms:

  • SYSTEM_Logs

    This is a system-created realm to protect the Oracle ACFS security log files in the directory .Security/realm/logs/ directory.

  • SYSTEM_Audit

    This is a system-created realm to protect audit trail files. This realm is created if auditing has been initialized. If auditing has not been initialized, it is created when auditing is enabled for the security source through the acfsutil audit enable command. This realm secures the audit trail file so that the audit manager can read and write and the auditor can read the file, and no one else has access. This realm also protects the audit trail file so the audit manager cannot delete (without running the acfsutil audit purge command), truncate, overwrite, or chmod the file.

  • SYSTEM_SecurityMetadata

    This is a system-created realm to protect the Oracle ACFS metadata XML file in the directory .Security/backup/ directory.

  • SYSTEM_Antivirus

    This is a system-created realm that allows access for the antivirus software that is running on an Oracle ACFS file system. For every realm protected file or directory, the SYSTEM_Antivirus realm is evaluated when authorization checks are performed to determine if the SYSTEM_Antivirus realm allows access to the file or directory.

    To allow the antivirus process to access realm-protected files or directories, you must add the LocalSystem or SYSTEM group to the realm with the acfsutil sec realm add command, as shown in Example 16-52. If other antivirus processes are running as Administrator, then the user Administrator must be added to the SYSTEM_Antivirus realm to allow access to realm protected files and directories.

    If no Antivirus products have been installed, do not add any users or groups to the SYSTEM_Antivirus realm. Because users or groups added to the SYSTEM_Antivirus realm have READ and READDIR access, limit the users or groups added to this realm. You can restrict the time window when the users or groups of this realm can access the realm protected files or directories with time-based rules. You can also have application-based rules if you can identify the process name for the antivirus installation that scans the files.

    The SYSTEM_Antivirus realm can only perform the following operations on a file or directory: OPEN, READ, READDIR, and setting time attributes. To remove or delete files or directories, you may need to disable security to clean up the infected files.

    This realm is set up only for Windows systems.

  • SYSTEM_BackupOperators

    This is a system-created realm that enables you to authorize users that can back up realm-secured files and directories. You can add users, groups, rule sets, and command rules to this realm to provide fine-grain authorization for backing up realm-secured files and directories. A user must be added to this realm to back up realm-secured files and directories.

    Use caution when adding groups to this system realm. After you add a group to this system realm, all the users of the added group are able to override the realm protections to access files.

To access files in the system security realms, the user should be assigned as a security administrator with the acfsutil sec admin add command.

You can add users, groups, rule sets, and command rules to system-created realms with the acfsutil sec realm add command, the same as for user-created realms. However, adding files and directories to system realms is not recommended. You can use the acfsutil sec realm delete command to delete objects from the system-created realms.

System-created security realms cannot be removed by a security administrator with the acfsutil sec admin destroy command. These realms are only removed when security is backed out of a file system when executing the acfsutil sec prepare command with the -u option.

The acfsutil sec prepare –u command is not allowed if any snapshots exist in the file system.

Only a security administrator can run the acfsutil sec prepare command.

Examples

The following example shows the use of the acfsutil sec prepare command.

Example 16-51 Using the acfsutil sec prepare command

$ /sbin/acfsutil sec prepare -m /acfsmounts/acfs1