Hello,
On Wednesday, November 19, 2014 05:38:24 AM Tilden Doran D wrote:
> User 345 is the oracle user, which is used for oracle-related
> activities in the system.
> The command which we issue is srvctl stop/start database. We always install
> oracle and start manually for the first time.
> As you mentioned, on rebooting the system, it is not generating too many logs.
> But the problem is, we cannot reboot the system every time only a DB restart
> is required, because the application is also hosted on the same system.
OK.
> The srvctl command internally starts ohasd.bin.
> So can we avoid it? I mean, do we have an option to exclude ohasd.bin by
> using something like "-F exe!=ohasd.bin" or "-F path!=...."? I tried
> both, it is not working.
These are not possible. I have lobbied for audit by executable for a couple of
years. We are close to having it ready to go into the upstream kernel. But it's
not ready and can't be used.
Normally one could exclude by SE Linux label, but since your original post
showed unconfined_t, then that means there is no policy because the daemon did
not transition out of unconfined_t.
> Because "-F UID!=345" will restrict all the logs.
The rule that I gave you would filter only the chmod syscall caused by anything
with uid = 345. I think that is about the most reasonable choice you have
short of doing some selinux policy work so we have something pid specific to
match against.
> Can we restrict the log which is generated by that particular
> process/application?
You could add a rule using the pid, but next restart you'll have to change the
rule to the new pid. And probably by the time you can type that rule in, the
daemon has already done all the chmods it's going to do.
Maybe if the events are localized to a specific directory, you can do something
like:
auditctl -A exit,never -F arch=b32 -S chmod -F uid=345 -F dir=/opt/oracle_homes/oracle/
auditctl -A exit,never -F arch=b64 -S chmod -F uid=345 -F dir=/opt/oracle_homes/oracle/
-Steve
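The two `exit,never` rules above decide which chmod events the kernel drops before they ever reach auditd. As an added illustration (this is not code from the thread or from the audit project), the script below replays a handful of constructed SYSCALL/CWD/PATH records through a small model of those four tests: arch, syscall, uid and dir. The arch codes (c000003e for x86_64, 40000003 for i386) and the chmod syscall numbers (90 on x86_64, 15 on i386) are the real values; everything else (the sample log lines, pids, inodes, paths) is made up for the example. The model only implements the tests those two rules use, not the whole kernel filter. Event 505 is a deliberate caveat: a process that calls fchmodat() instead of chmod() is not matched by a `-S chmod` rule, so it is still logged.

```python
import os
import re
from collections import defaultdict

# Audit arch values as they appear in SYSCALL records (AUDIT_ARCH_* constants).
ARCH_NAMES = {"c000003e": "b64", "40000003": "b32"}

# chmod syscall numbers per arch (x86_64 and i386).  Only chmod is listed
# because the rules in the mail say "-S chmod"; fchmodat is deliberately absent.
SYSCALL_NUMBERS = {("b64", "chmod"): 90, ("b32", "chmod"): 15}

# Model of the two auditctl lines from the mail:
#   -A exit,never -F arch=b32 -S chmod -F uid=345 -F dir=/opt/oracle_homes/oracle/
#   -A exit,never -F arch=b64 -S chmod -F uid=345 -F dir=/opt/oracle_homes/oracle/
NEVER_RULES = [
    {"arch": "b32", "syscall": "chmod", "uid": 345, "dir": "/opt/oracle_homes/oracle/"},
    {"arch": "b64", "syscall": "chmod", "uid": 345, "dir": "/opt/oracle_homes/oracle/"},
]

# Constructed sample records (not real logs). 501 and 504 should be suppressed;
# 502 (path outside the dir), 503 (uid 0) and 505 (fchmodat, syscall 268) stay.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1416400000.101:501): arch=c000003e syscall=90 success=yes exit=0 items=1 pid=2002 auid=4294967295 uid=345 gid=345 euid=345 comm="ohasd.bin" exe="/opt/oracle_homes/oracle/bin/ohasd.bin" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="perm_mod"
type=CWD msg=audit(1416400000.101:501):  cwd="/opt/oracle_homes/oracle"
type=PATH msg=audit(1416400000.101:501): item=0 name="/opt/oracle_homes/oracle/log/ohasd.log" inode=1234 dev=fd:01 mode=0100644 ouid=345 ogid=345
type=SYSCALL msg=audit(1416400000.102:502): arch=c000003e syscall=90 success=yes exit=0 items=1 pid=2003 auid=4294967295 uid=345 gid=345 euid=345 comm="chmod" exe="/usr/bin/chmod" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="perm_mod"
type=CWD msg=audit(1416400000.102:502):  cwd="/home/oracle"
type=PATH msg=audit(1416400000.102:502): item=0 name="/etc/cron.d/oracle_backup" inode=2345 dev=fd:01 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1416400000.103:503): arch=c000003e syscall=90 success=yes exit=0 items=1 pid=2004 auid=1000 uid=0 gid=0 euid=0 comm="chmod" exe="/usr/bin/chmod" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="perm_mod"
type=CWD msg=audit(1416400000.103:503):  cwd="/"
type=PATH msg=audit(1416400000.103:503): item=0 name="/opt/oracle_homes/oracle/bin/ohasd.bin" inode=3456 dev=fd:01 mode=0100755 ouid=345 ogid=345
type=SYSCALL msg=audit(1416400000.104:504): arch=40000003 syscall=15 success=yes exit=0 items=1 pid=2005 auid=4294967295 uid=345 gid=345 euid=345 comm="oraagent32" exe="/opt/oracle_homes/oracle/bin/oraagent32" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="perm_mod"
type=CWD msg=audit(1416400000.104:504):  cwd="/opt/oracle_homes/oracle/log"
type=PATH msg=audit(1416400000.104:504): item=0 name="agent/trace.trc" inode=4567 dev=fd:01 mode=0100640 ouid=345 ogid=345
type=SYSCALL msg=audit(1416400000.105:505): arch=c000003e syscall=268 success=yes exit=0 items=1 pid=2006 auid=4294967295 uid=345 gid=345 euid=345 comm="ohasd.bin" exe="/opt/oracle_homes/oracle/bin/ohasd.bin" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="perm_mod"
type=CWD msg=audit(1416400000.105:505):  cwd="/opt/oracle_homes/oracle"
type=PATH msg=audit(1416400000.105:505): item=0 name="/opt/oracle_homes/oracle/log/crsd.log" inode=5678 dev=fd:01 mode=0100644 ouid=345 ogid=345
"""

SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(log_text):
    """Group SYSCALL/CWD/PATH records by event serial; return {serial: event}."""
    events = defaultdict(lambda: {"paths": [], "cwd": "/"})
    for line in log_text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        ev = events[int(m.group(1))]
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        rtype = fields.get("type")
        if rtype == "SYSCALL":
            ev["arch"] = ARCH_NAMES.get(fields["arch"], fields["arch"])
            ev["syscall"] = int(fields["syscall"])
            ev["uid"] = int(fields["uid"])
            ev["exe"] = fields.get("exe", "")
        elif rtype == "CWD":
            ev["cwd"] = fields["cwd"]
        elif rtype == "PATH":
            ev["paths"].append(fields["name"])
    return dict(events)


def under_dir(path, cwd, directory):
    """Does `path` (possibly relative to cwd) fall inside `directory`'s tree?"""
    full = os.path.normpath(os.path.join(cwd, path))
    d = os.path.normpath(directory)
    # Compare on a path boundary so /opt/oracle_homes/oracle_other is excluded.
    return full == d or full.startswith(d + "/")


def rule_matches(rule, ev):
    """Apply one exit-filter rule's -F arch / -S / -F uid / -F dir tests."""
    if ev.get("arch") != rule["arch"]:
        return False
    if ev.get("syscall") != SYSCALL_NUMBERS[(rule["arch"], rule["syscall"])]:
        return False
    if ev.get("uid") != rule["uid"]:
        return False
    return any(under_dir(p, ev["cwd"], rule["dir"]) for p in ev["paths"])


def classify(log_text, rules=NEVER_RULES):
    """Return (suppressed, kept) sorted lists of event serials under the never rules."""
    events = parse_events(log_text)
    suppressed = sorted(s for s, ev in events.items()
                        if any(rule_matches(r, ev) for r in rules))
    kept = sorted(s for s in events if s not in suppressed)
    return suppressed, kept


if __name__ == "__main__":
    dropped, logged = classify(SAMPLE_AUDIT_LOG)
    print("suppressed by never rules:", dropped)
    print("still logged:", logged)
```

Because both rules are added with `-A` (prepend), they sit in front of any existing `-a exit,always -S chmod` rule and the match stops there, which is what makes the suppression work; adding them with `-a` after the always rule would not. Run the script and compare the "still logged" list against what auditd actually records after loading the rules; if the daemon's events survive, check the syscall number in its SYSCALL records against the syscalls named in the rule, as event 505 shows.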