Tracking Oracle Database Binaries files changes

The Linux Audit system provides a way to determine who violated the security policy and what they did, for example tracking malicious changes to the Oracle executables. Every record carries the login uid (auid) of the session that performed the action, so it still names the real person even after they became the oracle account via su or sudo.

Using the Linux Audit system we can do the following:

  • Watching file access
  • Monitoring system calls
  • Recording commands run by a user
  • Recording security events

In this short blog post I will show how we can easily use it to catch changes in the Oracle home’s “bin” directory.

Test environment: OEL 6.6 / UEK 4.1

Just add a rule to “/etc/audit/audit.rules” (auditd loads this file when it starts) and that’s it:

-w /app/home18c/bin -p wa -k oracle_bin

  • -w — watch the file system object at this path; a watch on a directory covers the files below it.
  • -p wa — the permissions that trigger a record: w for write access to a file or directory, a for a change of a file’s or directory’s attributes (owner, mode, timestamps). Reads (r) and executions (x) are not recorded by this rule; add those letters if you want them.
  • -k oracle_bin — a key attached to every matching record, so you can later pull them out with ausearch -k.

The same line can be given to auditctl directly to add the watch at runtime, and “auditctl -l” shows the rules currently loaded. Keep in mind that a root user can delete the rule or stop auditd; if that matters, end the rule file with “-e 2”, which makes the configuration immutable until the next reboot.

Then restart auditd so the rule file is reloaded:

  • service auditd restart

Let’s test it (a create, a delete and an attribute change, one for each part of “-p wa”):

  • touch /app/home18c/bin/test_file
  • rm -f /app/home18c/bin/test_file
  • chmod o+r /app/home18c/bin/lsnrctl

Extract from “/var/log/audit/audit.log”:

[screenshot of the audit.log extract, not reproduced here]

Using “ausearch -k oracle_bin” (add -i to have uids and syscall numbers translated to names):

[screenshot of the ausearch output, not reproduced here]

That’s it 😀
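Because the two screenshots do not survive extraction, here is an added example (not part of the original post) that does in Python what “ausearch -k oracle_bin” does on the box: it parses raw audit.log records, groups the SYSCALL, CWD and PATH records that share one msg=audit(timestamp:serial) id into events, keeps only the events tagged with the key, and reports who did what to which file. The log lines are constructed to mirror the three test commands (inodes, pids and uids are made up); the syscall number table covers only arch=c000003e (x86_64), and nametype=CREATE/DELETE/NORMAL is what a 4.x kernel such as UEK 4.1 emits (the parser tolerates its absence). The third event deliberately has auid=1000 but uid=500: the login uid survives su/sudo, so the record names the real actor behind the oracle account.

```python
import re
from collections import OrderedDict

# Constructed sample extract in audit.log format (illustrative values, not from the post).
# Event 201: touch creates test_file; 202: rm deletes it; 203: chmod on lsnrctl run by a
# user (auid=1000) who had become uid 500 via su; 204: an unrelated key that must be filtered out.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1546300800.101:201): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1 a1=941 a2=1b6 a3=0 items=2 ppid=2000 pid=2001 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=4 comm="touch" exe="/bin/touch" key="oracle_bin"
type=CWD msg=audit(1546300800.101:201):  cwd="/home/oracle"
type=PATH msg=audit(1546300800.101:201): item=0 name="/app/home18c/bin/" inode=1001 dev=fd:00 mode=040755 ouid=500 ogid=500 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1546300800.101:201): item=1 name="/app/home18c/bin/test_file" inode=1002 dev=fd:00 mode=0100644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1546300800.102:202): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=1a2b a2=0 a3=0 items=2 ppid=2000 pid=2002 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=4 comm="rm" exe="/bin/rm" key="oracle_bin"
type=CWD msg=audit(1546300800.102:202):  cwd="/home/oracle"
type=PATH msg=audit(1546300800.102:202): item=0 name="/app/home18c/bin/" inode=1001 dev=fd:00 mode=040755 ouid=500 ogid=500 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1546300800.102:202): item=1 name="/app/home18c/bin/test_file" inode=1002 dev=fd:00 mode=0100644 ouid=500 ogid=500 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1546300800.103:203): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=1c3d a2=1ed a3=0 items=1 ppid=2000 pid=2003 auid=1000 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=4 comm="chmod" exe="/bin/chmod" key="oracle_bin"
type=CWD msg=audit(1546300800.103:203):  cwd="/home/oracle"
type=PATH msg=audit(1546300800.103:203): item=0 name="/app/home18c/bin/lsnrctl" inode=1003 dev=fd:00 mode=0100755 ouid=500 ogid=500 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1546300800.104:204): arch=c000003e syscall=2 success=yes exit=4 a0=7ffd2 a1=0 a2=0 a3=0 items=1 ppid=2000 pid=2004 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="cat" exe="/bin/cat" key="passwd_changes"
type=PATH msg=audit(1546300800.104:204): item=0 name="/etc/passwd" inode=2001 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

# Syscall numbers for arch=c000003e (x86_64); enough to name what touch, rm and chmod do.
SYSCALL_NAMES_X86_64 = {2: "open", 87: "unlink", 90: "chmod", 257: "openat",
                        263: "unlinkat", 268: "fchmodat", 280: "utimensat"}

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value or key="quoted value"
MSG_RE = re.compile(r'msg=audit\((\d+)\.(\d+):(\d+)\)')   # msg=audit(seconds.millis:serial)


def parse_record(line):
    """Turn one audit.log line into a dict; surrounding quotes are stripped from values."""
    rec = {}
    for k, v in FIELD_RE.findall(line):
        rec[k] = v[1:-1] if v.startswith('"') and v.endswith('"') else v
    m = MSG_RE.search(line)
    if m:
        rec["ts"] = int(m.group(1))
        rec["serial"] = int(m.group(3))
    return rec


def group_events(lines):
    """Records sharing the same msg=audit(ts:serial) id form one event; file order is kept."""
    events = OrderedDict()
    for line in lines:
        rec = parse_record(line.strip())
        if "serial" in rec:
            events.setdefault(rec["serial"], []).append(rec)
    return events


def summarize(log_text, key):
    """Equivalent of `ausearch -k KEY`: one summary dict per event tagged with KEY."""
    out = []
    for serial, recs in group_events(log_text.splitlines()).items():
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if sc is None or sc.get("key") != key:
            continue
        nr = int(sc.get("syscall", -1))
        auid, uid = int(sc["auid"]), int(sc["uid"])
        out.append({
            "serial": serial,
            "ts": sc["ts"],
            "auid": auid,            # login uid: survives su/sudo, so it is the real actor
            "uid": uid,              # uid the process ran as (here: the oracle account)
            "impersonating": auid != uid,
            "comm": sc.get("comm"),
            "exe": sc.get("exe"),
            "syscall": SYSCALL_NAMES_X86_64.get(nr, str(nr)),
            "success": sc.get("success") == "yes",
            # (path, nametype) pairs; nametype is "?" on kernels that do not emit it
            "paths": [(r.get("name", "?"), r.get("nametype", "?"))
                      for r in recs if r.get("type") == "PATH"],
        })
    return out


if __name__ == "__main__":
    for ev in summarize(SAMPLE_AUDIT_LOG, "oracle_bin"):
        targets = ", ".join("%s(%s)" % p for p in ev["paths"] if p[1] != "PARENT")
        flag = "  <-- auid != uid: acted via su/sudo" if ev["impersonating"] else ""
        print("%d auid=%d uid=%d %s(%s) %s -> %s%s" % (
            ev["serial"], ev["auid"], ev["uid"], ev["comm"], ev["exe"],
            ev["syscall"], targets, flag))
```

On a real system feed it the file instead of the constructed string (`summarize(open("/var/log/audit/audit.log").read(), "oracle_bin")`); records of type PROCTITLE or EOE that newer auditd versions add are simply carried along with their event and ignored.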

 

REF :

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing

2 thoughts on “Tracking Oracle Database Binaries files changes”

  1. I can’t believe that it is so easy. I wrote a complicated stap script before to log all the chmod commands/syscalls for a specific file:

    # Log every chmod()/fchmodat() whose target path contains "setasmgid"
    probe syscall.chmod {
        if (isinstr(path, "setasmgid")) {
            printf("%d %s performed chmod against %s\n", pid(), execname(), argstr)
        }
    }
    probe syscall.fchmodat {
        if (isinstr(pathname, "setasmgid")) {
            printf("%d %s performed chmod against %s\n", pid(), execname(), argstr)
        }
    }

    It looks like a *stupid* script compared to the native audit method.
