Tuesday, October 27, 2020

Reduce number of privileged access audit files for ASM with rsyslog on Linux

This post shows how to configure rsyslog on Linux (Red Hat Enterprise Linux 7/8) to redirect ASM audit messages to OS log files.

If you are looking for the information for Solaris or AIX, please check out the following posts


1. Configure rsyslog service as OS user root

Add the following line to the rsyslog configuration file /etc/rsyslog.conf:
local1.info   /var/log/oracle/asm_audit.log

Make sure the directory /var/log/oracle exists; it can be created with mkdir:
[root@host01]# mkdir /var/log/oracle

I prefer a dedicated subdirectory (oracle) under /var/log to the shared /var/log directory itself, because many system services and applications write their log files directly under /var/log, and keeping my log files in a separate directory means I do not have to hunt for them among all the others.

In the configuration, 'local1.info' is a selector. It has two parts: 'local1' is a facility and 'info' is a priority. Typically, one of the eight values local0 through local7 is used as the facility and one of the following values (listed from least to most severe; a selector matches its priority and every more severe one) as the priority:

    debug, info, notice, warning, err, crit, alert, emerg

The selector 'local1.info' will be needed for the ASM instance configuration in step 4.

Find the entry (line) for /var/log/messages in /etc/rsyslog.conf; it looks similar to the following:
*.info;mail.none;authpriv.none;cron.none    /var/log/messages

It directs rsyslog to log everything of level info or higher (except mail, authpriv and cron) to /var/log/messages, so ASM audit messages (selector local1.info) are also logged into this file. To exclude them, add 'local1.none' to the entry as follows:
*.info;mail.none;authpriv.none;cron.none;local1.none    /var/log/messages
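As an added illustration (not from the original post), the following Python script applies the selector rules explained above to the two states of the /var/log/messages entry, before and after 'local1.none' is added, and reports every file that local1.info messages would be written to. The configuration excerpts are constructed, and the matching logic is a simplified model of rsyslog's classic selector syntax (facility.priority, '*', and 'none'; no '=' or '!' priority modifiers).

```python
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Constructed excerpts of the rules section of /etc/rsyslog.conf (not real
# config files): the state before and after 'local1.none' is added to the
# /var/log/messages rule.
RSYSLOG_BEFORE = """\
# rules section (constructed excerpt)
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
local1.info   /var/log/oracle/asm_audit.log
"""

RSYSLOG_AFTER = """\
*.info;mail.none;authpriv.none;cron.none;local1.none    /var/log/messages
local1.info   /var/log/oracle/asm_audit.log
"""


def parse_rules(conf_text):
    """Extract (selectors, action) pairs from classic 'selector  action' rules.

    selectors is a list of (facility, priority) tuples. Comments, blank lines
    and $-directives are skipped; this is a simplified model of the syntax.
    """
    rules = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "$")):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        selectors = []
        for sel in parts[0].split(";"):
            facility, _, priority = sel.partition(".")
            selectors.append((facility, priority))
        rules.append((selectors, parts[1].strip()))
    return rules


def rule_matches(selectors, facility, priority="info"):
    """Decide whether one rule accepts a message of <facility>.<priority>.

    Selectors are evaluated left to right: '*' or the facility name with a
    priority no more severe than the message's selects it, and a later
    '<facility>.none' deselects it again (this is what local1.none does).
    """
    selected = False
    for fac, prio in selectors:
        if fac not in (facility, "*"):
            continue
        if prio == "none":
            selected = False
        elif prio == "*" or (prio in PRIORITIES and
                             PRIORITIES.index(prio) <= PRIORITIES.index(priority)):
            selected = True
    return selected


def check_asm_audit_routing(conf_text, facility="local1",
                            logfile="/var/log/oracle/asm_audit.log"):
    """Return a list of problems with where <facility>.info messages are written."""
    problems = []
    targets = [action for selectors, action in parse_rules(conf_text)
               if rule_matches(selectors, facility)]
    if logfile not in targets:
        problems.append(f"no rule sends {facility}.info to {logfile}")
    for action in targets:
        if action != logfile:
            problems.append(f"{facility}.info is also written to {action}; "
                            f"add '{facility}.none' to that rule")
    return problems


if __name__ == "__main__":
    for label, conf in (("before", RSYSLOG_BEFORE), ("after", RSYSLOG_AFTER)):
        print(label, check_asm_audit_routing(conf) or "OK")
```

Run against the "before" excerpt it reports that local1.info also lands in /var/log/messages (the duplicate the text is removing); against the "after" excerpt it reports nothing. It also reports a missing audit rule, which is what you would see if the local1.info line were accidentally commented out.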

2. Configure logrotate to manage (rotate, compress, etc.) log files

The rsyslog service does not have the same rotation facility as syslog. The Linux logrotate utility is used to manage the size and number of rsyslog log files. Create the file /etc/logrotate.d/asm_audit with the following content:
/var/log/oracle/asm_audit.log {
  weekly
  rotate 26
  compress
  copytruncate
  delaycompress
  notifempty
}

Here,

   /var/log/oracle/asm_audit.log - the log file to be rotated; it must be the same file defined for selector 'local1.info' in the rsyslog configuration file /etc/rsyslog.conf in step 1
   weekly - the log file is rotated weekly
   rotate 26 - 26 rotated copies are kept, so a rotated log file is deleted after 26 weeks
   compress - old versions of the log file are compressed
   copytruncate - truncate the original log file in place after creating a copy
   delaycompress - postpone compression of the previous log file to the next rotation cycle
   notifempty - do not rotate the log file if it is empty

3. Restart rsyslog service

On Red Hat Enterprise Linux (RHEL) 7 & 8 or Oracle Linux 7 & 8, run the command systemctl restart rsyslog.service:
[root@host01]# systemctl restart rsyslog.service

The command may be different on other Linux releases or distributions. For example, on RHEL 5/6 or Oracle Linux 5/6, the following command is used:

   service rsyslog restart

4. Configure ASM instance

Set the ASM initialization parameter audit_syslog_level:
SQL> connect / as sysasm
Connected.
SQL>
SQL> alter system set audit_syslog_level='local1.info' scope=spfile;
System altered.

Optionally, set the ASM initialization parameter audit_sys_operations:
SQL> alter system set audit_sys_operations=TRUE scope=spfile;

Setting AUDIT_SYSLOG_LEVEL to local1.info causes SYS audit records (when audit_sys_operations=TRUE) and standard OS audit records to be sent to the SYSLOG utility (rsyslog) with selector 'local1.info'; rsyslog then writes them to the log file selected for 'local1.info' in step 1.

Restart the ASM instance as the owner of the Grid Infrastructure home (usually grid for a cluster installation and oracle for a standalone installation):
[oracle@host01]$ srvctl stop asm -force
[oracle@host01]$ srvctl start asm -force

Note: make sure all databases using ASM have been shut down cleanly before restarting the ASM instance, to avoid database corruption.

5. Verify ASM audit records are created in /var/log/oracle/asm_audit.log

Verify that a privileged connection to ASM (e.g. a SYSASM, SYSDBA, or SYSOPER connection) results in an entry in /var/log/oracle/asm_audit.log similar to the following:
Oct 27 22:19:53 host01 journal: Oracle Audit[12125]: LENGTH : '260' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSASM' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/2' STATUS:[1] '0' DBID:[0] '' SESSIONID:[10] '4294967295' USERHOST:[21] 'host01.lab.dbaplus.ca' CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100'
Oct 27 22:19:59 host01 journal: Oracle Audit[12130]: LENGTH : '260' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/2' STATUS:[1] '0' DBID:[0] '' SESSIONID:[10] '4294967295' USERHOST:[21] 'host01.lab.dbaplus.ca' CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100'
Oct 27 22:20:03 host01 journal: Oracle Audit[12141]: LENGTH : '261' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[7] 'SYSOPER' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/2' STATUS:[1] '0' DBID:[0] '' SESSIONID:[10] '4294967295' USERHOST:[21] 'host01.lab.dbaplus.ca' CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100'
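Each record above is a sequence of KEY :[n] 'value' fields, where [n] is the length Oracle declares for the quoted value. As an added example (not part of the original post), the following Python script parses such lines, checks the declared lengths, and flags privileged connections whose OS client user is outside an allow-list or whose STATUS is non-zero (a failed attempt). The first three sample lines are the ones shown above; the fourth is constructed and its field values are illustrative only.

```python
import re

# Sample records: the three lines from step 5 of the post, plus one constructed
# record (NOT from the post) for a failed SYSDBA attempt by OS user 'bob'.
SAMPLE_LINES = [
    "Oct 27 22:19:53 host01 journal: Oracle Audit[12125]: LENGTH : '260' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSASM' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/2' STATUS:[1] '0' DBID:[0] '' SESSIONID:[10] '4294967295' USERHOST:[21] 'host01.lab.dbaplus.ca' CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100'",
    "Oct 27 22:19:59 host01 journal: Oracle Audit[12130]: LENGTH : '260' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/2' STATUS:[1] '0' DBID:[0] '' SESSIONID:[10] '4294967295' USERHOST:[21] 'host01.lab.dbaplus.ca' CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100'",
    "Oct 27 22:20:03 host01 journal: Oracle Audit[12141]: LENGTH : '261' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[7] 'SYSOPER' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/2' STATUS:[1] '0' DBID:[0] '' SESSIONID:[10] '4294967295' USERHOST:[21] 'host01.lab.dbaplus.ca' CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100'",
    # constructed line (illustrative values, not captured output)
    "Oct 27 22:25:11 host01 journal: Oracle Audit[12150]: LENGTH : '259' ACTION :[7] 'CONNECT' DATABASE USER:[3] 'sys' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'bob' CLIENT TERMINAL:[5] 'pts/3' STATUS:[4] '1017' DBID:[0] '' SESSIONID:[10] '4294967295' USERHOST:[21] 'host01.lab.dbaplus.ca' CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100'",
]

# syslog prefix written by rsyslog: timestamp, host, program tag, then the Oracle record
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+\S+:\s+"
    r"Oracle Audit\[(?P<pid>\d+)\]:\s+(?P<body>.*)$"
)
# one "KEY :[n] 'value'" field; the [n] length prefix is optional (LENGTH has none)
FIELD_RE = re.compile(r"([A-Z][A-Z ]*?)\s*:\s*(?:\[(\d+)\])?\s*'([^']*)'")

PRIVILEGED = {"SYSASM", "SYSDBA", "SYSOPER"}


def parse_audit_record(line):
    """Parse one rsyslog line carrying an Oracle audit record into a dict.

    Returns None for lines that are not Oracle audit records. 'intact' is
    False when any declared [n] length disagrees with the quoted value, which
    indicates a truncated or altered record.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    fields, intact = {}, True
    for key, declared, value in FIELD_RE.findall(m.group("body")):
        if declared and int(declared) != len(value):
            intact = False
        fields[key.strip()] = value
    return {"timestamp": m.group("ts"), "host": m.group("host"),
            "pid": m.group("pid"), "intact": intact, "fields": fields}


def audit_alerts(lines, allowed_client_users):
    """Flag privileged (SYSASM/SYSDBA/SYSOPER) connections worth a second look.

    A record is reported when it is not intact, when the OS client user is
    outside the allow-list, or when STATUS is non-zero (failed attempt).
    """
    alerts = []
    for line in lines:
        rec = parse_audit_record(line)
        if rec is None:
            continue
        f = rec["fields"]
        reasons = []
        if not rec["intact"]:
            reasons.append("declared field length mismatch (truncated or altered record)")
        if f.get("ACTION") == "CONNECT" and f.get("PRIVILEGE") in PRIVILEGED:
            if f.get("CLIENT USER") not in allowed_client_users:
                reasons.append(f"client user {f.get('CLIENT USER')!r} not in allow-list")
            if f.get("STATUS") != "0":
                reasons.append(f"connection failed, STATUS={f.get('STATUS')}")
        if reasons:
            alerts.append({"timestamp": rec["timestamp"], "pid": rec["pid"],
                           "privilege": f.get("PRIVILEGE"),
                           "client_user": f.get("CLIENT USER"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in audit_alerts(SAMPLE_LINES, allowed_client_users={"oracle"}):
        print(alert)
```

With the allow-list {"oracle"} only the constructed 'bob' record is reported (two reasons: unknown client user and non-zero STATUS); with an allow-list that does not contain oracle, every privileged connection in the file is reported. The length check is cheap insurance when the file is forwarded or rotated: a record whose declared lengths no longer match its values should not be trusted as-is.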

6. Test log file rotation

Force a log file rotation with the command logrotate -f:
[root@host01 /]# ls -l /var/log/oracle
total 12
-rw-------. 1 root root 9327 Oct 27 22:20 asm_audit.log
[root@host01 /]#
[root@host01 /]# logrotate -f /etc/logrotate.d/asm_audit
[root@host01 /]#
[root@host01 /]# ls -l /var/log/oracle
total 12
-rw-------. 1 root root    0 Oct 27 22:36 asm_audit.log
-rw-------. 1 root root 9327 Oct 27 22:36 asm_audit.log.1

One rotated (backup) log file, asm_audit.log.1, is created.

Connect to the ASM instance as SYSDBA to generate new audit records, so that log file asm_audit.log is not empty:
SQL> connect / as sysdba
Connected.
SQL>exit

 
Force another log file rotation with the command logrotate -f:
[root@host01 /]# ls -l /var/log/oracle
total 16
-rw-------. 1 root root 2296 Oct 27 22:43 asm_audit.log
-rw-------. 1 root root 9327 Oct 27 22:36 asm_audit.log.1
[root@host01 /]#
[root@host01 /]# logrotate -f /etc/logrotate.d/asm_audit
[root@host01 /]#
[root@host01 /]# ls -l /var/log/oracle
total 8
-rw-------. 1 root root    0 Oct 27 22:44 asm_audit.log
-rw-------. 1 root root 2296 Oct 27 22:44 asm_audit.log.1
-rw-------. 1 root root  743 Oct 27 22:36 asm_audit.log.2.gz

The file asm_audit.log.1 is copied and compressed into asm_audit.log.2.gz (delaycompress postponed its compression to this cycle), and asm_audit.log is truncated after being copied to asm_audit.log.1.

So far, the configuration is complete. ASM SYS and OS audit records are written to the rsyslog log file /var/log/oracle/asm_audit.log, which is rotated weekly and kept for 26 weeks.
