[20180130]監測linux檔案操作.txt

--//前幾天做[20180125]環境變數TNS_ADMIN與RAC.txt,連結:http://blog.itpub.net/267265/viewspace-2150539/
--//我一直認為使用者遠端連線資料庫,應該是監聽程式監測使用者連線,開啟sqlnet.ora檔案.然後開啟相應程式,再次開啟
--//sqlnet.ora檔案,實際上監聽程式根本不會讀取sqlnet.ora檔案.

--//以下是我的分析:

1.開啟檔案操作審計:

# auditctl -w /u01/app/oracle/product/11.2.0.4/dbhome_1/network/admin/sqlnet.ora -p r
# auditctl -l
LIST_RULES: exit,always watch=/u01/app/oracle/product/11.2.0.4/dbhome_1/network/admin/sqlnet.ora perm=r

# zdate
2018/01/30 16:03:01

2.透過遠端連線資料庫:
SCOTT@78> @ spid
SID SERIAL# PROCESS SERVER SPID PID P_SERIAL# C50
---------- ---------- ------------------------ --------- ------ ------- ---------- --------------------------------------------------
67 77 9424:10128 DEDICATED 63763 29 36 alter system kill session '67,77' immediate;

# ausearch -f /u01/app/oracle/product/11.2.0.4/dbhome_1/network/admin/sqlnet.ora -ts 16:03:00 | grep type=SYSCALL | tr ' ' '\n'
type=SYSCALL
msg=audit(1517299387.927:1170328):
arch=c000003e
syscall=2
success=yes
exit=6
a0=7fff19e7d1b0
a1=0
a2=1b6
a3=0
items=1
ppid=1
pid=63763 => 程式號
auid=0
uid=502
gid=502
euid=502
suid=502
fsuid=502
egid=502
sgid=502
fsgid=502
tty=(none)
ses=189968
comm="oracle"
exe="/u01/app/oracle/product/11.2.0.4/dbhome_1/bin/oracle"
key=(null)
type=SYSCALL
msg=audit(1517299387.928:1170329):
arch=c000003e
syscall=2
success=yes
exit=6
a0=7fff19e7d160
a1=0
a2=1b6
a3=0
items=1
ppid=1
pid=63763 => => 程式號
auid=0
uid=502
gid=502
euid=502
suid=502
fsuid=502
egid=502
sgid=502
fsgid=502
tty=(none)
ses=189968
comm="oracle"
exe="/u01/app/oracle/product/11.2.0.4/dbhome_1/bin/oracle"
key=(null)

--//可以發現是相應程式訪問/u01/app/oracle/product/11.2.0.4/dbhome_1/network/admin/sqlnet.ora.

3.重啟監聽看看:
$ zdate ; lsnrctl stop ; lsnrctl start
2018/01/30 16:09:53
.... 太長截斷.

# ps -ef | grep tns[l]
oracle 63826 1 0 16:09 ? 00:00:00 /u01/app/oracle/product/11.2.0.4/dbhome_1/bin/tnslsnr LISTENER -inherit

# ausearch -f /u01/app/oracle/product/11.2.0.4/dbhome_1/network/admin/sqlnet.ora -ts 16:09:53 |grep type=SYSCALL | tr ' ' '\n'
type=SYSCALL
msg=audit(1517299793.497:1170348):
arch=c000003e
syscall=2
success=yes
exit=5
a0=7fff4c2261f0
a1=0
a2=1b6
a3=0
items=1
ppid=24582
pid=63823
auid=0
uid=502
gid=502
euid=502
suid=502
fsuid=502
egid=502
sgid=502
fsgid=502
tty=pts1
ses=189968
comm="lsnrctl"
exe="/u01/app/oracle/product/11.2.0.4/dbhome_1/bin/lsnrctl"
key=(null)
type=SYSCALL
msg=audit(1517299795.673:1170349):
arch=c000003e
syscall=2
success=yes
exit=5
a0=7fff908f5080
a1=0
a2=1b6
a3=0
items=1
ppid=24582
pid=63824
auid=0
uid=502
gid=502
euid=502
suid=502
fsuid=502
egid=502
sgid=502
fsgid=502
tty=pts1
ses=189968
comm="lsnrctl"
exe="/u01/app/oracle/product/11.2.0.4/dbhome_1/bin/lsnrctl"
key=(null)
type=SYSCALL
msg=audit(1517299795.689:1170350):
arch=c000003e
syscall=2
success=yes
exit=4
a0=7fff095aa2b0
a1=0
a2=1b6
a3=0
items=1
ppid=1
pid=63826 => tnslsnr 程式號
auid=0
uid=502
gid=502
euid=502
suid=502
fsuid=502
egid=502
sgid=502
fsgid=502
tty=(none)
ses=189968
comm="tnslsnr"
exe="/u01/app/oracle/product/11.2.0.4/dbhome_1/bin/tnslsnr"
key=(null)

--//可以發現啟動監聽也會讀取/u01/app/oracle/product/11.2.0.4/dbhome_1/network/admin/sqlnet.ora.
--//僅僅做一些簡單分析.

4.收尾:

# auditctl -l
LIST_RULES: exit,always watch=/u01/app/oracle/product/11.2.0.4/dbhome_1/network/admin/sqlnet.ora perm=r
# auditctl -D
No rules
# auditctl -l
No rules

--//重啟審計,上面的定義審計就會刪除.因為開始第一條執行就是刪除.

# cat /etc/audit/audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page

[20180130]監測linux檔案操作.txt

相關文章