[20180130]监测linux文件操作.txt
--//前几天做[20180125]环境变量TNS_ADMIN与RAC.txt,链接:http://blog.itpub.net/267265/viewspace-2150539/
--//我一直认为用户远程连接数据库,应该是监听进程监测用户连接,打开sqlnet.ora文件.然后开启相应进程,再次打开
--//sqlnet.ora文件,实际上监听进程根本不会读取sqlnet.ora文件.
--//以下是我的分析:
1.开启文件操作审计:
# auditctl -w /u01/app/oracle/product/11.2.0.4/dbhome_1/network/admin/sqlnet.ora -p r
# auditctl -l
LIST_RULES: exit,always watch=/u01/app/oracle/product/11.2.0.4/dbhome_1/network/admin/sqlnet.ora perm=r
# zdate
2018/01/30 16:03:01
2.通过远程连接数据库:
SCOTT@78> @ spid
SID SERIAL# PROCESS SERVER SPID PID P_SERIAL# C50
---------- ---------- ------------------------ --------- ------ ------- ---------- --------------------------------------------------
67 77 9424:10128 DEDICATED 63763 29 36 alter system kill session '67,77' immediate;
# ausearch -f /u01/app/oracle/product/11.2.0.4/dbhome_1/network/admin/sqlnet.ora -ts 16:03:00 | grep type=SYSCALL | tr ' ' '\n'
type=SYSCALL
msg=audit(1517299387.927:1170328):
arch=c000003e
syscall=2
success=yes
exit=6
a0=7fff19e7d1b0
a1=0
a2=1b6
a3=0
items=1
ppid=1
pid=63763 => 进程号
auid=0
uid=502
gid=502
euid=502
suid=502
fsuid=502
egid=502
sgid=502
fsgid=502
tty=(none)
ses=189968
comm="oracle"
exe="/u01/app/oracle/product/11.2.0.4/dbhome_1/bin/oracle"
key=(null)
type=SYSCALL
msg=audit(1517299387.928:1170329):
arch=c000003e
syscall=2
success=yes
exit=6
a0=7fff19e7d160
a1=0
a2=1b6
a3=0
items=1
ppid=1
pid=63763 => => 进程号
auid=0
uid=502
gid=502
euid=502
suid=502
fsuid=502
egid=502
sgid=502
fsgid=502
tty=(none)
ses=189968
comm="oracle"
exe="/u01/app/oracle/product/11.2.0.4/dbhome_1/bin/oracle"
key=(null)
--//可以发现是相应进程访问/u01/app/oracle/product/11.2.0.4/dbhome_1/network/admin/sqlnet.ora.
3.重启监听看看:
$ zdate ; lsnrctl stop ; lsnrctl start
2018/01/30 16:09:53
.... 太长 截断.
# ps -ef | grep tns[l]
oracle 63826 1 0 16:09 ? 00:00:00 /u01/app/oracle/product/11.2.0.4/dbhome_1/bin/tnslsnr LISTENER -inherit
# ausearch -f /u01/app/oracle/product/11.2.0.4/dbhome_1/network/admin/sqlnet.ora -ts 16:09:53 |grep type=SYSCALL | tr ' ' '\n'
type=SYSCALL
msg=audit(1517299793.497:1170348):
arch=c000003e
syscall=2
success=yes
exit=5
a0=7fff4c2261f0
a1=0
a2=1b6
a3=0
items=1
ppid=24582
pid=63823
auid=0
uid=502
gid=502
euid=502
suid=502
fsuid=502
egid=502
sgid=502
fsgid=502
tty=pts1
ses=189968
comm="lsnrctl"
exe="/u01/app/oracle/product/11.2.0.4/dbhome_1/bin/lsnrctl"
key=(null)
type=SYSCALL
msg=audit(1517299795.673:1170349):
arch=c000003e
syscall=2
success=yes
exit=5
a0=7fff908f5080
a1=0
a2=1b6
a3=0
items=1
ppid=24582
pid=63824
auid=0
uid=502
gid=502
euid=502
suid=502
fsuid=502
egid=502
sgid=502
fsgid=502
tty=pts1
ses=189968
comm="lsnrctl"
exe="/u01/app/oracle/product/11.2.0.4/dbhome_1/bin/lsnrctl"
key=(null)
type=SYSCALL
msg=audit(1517299795.689:1170350):
arch=c000003e
syscall=2
success=yes
exit=4
a0=7fff095aa2b0
a1=0
a2=1b6
a3=0
items=1
ppid=1
pid=63826 => tnslsnr 进程号
auid=0
uid=502
gid=502
euid=502
suid=502
fsuid=502
egid=502
sgid=502
fsgid=502
tty=(none)
ses=189968
comm="tnslsnr"
exe="/u01/app/oracle/product/11.2.0.4/dbhome_1/bin/tnslsnr"
key=(null)
--//可以发现启动监听也会读取/u01/app/oracle/product/11.2.0.4/dbhome_1/network/admin/sqlnet.ora.
--//仅仅做一些简单分析.
4.收尾:
# auditctl -l
LIST_RULES: exit,always watch=/u01/app/oracle/product/11.2.0.4/dbhome_1/network/admin/sqlnet.ora perm=r
# auditctl -D
No rules
# auditctl -l
No rules
--//重启审计,上面的定义审计就会删除.因为开始第一条执行就是删除.
# cat /etc/audit/audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320
# Feel free to add below this line. See auditctl man page