DNS - make it simple and fast, part 3

8. Master domain zone
I will create sample records for my master zone in the file master.example.net:
[root@nsd named]# cat master.example.net
; RNAME is the admin mailbox root@nsd.example.net, written with the @ replaced by a dot
@ IN SOA nsd.example.net. root.nsd.example.net. (
        2010072401 ; serial
        3600 ; refresh
        900 ; retry
        1209600 ; expire
        43200 ; default_ttl (SOA minimum; used as the record TTL because there is no $TTL directive)
)
@       IN NS   nsd.example.net.
@       IN MX 1 centos.example.net.

gw1         IN A    10.1.0.1
gw2         IN A    10.1.0.2
nsd         IN A    10.1.0.5
centos      IN A    10.1.0.10

As you can see, I define one nameserver, one mail exchanger and four hosts.
9. Reverse zone for network 10.1.0 (file 10.1.0.rev)
@ IN SOA nsd.example.net. root.nsd.example.net. (
        2010072401 ; serial
        3600 ; refresh
        900 ; retry
        1209600 ; expire
        43200 ; default_ttl
)
@       IN NS   nsd.example.net.

1       IN PTR gw1.example.net.
2       IN PTR gw2.example.net.
5       IN PTR nsd.example.net.
10      IN PTR centos.example.net.


I have only four IP addresses. Do not forget the dot at the end of host names; without it, BIND appends the zone origin to the name.
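A consistency check between the forward zone of section 8 and the reverse zone of section 9, added here as an example (it is not part of the original post or of BIND): a minimal zone parser reads both files and reports every A record without a matching PTR and vice versa. The zone texts are constructed from the post's files; the PTR for 10.1.0.2 deliberately carries the wrong name (gw1 instead of gw2) so the check has something to report.

```python
"""Forward/reverse consistency check for the zones in sections 8 and 9 (added example,
not code from the post or from BIND). Zone texts are constructed from the post's files;
the PTR for 10.1.0.2 deliberately keeps the wrong name (gw1 instead of gw2)."""
import re

FORWARD_ZONE = """\
@ IN SOA nsd.example.net. root.nsd.example.net. (
        2010072401 ; serial
        3600 ; refresh
        900 ; retry
        1209600 ; expire
        43200 ; default_ttl
)
@       IN NS   nsd.example.net.
@       IN MX 1 centos.example.net.
gw1         IN A    10.1.0.1
gw2         IN A    10.1.0.2
nsd         IN A    10.1.0.5
centos      IN A    10.1.0.10
"""
# SOA left out of this sample; the parser handles it exactly as in FORWARD_ZONE.
REVERSE_ZONE = """\
@       IN NS   nsd.example.net.
1       IN PTR gw1.example.net.
2       IN PTR gw1.example.net.   ; wrong on purpose: should be gw2
5       IN PTR nsd.example.net.
10      IN PTR centos.example.net.
"""

def records(zone_text, origin):
    """Yield (owner, type, rdata_fields) from a minimal BIND zone file: handles ';'
    comments, the parenthesised multi-line SOA and relative owner names. No $TTL/$ORIGIN
    directives or per-record TTL fields (the post's files have none)."""
    text = re.sub(r";[^\n]*", "", zone_text)                                  # comments
    text = re.sub(r"\([^)]*\)", lambda m: " ".join(m.group().split()), text)  # join SOA
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        owner = fields[0]
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        rest = fields[2:] if fields[1].upper() == "IN" else fields[1:]  # drop class token
        yield owner, rest[0].upper(), rest[1:]

def ptr_owner_to_ip(owner):
    # "1.0.1.10.in-addr.arpa." -> "10.1.0.1": PTR owners list the octets reversed
    labels = owner.lower().split(".in-addr.arpa.")[0].split(".")
    return ".".join(reversed(labels))

def forward_map(zone_text, origin):
    """name -> IPv4 address for every A record."""
    return {o: r[0] for o, t, r in records(zone_text, origin) if t == "A"}

def reverse_map(zone_text, origin):
    """IPv4 address -> name for every PTR record (origin is the in-addr.arpa zone)."""
    return {ptr_owner_to_ip(o): r[0] for o, t, r in records(zone_text, origin) if t == "PTR"}

def check_consistency(fwd_text, fwd_origin, rev_text, rev_origin):
    """Sorted list of problems; empty when every A has a matching PTR and vice versa."""
    a, ptr = forward_map(fwd_text, fwd_origin), reverse_map(rev_text, rev_origin)
    names = {n.lower() for n in a}
    problems = []
    for name, ip in a.items():
        if ip not in ptr:
            problems.append(f"{ip} ({name}) has no PTR record")
        elif ptr[ip].lower() != name.lower():
            problems.append(f"{ip}: A record is {name} but PTR says {ptr[ip]}")
    for ip, name in ptr.items():
        if name.lower() not in names:
            problems.append(f"PTR {ip} -> {name} has no matching A record")
    return sorted(problems)

if __name__ == "__main__":
    for p in check_consistency(FORWARD_ZONE, "example.net.", REVERSE_ZONE, "0.1.10.IN-ADDR.ARPA."):
        print("PROBLEM:", p)
```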
10. Check the configuration
[root@nsd named]# service named configtest
master.example.net:1: no TTL specified; using SOA MINTTL instead
zone example.net/IN: loaded serial 2010072401
zone localhost/IN: loaded serial 42
zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
10.1.0.rev:1: no TTL specified; using SOA MINTTL instead
zone 0.1.10.IN-ADDR.ARPA/IN: loaded serial 2010072401


All seems OK, so it's time to start the service and run some tests.
11. Start and tests
[root@nsd named]# service named restart
Starting named:                                            [  OK  ]
[root@nsd named]# nslookup gw1
Server:         10.1.0.5
Address:        10.1.0.5#53

Name:   gw1.example.net
Address: 10.1.0.1

[root@nsd named]# nslookup gw1.example.net
Server:         10.1.0.5
Address:        10.1.0.5#53

Name:   gw1.example.net
Address: 10.1.0.1

[root@nsd named]# nslookup 10.1.0.5
Server:         10.1.0.5
Address:        10.1.0.5#53

5.0.1.10.in-addr.arpa   name = nsd.example.net.
[root@nsd named]# nslookup
> set q=ns
> example.net
Server:         10.1.0.5
Address:        10.1.0.5#53

example.net     nameserver = nsd.example.net.
> set q=mx
> example.net
Server:         10.1.0.5
Address:        10.1.0.5#53

example.net     mail exchanger = 1 centos.example.net.
> exit

At the end our nameserver is up and running and can serve my domain and my IP range for my home network. For further information about the parameters used in the files above, please refer to the official BIND documentation.

DNS - make it simple and fast, part 2

6. Root servers
With one simple command I will create the root servers file and be sure this information is correct:
[root@nsd chroot]# dig @e.root-servers.net . ns >/var/named/chroot/var/named/root.servers

And the content of the file is:
[root@nsd chroot]# cat  /var/named/chroot/var/named/root.servers

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @e.root-servers.net . ns
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35642
;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 14

;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       518400  IN      NS      c.root-servers.net.
.                       518400  IN      NS      d.root-servers.net.
.                       518400  IN      NS      j.root-servers.net.
.                       518400  IN      NS      f.root-servers.net.
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      NS      l.root-servers.net.
.                       518400  IN      NS      b.root-servers.net.
.                       518400  IN      NS      g.root-servers.net.
.                       518400  IN      NS      k.root-servers.net.
.                       518400  IN      NS      h.root-servers.net.
.                       518400  IN      NS      m.root-servers.net.
.                       518400  IN      NS      i.root-servers.net.
.                       518400  IN      NS      e.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.     3600000 IN      A       198.41.0.4
a.root-servers.net.     3600000 IN      AAAA    2001:503:ba3e::2:30
b.root-servers.net.     3600000 IN      A       192.228.79.201
c.root-servers.net.     3600000 IN      A       192.33.4.12
d.root-servers.net.     3600000 IN      A       128.8.10.90
e.root-servers.net.     3600000 IN      A       192.203.230.10
f.root-servers.net.     3600000 IN      A       192.5.5.241
f.root-servers.net.     3600000 IN      AAAA    2001:500:2f::f
g.root-servers.net.     3600000 IN      A       192.112.36.4
h.root-servers.net.     3600000 IN      A       128.63.2.53
h.root-servers.net.     3600000 IN      AAAA    2001:500:1::803f:235
i.root-servers.net.     3600000 IN      A       192.36.148.17
i.root-servers.net.     3600000 IN      AAAA    2001:7fe::53
j.root-servers.net.     3600000 IN      A       192.58.128.30

;; Query time: 126 msec
;; SERVER: 192.203.230.10#53(192.203.230.10)
;; WHEN: Sat Jul 24 20:30:15 2010
;; MSG SIZE  rcvd: 500


But I will check, just in case, that all is OK with the file:
[root@nsd chroot]# service named configtest
_default/example.net/in: file not found
_default/localhost/in: file not found
_default/0.0.127.in-addr.arpa/in: file not found
_default/0.1.10.IN-ADDR.ARPA/in: file not found
zone example.net/IN: loading master file master.example.net: file not found
zone localhost/IN: loading master file master.localhost: file not found
zone 0.0.127.in-addr.arpa/IN: loading master file localhost.rev: file not found
zone 0.1.10.IN-ADDR.ARPA/IN: loading master file 10.1.0.rev: file not found

Aha, no more complaints about the missing root servers file.
7. Local domain and host files (RFC 1912)
Because I am lazy, I will take the files directly from the bind package examples:
[root@nsd chroot]# cp /usr/share/doc/bind-9.3.6/sample/var/named/named.local /var/named/chroot/var/named/localhost.rev
[root@nsd chroot]# cp /usr/share/doc/bind-9.3.6/sample/var/named/localdomain.zone /var/named/chroot/var/named/master.localhost


And check the situation:
[root@nsd chroot]# service named configtest
_default/example.net/in: file not found
_default/0.1.10.IN-ADDR.ARPA/in: file not found
zone example.net/IN: loading master file master.example.net: file not found
zone localhost/IN: loaded serial 42
zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
zone 0.1.10.IN-ADDR.ARPA/IN: loading master file 10.1.0.rev: file not found


Cool, so some of the files are in place and I can continue with the configuration.

DNS - make it simple and fast


1. Preamble
In this article I will try to show how to set up a simple DNS server. Do not expect to see master/slave architecture, DNSSEC, sophisticated settings and so on (maybe in a later article). The DNS server will serve the example.net domain, which is free and everyone can use it locally. The examples are based on Bind v9 and RHEL/CentOS. If you use a different distribution, please consult your manuals.
2. First let's check the prerequisites
[root@nsd ~]# rpm -qa |grep bind
bind-utils-9.3.6-4.P1.el5_4.2
ypbind-1.19-12.el5
bind-libs-9.3.6-4.P1.el5_4.2
bind-chroot-9.3.6-4.P1.el5_4.2
bind-9.3.6-4.P1.el5_4.2


If you do not have it installed, you can do it with the command:
[root@nsd ~]# yum install bind-chroot

I will use a chroot environment to make the server a little bit more secure. This does not change the examples below very much.
3. Check the directory tree
[root@nsd ~]# grep -v ^# /etc/sysconfig/named
ROOTDIR=/var/named/chroot
[root@nsd ~]# cd /var/named/chroot/
[root@nsd chroot]# tree
.
|-- dev
|   |-- null
|   |-- random
|   `-- zero
|-- etc
|   |-- localtime
|   `-- rndc.key
`-- var
    |-- log
    |-- named
    |   |-- data
    |   `-- slaves
    |-- run
    |   `-- named
    `-- tmp

10 directories, 5 files

4. Looks good, so let's start building our named.conf file
4.1. Options

options {
  directory "/var/named";
  allow-recursion {10.1.0.0/24;};
};


The base directory for files is set to /var/named, and recursive queries are allowed only from my local network IP range. Do not forget that the actual path is /var/named/chroot/var/named because of the chroot environment.
4.2. Root servers
zone "." {
  type hint;
  file "root.servers";
};


This is the hint zone definition for the root servers, which serve the top-level Internet zone "." (dot).
4.3. Local host
zone "localhost" in{
  type master;
  file "master.localhost";
  allow-update{none;};
};
zone "0.0.127.in-addr.arpa" in{
  type master;
  file "localhost.rev";
  allow-update{none;};
};


Here is the definition for localhost zone and its corresponding reverse zone.
4.4. My zone
zone "example.net" in{
  type master;
  file "data/master.example.net";
};


I will not allow any slaves, because this will be the only DNS server in the network.
4.5. My reverse zone
zone "0.1.10.IN-ADDR.ARPA" in{
  type master;
  file "10.1.0.rev";
};


I will manage the 10.1.0 network locally.
5. Create file named.conf and check configuration
[root@nsd chroot]# vi etc/named.conf
[root@nsd chroot]# service named configtest
_default/example.net/in: file not found
_default/localhost/in: file not found
_default/0.0.127.in-addr.arpa/in: file not found
_default/0.1.10.IN-ADDR.ARPA/in: file not found
zone example.net/IN: loading master file master.example.net: file not found
zone localhost/IN: loading master file master.localhost: file not found
zone 0.0.127.in-addr.arpa/IN: loading master file localhost.rev: file not found
zone 0.1.10.IN-ADDR.ARPA/IN: loading master file 10.1.0.rev: file not found


As expected, the zone files do not exist, but I will create them soon. Do not forget that the actual place of the config file is in the chroot-ed environment, i.e. /var/named/chroot/etc and not /etc.

Audit - something you have, something you do not know, part 2

5. Add some monitored files and directories
I will add monitoring of the /var/run directory for read and write actions, /etc/rc.d/init.d for write and execute, and the /etc/shadow file for attribute changes and writes:
[root@centos ~]# auditctl -w /etc/shadow -p wa -k shadow-file
[root@centos ~]# auditctl -w /var/run/ -p rw -k var-run-pids
[root@centos ~]# auditctl -w /etc/rc.d/init.d -p xw -k init-scripts


and check the rules I defined, just in case:
[root@centos ~]# auditctl -l
LIST_RULES: exit,always dir=/var/run (0x8) perm=rw key=var-run-pids
LIST_RULES: exit,always watch=/etc/shadow perm=wa key=shadow-file
LIST_RULES: exit,always dir=/etc/rc.d/init.d (0x10) perm=wx key=init-scripts


6. Perform some actions that will generate audit trails
6.1. Create a user (this changes the /etc/shadow file)
[root@centos ~]# useradd test
[root@centos ~]# id test
uid=501(test) gid=501(test) groups=501(test)
[root@centos ~]# passwd test
Changing password for user test.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully

6.2. Start the httpd daemon to get trails for execution in /etc/rc.d/init.d and writes in /var/run
[root@centos ~]# /etc/rc.d/init.d/httpd restart
Stopping httpd:                                            [FAILED]
Starting httpd:                                            [  OK  ]


7. Checks of the audit logs
7.1. General check
[root@centos ~]# tail -20 /var/log/audit/audit.log
type=CONFIG_CHANGE msg=audit(1279423171.091:97): auid=0 ses=1 op="updated rules" path="/etc/shadow" key="shadow-file" list=4 res=1
type=SYSCALL msg=audit(1279423171.091:98): arch=40000003 syscall=38 success=yes exit=0 a0=b21317 a1=b211d6 a2=b235e4 a3=0 items=5 ppid=1921 pid=2034 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="passwd" exe="/usr/bin/passwd" key="shadow-file"
type=CWD msg=audit(1279423171.091:98):  cwd="/root"
type=PATH msg=audit(1279423171.091:98): item=0 name="/etc/" inode=229377 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1279423171.091:98): item=1 name="/etc/" inode=229377 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1279423171.091:98): item=2 name="/etc/nshadow" inode=229819 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1279423171.091:98): item=3 name="/etc/shadow" inode=230260 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1279423171.091:98): item=4 name="/etc/shadow" inode=229819 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00
type=USER_CHAUTHTOK msg=audit(1279423171.103:99): user pid=2034 uid=0 auid=0 msg='PAM: chauthtok acct="test" : exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_CHAUTHTOK msg=audit(1279423171.106:100): user pid=2034 uid=0 auid=0 msg='op=change password id=501 exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=SYSCALL msg=audit(1279423197.516:101): arch=40000003 syscall=10 success=no exit=-2 a0=bfde9f8a a1=0 a2=805287c a3=bfde8594 items=1 ppid=2040 pid=2043 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="rm" exe="/bin/rm" key="var-run-pids"
type=CWD msg=audit(1279423197.516:101):  cwd="/"
type=PATH msg=audit(1279423197.516:101): item=0 name="/var/run/httpd.pid" inode=426024 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1279423197.536:102): arch=40000003 syscall=10 success=no exit=-2 a0=bfd3bf8a a1=0 a2=805287c a3=bfd3bd24 items=1 ppid=2040 pid=2044 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="rm" exe="/bin/rm" key="var-run-pids"
type=CWD msg=audit(1279423197.536:102):  cwd="/"
type=PATH msg=audit(1279423197.536:102): item=0 name="/var/run/httpd.pid" inode=426024 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1279423199.900:103): arch=40000003 syscall=5 success=yes exit=15 a0=82c4aa0 a1=8241 a2=1a4 a3=8241 items=2 ppid=1 pid=2048 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" key="var-run-pids"
type=CWD msg=audit(1279423199.900:103):  cwd="/"
type=PATH msg=audit(1279423199.900:103): item=0 name="/etc/httpd/run/" inode=426024 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1279423199.900:103): item=1 name="/etc/httpd/run/httpd.pid" inode=426093 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00


7.2. Check for trails of actions related to the shadow file
[root@centos ~]# ausearch -f /etc/shadow
----
time->Sun Jul 18 05:19:21 2010
type=PATH msg=audit(1279423161.665:95): item=4 name="/etc/shadow" inode=230260 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1279423161.665:95): item=3 name="/etc/shadow" inode=230225 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1279423161.665:95): item=2 name="/etc/shadow+" inode=230260 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1279423161.665:95): item=1 name="/etc/" inode=229377 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1279423161.665:95): item=0 name="/etc/" inode=229377 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1279423161.665:95):  cwd="/root"
type=SYSCALL msg=audit(1279423161.665:95): arch=40000003 syscall=38 success=yes exit=0 a0=bfc58c08 a1=80593a0 a2=bfc57b40 a3=0 items=5 ppid=1921 pid=2028 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="useradd" exe="/usr/sbin/useradd" key="shadow-file"
----
time->Sun Jul 18 05:19:31 2010
type=PATH msg=audit(1279423171.091:98): item=4 name="/etc/shadow" inode=229819 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1279423171.091:98): item=3 name="/etc/shadow" inode=230260 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1279423171.091:98): item=2 name="/etc/nshadow" inode=229819 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1279423171.091:98): item=1 name="/etc/" inode=229377 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1279423171.091:98): item=0 name="/etc/" inode=229377 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1279423171.091:98):  cwd="/root"
type=SYSCALL msg=audit(1279423171.091:98): arch=40000003 syscall=38 success=yes exit=0 a0=b21317 a1=b211d6 a2=b235e4 a3=0 items=5 ppid=1921 pid=2034 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="passwd" exe="/usr/bin/passwd" key="shadow-file"


As you can see very clearly, here I have information about the user id, the command, the directory from which the command was executed and, of course, the timestamp of the action.

7.3. From the log it is visible that the run of httpd created a file named /var/run/httpd.pid, and I can use this file to reveal the action behind its creation
[root@centos ~]# ausearch -f /var/run/httpd.pid
----
time->Sun Jul 18 05:19:57 2010
type=PATH msg=audit(1279423197.536:102): item=0 name="/var/run/httpd.pid" inode=426024 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1279423197.536:102):  cwd="/"
type=SYSCALL msg=audit(1279423197.536:102): arch=40000003 syscall=10 success=no exit=-2 a0=bfd3bf8a a1=0 a2=805287c a3=bfd3bd24 items=1 ppid=2040 pid=2044 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="rm" exe="/bin/rm" key="var-run-pids"
----
time->Sun Jul 18 05:19:57 2010
type=PATH msg=audit(1279423197.516:101): item=0 name="/var/run/httpd.pid" inode=426024 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1279423197.516:101):  cwd="/"
type=SYSCALL msg=audit(1279423197.516:101): arch=40000003 syscall=10 success=no exit=-2 a0=bfde9f8a a1=0 a2=805287c a3=bfde8594 items=1 ppid=2040 pid=2043 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="rm" exe="/bin/rm" key="var-run-pids"


7.4. Because of the way httpd runs, I see that the actual place of the pid file is /etc/httpd/run/httpd.pid, so let's check for this file too
[root@centos ~]# ausearch -f /etc/httpd/run/httpd.pid
----
time->Sun Jul 18 05:19:59 2010
type=PATH msg=audit(1279423199.900:103): item=1 name="/etc/httpd/run/httpd.pid" inode=426093 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1279423199.900:103): item=0 name="/etc/httpd/run/" inode=426024 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1279423199.900:103):  cwd="/"
type=SYSCALL msg=audit(1279423199.900:103): arch=40000003 syscall=5 success=yes exit=15 a0=82c4aa0 a1=8241 a2=1a4 a3=8241 items=2 ppid=1 pid=2048 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" key="var-run-pids"


7.5. Aha, so here is the command that ran /usr/sbin/httpd. I will check for the run of some init script
[root@centos ~]# ausearch -k init-scripts
----
time->Sun Jul 18 05:34:19 2010
type=CONFIG_CHANGE msg=audit(1279424059.616:109): auid=0 op=add rule key="init-scripts" list=4 res=1
----
time->Sun Jul 18 05:35:33 2010
type=PATH msg=audit(1279424133.097:110): item=2 name=(null) inode=32807 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1279424133.097:110): item=1 name=(null) inode=196644 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1279424133.097:110): item=0 name="/etc/init.d/httpd" inode=230082 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1279424133.097:110):  cwd="/"
type=EXECVE msg=audit(1279424133.097:110): argc=2 a0="/bin/bash" a1="/etc/init.d/httpd"
type=EXECVE msg=audit(1279424133.097:110): argc=3 a0="/bin/bash" a1="/etc/init.d/httpd" a2="restart"
type=SYSCALL msg=audit(1279424133.097:110): arch=40000003 syscall=11 success=yes exit=0 a0=bfafde5a a1=bfafd558 a2=94a4858 a3=5 items=3 ppid=2190 pid=2195 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="httpd" exe="/bin/bash" key="init-scripts"

8. Et voilà, we have revealed very detailed output about the actions related to the areas, directories and files we consider sensitive and critical for our system.
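The correlation done by hand above (matching the SYSCALL, CWD, PATH and EXECVE records that share one serial number, then filtering by the -k key) can be automated. The script below is an added example, not code from the original post or from the audit package; its sample lines are copied from the audit.log excerpts above, and the syscall names are the i386 numbers (arch=40000003) that appear there.

```python
"""Group audit.log records into events by serial number and summarise them
(added example, not code from the post or the audit package). SAMPLE_LOG is
constructed from the post's own audit.log excerpts."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
type=SYSCALL msg=audit(1279423171.091:98): arch=40000003 syscall=38 success=yes exit=0 a0=b21317 a1=b211d6 a2=b235e4 a3=0 items=5 ppid=1921 pid=2034 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="passwd" exe="/usr/bin/passwd" key="shadow-file"
type=CWD msg=audit(1279423171.091:98):  cwd="/root"
type=PATH msg=audit(1279423171.091:98): item=2 name="/etc/nshadow" inode=229819 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1279423171.091:98): item=3 name="/etc/shadow" inode=230260 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1279423197.516:101): arch=40000003 syscall=10 success=no exit=-2 a0=bfde9f8a a1=0 a2=805287c a3=bfde8594 items=1 ppid=2040 pid=2043 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="rm" exe="/bin/rm" key="var-run-pids"
type=CWD msg=audit(1279423197.516:101):  cwd="/"
type=PATH msg=audit(1279423197.516:101): item=0 name="/var/run/httpd.pid" inode=426024 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=EXECVE msg=audit(1279424133.097:110): argc=3 a0="/bin/bash" a1="/etc/init.d/httpd" a2="restart"
type=SYSCALL msg=audit(1279424133.097:110): arch=40000003 syscall=11 success=yes exit=0 a0=bfafde5a a1=bfafd558 a2=94a4858 a3=5 items=3 ppid=2190 pid=2195 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="httpd" exe="/bin/bash" key="init-scripts"
"""

# type=<TYPE> msg=audit(<seconds>.<millis>:<serial>): <key=value fields>
HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# i386 (arch=40000003) syscall numbers that appear in the post's log excerpts
SYSCALL_NAMES = {5: "open", 10: "unlink", 11: "execve", 38: "rename"}


def parse_record(line):
    """One audit.log line -> (type, timestamp, serial, {field: value}) or None."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
    return rtype, float(ts), int(serial), fields


def group_events(lines):
    """Records sharing a serial number belong to one event: serial -> [records]."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec[2]].append(rec)
    return events


def summarise(event):
    """Reduce one event's records to who (auid, exe), what (syscall, argv),
    where (cwd, paths) and whether the call succeeded."""
    out = {"paths": [], "argv": []}
    for rtype, ts, serial, fld in event:
        out["serial"], out["time"] = serial, ts
        if rtype == "SYSCALL":
            out.update(auid=int(fld["auid"]), exe=fld["exe"], comm=fld["comm"],
                       key=fld.get("key"), success=fld["success"] == "yes",
                       syscall=SYSCALL_NAMES.get(int(fld["syscall"]), fld["syscall"]))
        elif rtype == "CWD":
            out["cwd"] = fld["cwd"]
        elif rtype == "PATH":
            out["paths"].append(fld["name"])
        elif rtype == "EXECVE":
            out["argv"] = [fld[f"a{i}"] for i in range(int(fld["argc"]))]
    return out


def events_for_key(lines, key):
    """Like 'ausearch -k KEY': summaries of the events tagged with that key, oldest first."""
    summaries = (summarise(ev) for ev in group_events(lines).values())
    return sorted((s for s in summaries if s.get("key") == key), key=lambda s: s["serial"])


if __name__ == "__main__":
    for key in ("shadow-file", "var-run-pids", "init-scripts"):
        for s in events_for_key(SAMPLE_LOG.splitlines(), key):
            print(f"{key}: auid={s['auid']} {s['exe']} {s['syscall']} ok={s['success']} "
                  f"cwd={s.get('cwd')} paths={s['paths']} argv={s['argv']}")
```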

9. And at the end, let's get a summary report from the audit subsystem
[root@centos ~]# aureport

Summary Report
======================
Range of time in logs: 05/22/2010 11:01:19.717 - 07/18/2010 05:35:35.467
Selected time for report: 05/22/2010 11:01:19 - 07/18/2010 05:35:35.467
Number of changes in configuration: 56
Number of changes to accounts, groups, or roles: 21
Number of logins: 30
Number of failed logins: 21
Number of authentications: 12
Number of failed authentications: 1
Number of users: 1
Number of terminals: 11
Number of host names: 7
Number of executables: 12
Number of files: 45
Number of AVC's: 1
Number of MAC events: 1
Number of failed syscalls: 76
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 4
Number of process IDs: 123
Number of events: 540


Of course, in this short article it is not possible to show all the options we can use to audit a Linux system. For more detailed information please refer to your documentation.

Audit - something you have, something you do not know, part 1

The audit subsystem is usually installed on every Linux system, but very often it is not used. In this article I will try to show you what you can do with it. Be aware that CentOS/RHEL is used here, so the commands and files on your Linux may differ and you should consult the documentation.
1. Installation. Let's check if the package is installed (usually it is):
[root@centos ~]# rpm -q audit
audit-1.7.17-3.el5


In this case the package is installed, but if you do not have it you can install it with the command:
[root@centos ~]# yum install audit

Here are the prerequisites for the package (nothing unusual):
[root@centos ~]# rpm -qR audit
/bin/bash
/bin/sh
/bin/sh
/bin/sh
audit-libs = 1.7.17-3.el5
chkconfig
config(audit) = 1.7.17-3.el5
coreutils
libaudit.so.0
libauparse.so.0
libc.so.6
libc.so.6(GLIBC_2.0)
libc.so.6(GLIBC_2.1)
libc.so.6(GLIBC_2.1.3)
libc.so.6(GLIBC_2.2)
libc.so.6(GLIBC_2.3)
libc.so.6(GLIBC_2.3.2)
libc.so.6(GLIBC_2.3.4)
libc.so.6(GLIBC_2.4)
libm.so.6
libm.so.6(GLIBC_2.0)
libnsl.so.1
libpthread.so.0
libpthread.so.0(GLIBC_2.0)
libpthread.so.0(GLIBC_2.1)
libpthread.so.0(GLIBC_2.3.2)
librt.so.1
libwrap.so.0
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rtld(GNU_HASH)


2. The next step is to check whether the audit daemon is started
[root@centos ~]# service auditd status
auditd (pid  1432) is running...


If it is not, you can start it with:
[root@centos ~]# service auditd start
Starting auditd:                                           [  OK  ]

3. Configuration. One important point is to decide whether you want to monitor system calls or not. I will set it to yes: in the file /etc/sysconfig/auditd I will add the line (or change it if it already exists)
AUDITD_DISABLE_CONTEXTS="no"

and restart the daemon.
Next we should set where the audit log file will be located. This is done in /etc/audit/auditd.conf with the parameter log_file in the format
log_file = /path/file

For example, in my config this is:
[root@centos ~]# grep ^log_file  /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log


In some high-security environments you will want to create a dedicated filesystem for the audit log files, and you should decide what happens if this filesystem becomes full. This is done by a parameter in the /etc/audit/auditd.conf file:
disk_full_action

This parameter can have the values: ignore, syslog, exec, suspend, single, and halt
ignore - do nothing
syslog - write a warning to syslog
exec /path/to/script - execute the script
suspend - the audit daemon stops writing to disk
single - put the server in single-user mode
halt - shut down the server
Of course there are many other parameters, but I just touch on the most important ones (in my understanding).

4. Check the current situation
4.1. List current rules
[root@centos ~]# auditctl -l
No rules

4.2. Check current status
[root@centos ~]# auditctl -s
AUDIT_STATUS: enabled=1 flag=1 pid=2062 rate_limit=0 backlog_limit=320 lost=0 backlog=0

Oracle DB for system administrators, part 9 (shell scripts) cont.

I decided to continue the series with some ideas about security. For test purposes security is not so important, but for production and related environments (preproduction, for example) it is a considerable point.
In the previous post I used just the plain command line, and all the valuable parameters such as username and password are visible in the command line:
[oracle@rh-or ~]$ sqlplus -S romeo/pass1234@orcl @date.sql "Today is "

So everyone who has access to the server can see them. If I try another technique to hide them, with environment variables like this:
[oracle@rh-or ~]$ O_USER=romeo
[oracle@rh-or ~]$ O_PASS=pass1234
[oracle@rh-or ~]$ sqlplus -S $O_USER/$O_PASS@orcl @date.sql "Today is "


this will hide the information from the command line, but it is still visible via the environment of the process. For example, in Solaris the pargs command will provide such information
(https://unixswing.blogspot.com/2018/09/solaris-commands-for-process-management_22.html)
Let's rewrite the script with some inline code (a here-document):
sqlplus -S /nolog << EOD
connect romeo/pass1234@orcl
@date.sql
exit
EOD


The above script will expose in the process list only the fact that sqlplus is running and nothing more. The rest of the information will be "entered" as in an interactive session, without any traces for other users.
Be aware that the last line of the code (the word EOD) must contain no other symbols except that word. Otherwise the script will not work in the expected manner.
The permissions of such a script should be set to 700 to avoid disclosure of sensitive information to outsiders. The only issue is that you cannot hide the information in the script from the user who will run it, because in UNIX/Linux shells, to execute a script you must have the right to read it.
