Setting an access control list (ACL) for minimally-privileged users
To give FortiDB more tightly scoped access to a target database host, create an access control list (ACL) that lets a minimally privileged user perform, over SSH, only the OS-level operations that the FortiDB OS-level pre-defined policies require.
In general, you create a user belonging to the nobody group on your target database machine. Then use ACLs to give that user only the specific permissions necessary to execute the OS-level pre-defined policies you are interested in.
The following examples grant the SSH user read and execute permissions on directories under $ORACLE_HOME, which some operating system vulnerability assessment (OSVA) pre-defined policies require. (Example one grants read, write and execute on a single OPatch log directory.)
Example one: Set ACL on an Oracle 10g target server for OSVA ORCL 01.01
- Assume the SSH user is fortidb.
- Grant the permissions:
$ setfacl -m user:fortidb:rwx,mask:rwx $ORACLE_HOME/cfgtoollogs/opatch/lsinv
- To confirm the permissions:
$ getfacl $ORACLE_HOME/cfgtoollogs/opatch/lsinv
This command returns something like the following response:
# file: /export/home/ora1020/product/10.2.0/Db_1/cfgtoollogs/opatch/lsinv
# owner: ora1020
# group: oinstall
user::rwx
user:fortidb:rwx #effective:rwx
group::r-x #effective:r-x
mask:rwx
other:r-x
Check that the effective value on the user:fortidb line is rwx. The effective permissions are the entry's permissions masked by the mask entry, so if the mask is narrower than rwx the user ends up with less than you granted; re-run setfacl with mask:rwx as above.
Example two: Set ACL on an Oracle 9, 10g, 11g, or 12c target server for OSVA ORCL 01.06, 01.07, and 01.08
- Assume the SSH user is sshuser.
- To find the directories within $ORACLE_HOME that do not already grant others read and execute permission, execute the following, as the Oracle owner (see o_owner), on your target-database machine:
$ find $ORACLE_HOME \( -type d \) -a \( ! -perm -o+rx \) -ls|awk '{print $3,$11}'
which might return something like:
drwx------ /oracle/db1/Apache/Apache/conf/ssl.key
drwxr-x--- /oracle/db1/.patch_storage
- Using the File Access Control List program, grant read and execute permission to sshuser on each directory returned:
$ setfacl -m user:sshuser:r-x,mask:r-x /oracle/db1/Apache/Apache/conf/ssl.key
$ setfacl -m user:sshuser:r-x,mask:r-x /oracle/db1/.patch_storage
- (Optionally) confirm that the correct permissions were granted with:
$ getfacl /oracle/db1/Apache/Apache/conf/ssl.key
$ getfacl /oracle/db1/.patch_storage
which would return something like:
# file: /oracle/db1/.patch_storage
# owner: ora1020
# group: oinstall
user::rwx
user:sshuser:r-x #effective:r-x
group::r-- #effective:r--
mask:r-x
other:---
If the user:sshuser line shows an effective value narrower than r-x (for example #effective:r-- with mask:r--), the mask entry is cutting the grant down; re-run setfacl with mask:r-x as above.
- (Optionally) you can revoke the permissions with:
$ setfacl -d user:sshuser:r-x,mask:r-x /oracle/db1/Apache/Apache/conf/ssl.key
$ setfacl -d user:sshuser:r-x,mask:r-x /oracle/db1/.patch_storage
The -d option shown here follows the Solaris setfacl(1) syntax, where it deletes ACL entries. On Linux setfacl, -d means "operate on the default ACL" and would add an inherited entry instead; remove the entry there with setfacl -x user:sshuser <directory>.
If you cannot give read (r) and execute (x) permission on a directory, FortiDB VA produces a "Permission denied" error on the report, which you can ignore. Read and execute on a directory only lets sshuser list and traverse it; the files inside keep their own permissions, so leaving a sensitive directory such as ssl.key above without the ACL and accepting the report error is a reasonable choice.
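As an added example (not FortiDB's own tooling), the following POSIX shell script wraps the procedure above: it lists the directories under a root that others cannot read or traverse, and it parses getfacl output to compute the effective permissions a named user actually ends up with, so the case where a narrow mask entry silently cuts an r-x grant down to r-- is caught before the policy runs. The user name sshuser, the directory paths and the two embedded getfacl outputs are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of FortiDB: list directories others cannot reach,
# and compute a user's effective ACL permissions from getfacl(1) output,
# honouring the mask entry. Assumes the SSH user is "sshuser"; SAMPLE_* are
# constructed strings in the Solaris-style getfacl format shown on the page.

# Constructed output before the mask is widened: the user entry says r-x but
# the mask of r-- reduces the effective permissions to r--.
SAMPLE_MASKED='# file: /oracle/db1/.patch_storage
# owner: ora1020
# group: oinstall
user::rwx
user:sshuser:r-x          #effective:r--
group::r--                #effective:r--
mask:r--
other:---'

# Constructed output after "setfacl -m user:sshuser:r-x,mask:r-x": effective r-x.
SAMPLE_FIXED='# file: /oracle/db1/.patch_storage
# owner: ora1020
# group: oinstall
user::rwx
user:sshuser:r-x          #effective:r-x
group::r--                #effective:r--
mask:r-x
other:---'

# dirs_lacking_other_rx ROOT: directories under ROOT where "others" lack
# read+execute (octal 005), i.e. the ones the SSH user cannot reach without
# an ACL. Same idea as the page's find command, written portably.
dirs_lacking_other_rx() {
  find "$1" -type d ! -perm -005 -print
}

# effective_perms USER ACLTEXT: print USER's effective rwx string, computed as
# the named entry ANDed with the mask (what getfacl's #effective shows), or
# "none" if USER has no named entry. Accepts "mask:r-x" (Solaris) and
# "mask::r-x" (Linux) spellings.
effective_perms() {
  printf '%s\n' "$2" | awk -v u="$1" '
    /^#/ { next }
    /^mask:/ { n = split($1, m, ":"); mask = m[n] }
    $1 ~ ("^user:" u ":") { n = split($1, e, ":"); entry = e[n] }
    END {
      if (entry == "") { print "none"; exit }
      if (mask == "") { print entry; exit }
      out = ""
      for (i = 1; i <= 3; i++) {
        c = substr(entry, i, 1)
        out = out ((c != "-" && c == substr(mask, i, 1)) ? c : "-")
      }
      print out
    }'
}

# has_perms USER WANT ACLTEXT: succeed only if every bit in WANT (e.g. "r-x")
# is present in USER's effective permissions.
has_perms() {
  got=$(effective_perms "$1" "$3")
  [ "$got" = "none" ] && return 1
  i=1
  while [ "$i" -le 3 ]; do
    w=$(printf '%s' "$2" | cut -c"$i")
    g=$(printf '%s' "$got" | cut -c"$i")
    if [ "$w" != "-" ] && [ "$g" = "-" ]; then
      return 1
    fi
    i=$((i + 1))
  done
  return 0
}

# Demo on the constructed samples.
echo "masked: sshuser effective $(effective_perms sshuser "$SAMPLE_MASKED")"
echo "fixed:  sshuser effective $(effective_perms sshuser "$SAMPLE_FIXED")"
```

On a real host, feed live getfacl output instead of the constructed sample, for example `has_perms sshuser r-x "$(getfacl /oracle/db1/.patch_storage)" || echo "mask too narrow"`, and use `dirs_lacking_other_rx "$ORACLE_HOME"` to produce the list of directories to pass to setfacl.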