
Oracle OS Audit


The Oracle OS Audit DSM for JSA allows monitoring of the audit records that are stored in the local operating system file.

When audit event files are created or updated in the local operating system directory, a Perl script detects the change and forwards the data to JSA. The script monitors the audit log file and combines each multi-line log entry into a single log entry, so that records that span several lines in the file are not forwarded line by line. The logs are then sent to JSA by using syslog. The Perl scripts written for Oracle OS Audit run on Linux/UNIX servers only; Windows-based Perl installations are not supported.

To integrate the Oracle OS Audit DSM with JSA:

  1. Go to the following website to download the files that you need:

    https://support.juniper.net/support/downloads/

  2. From the Software tab, select Scripts.
  3. Download the Oracle OS Audit script:

    oracle_osauditlog_fwdr_5.3.tar.gz

  4. Type the following command to extract the file:

    tar -zxvf oracle_osauditlog_fwdr_5.3.tar.gz

  5. Copy the Perl script to the server that hosts the Oracle server.

    Note: Perl 5.8 must be installed on the device that hosts the Oracle server. If Perl 5.8 is not installed, you might be told that library files are missing when you start the Oracle OS Audit script. Verify that Perl 5.8 is installed before you continue.

  6. Log in to the Oracle host as an Oracle user that has SYS or root privilege.
  7. Make sure the ORACLE_HOME and ORACLE_SID environment variables are configured properly for your deployment.
  8. Open the following file:

    ${ORACLE_HOME}/dbs/init${ORACLE_SID}.ora

  9. For syslog, add the following lines to the file:

    *.audit_trail=os
    *.audit_syslog_level=local0.info

  10. Verify that the account has read/write permissions for the following directories:

    /var/lock/
    /var/run/

  11. Restart the Oracle database instance.
  12. Start the OS Audit DSM script:

    oracle_osauditlog_fwdr_5.3.pl -t target_host -d logs_directory

    Table 1: Oracle OS Audit Command Parameters

    -t    Defines the remote host that receives the audit log files.

    -d    Defines the directory that contains the DDL and DML log files.
          Specify the absolute path from the root directory.

    -H    Defines the host name or IP address for the syslog header. It is
          suggested that this is the IP address of the Oracle server on which
          the script is running.

    -D    Runs the script in the foreground. The default is to run as a daemon
          (in the background) and log all internal messages to the local
          syslog service.

    -n    Processes new logs only, and monitors the existing log files for
          changes to be processed. If -n is absent, all existing log files are
          processed when the script starts.

    -u    Sends by UDP.

    -f    Defines the syslog facility.priority that is included at the
          beginning of each log. If you do not specify a value, user.info is
          used.

    -r    Defines the directory in which the .pid file is created. The default
          is /var/run. This parameter is ignored if -D is specified.

    -l    Defines the directory in which the lock file is created. The default
          is /var/lock. This parameter is ignored if -D is specified.

    -h    Displays the help message.

    -v    Displays the version information for the script.

    If you restart your Oracle server, you must restart the script:

    oracle_osauditlog_fwdr_5.3.pl -t target_host -d logs_directory
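
The host-side part of steps 5 to 12, gathered into one script as an added example (this is not code from the Juniper page or from the forwarder script itself): it adds the two audit parameters to init<SID>.ora without duplicating or silently overriding an existing setting, checks the Perl version and the /var/lock and /var/run permissions, and builds the step 12 command line. It assumes Python 3 on the Oracle host; the function names and the example paths and hosts are mine.

```python
"""Added example, not code from the Juniper page or from the forwarder script:
the host-side part of steps 5 to 12 as checks you can run before starting
oracle_osauditlog_fwdr_5.3.pl. Assumed: Python 3 on the Oracle host; the
function names, the sample file layout and the example paths are mine."""
import os
import re
import subprocess

# The two parameters from step 9 and the directories from step 10 (from the page).
AUDIT_PARAMS = {"audit_trail": "os", "audit_syslog_level": "local0.info"}
RUNTIME_DIRS = ("/var/lock", "/var/run")

# init.ora lines look like "*.name=value", "SID.name=value" or "name=value".
PARAM_RE = re.compile(r"^(?:[\w*]+\.)?(?P<name>\w+)\s*=\s*(?P<value>.*?)\s*$")


def ensure_init_params(path, wanted=AUDIT_PARAMS):
    """Append any of `wanted` that init<SID>.ora lacks; return the names added.
    A parameter already set to a different value raises ValueError instead of
    being appended a second time, so the operator decides which setting wins."""
    with open(path) as fh:
        text = fh.read()
    present = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PARAM_RE.match(line)
        if m:
            present[m.group("name").lower()] = m.group("value")   # last one wins
    conflicts = {k: present[k] for k, v in wanted.items()
                 if k in present and present[k] != v}
    if conflicts:
        raise ValueError(f"{path}: already set to different values: {conflicts}")
    missing = [k for k in wanted if k not in present]
    if missing:
        with open(path, "a") as fh:
            if text and not text.endswith("\n"):
                fh.write("\n")                 # do not glue onto the last line
            for k in missing:
                fh.write(f"*.{k}={wanted[k]}\n")
    return missing


def unwritable_dirs(dirs=RUNTIME_DIRS):
    """Step 10: directories the current account cannot both read and write."""
    return [d for d in dirs
            if not (os.path.isdir(d) and os.access(d, os.R_OK | os.W_OK))]


def perl_version_ok(minimum=(5, 8)):
    """Step 5: a Perl of at least 5.8 on PATH ($] prints e.g. 5.030000)."""
    try:
        out = subprocess.run(["perl", "-e", "print $]"], capture_output=True,
                             text=True, check=True).stdout.strip()
        major, rest = out.split(".", 1)
        return (int(major), int(rest[:3])) >= minimum
    except (OSError, subprocess.CalledProcessError, ValueError):
        return False


def forwarder_command(target_host, logs_directory, header_host, new_only=True):
    """Step 12 as an argv list. -d must be absolute (Table 1); -H sets the
    syslog header host, which the JSA log source identifier must match."""
    if not os.path.isabs(logs_directory):
        raise ValueError("logs_directory must be an absolute path")
    cmd = ["oracle_osauditlog_fwdr_5.3.pl", "-t", target_host,
           "-d", logs_directory, "-H", header_host]
    if new_only:
        cmd.append("-n")       # skip the existing backlog; new records only
    return cmd


if __name__ == "__main__":
    # Example run: ORACLE_HOME/ORACLE_SID come from step 7; the hosts and the
    # log directory below are placeholders, not values from the page.
    init_ora = os.path.join(os.environ["ORACLE_HOME"], "dbs",
                            f"init{os.environ['ORACLE_SID']}.ora")
    print("added:", ensure_init_params(init_ora))
    print("perl ok:", perl_version_ok(), "unwritable:", unwritable_dirs())
    print(" ".join(forwarder_command("jsa.example.net",
                                     "/u01/app/oracle/admin/adump", "10.0.0.12")))
```

Run it as the account that will start the forwarder, so that the /var/lock and /var/run check reflects that account rather than root. One caveat the page does not mention: if the instance starts from an spfile rather than init<SID>.ora, editing the text file has no effect, and the same two parameters have to be set with ALTER SYSTEM ... SCOPE=SPFILE before the restart in step 11.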

You can now configure the log sources within JSA.

Configuring the Log Sources Within JSA for Oracle OS Audit

You can configure the log sources within JSA.

  1. From the Log Source Type list, select Oracle RDBMS OS Audit Record.
  2. From the Protocol Configuration list, select syslog.
  3. In the Log Source Identifier field, type the address that you specified with the -H option when you started the Oracle OS Audit script.

    For more information about your Oracle Audit Record, see your vendor documentation.

osquery

The JSA DSM for osquery receives JSON formatted events from devices that use a Linux operating system. The osquery DSM is available for JSA V7.3.0 and later.

The osquery DSM supports rsyslog and the following queries that are included in the qradar.pack.conf file for osquery V3.3.2:

  • container_processes

  • docker_container_mounts

  • docker_containers

  • listening_ports

  • process_open_sockets

  • sudoers

  • users

  • file_events

The supported osquery queries run on a 10 second interval, and only capture data that is available at that moment. For example, if a new process starts and finishes between queries of container_processes, that information is not captured by osquery.

The following supported queries capture only the state that exists at the moment of the 10 second poll; file_events is not in this list because it records file changes as they happen rather than at the polling interval:

  • container_processes

  • docker_container_mounts

  • docker_containers

  • listening_ports

  • process_open_sockets

  • sudoers

  • users
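
What those polled queries look like once they reach a collector, as an added example (not code from the Juniper page or from osquery): it parses osquery's line-per-record JSON result log for the queries listed above, flags new listening ports and sudoers changes, and measures how long an "added" row survived before its "removed" record, which is what the 10 second snapshot limitation means in practice. The sample lines are constructed and abridged; the pack_qradar_ name prefix is an assumption about how the queries in qradar.pack.conf are named, and the function names are mine.

```python
"""Added example, not code from the Juniper page or from osquery: parse osquery
result-log lines for the qradar.pack.conf queries and run simple checks over
them. Assumed: the query names carry osquery's usual "pack_<pack>_<query>"
prefix with the pack named "qradar"; the sample lines are constructed."""
import json

PACK_PREFIX = "pack_qradar_"   # assumption; change to match your pack name
POLL_INTERVAL = 10             # seconds, per the DSM description
REQUIRED = {"name", "hostIdentifier", "columns", "action", "unixTime"}

# Constructed, abridged sample in osquery's differential result-log format
# (one JSON object per line). The third line is deliberately truncated.
SAMPLE_LINES = r"""
{"name":"pack_qradar_listening_ports","hostIdentifier":"web01","unixTime":1578391200,"columns":{"pid":"412","port":"22","protocol":"6","family":"2","address":"0.0.0.0"},"action":"added"}
{"name":"pack_qradar_listening_ports","hostIdentifier":"web01","unixTime":1578391210,"columns":{"pid":"9931","port":"4444","protocol":"6","family":"2","address":"0.0.0.0"},"action":"added"}
{"name":"pack_qradar_users","hostIdentifier":"web01","unixTime":1578391210,"col
{"name":"pack_qradar_listening_ports","hostIdentifier":"web01","unixTime":1578391220,"columns":{"pid":"9931","port":"4444","protocol":"6","family":"2","address":"0.0.0.0"},"action":"removed"}
{"name":"pack_qradar_sudoers","hostIdentifier":"web01","unixTime":1578391220,"columns":{"source":"/etc/sudoers.d/ops","header":"","rule_details":"deploy ALL=(ALL) NOPASSWD: ALL"},"action":"added"}
"""


def parse_results(text):
    """One JSON object per line. Returns (events, malformed_line_count);
    truncated or non-object lines are counted and skipped, not fatal."""
    events, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            bad += 1
            continue
        if not isinstance(rec, dict) or not REQUIRED <= set(rec):
            bad += 1
            continue
        events.append(rec)
    return events, bad


def query_of(rec):
    """Strip the pack prefix so records match the query names in the list."""
    name = rec["name"]
    return name[len(PACK_PREFIX):] if name.startswith(PACK_PREFIX) else name


def new_listeners(events, allowed_ports):
    """listening_ports rows that appeared and are not on the allow list."""
    hits = []
    for rec in events:
        if query_of(rec) != "listening_ports" or rec["action"] != "added":
            continue
        port = int(rec["columns"]["port"])
        if port not in allowed_ports:
            hits.append((rec["hostIdentifier"], port, int(rec["columns"]["pid"])))
    return hits


def sudoers_changes(events):
    """Every sudoers row added or removed, with where the rule came from."""
    return [(rec["hostIdentifier"], rec["action"], rec["columns"]["source"],
             rec["columns"]["rule_details"])
            for rec in events if query_of(rec) == "sudoers"]


def observed_lifetimes(events):
    """Seconds between a row's 'added' and 'removed' records. The value is a
    multiple of POLL_INTERVAL at best; anything that lived shorter than one
    interval may never have produced a record at all."""
    added, seen = {}, []
    for rec in sorted(events, key=lambda r: r["unixTime"]):
        key = (query_of(rec), rec["hostIdentifier"],
               tuple(sorted(rec["columns"].items())))
        if rec["action"] == "added":
            added[key] = rec["unixTime"]
        elif rec["action"] == "removed" and key in added:
            seen.append((key[0], key[1], rec["unixTime"] - added.pop(key)))
    return seen


if __name__ == "__main__":
    events, bad = parse_results(SAMPLE_LINES)
    print(f"{len(events)} events, {bad} malformed line(s)")
    print("unexpected listeners:", new_listeners(events, {22}))
    print("sudoers changes:", sudoers_changes(events))
    print("observed lifetimes:", observed_lifetimes(events))
```

The lifetime check is the practical consequence of the polling model: the port 4444 listener above is reported as living 10 seconds, but its real lifetime was anywhere between just over 0 and 20 seconds, and a process that opens and closes a port between two polls leaves no record. For short-lived activity, rely on the event-driven file_events query or on another audit source rather than on these snapshots.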

To integrate osquery with JSA, complete the following steps: