Oracle ACFS Command-Line Tools for Security
This topic provides a summary of the commands for Oracle ACFS security.
Table 16-50 lists the Oracle ACFS security commands with brief descriptions. For an overview of Oracle ACFS security, refer to Oracle ACFS Security.
For more information about running Oracle ACFS acfsutil commands, refer to About Using Oracle ACFS Command-Line Tools.
Table 16-50 Summary of commands for Oracle ACFS security
Command | Description |
---|---|
acfsutil sec admin add | Adds a security administrator. |
acfsutil sec admin info | Lists the Oracle ACFS security administrators. |
acfsutil sec admin password | Changes the password of a security administrator. |
acfsutil sec admin remove | Removes a security administrator. |
acfsutil sec batch | Runs a batch file. |
acfsutil sec disable | Disables Oracle ACFS security. |
acfsutil sec enable | Enables Oracle ACFS security. |
acfsutil sec info | Displays Oracle ACFS file system security information. |
acfsutil sec info file | Lists the security realms that a specified file or directory belongs to. |
acfsutil sec init | Initializes Oracle ACFS file system security. |
acfsutil sec load | Loads Oracle ACFS file system security metadata. |
acfsutil sec prepare | Prepares an Oracle ACFS file system for security. |
acfsutil sec realm add | Adds objects to an Oracle ACFS file system security realm. |
acfsutil sec realm audit disable | Disables auditing of command rules for files in an Oracle ACFS security realm. |
acfsutil sec realm audit enable | Enables auditing of command rules for files in an Oracle ACFS security realm. |
acfsutil sec realm audit info | Displays the realm auditing information for a specified Oracle ACFS security realm. |
acfsutil sec realm clone | Clones an Oracle ACFS file system security realm. |
acfsutil sec realm create | Creates an Oracle ACFS file system security realm. |
acfsutil sec realm delete | Removes objects from an Oracle ACFS file system security realm. |
acfsutil sec realm destroy | Removes an Oracle ACFS file system security realm. |
acfsutil sec rule clone | Clones an Oracle ACFS file system security rule. |
acfsutil sec rule create | Creates an Oracle ACFS file system security rule. |
acfsutil sec rule destroy | Removes an Oracle ACFS file system security rule. |
acfsutil sec rule edit | Updates an Oracle ACFS file system security rule. |
acfsutil sec ruleset clone | Clones an Oracle ACFS file system security rule set. |
acfsutil sec ruleset create | Creates an Oracle ACFS file system security rule set. |
acfsutil sec ruleset destroy | Removes an Oracle ACFS file system rule set. |
acfsutil sec ruleset edit | Updates an Oracle ACFS file system rule set. |
acfsutil sec save | Saves Oracle ACFS file system security metadata. |
acfsutil sec admin add
Purpose
Adds a new security administrator for an Oracle ACFS file system.
Syntax and Description
acfsutil sec admin add -h
acfsutil sec admin add admin
acfsutil sec admin add -h displays help text and exits.
Table 16-51 contains the options available with the acfsutil sec admin add command.
Table 16-51 Options for the acfsutil sec admin add command
Option | Description |
---|---|
admin | Specifies a security administrator user name. The user specified must be an existing operating system user and a member of the security group specified with the acfsutil sec init command. On Windows, a security administrator user name must be specified with a fully qualified domain user name. |
Security administrators are common for all Oracle ACFS file systems in a cluster. A temporary password must be provided for the new security administrator. The password must conform to the format that is described in "acfsutil sec init".
The new security administrator can change the password with the acfsutil sec admin password command. For information, refer to "acfsutil sec admin password".
Security administrators are allowed to browse all directories in an Oracle ACFS file system regardless of whether they have the underlying operating system permissions and regardless of whether any realm checks allow it. This exception enables a security administrator to check the location of files when securing them with Oracle ACFS security realms. However, a security administrator cannot view the contents of individual files without the appropriate operating system and security realm permissions.
Only an existing security administrator can run this command.
Examples
The following example shows the use of the acfsutil sec admin add command.
Example 16-45 Using the acfsutil sec admin add command
$ /sbin/acfsutil sec admin add sec_admin_three
acfsutil sec admin info
Purpose
Displays a list of the Oracle ACFS security administrators.
Syntax and Description
acfsutil sec admin info -h
acfsutil sec admin info
acfsutil sec admin info -h displays help text and exits.
Only a security administrator can run this command.
Examples
The following example shows the use of the acfsutil sec admin info command.
Example 16-46 Using the acfsutil sec admin info command
$ /sbin/acfsutil sec admin info
acfsutil sec admin password
Purpose
Changes the password of a security administrator for an Oracle ACFS file system.
Syntax and Description
acfsutil sec admin password -h
acfsutil sec admin password
acfsutil sec admin password -h displays help text and exits.
The acfsutil sec admin password command changes the security password for the administrator that is running the command. When you run this command, you are prompted to enter a new password. The password must conform to the format that is described in "acfsutil sec init".
Every time a security administrator runs an acfsutil sec command, the administrator is prompted for the security administrator's password.
Only a security administrator can run this command.
Examples
The following example shows the use of the acfsutil sec admin password command.
Example 16-47 Using the acfsutil sec admin password command
$ /sbin/acfsutil sec admin password
ACFS Security administrator password:
New password:
Re-enter new password:
acfsutil sec admin remove
Purpose
Removes a security administrator from an Oracle ACFS file system.
Syntax and Description
acfsutil sec admin remove -h
acfsutil sec admin remove admin
acfsutil sec admin remove -h displays help text and exits.
Table 16-52 contains the options available with the acfsutil sec admin remove command.
Table 16-52 Options for the acfsutil sec admin remove command
Option | Description |
---|---|
admin | Specifies an existing security administrator user name. On Windows, the security administrator user name must be specified with a fully qualified user name. |
Only a security administrator can run this command.
Examples
The following example shows the use of the acfsutil sec admin remove command.
Example 16-48 Using the acfsutil sec admin remove command
$ /sbin/acfsutil sec admin remove sec_admin_three
acfsutil sec batch
Purpose
Runs a specified batch file.
Syntax and Description
acfsutil sec batch -h
acfsutil sec batch batch_file
acfsutil sec batch -h displays help text and exits.
Table 16-53 contains the options available with the acfsutil sec batch command.
Table 16-53 Options for the acfsutil sec batch command
Option | Description |
---|---|
batch_file | Specifies an existing batch file name. The batch file contains a list of acfsutil sec commands. |
The batch file can only contain security realm management commands. Interactive commands are not recommended. The acfsutil sec admin add, acfsutil sec admin password, and acfsutil sec init commands are not supported in the batch file. Also, other acfsutil commands, such as acfsutil encr commands, are not allowed in the batch file. If a command in the batch file fails, subsequent commands in the batch file are not run.
The following are examples of commands that can be in a batch file:
acfsutil sec realm create my_realm1 -m /mnt1 -e off
acfsutil sec realm create my_realm2 -m /mnt2 -e off
Only a security administrator can run this command. When the command is run, the administrator is prompted once for a password.
Examples
The following example shows the use of the acfsutil sec batch command.
Example 16-49 Using the acfsutil sec batch command
$ /sbin/acfsutil sec batch my_batch_file
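Because a failing line stops every command after it, it is worth checking a batch file against the restrictions stated above before handing it to acfsutil sec batch. The following pre-flight check is an added example written for this page, not an Oracle tool: it rejects acfsutil sec admin add, acfsutil sec admin password and acfsutil sec init, rejects any non-sec acfsutil command (such as acfsutil encr), and accepts other acfsutil sec lines. The function name, the comment syntax it tolerates in batch files, and the sample batch contents are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not Oracle's code: lint an acfsutil sec batch file before
# running it. Returns 0 if every line passes, 1 if any line is rejected;
# the reasons are printed on stderr.
acfs_sec_batch_lint() {
    file=$1
    bad=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # Blank lines and '#' comments are skipped (comment support is an
        # assumption of this check, not a documented batch-file feature).
        case "$line" in
            ''|'#'*) continue ;;
        esac
        # Collapse runs of whitespace and drop a leading directory such as
        # /sbin/ so that "/sbin/acfsutil sec ..." is treated like "acfsutil sec ...".
        norm=$(printf '%s' "$line" | tr -s '[:space:]' ' ' | sed 's#^[^ ]*/acfsutil #acfsutil #')
        case "$norm" in
            'acfsutil sec admin add'*)
                echo "line $n: 'acfsutil sec admin add' is not supported in a batch file" >&2; bad=1 ;;
            'acfsutil sec admin password'*)
                echo "line $n: 'acfsutil sec admin password' is not supported in a batch file" >&2; bad=1 ;;
            'acfsutil sec init'*)
                echo "line $n: 'acfsutil sec init' is not supported in a batch file" >&2; bad=1 ;;
            'acfsutil sec '*)
                ;;   # any other security command is accepted
            'acfsutil '*)
                echo "line $n: only 'acfsutil sec' commands are allowed in a batch file" >&2; bad=1 ;;
            *)
                echo "line $n: not an acfsutil command" >&2; bad=1 ;;
        esac
    done < "$file"
    return $bad
}

# Demo on a constructed batch file (realm names and mount points are made up).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
acfsutil sec realm create my_realm1 -m /mnt1 -e off
acfsutil sec realm create my_realm2 -m /mnt2 -e off
acfsutil sec admin add sec_admin_three
acfsutil encr set -m /mnt1
EOF
    if acfs_sec_batch_lint "$tmp"; then
        echo "batch file is clean"
    else
        echo "batch file rejected"
    fi
    rm -f "$tmp"
fi
```

Run it as `sh lint.sh --demo` to see the two offending lines reported; in practice, call the function on the real batch file and only run acfsutil sec batch when it returns 0.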
acfsutil sec disable
Purpose
Disables Oracle ACFS security on a mount point or a realm in a mount point.
Syntax and Description
acfsutil sec disable -h
acfsutil sec disable -m mount_point [-S snap_name] [realm]
acfsutil sec disable -h displays help text and exits.
Table 16-54 contains the options available with the acfsutil sec disable command.
Table 16-54 Options for the acfsutil sec disable command
Option | Description |
---|---|
-m mount_point | Specifies the directory where the file system is mounted. |
-S snap_name | Disables security for the specified read-write snapshot. |
realm | Specifies the name of the security realm in the Oracle ACFS file system. |
The acfsutil sec disable -m mount_point command disables security functionality on the Oracle ACFS file system specified by the mount point option. When security is disabled on the file system, security realms do not enforce realm authorization.
The acfsutil sec disable -m mount_point realm command disables security for the realm specified in the command.
Only a security administrator can run this command.
Examples
The following example shows the use of the acfsutil sec disable command.
Example 16-50 Using the acfsutil sec disable command
$ /sbin/acfsutil sec disable -m /acfsmounts/acfs1 my_realm
acfsutil sec enable
Purpose
Enables Oracle ACFS security on a mount point or a realm in a mount point.
Syntax and Description
acfsutil sec enable -h
acfsutil sec enable -m mount_point [-S snap_name] [realm]
acfsutil sec enable -h displays help text and exits.
Table 16-55 contains the options available with the acfsutil sec enable command.
Table 16-55 Options for the acfsutil sec enable command
Option | Description |
---|---|
-m mount_point | Specifies the directory where the file system is mounted. |
-S snap_name | Enables security for the specified read-write snapshot. |
realm | Specifies the name of the security realm. |
The acfsutil sec enable -m mount_point command enables security functionality on the Oracle ACFS file system specified by the mount point option. When security is enabled on the file system, security realms that have been enabled enforce realm authorization. You should run this command before enabling any individual security realm.
The acfsutil sec enable -m mount_point realm command enables security for the realm specified in the command. The realm enforces authorization only if security has been enabled on the file system.
Only a security administrator can run this command.
Examples
The following examples show the use of the acfsutil sec enable command.
Example 16-51 Using the acfsutil sec enable command
$ /sbin/acfsutil sec enable -m /acfsmounts/acfs1
$ /sbin/acfsutil sec enable -m /acfsmounts/acfs1 my_realm
acfsutil sec info
Purpose
Displays information about Oracle ACFS security.
Syntax and Description
acfsutil sec info -h
acfsutil sec info -m mount_point [{-n [realm] | -l [rule] | -s [ruleset] | -c}] [-S snap_name]
acfsutil sec info -h displays help text and exits.
Table 16-56 contains the options available with the acfsutil sec info command.
Table 16-56 Options for the acfsutil sec info command
Option | Description |
---|---|
-m mount_point | Specifies the directory where the file system is mounted. |
-n [realm] | Displays information about the specified security realm. If the realm name is omitted, a list of all realms is displayed. |
-l [rule] | Displays information about the specified rule. If the rule name is omitted, a list of all rules is displayed. |
-s [ruleset] | Displays information about the specified rule set. If the rule set name is omitted, a list of all rule sets is displayed. |
-c | Lists all the command rules. |
-S snap_name | Displays information about the realms, rules, and rule sets in the specified snapshot. |
The acfsutil sec info command retrieves information about the list of realms, rules, and rule sets on the specified mount point. By specifying a particular realm, rule, or rule set, you can retrieve information specific to that realm, rule, or rule set. You can also display information about a specified snapshot.
If the -m option is specified without any other options, then the security enabled status and prepared status are displayed for the specified mount point.
To access files in the system security realms, the user should be assigned as a security administrator with the acfsutil sec admin add command. Only a security administrator can run this command.
Examples
The following example shows the use of the acfsutil sec info command.
Example 16-52 Using the acfsutil sec info command
$ /sbin/acfsutil sec info -m /acfsmounts/acfs1 -n my_realm
acfsutil sec info file
Purpose
Lists the names of the Oracle ACFS security realms that the specified file or directory belongs to.
Syntax and Description
acfsutil sec info file -h
acfsutil sec info file -m mount_point path
acfsutil sec info file -h displays help text and exits.
Table 16-57 contains the options available with the acfsutil sec info file command.
Table 16-57 Options for the acfsutil sec info file command
Option | Description |
---|---|
-m mount_point | Specifies the directory where the file system is mounted. |
path | Specifies the path of the file or directory in the file system. |
This command also displays the encryption status of files.
Only a security administrator can run this command.
Examples
The following example shows the use of the acfsutil sec info file command.
Example 16-53 Using the acfsutil sec info file command
$ /sbin/acfsutil sec info file -m /acfsmounts/acfs1 /acfsmounts/acfs1/myfiles
acfsutil sec init
Purpose
Initializes Oracle ACFS security.
Syntax and Description
acfsutil sec init -h
acfsutil sec init -u admin -g admin_sec_group
acfsutil sec init -h displays help text and exits.
Table 16-58 contains the options available with the acfsutil sec init command.
Table 16-58 Options for the acfsutil sec init command
Option | Description |
---|---|
-u admin | Specifies the first security administrator user name. The user specified must be an existing operating system (OS) user and a member of the operating system group specified by the -g option. On Windows, the security administrator user name must be specified with a fully qualified user name. |
-g admin_sec_group | Specifies the name of the security group for the administrator. The group specified must be an existing operating system (OS) group. On Windows, the group name must be specified with a fully qualified domain group name. |
The acfsutil sec init command creates the storage necessary for security credentials and identifies an operating system user as the first security administrator. The command also identifies the operating system group that is the designated security group. All users that are security administrators must be members of the designated security group. Security administrators are common for all Oracle ACFS file systems.
If you are setting up an OS user and OS group, refer to your operating system-specific (OS) documentation for information.
The acfsutil sec init command is run once to set up Oracle ACFS security for each cluster and can be run from any node in the cluster. Other security commands can also be run from any node in a cluster.
Only the root user or Windows Administrator user can run this command. The user specifies a password for the security administrator. The security administrator password must conform to the following format:
- The maximum number of characters is 20.
- The minimum number of characters is 8.
- The password must contain at least one digit.
- The password must contain at least one letter.
The new security administrator can change the password with the acfsutil sec admin password command. For information, refer to "acfsutil sec admin password".
Security administrators are allowed to browse all directories in an Oracle ACFS file system regardless of whether they have the underlying operating system permissions and regardless of whether any realm checks allow it. This exception enables a security administrator to check the location of files when securing them with Oracle ACFS security realms. However, a security administrator cannot view the contents of individual files without the appropriate operating system and security realm permissions.
Examples
The following example shows the use of the acfsutil sec init command.
Example 16-54 Using the acfsutil sec init command
$ /sbin/acfsutil sec init -u grid -g asmadmin
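The password format above is the same one that acfsutil sec admin add and acfsutil sec admin password require, so it is useful to be able to test a candidate before the interactive prompt rejects it. The following shell function is an added example written for this page, not part of acfsutil: it encodes exactly the four documented rules (8 to 20 characters, at least one digit, at least one letter). The function name, the messages and the sample passwords are this example's own constructions.

```shell
#!/bin/sh
# Added example, not Oracle's code: check a candidate security administrator
# password against the format documented for acfsutil sec init.
# Returns 0 when the password is acceptable, 1 otherwise; the failing rule is
# printed on stderr.
acfs_sec_password_ok() {
    pw=$1
    len=${#pw}
    if [ "$len" -lt 8 ]; then
        echo "rejected: fewer than 8 characters" >&2
        return 1
    fi
    if [ "$len" -gt 20 ]; then
        echo "rejected: more than 20 characters" >&2
        return 1
    fi
    if ! printf '%s' "$pw" | grep -q '[0-9]'; then
        echo "rejected: no digit" >&2
        return 1
    fi
    if ! printf '%s' "$pw" | grep -q '[A-Za-z]'; then
        echo "rejected: no letter" >&2
        return 1
    fi
    return 0
}

# Demo with constructed sample passwords (not real credentials).
if [ "${1:-}" = "--demo" ]; then
    for candidate in 'Tr0ubador' 'short1' 'nodigitshere' '12345678' 'Abcdefghijklmnopqrst1'; do
        if acfs_sec_password_ok "$candidate"; then
            echo "ok:       $candidate"
        else
            echo "rejected: $candidate"
        fi
    done
fi
```

Run `sh pwcheck.sh --demo` to see one accepted and four rejected candidates. The function deliberately reads the password from an argument so it can be unit-tested; in an interactive wrapper you would read it with `stty -echo` to keep it out of the terminal and shell history.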
acfsutil sec load
Purpose
Loads Oracle ACFS security metadata into a file system identified by a mount point.
Syntax and Description
acfsutil sec load -h
acfsutil sec load -m mount_point -p file
acfsutil sec load -h displays help text and exits.
Table 16-59 contains the options available with the acfsutil sec load command.
Table 16-59 Options for the acfsutil sec load command
Option | Description |
---|---|
-m mount_point | Specifies the directory where the file system is mounted. |
-p file | Specifies the name of an existing saved security metadata file. |
The acfsutil sec load command loads the security metadata in a saved XML file into the specified Oracle ACFS file system. acfsutil sec load restores only user-created security policies; the command does not add files to the realms.
acfsutil sec load and acfsutil sec save can be used together to copy user-created policies from one file system to another. For example, if you have security policies on one file system that you want to replicate on other file systems, then use acfsutil sec save on the source file system to create an XML backup file. Next, use acfsutil sec load on the destination file systems to load the saved security metadata and create the same policies. After creating the policies, you can apply them to directories and files on that file system by adding those directories and files to the realms that carry the policies you want to impose on them.
To run the acfsutil sec load command, the destination mount point must have a file system that has been prepared for security and does not contain any user-created security objects.
If the file system mounted on the destination mount point contains security objects, then you must run acfsutil sec prepare -u to remove all previously created security objects on the file system. After successfully running acfsutil sec prepare -u, you must run acfsutil sec prepare to prepare the file system for security. After successfully running acfsutil sec prepare, you can run acfsutil sec load on the file system. For information about preparing security on or removing security from a file system, refer to "acfsutil sec prepare".
The acfsutil sec load command does not load system security realms from the backup file. System security realms are created with the acfsutil sec prepare command; acfsutil sec load does not re-create these realms. For information about the system-created security realms, refer to "acfsutil sec prepare".
Only a security administrator can run this command.
Examples
The following example shows the use of the acfsutil sec load command.
Example 16-55 Using the acfsutil sec load command
$ /sbin/acfsutil sec load -m /acfsmounts/acfs1 -p my_metadata_file.xml
acfsutil sec prepare
Purpose
Prepares an Oracle ACFS file system for security features.
Syntax and Description
acfsutil sec prepare -h
acfsutil sec prepare [-u] -m mount_point
acfsutil sec prepare -h displays help text and exits.
Table 16-60 contains the options available with the acfsutil sec prepare command.
Table 16-60 Options for the acfsutil sec prepare command
Option | Description |
---|---|
-m mount_point | Specifies the directory where the file system is mounted. |
-u | Backs out security for the specified mount point. This command removes security from the file system and reverts the file system to the state before acfsutil sec prepare was run. This command removes all realm-secured files and directories from the realms and then destroys all Oracle ACFS security rules, rule sets, and realms from the file system. If you want to remove encryption and security is being used, then this command must be run before encryption is backed out. To back out encryption, refer to "acfsutil encr set". |
The acfsutil sec prepare command must be run before any of the realm management commands. This command prepares the specified Oracle ACFS file system for security and by default turns security on for the file system.
When running acfsutil sec prepare -u, ensure that no other Oracle ACFS security commands are run until acfsutil sec prepare has completed.
If auditing is initialized on a cluster, this command also enables an Oracle ACFS security auditing source on the file system. The actions performed when enabling this audit source are the same as those done when the acfsutil audit enable command is run directly. For more information, refer to "acfsutil audit enable".
This command creates the /mount_point/.Security, /mount_point/.Security/backup, and /mount_point/.Security/realm/logs directories, where mount_point is the option specified in the command line.
This command creates the following system security realms:
- SYSTEM_Logs: This is a system-created realm to protect the Oracle ACFS security log files in the .Security/realm/logs/ directory.
- SYSTEM_Audit: This is a system-created realm to protect audit trail files. This realm is created if auditing has been initialized. If auditing has not been initialized, it is created when auditing is enabled for the security source through the acfsutil audit enable command. This realm secures the audit trail file so that the audit manager can read and write the file, the auditor can read the file, and no one else has access. This realm also protects the audit trail file so that the audit manager cannot delete (without running the acfsutil audit purge command), truncate, overwrite, or chmod the file.
- SYSTEM_SecurityMetadata: This is a system-created realm to protect the Oracle ACFS metadata XML file in the .Security/backup/ directory.
- SYSTEM_Antivirus: This is a system-created realm that allows access for the antivirus software that is running on an Oracle ACFS file system. For every realm-protected file or directory, the SYSTEM_Antivirus realm is evaluated when authorization checks are performed to determine if the SYSTEM_Antivirus realm allows access to the file or directory. To allow the antivirus process to access realm-protected files or directories, you must add the LocalSystem or SYSTEM group to the realm with the acfsutil sec realm add command, as shown in Example 16-57. If other antivirus processes are running as Administrator, then the user Administrator must be added to the SYSTEM_Antivirus realm to allow access to realm-protected files and directories. If no antivirus products have been installed, do not add any users or groups to the SYSTEM_Antivirus realm. Because users or groups added to the SYSTEM_Antivirus realm have READ and READDIR access, limit the users or groups added to this realm. You can restrict the time window when the users or groups of this realm can access the realm-protected files or directories with time-based rules. You can also have application-based rules if you can identify the process name for the antivirus installation that scans the files. The SYSTEM_Antivirus realm can only perform the following operations on a file or directory: OPEN, READ, READDIR, and setting time attributes. To remove or delete files or directories, you may need to disable security to clean up the infected files. This realm is set up only for Windows systems.
- SYSTEM_BackupOperators: This is a system-created realm that enables you to authorize users that can back up realm-secured files and directories. You can add users, groups, rule sets, and command rules to this realm to provide fine-grained authorization for backing up realm-secured files and directories. A user must be added to this realm to back up realm-secured files and directories.
Use caution when adding groups to this system realm. After you add a group to this system realm, all the users of the added group are able to override the realm protections to access files.
To access files in the system security realms, the user should be assigned as a security administrator with the acfsutil sec admin add command.
You can add users, groups, rule sets, and command rules to system-created realms with the acfsutil sec realm add command, the same as for user-created realms. However, adding files and directories to system realms is not recommended. You can use the acfsutil sec realm delete command to delete objects from the system-created realms.
System-created security realms cannot be removed by a security administrator with the acfsutil sec realm destroy command. These realms are only removed when security is backed out of a file system by running the acfsutil sec prepare command with the -u option.
The acfsutil sec prepare -u command is not allowed if any snapshots exist in the file system.
Only a security administrator can run the acfsutil sec prepare command.
Examples
The following example shows the use of the acfsutil sec prepare command.
Example 16-56 Using the acfsutil sec prepare command
$ /sbin/acfsutil sec prepare -m /acfsmounts/acfs1
acfsutil sec realm add
Purpose
Adds objects to an Oracle ACFS security realm.
Syntax and Description
acfsutil sec realm add -h
acfsutil sec realm add realm -m mount_point {[-u user,...] [-G os_group,...] [-l commandrule:ruleset,commandrule:ruleset,...] [-e [-a {AES}] [-k {128|192|256}]] [-f [-r] path ...]}
acfsutil sec realm add -h displays help text and exits.
Table 16-61 contains the options available with the acfsutil sec realm add command.
Table 16-61 Options for the acfsutil sec realm add command
Option | Description |
---|---|
realm | Specifies the name of the realm to add objects to. |
-m mount_point | Specifies the directory where the file system is mounted. |
-u user,... | Specifies user names to add. |
-G os_group,... | Specifies the operating system groups to add. |
-l commandrule:ruleset,... | Specifies the filters (command rule and rule set pairs) to add. For a list of command rules, refer to Table 16-62. To display a list of the command rules, use acfsutil sec info -c. |
-e | Enables encryption on the realm. Turning encryption on for the realm causes all files contained in the realm to be encrypted. These files remain encrypted until they are no longer part of an encrypted realm. Files that are already encrypted are not re-encrypted to match the newly specified encryption parameters. |
-a {AES} | Specifies the encryption algorithm for the realm. |
-k {128\|192\|256} | Specifies the encryption key length. |
-f [-r] path ... | Adds the files specified by path. If a specified file is not realm secured, the file is encrypted or decrypted to match the encryption status of the realm. |
The acfsutil sec realm add command adds objects to the specified realm. The objects to be added include users, groups, command rules, rule sets, and files. If the command encounters an error when adding an object, a message is displayed and the command continues processing the remaining objects.
Multiple entries can be added in a comma-delimited list when adding users, operating system groups, or command rules. Do not use spaces in the comma-delimited list. If spaces are added, then enclose the list in quotes.
If the -e option is specified, then encryption must have been initialized for the cluster and set on the file system. For more information, refer to "acfsutil encr init" and "acfsutil encr set".
If the entire mount point, which includes the .Security directory, is added to the realm, then the security administrator operating system group should be added to the realm to maintain security logging and backup operations.
The supported command rules are listed in Table 16-62. These command rules restrict or protect against file system operations on realm-secured files and directories.
Table 16-62 Security Realm Command Rules
Rule | Description |
---|---|
ALL | Protects against all file system operations on files and directories. |
APPENDFILE | Restricts additions to the end of a file. Restrictions include writes that start within the current file size but proceed beyond the end of the file. |
CHGRP | Protects from changing the group ownership on a file or directory. |
CHMOD | Protects from changing the permissions on a file or directory. |
CHOWN | Protects from changing the owner information of a file or directory. |
CREATEFILE | Protects from creation of a new file in a directory. |
DELETEFILE | Protects from deletion of a file from a directory. |
EXTEND | Restricts the extension of a file's size. A file size may still be modifiable with other operations. |
IMMUTABLE | Denies any changes to the files and directories in the realm, except changes to extended attributes resulting from certain commands. Can be set to archive the files and directories in a security realm. |
LINKFILE | Restricts the creation of hard links to files. |
MKDIR | Protects from the creation of a new directory in a directory. |
MMAPREAD | Protects a file from being memory mapped for a read operation. |
MMAPWRITE | Protects a file from being memory mapped for a write operation. |
OPEN | Protects from the opening of a file. |
OVERWRITE | Prevents existing content in a file from being overwritten. |
READDIR | Restricts directory listing, except for use by the security administrator group. |
READ | Protects from reading the contents of a file. |
RENAME | Protects against renaming a file or directory. |
RMDIR | Protects against removing a directory. |
SYMLINK | Restricts the creation of symbolic links in the directories protected by a security realm. When creating symbolic links, it does not matter whether the source file is protected by a security realm. |
TRUNCATE | Restricts the truncation of a file. |
WRITE | Protects a file against the write operation. A file may still be modifiable with other file operations; to protect the file from other modifications, also use the corresponding command rules. |
Only a security administrator can run this command.
Examples
Example 16-57 shows the use of the acfsutil sec realm add command. The first acfsutil sec command adds a user group to a security realm. The second and third commands add the LocalSystem or SYSTEM group to the SYSTEM_Antivirus realm in a Windows environment.
Example 16-57 Using the acfsutil sec realm add command
$ /sbin/acfsutil sec realm add my_security_realm -m /acfsmounts/acfs1 -G my_os_group
C:\> acfsutil sec realm add SYSTEM_Antivirus /m e: /G "NT AUTHORITY\\SYSTEM"
C:\> acfsutil sec realm add SYSTEM_Antivirus /m e: /G "SYSTEM"
acfsutil sec realm audit disable
Purpose
Disables auditing of a specific command rule or all command rules for files in an Oracle ACFS security realm.
Syntax and Description
acfsutil sec realm audit disable -h
acfsutil sec realm audit disable realm -m mount_point [-l commandrule,commandrule,...] {-a | -v}
acfsutil sec realm audit disable -h displays help text and exits.
Table 16-63 contains the options available with the acfsutil sec realm audit disable command.
Table 16-63 Options for the acfsutil sec realm audit disable command
Option | Description |
---|---|
realm | Specifies the security realm name. |
-m mount_point | Specifies the directory where the file system is mounted. |
-l commandrule,... | Specifies the command rules on which to disable auditing. If this option is not specified, then the list of all command rules is the default. For a list of command rules, refer to Table 16-62. To display a list of the command rules, use acfsutil sec info -c. |
-a | Disables auditing of realm authorizations. |
-v | Disables auditing of realm violations. |
Multiple entries can be added in a comma-delimited list when listing command rules. Do not use spaces in the comma-delimited list. If spaces are added, then enclose the list in quotes.
Only a security administrator can run this command. This command is authenticated using the Oracle ACFS security administrator password.
Examples
Example 16-58 shows the use of the acfsutil sec realm audit disable command. This command disables auditing of violations on the OPEN and WRITE command rules.
Example 16-58 Using the acfsutil sec realm audit disable command
$ /sbin/acfsutil sec realm audit disable mySecureRealm -m /acfsmounts/acfs1 -l OPEN,WRITE -v
acfsutil sec realm audit enable
Purpose
Enables auditing of a specific command rule or all command rules for files in an Oracle ACFS security realm.
Syntax and Description
acfsutil sec realm audit enable -h acfsutil sec realm audit enable realm -m mount_point [-l commandrule,commandrule,...] [-a ] [-v [ -u] ]
acfsutil
sec
realm
audit
enable
-h
displays help text and exits.
Table 16-64 contains the options available with the acfsutil
sec
realm
audit
enable
command.
Table 16-64 Options for the acfsutil sec realm audit enable command
Option | Description |
---|---|
realm | Specifies the security realm name. |
-m mount_point | Specifies the directory where the file system is mounted. |
-l commandrule,commandrule,... | Specifies the command rules on which to enable auditing. If this option is not specified, then all command rules are the default. For a list of command rules, refer to Table 16-62. To display a list of the command rules, use acfsutil sec info -m mount_point -c. |
-a | Specifies to audit realm authorizations. |
-v [-u] | Specifies to audit realm violations. If -u is also specified, then only violations by users who are members of the realm are audited; otherwise violations by all users are audited. |
If the acfsutil sec realm audit enable command is run multiple times, then the earlier configuration is not negated and the new settings are also applied. An exception to this behavior occurs when the command is run with the -v option and the specified command rule already has auditing set for realm violations. In this case, the violation auditing is updated according to whether the -u flag was specified. For more information, see Example 16-61.
Multiple entries can be added in a comma-delimited list when listing command rules. Do not use spaces in the comma-delimited list. If spaces are added, then enclose the list in quotes.
If neither -a nor -v is specified with the acfsutil sec realm audit enable command, then the default is -v. Both -a and -v can be specified.
Only a security administrator can run this command. This command is authenticated using the Oracle ACFS security administrator password.
Examples
Example 16-59 shows how to enable auditing of the Oracle ACFS backup operators. Because these users are allowed access to files through the SYSTEM_Backup realm and are granted special privileges that give them access to all files on the file system, a security administrator may want to audit their actions. After the command is executed, an audit record is written to the Oracle ACFS security audit trail on the file system every time a member of the SYSTEM_Backup realm opens a file.
Example 16-59 Auditing Oracle ACFS security backup operators
$ /sbin/acfsutil sec realm audit enable SYSTEM_Backup -m /acfsmounts/acfs1 -l OPEN -a
Example 16-60 shows how to use the -u option to audit realm violations only by users who are part of the realm. In this scenario, sensitive human resources information is stored in the HumanResources security realm and the hr group is allowed to access this information. However, a rule set applied to the ALL command rule prevents access to this data from 6 PM to 8 AM. With this command, the security administrator can discover whether any human resources employees are attempting to access sensitive data outside of the allowed time period. After this command is executed, only access violations by users who are members of the hr group are audited.
Example 16-60 Auditing only security realm users
$ /sbin/acfsutil sec realm audit enable HumanResources -m /acfsmounts/acfs1 -l ALL -v -u
Example 16-61 shows multiple runs of the acfsutil sec realm audit enable command. After run 1, the OPEN (all violations) and WRITE (all violations) command rules are audited. After run 2, the OPEN (all violations), WRITE (all violations), and DELETEFILE (authorizations) command rules are audited. After run 3, the OPEN (authorizations and realm user violations), WRITE (all violations), DELETEFILE (authorizations), and TRUNCATE (authorizations and realm user violations) command rules are audited. After run 4, all violations are audited on all command rules. In addition, authorizations are audited for OPEN, DELETEFILE, and TRUNCATE.
Example 16-61 Running acfsutil sec realm audit enable multiple times
$ echo run 1
$ /sbin/acfsutil sec realm audit enable mySecureRealm -m /acfsmounts/acfs1 -l OPEN,WRITE -v
$ echo run 2
$ /sbin/acfsutil sec realm audit enable mySecureRealm -m /acfsmounts/acfs1 -l DELETEFILE -a
$ echo run 3
$ /sbin/acfsutil sec realm audit enable mySecureRealm -m /acfsmounts/acfs1 -l OPEN,TRUNCATE -a -v -u
$ echo run 4
$ /sbin/acfsutil sec realm audit enable mySecureRealm -m /acfsmounts/acfs1 -v
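The accumulation shown in Example 16-61 is easy to get wrong when several administrators run the command over time. The following Python model is an added example written for this page, not Oracle code: it replays runs 1 to 4 using the rules stated above (-a adds authorization auditing; -v sets the violation mode to all users, or to realm users when -u is given, replacing an earlier violation mode on that rule; neither flag means -v; no -l means every command rule). The command rule list is a constructed subset of the real list in Table 16-62, and the behaviour of audit disable with neither -a nor -v is an assumption.

```python
"""Model of how repeated 'acfsutil sec realm audit enable' runs accumulate.

Added illustration, not Oracle code: it reproduces the behaviour described
for Example 16-61 so that the state after each run can be checked.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Constructed subset of command rules; the full list is Table 16-62.
COMMAND_RULES = ("OPEN", "WRITE", "DELETEFILE", "TRUNCATE", "READ")


@dataclass
class RuleAudit:
    authorizations: bool = False
    # None (not audited), "all" (all users) or "realm_users" (-v -u)
    violations: Optional[str] = None


@dataclass
class RealmAudit:
    rules: Dict[str, RuleAudit] = field(
        default_factory=lambda: {r: RuleAudit() for r in COMMAND_RULES})

    def enable(self, commandrules: Optional[Iterable[str]] = None,
               a: bool = False, v: bool = False, u: bool = False) -> None:
        """acfsutil sec realm audit enable realm [-l ...] [-a] [-v [-u]].

        Earlier settings are kept: -a adds authorization auditing and -v
        sets the violation mode, replacing an existing violation mode on
        that rule according to -u. With neither -a nor -v, -v is the
        default. Without -l every command rule is affected.
        """
        if not a and not v:
            v = True
        if u and not v:
            raise ValueError("-u is only valid together with -v")
        targets = list(commandrules) if commandrules else list(self.rules)
        for name in targets:
            entry = self.rules.setdefault(name, RuleAudit())
            if a:
                entry.authorizations = True
            if v:
                entry.violations = "realm_users" if u else "all"

    def disable(self, commandrules: Optional[Iterable[str]] = None,
                a: bool = False, v: bool = False) -> None:
        """acfsutil sec realm audit disable realm [-l ...] [-a] [-v].

        Assumption (the page only shows -v): with neither flag, both
        authorization and violation auditing are cleared.
        """
        if not a and not v:
            a = v = True
        targets = list(commandrules) if commandrules else list(self.rules)
        for name in targets:
            entry = self.rules.setdefault(name, RuleAudit())
            if a:
                entry.authorizations = False
            if v:
                entry.violations = None

    def summary(self) -> Dict[str, str]:
        """Per-rule state in the wording used by the documentation."""
        out = {}
        for name, entry in self.rules.items():
            parts = []
            if entry.authorizations:
                parts.append("authorizations")
            if entry.violations == "all":
                parts.append("all violations")
            elif entry.violations == "realm_users":
                parts.append("realm user violations")
            out[name] = " and ".join(parts) if parts else "not audited"
        return out


def example_16_61() -> List[Dict[str, str]]:
    """Replays runs 1 to 4 of Example 16-61; returns the state after each run."""
    realm = RealmAudit()
    states = []
    realm.enable(["OPEN", "WRITE"], v=True)                      # run 1
    states.append(realm.summary())
    realm.enable(["DELETEFILE"], a=True)                         # run 2
    states.append(realm.summary())
    realm.enable(["OPEN", "TRUNCATE"], a=True, v=True, u=True)   # run 3
    states.append(realm.summary())
    realm.enable(v=True)                                         # run 4
    states.append(realm.summary())
    return states
```

Run 4 is the step worth noticing: a bare -v without -l widens the realm-users-only violation auditing on OPEN and TRUNCATE back to all users, which is what the documentation states but which is easy to overlook when the earlier runs were deliberate.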
acfsutil sec realm audit info
Purpose
Displays the realm auditing information for a specified Oracle ACFS security realm.
Syntax and Description
acfsutil sec realm audit info -h
acfsutil sec realm audit info -m mount_point -n realm
acfsutil sec realm audit info -h displays help text and exits.
Table 16-65 contains the options available with the acfsutil sec realm audit info command.
Table 16-65 Options for the acfsutil sec realm audit info command
Option | Description |
---|---|
-m mount_point | Specifies the directory where the file system is mounted. |
-n realm | Specifies the security realm name. |
The acfsutil sec realm audit info command displays which command rules of the specified realm are audited for authorizations, for violations by all users, and for violations by realm users only.
Examples
Example 16-62 shows an example of the acfsutil sec realm audit info command.
Example 16-62 Running acfsutil sec realm audit info
$ /sbin/acfsutil sec realm audit info -m /acfsmounts/acfs1 -n mySecureRealm
Command rule auditing information for realm 'mySecureRealm' on mount point '/acfsmounts/acfs1':
Realm authorization : 'READ, WRITE'
Realm violation for all users : 'READ, OPENFILE'
Realm violation for realm users: 'None'
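Because acfsutil sec realm audit info reports a single realm per invocation, reviewing audit coverage across a file system means collecting several such outputs and parsing them. The following Python example is an added illustration, not Oracle code: it parses output in the layout shown in Example 16-62 and flags realms whose data-changing command rules have no authorization auditing, or whose violations are not audited for all users. The sample text is constructed (two invocations concatenated) and the list of sensitive rules is this example's own policy choice, not an Oracle requirement.

```python
"""Parse 'acfsutil sec realm audit info' output and check audit coverage.

Added example, not part of the Oracle documentation.
"""
import re
from typing import Dict, List

# Constructed sample: two invocations of the command, concatenated.
SAMPLE_OUTPUT = """\
Command rule auditing information for realm 'mySecureRealm' on mount point '/acfsmounts/acfs1':
Realm authorization : 'READ, WRITE'
Realm violation for all users : 'READ, OPENFILE'
Realm violation for realm users: 'None'
Command rule auditing information for realm 'HumanResources' on mount point '/acfsmounts/acfs1':
Realm authorization : 'None'
Realm violation for all users : 'None'
Realm violation for realm users: 'ALL'
"""

HEADER = re.compile(
    r"^Command rule auditing information for realm '([^']+)' on mount point '([^']+)':")
FIELDS = {
    "Realm authorization": "authorization",
    "Realm violation for all users": "violation_all_users",
    "Realm violation for realm users": "violation_realm_users",
}


def _rule_list(text: str) -> List[str]:
    """'READ, OPENFILE' -> ['READ', 'OPENFILE']; 'None' -> []."""
    text = text.strip().strip("'")
    if not text or text == "None":
        return []
    return [r.strip() for r in text.split(",") if r.strip()]


def parse_audit_info(output: str) -> Dict[str, dict]:
    """Return {realm: {'mount_point': ..., 'authorization': [...], ...}}."""
    realms: Dict[str, dict] = {}
    current = None
    for line in output.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"mount_point": m.group(2), "authorization": [],
                       "violation_all_users": [], "violation_realm_users": []}
            realms[m.group(1)] = current
            continue
        if current is None or ":" not in line:
            continue
        label, _, value = line.partition(":")
        key = FIELDS.get(label.strip())
        if key:
            current[key] = _rule_list(value)
    return realms


# Example policy (this example's choice): rules that change or remove data
# should have authorizations audited, and every realm should audit
# violations for all users on at least one command rule.
SENSITIVE_RULES = ("WRITE", "DELETEFILE", "TRUNCATE")


def coverage_findings(realms: Dict[str, dict]) -> List[str]:
    """Return one finding string per gap against the example policy."""
    findings = []
    for name, info in realms.items():
        auth = set(info["authorization"])
        if "ALL" not in auth:
            for rule in SENSITIVE_RULES:
                if rule not in auth:
                    findings.append(f"{name}: authorizations not audited for {rule}")
        if not info["violation_all_users"]:
            findings.append(f"{name}: no violation auditing for all users")
    return findings
```

In practice the input would be the concatenated stdout of one audit info call per realm; the parser keys on the header line, so realms can be fed in any order.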
acfsutil sec realm clone
Purpose
Clones an Oracle ACFS security realm.
Syntax and Description
acfsutil sec realm clone -h
acfsutil sec realm clone realm -s src_mount_point new_realm [-e] [-f] [-G] [-l] [-u]
acfsutil sec realm clone realm -s src_mount_point [new_realm] -d destination_mount_point [-e] [-G] [-l] [-u]
acfsutil sec realm clone -h displays help text and exits.
Table 16-66 contains the options available with the acfsutil sec realm clone command.
Table 16-66 Options for the acfsutil sec realm clone command
Option | Description |
---|---|
realm | Specifies the realm name to be cloned. |
-s src_mount_point | Specifies the directory where the source file system is mounted. |
new_realm | Specifies the new realm name. |
-d destination_mount_point | Specifies the directory for the destination mount point for the new realm. |
-e | Copies encryption attributes to the new realm. |
-f | Copies file objects to the new realm. |
-G | Copies operating system groups to the new realm. |
-l | Copies filters (command rule and rule set pairs) to the new realm. |
-u | Copies users to the new realm. |
The acfsutil sec realm clone command makes a copy of the specified realm in the destination mount point. If the source and destination mount points are different and the new realm name is not specified, then the realm is cloned using the existing realm name in the Oracle ACFS file system specified by the destination mount point. If the destination mount point is not specified, then the cloned realm is located in the source mount point and a new unique realm name must be specified.
If the -l option is specified and the destination mount point is different from the source mount point, then the rules and rule sets must be cloned first.
If the -e option is specified and the destination mount point is different from the source mount point, then encryption must be set on the destination mount point. For more information, refer to "acfsutil encr set".
The -f option can only be used if the destination mount point is the same as the source mount point.
Only a security administrator can run this command.
Examples
The following example shows the use of the acfsutil sec realm clone command.
Example 16-63 Using the acfsutil sec realm clone command
$ /sbin/acfsutil sec realm clone my_security_realm -s /acfsmounts/acfs1 my_new_security_realm -d /acfsmounts/acfs2 -G
acfsutil sec realm create
Purpose
Creates an Oracle ACFS security realm.
Syntax and Description
acfsutil sec realm create -h
acfsutil sec realm create realm -m mount_point -e {on -a {AES} -k {128|192|256} | off} [-o {enable|disable}] [-d "description"]
acfsutil sec realm create -h displays help text and exits.
Table 16-67 contains the options available with the acfsutil sec realm create command.
Table 16-67 Options for the acfsutil sec realm create command
Option | Description |
---|---|
realm | Specifies the realm name. |
-m mount_point | Specifies the mount point for the file system. A mount point is specified as a path on Linux platforms. |
-e {on | off} | Specifies encryption on or off for the realm. |
-a {AES} | Specifies the encryption algorithm. |
-k {128|192|256} | Specifies the encryption key length in bits. |
-o {enable|disable} | Specifies whether security is enabled or disabled for the realm. |
-d "description" | Specifies a realm description. |
The acfsutil sec realm create command creates a new realm in the specified Oracle ACFS file system. The new realm name must be unique in the file system identified by the mount point.
A maximum of 500 Oracle ACFS security realms can be created, including any default system realms created by the acfsutil sec prepare command.
The realm is enabled by default unless the -o disable option is specified.
If the -e on option is specified, then encryption must have been initialized for the cluster and set on the file system. For more information, refer to "acfsutil encr init" and "acfsutil encr set".
If the -e off option is specified, then you cannot specify the -a and -k options.
Only a security administrator can run this command.
Examples
The following example shows the use of the acfsutil sec realm create command.
Example 16-64 Using the acfsutil sec realm create command
$ /sbin/acfsutil sec realm create my_security_realm -m /acfsmounts/acfs1 -e on -a AES -k 192 -o enable
acfsutil sec realm delete
Purpose
Deletes objects from an Oracle ACFS security realm.
Syntax and Description
acfsutil sec realm delete -h
acfsutil sec realm delete realm -m mount_point {[-u user,...] [-G os_group,...] [-l commandrule:ruleset,commandrule:ruleset,...] [-f [-r] path,...] [-e]}
acfsutil sec realm delete -h displays help text and exits.
Table 16-68 contains the options available with the acfsutil sec realm delete command.
Table 16-68 Options for the acfsutil sec realm delete command
Option | Description |
---|---|
realm | Specifies the realm name. |
-m mount_point | Specifies the directory where the file system is mounted. |
-u user,... | Specifies the user names to delete from the realm. |
-G os_group,... | Specifies the operating system groups to delete from the realm. |
-l commandrule:ruleset,... | Specifies the filters (command rule and rule set pairs) to delete from the realm. To display a list of the command rules, use acfsutil sec info -m mount_point -c. |
-f [-r] path,... | Deletes the files specified by path from the realm; with -r, the path is processed recursively. If this is the last realm securing a file, then the file is encrypted or decrypted to match the file system level encryption state. |
-e | Disables encryption on the realm. When disabling encryption, this option decrypts any files in the realm that do not belong to any other encrypted realm. If a file is part of another realm which is encrypted, or if encryption is turned on for the file system, then the file remains encrypted. |
The acfsutil sec realm delete command removes objects from the specified realm. The objects that can be deleted include users, groups, filters (command rule and rule set pairs), and files. If the command encounters an error when deleting an object, then a message is displayed and the command continues processing the remaining objects.
Multiple entries can be added in a comma-delimited list when specifying users, operating system groups, filters, or files. Do not use spaces in the comma-delimited list. If spaces are added, then enclose the list in quotes.
Only a security administrator can run this command.
Examples
The following example shows the use of the acfsutil sec realm delete command.
Example 16-65 Using the acfsutil sec realm delete command
$ /sbin/acfsutil sec realm delete my_security_realm -m /acfsmounts/acfs1 -f -r /acfsmounts/acfs1/myoldfiles/*.log
acfsutil sec realm destroy
Purpose
Destroys an Oracle ACFS security realm.
Syntax and Description
acfsutil sec realm destroy -h
acfsutil sec realm destroy realm -m mount_point
acfsutil sec realm destroy -h displays help text and exits.
Table 16-69 contains the options available with the acfsutil sec realm destroy command.
Table 16-69 Options for the acfsutil sec realm destroy command
Option | Description |
---|---|
realm | Specifies the realm name. |
-m mount_point | Specifies the directory where the file system is mounted. |
The acfsutil sec realm destroy command removes a security realm from the specified Oracle ACFS file system. Destroying the realm does not destroy the objects in the realm; the command only removes the security associated with the realm from those objects, so objects that were protected only by this realm are no longer realm-protected.
Only a security administrator can run this command.
Examples
The following example shows the use of the acfsutil sec realm destroy command.
Example 16-66 Using the acfsutil sec realm destroy command
$ /sbin/acfsutil sec realm destroy my_security_realm -m /acfsmounts/acfs1
acfsutil sec rule clone
Purpose
Clones a security rule.
Syntax and Description
acfsutil sec rule clone -h
acfsutil sec rule clone rule -s src_mount_point new_rule
acfsutil sec rule clone rule -s src_mount_point [new_rule] -d mount_point
acfsutil sec rule clone -h displays help text and exits.
Table 16-70 contains the options available with the acfsutil sec rule clone command.
Table 16-70 Options for the acfsutil sec rule clone command
Option | Description |
---|---|
rule | Specifies the existing name of the rule. If the name contains a space, then enclose it in double quotes (" "). |
-s src_mount_point | Specifies the directory where the source file system is mounted. |
-d mount_point | Specifies the directory for the destination mount point of the file system. |
new_rule | Specifies the new name of the rule. If the name contains a space, then enclose it in double quotes (" "). |
If the source and destination mount points are different and the new rule name is not specified, then the rule is cloned using the existing rule name in the Oracle ACFS file system specified by the destination mount point. If the destination mount point is not specified, then the cloned rule is located in the source mount point and a new unique rule name must be specified.
Only a security administrator can run this command.
Examples
The following example shows the use of the acfsutil sec rule clone command.
Example 16-67 Using the acfsutil sec rule clone command
$ /sbin/acfsutil sec rule clone my_security_rule -s /acfsmounts/acfs1 my_new_security_rule -d /acfsmounts/acfs2
acfsutil sec rule create
Purpose
Creates a security rule.
Syntax and Description
acfsutil sec rule create -h
acfsutil sec rule create rule -m mount_point -t rule_type rule_value [-o {ALLOW|DENY}]
acfsutil sec rule create -h displays help text and exits.
Table 16-71 contains the options available with the acfsutil sec rule create command.
Table 16-71 Options for the acfsutil sec rule create command
Option | Description |
---|---|
rule | Specifies the name of the rule. If the name contains a space, then enclose it in double quotes (" "). |
-m mount_point | Specifies the directory where the file system is mounted. |
-t rule_type rule_value | Specifies a rule type and a rule value. The rule type can be application, hostname, time, or username; the rule value is, respectively, an application name, a host name, a time interval, or a user name. |
-o {ALLOW|DENY} | Specifies whether the rule allows (ALLOW) or denies (DENY) access. |
The acfsutil sec rule create command creates a new rule in the Oracle ACFS file system specified by the mount point. The new rule can be added to a rule set and that rule set can be added to a security realm.
A maximum of 500 Oracle ACFS security rules can be created.
The rule types and associated rule values are:
- application: This rule type specifies the name of an application which is allowed or denied access to the objects protected by a realm.
- hostname: This rule type specifies the name of a computer from which a user accesses the objects protected by a realm. Access from a node can be allowed or denied using this rule. The hostname should be one of the cluster node names and not any other external node that could have mounted the Oracle ACFS file system as a Network File System (NFS) mount.
- time: This rule type specifies a time interval in the form start_time,end_time. Access to the objects protected by a realm can be allowed or denied only during certain times of the day by setting this rule in a realm. The time is based on the local time of the host.
- username: This rule type specifies the name of a user who is allowed or denied access to the objects protected by a realm. You can use a username rule with DENY to exclude an individual user who would otherwise have access because the user belongs to an operating system group that is part of the realm.
Only a security administrator can run this command.
Examples
The following example shows the use of the acfsutil sec rule create command.
Example 16-68 Using the acfsutil sec rule create command
$ /sbin/acfsutil sec rule create my_security_rule -m /acfsmounts/acfs1 -t username security_user_one -o ALLOW
acfsutil sec rule destroy
Purpose
Removes a security rule.
Syntax and Description
acfsutil sec rule destroy -h
acfsutil sec rule destroy rule -m mount_point
acfsutil sec rule destroy -h displays help text and exits.
Table 16-72 contains the options available with the acfsutil sec rule destroy command.
Table 16-72 Options for the acfsutil sec rule destroy command
Option | Description |
---|---|
rule | Specifies the name of the rule. If the name contains a space, then enclose it in double quotes (" "). |
-m mount_point | Specifies the directory where the file system is mounted. |
The acfsutil sec rule destroy command removes a rule from the rule sets in the Oracle ACFS file system specified by the mount point. A rule set is not destroyed even if all of its rules are destroyed; the empty rule set must be explicitly destroyed with acfsutil sec ruleset destroy.
Only a security administrator can run this command.
Examples
The following example shows the use of the acfsutil sec rule destroy command.
Example 16-69 Using the acfsutil sec rule destroy command
$ /sbin/acfsutil sec rule destroy my_security_rule -m /acfsmounts/acfs1
acfsutil sec rule edit
Purpose
Updates a security rule.
Syntax and Description
acfsutil sec rule edit -h
acfsutil sec rule edit rule -m mount_point {[-t rule_type rule_value] [-o {ALLOW|DENY}]}
acfsutil sec rule edit -h displays help text and exits.
Table 16-73 contains the options available with the acfsutil sec rule edit command.
Table 16-73 Options for the acfsutil sec rule edit command
Option | Description |
---|---|
rule | Specifies the name of the rule. If the name contains a space, then enclose it in double quotes (" "). |
-m mount_point | Specifies the directory where the file system is mounted. |
-t rule_type rule_value | Specifies a rule type and a rule value. The rule type can be application, hostname, time, or username, and must match the existing type of the rule; only the rule value can be changed. |
-o {ALLOW|DENY} | Specifies whether the rule allows (ALLOW) or denies (DENY) access. |
The acfsutil sec rule edit command updates a rule. The value that is associated with a rule can be updated, but not the rule type.
Only a security administrator can run this command.
Examples
The following example shows the use of the acfsutil sec rule edit command to update my_security_rule. The existing rule is of type username; the type cannot be changed, so -t must still specify username, but the value is changed to security_user_three.
Example 16-70 Using the acfsutil sec rule edit command
$ /sbin/acfsutil sec rule edit my_security_rule -m /acfsmounts/acfs1 -t username security_user_three -o ALLOW
acfsutil sec ruleset clone
Purpose
Clones a security rule set.
Syntax and Description
acfsutil sec ruleset clone -h
acfsutil sec ruleset clone ruleset -s mount_point new_ruleset
acfsutil sec ruleset clone ruleset -s mount_point [new_ruleset] -d mount_point
acfsutil sec ruleset clone -h displays help text and exits.
Table 16-74 contains the options available with the acfsutil sec ruleset clone command.
Table 16-74 Options for the acfsutil sec ruleset clone command
Option | Description |
---|---|
ruleset | Specifies the existing name of the rule set. If the name contains a space, then enclose it in double quotes (" "). |
-s mount_point | Specifies the directory where the source file system is mounted. |
-d mount_point | Specifies the directory for the destination mount point of the file system. |
new_ruleset | Specifies the new name of the rule set. If the name contains a space, then enclose it in double quotes (" "). |
If the source mount point is different from the destination mount point, then the rules in the rule set must be cloned first.
If the source and destination mount points are different and the new rule set name is not specified, then the rule set is cloned using the existing rule set name in the Oracle ACFS file system specified by the destination mount point. If the destination mount point is not specified, then the cloned rule set is located in the source mount point and a new unique rule set name must be specified.
Only a security administrator can run this command.
Examples
The following example shows the use of the acfsutil sec ruleset clone command.
Example 16-71 Using the acfsutil sec ruleset clone command
$ /sbin/acfsutil sec ruleset clone my_security_ruleset -s /acfsmounts/acfs1 my_new_security_ruleset -d /acfsmounts/acfs2
acfsutil sec ruleset create
Purpose
Creates a security rule set.
Syntax and Description
acfsutil sec ruleset create -h
acfsutil sec ruleset create rule_set -m mount_point [-o {ALL_TRUE|ANY_TRUE}]
acfsutil sec ruleset create -h displays help text and exits.
Table 16-75 contains the options available with the acfsutil sec ruleset create command.
Table 16-75 Options for the acfsutil sec ruleset create command
Option | Description |
---|---|
rule_set | Specifies the name of the rule set. If the name contains a space, then enclose it in double quotes (" "). |
-m mount_point | Specifies the directory where the file system is mounted. |
-o {ALL_TRUE|ANY_TRUE} | Specifies how the rules in the rule set are combined. With ALL_TRUE, the rule set evaluates to true only if every rule in it evaluates to true; with ANY_TRUE, the rule set evaluates to true if at least one rule in it evaluates to true. |
The acfsutil sec ruleset create command creates a new rule set in the Oracle ACFS file system specified by the mount point. Rules are added to the rule set with acfsutil sec ruleset edit.
A maximum of 500 Oracle ACFS security rule sets can be created.
A maximum of 500 Oracle ACFS security rule sets can be created.
Only a security administrator can run this command.
Examples
The following example shows the use of the acfsutil sec ruleset create command.
Example 16-72 Using the acfsutil sec ruleset create command
$ /sbin/acfsutil sec ruleset create my_security_ruleset -m /acfsmounts/acfs1 -o ANY_TRUE
acfsutil sec ruleset destroy
Purpose
Removes a security rule set.
Syntax and Description
acfsutil sec ruleset destroy -h
acfsutil sec ruleset destroy rule_set -m mount_point
acfsutil sec ruleset destroy -h displays help text and exits.
Table 16-76 contains the options available with the acfsutil sec ruleset destroy command.
Table 16-76 Options for the acfsutil sec ruleset destroy command
Option | Description |
---|---|
rule_set | Specifies the name of the rule set. If the name contains a space, then enclose it in double quotes (" "). |
-m mount_point | Specifies the directory where the file system is mounted. |
The acfsutil sec ruleset destroy command removes a rule set from the Oracle ACFS file system specified by the mount point.
Only a security administrator can run this command.
Examples
The following example shows the use of the acfsutil sec ruleset destroy command.
Example 16-73 Using the acfsutil sec ruleset destroy command
$ /sbin/acfsutil sec ruleset destroy my_security_ruleset -m /acfsmounts/acfs1
acfsutil sec ruleset edit
Purpose
Updates a security rule set.
Syntax and Description
acfsutil sec ruleset edit -h
acfsutil sec ruleset edit rule_set -m mount_point {[-a rule,...] [-d rule,...] [-o {ALL_TRUE|ANY_TRUE}]}
acfsutil sec ruleset edit -h displays help text and exits.
Table 16-77 contains the options available with the acfsutil sec ruleset edit command.
Table 16-77 Options for the acfsutil sec ruleset edit command
Option | Description |
---|---|
rule_set | Specifies the name of the rule set. If the name contains a space, then enclose it in double quotes (" "). |
-m mount_point | Specifies the directory where the file system is mounted. |
-a rule,... | Specifies the rules to add to the rule set. |
-d rule,... | Specifies the rules to remove from the rule set. |
-o {ALL_TRUE|ANY_TRUE} | Specifies how the rules in the rule set are combined: ALL_TRUE requires every rule to evaluate to true; ANY_TRUE requires at least one rule to evaluate to true. |
The acfsutil sec ruleset edit command updates a rule set in the Oracle ACFS file system specified by the mount point.
Only a security administrator can run this command.
Examples
The following example shows the use of the acfsutil sec ruleset edit command.
Example 16-74 Using the acfsutil sec ruleset edit command
$ /sbin/acfsutil sec ruleset edit my_security_ruleset -m /acfsmounts/acfs1 -a my_new_rule -o ANY_TRUE
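Before a rule set is attached to a realm it is worth reasoning about what it will do for a given request, especially when DENY rules and overnight time windows are combined. The following Python example is an added illustration, not Oracle code: Request, Rule and RuleSet are hypothetical names, and the evaluation semantics are assumptions made for the model (an ALLOW rule is true when its value matches the request and a DENY rule is true when it does not; a time value is HH:MM,HH:MM on a 24-hour clock in host local time; an interval whose end is earlier than its start wraps past midnight; an empty rule set evaluates to false). It models the four rule types from acfsutil sec rule create and the ALL_TRUE and ANY_TRUE modes from acfsutil sec ruleset create, and replays the HumanResources scenario of Example 16-60 as an ALL_TRUE rule set of an office-hours time rule and a DENY username rule.

```python
"""Model of Oracle ACFS security rules and rule sets.

Added example, not Oracle code. The evaluation semantics below are the
assumptions stated in the lead-in, not a specification of the product.
"""
from dataclasses import dataclass
from datetime import time
from typing import List


@dataclass(frozen=True)
class Request:
    """The request attributes a rule can test (constructed for the model)."""
    username: str
    hostname: str
    application: str
    local_time: time


def parse_hhmm(text: str) -> time:
    """'18:00' -> time(18, 0); assumed format of a time rule value."""
    hh, mm = text.strip().split(":")
    return time(int(hh), int(mm))


def in_interval(now: time, start: time, end: time) -> bool:
    """start <= now < end, wrapping past midnight when end precedes start."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


@dataclass(frozen=True)
class Rule:
    name: str
    rule_type: str          # application | hostname | time | username
    value: str
    option: str = "ALLOW"   # ALLOW or DENY, as for 'acfsutil sec rule create -o'

    def matches(self, req: Request) -> bool:
        if self.rule_type == "username":
            return req.username == self.value
        if self.rule_type == "hostname":
            return req.hostname == self.value
        if self.rule_type == "application":
            return req.application == self.value
        if self.rule_type == "time":
            start, end = (parse_hhmm(t) for t in self.value.split(","))
            return in_interval(req.local_time, start, end)
        raise ValueError(f"unknown rule type {self.rule_type!r}")

    def evaluate(self, req: Request) -> bool:
        """Assumed: ALLOW is true on a match, DENY is true on a non-match."""
        matched = self.matches(req)
        return matched if self.option == "ALLOW" else not matched


@dataclass
class RuleSet:
    name: str
    rules: List[Rule]
    option: str = "ALL_TRUE"   # -o ALL_TRUE | ANY_TRUE

    def evaluate(self, req: Request) -> bool:
        results = [r.evaluate(req) for r in self.rules]
        if not results:
            return False   # assumption: an empty rule set grants nothing
        return all(results) if self.option == "ALL_TRUE" else any(results)


def hr_scenario() -> dict:
    """Example 16-60 as a rule set: hr staff only from 08:00 to 18:00, and one
    user excluded even though the hr group is a member of the realm."""
    office_hours = Rule("hr_hours", "time", "08:00,18:00", "ALLOW")
    not_contractor = Rule("not_contractor", "username", "contractor1", "DENY")
    rs = RuleSet("hr_access", [office_hours, not_contractor], "ALL_TRUE")

    def req(user: str, at: time) -> Request:
        return Request(user, "node1", "sqlplus", at)

    return {
        "alice_10am": rs.evaluate(req("alice", time(10, 0))),
        "alice_7pm": rs.evaluate(req("alice", time(19, 0))),
        "contractor_10am": rs.evaluate(req("contractor1", time(10, 0))),
    }
```

The two cases to check by hand are the ones administrators most often get wrong: a DENY username rule inside an ALL_TRUE set excludes that user even though an OS group grants them membership, and a time value written as 18:00,08:00 must be treated as a window that crosses midnight rather than an empty one.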
acfsutil sec save
Purpose
Saves Oracle ACFS file system security metadata.
Syntax and Description
acfsutil sec save -h
acfsutil sec save -m mount_point -p file
acfsutil sec save -h displays help text and exits.
Table 16-78 contains the options available with the acfsutil sec save command.
Table 16-78 Options for the acfsutil sec save command
Option | Description |
---|---|
-m mount_point | Specifies the directory where the file system is mounted. |
-p file | Specifies a file name to store the security metadata. The file is saved in the /mount_point/.Security/backup directory. |
The acfsutil sec save command saves the security metadata for an Oracle ACFS file system to an XML file. By default, the file is saved in the /mount_point/.Security/backup directory.
This file can be backed up as a regular file by a backup application. System realms protect this file: only members of those realms can access it, and all other users, including the root user and the system administrator, are denied access. For information about the system-created security realms, refer to "acfsutil sec prepare".
Only a security administrator can run this command.
Examples
The following example shows the use of the acfsutil sec save command.
Example 16-75 Using the acfsutil sec save command
$ /sbin/acfsutil sec save -m /acfsmounts/acfs1 -p my_metadata_file.xml