5 Securing the Operations of the Recovery Appliance
The following steps harden the Recovery Appliance by reducing exposure of its powerful built-in accounts, such as root and rasys, and by enabling improved auditing of maintenance actions. Although this procedure is optional for many installations and applications, establishing and using named secure users is required for operations to comply with various regulatory mandates.
For purposes of example, the sample commands have three fictive users: bob, sue, and jim.
- Create named users and assign them db_user with user type admin for administration rights. The db_user user type admin replaces the use of rasys for configuration and day-to-day Recovery Appliance management operations. This account can issue certain SQL*Plus commands within its assigned privileges.
  racli add db_user --user_type=admin --user_name=bob
  racli add db_user --user_type=admin --user_name=sue
  In this example, bob and sue are given --user_type=admin for administration rights.
  Note: The db_user user type admin has limited privileges and cannot be used as sysdba in SQL*Plus.
- Create ssh users for the Recovery Appliance. The admin_user account is a role for new named users who manage the Recovery Appliance from an operational perspective. It permits operating-system-level operations on the Recovery Appliance that previously required root access; however, admin_user is not root.
  racli add admin_user --user_name=bob
  racli add admin_user --user_name=jim
  racli add admin_user --user_name=sue
  In this example, bob, sue, and jim are given admin_user with administration rights.
- Disable ssh access for root and oracle.
  racli disable ssh
- Disable root access for root, oracle, and raadmin.
  racli disable root_access
- Disable rasys access.
  Note: Make sure that you have the db_user user type admin accounts and the admin_user accounts before disabling rasys access, because these are the accounts that replace rasys for management operations.
  racli disable rasys_user
- Disable sys remote access.
  racli disable sys_remote_access
- Validate the time service. Refer to Changing the CHRONY Servers.
- Validate that the Recovery Appliance is in compliance.
  racli run check --check_name=check_ra_compliance
  The above should return TRUE. The check_ra_compliance check validates that:
  - ssh access for root and oracle is disabled on all nodes.
  - rasys access is disabled.
  - sys remote access is disabled.
  - Time service is enabled.
  - Two or more admin_users for the Recovery Appliance have been established.
  - Two or more db_users who are admin have been established.
  If any of the above items is not completed, check_ra_compliance fails, because one or more security gaps still exist on the Recovery Appliance.
At the completion of the above steps:
- The initial set of administrative users has been configured.
- An audit trail of actions by administrative users is now possible.
- Various commands are restricted to users with the proper permissions.
- Certain commands are restricted to quorum operations, which require the approval of other administrators before they are run.
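The steps above must be applied in order: the named db_user and admin_user accounts have to exist before rasys and root access are disabled, or the appliance is left without a usable management account, and check_ra_compliance requires at least two of each. The following script is an added example, not Oracle's code and not part of the Recovery Appliance documentation; it lays out the racli commands for a named set of administrators, refuses to start if the result could not pass check_ra_compliance, and only prints the commands unless the (hypothetical) RA_APPLY=1 environment variable is set. The time service check remains a manual step.

```shell
#!/bin/sh
# Added example (not from the Recovery Appliance documentation): run the
# hardening steps in a safe order for a named set of administrators.
# It refuses to start unless the result would satisfy check_ra_compliance
# (two or more admin db_users and two or more admin_users), so that rasys
# and root access are never disabled before their replacements exist.
# Dry run by default: commands are printed, not executed. Set RA_APPLY=1
# (a name chosen for this example) to execute them through racli.

ra_run() {
    if [ "${RA_APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# usage: ra_harden_plan "<db admin users>" "<os admin users>"
# Both arguments are space-separated lists of user names.
ra_harden_plan() {
    db_users=$1
    os_users=$2
    set -- $db_users; ndb=$#
    set -- $os_users; nos=$#
    if [ "$ndb" -lt 2 ] || [ "$nos" -lt 2 ]; then
        echo "refusing: need at least 2 admin db_users and 2 admin_users (have $ndb and $nos)" >&2
        return 1
    fi
    # Create the replacements for rasys (db_user admin) and root (admin_user).
    for u in $db_users; do
        ra_run racli add db_user --user_type=admin --user_name="$u"
    done
    for u in $os_users; do
        ra_run racli add admin_user --user_name="$u"
    done
    # Only now remove the shared privileged paths in.
    ra_run racli disable ssh
    ra_run racli disable root_access
    ra_run racli disable rasys_user
    ra_run racli disable sys_remote_access
    # Validate the time service manually (Changing the CHRONY Servers), then
    # confirm the result; the check is expected to return TRUE.
    ra_run racli run check --check_name=check_ra_compliance
}

# Demo with the page's example users (printed, not executed).
ra_harden_plan "bob sue" "bob jim sue"
```

Run it once without RA_APPLY to review the plan, then with RA_APPLY=1 on the appliance as a user permitted to run racli.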
Remote Handling of Recovery Appliance System Logs
As part of efficient management of the Recovery Appliance, it can be beneficial to export the system log files automatically to one or more remote servers for status monitoring and review.
You can configure which Recovery Appliance log files are sent, such as:
- /var/log/audit/audit.log
- /var/log/messages
- /var/log/oracle/deploy/dbmcli.lst.root.0
- /var/log/aide/aide.log
- /etc/passwd
- /var/log/yum.log
- /var/log/clamav/clamscan.log
- /var/log/secure
- /opt/oracle.RecoveryAppliance/log/ra_export.log
- /opt/oracle.RecoveryAppliance/log/em_backup.log
- /opt/oracle.RecoveryAppliance/log/ra_fs_cleanup.log
- /opt/oracle.RecoveryAppliance/log/emctl.log
- /opt/oracle.RecoveryAppliance/log/racli_update_parameter.log
- /opt/oracle.RecoveryAppliance/log/racli_alter_parameter.log
- /opt/oracle.RecoveryAppliance/log/racli_list_parameter.log
To Create a Configuration File for a Remote Receiver
The command racli add remote_syslog creates a configuration file in /etc/rsyslog.d/ from the arguments passed in:
racli add remote_syslog --dest=<desturl> --port=<destPort> --config_name=<yourConfig>
- --dest=<desturl> defines the IP address of the (remote) destination to receive this Recovery Appliance's system logs.
- --port=<destPort> defines the port on the (remote) destination to receive this Recovery Appliance's system logs.
- --config_name=<yourConfig> defines a name meaningful to the organization, like fleet01_remote_central.
racli add remote_syslog --dest=100.104.102.184 --port=514 --config_name=fleet1_test02:
Created log /opt/oracle.RecoveryAppliance/log/racli_add_remote_syslog.log
Mon Apr 11 09:17:41 2022: Start: Configure Sys Log to 100.104.102.184
Mon Apr 11 09:17:41 2022: Start: On Local Node zdlra10adm01
Mon Apr 11 09:17:41 2022: Start: Restart rsyslog
Mon Apr 11 09:17:41 2022: End: Restart rsyslog
Mon Apr 11 09:17:41 2022: End: On Local Node zdlra10adm01
Mon Apr 11 09:17:42 2022: Start: On Remote Node zdlra10adm02
Mon Apr 11 09:17:43 2022: End: On Remote Node zdlra10adm02
Mon Apr 11 09:17:43 2022: End: Configure Sys Log to 100.104.102.184
To View the Remote Receivers
The command racli list remote_syslog lists all the configuration files, or a specific one, from the /etc/rsyslog.d/ directory.
racli list remote_syslog --config_name=fleet1_test01:
syslog_fleet1_test01:
NAME = fleet1_test01
CONFIG_FILE = /etc/rsyslog.d/fleet1_test01.conf
To Remove the Remote Receivers
The command racli remove remote_syslog removes a named configuration file from the /etc/rsyslog.d/ directory.
racli remove remote_syslog --config_name='fleet1_test01'
Created log /opt/oracle.RecoveryAppliance/log/racli_remove_remote_syslog.log
Mon Apr 11 09:17:58 2022: Start: Remove Sys Log fleet1_test01
Mon Apr 11 09:17:58 2022: Start: On Local Node zdlra10adm01
Mon Apr 11 09:17:58 2022: Removed: Sys Log fleet1_test01.conf
Mon Apr 11 09:17:58 2022: Removed: Metadata of syslog_fleet1_test01
Mon Apr 11 09:17:58 2022: Start: Restart rsyslog
Mon Apr 11 09:17:58 2022: End: Restart rsyslog
Mon Apr 11 09:17:58 2022: End: On Local Node zdlra10adm01
Mon Apr 11 09:17:58 2022: Start: On Remote Node zdlra10adm02
Mon Apr 11 09:18:00 2022: End: On Remote Node zdlra10adm02
Mon Apr 11 09:18:00 2022: End: Remove Sys Log fleet1_test01
To Configure the Syslog Server or Fleet Manager
The external and separate syslog or fleet server needs to be configured to receive the Recovery Appliance log files.
- Each config file can accept one (1) destination only.
- The location of the config file is /etc/rsyslog.d/.
- Location set for logs: /var/odo/hostsyslogs/
- Naming convention for the log files: %PROGRAMNAME%_%HOSTNAME%_%$YEAR%-%$MONTH%-%$DAY%-%$HOUR%.log
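The page states what the receiving server must provide (a listener on the port given to racli add remote_syslog, logs under /var/odo/hostsyslogs/, and the file naming convention above) but not how to configure it. The following script is an added example, not Oracle's code and not part of the Recovery Appliance documentation; it writes a receiver-side rsyslog configuration that meets those requirements. It assumes an rsyslog 7 or later receiver using RainerScript syntax, and plain TCP on the chosen port, because the appliance-generated configuration forwards with the @@host:port action, which is unencrypted TCP syslog. The output path and port are parameters; nothing else is assumed about the server.

```shell
#!/bin/sh
# Added example (not from the Recovery Appliance documentation): generate the
# receiver-side rsyslog configuration for the syslog or fleet server, using
# the log location and file naming convention the appliance documentation
# specifies. Assumes rsyslog 7+ (RainerScript) and plain TCP, matching the
# appliance's @@host:port forward action.

# usage: write_ra_receiver_conf <output-path> [port]
write_ra_receiver_conf() {
    out=$1
    port=${2:-514}
    cat > "$out" <<EOF
# Receiver for Recovery Appliance system logs
module(load="imtcp")

# One file per program and sending host, rolled hourly, matching the
# naming convention documented for the appliance.
template(name="RAHostLog" type="string"
         string="/var/odo/hostsyslogs/%PROGRAMNAME%_%HOSTNAME%_%\$YEAR%-%\$MONTH%-%\$DAY%-%\$HOUR%.log")

# Keep appliance traffic in its own ruleset so it never mixes with the
# server's local logs. The forwarded set includes audit.log, secure and
# /etc/passwd, so create directories and files no wider than group-readable.
ruleset(name="ra_receive") {
    action(type="omfile" dynaFile="RAHostLog"
           dirCreateMode="0750" fileCreateMode="0640")
    stop
}

# Listener on the port passed to racli add remote_syslog --port.
input(type="imtcp" port="$port" ruleset="ra_receive")
EOF
}

# With no arguments, print the configuration to stdout; otherwise write it
# to the given file, for example:
#   write_ra_receiver_conf /etc/rsyslog.d/ra-receiver.conf 514
write_ra_receiver_conf "${1:-/dev/stdout}" "${2:-514}"
```

Because each appliance-side config file carries a single destination and sends in the clear, restrict the receiver's port with a host firewall to the appliance node addresses and treat /var/odo/hostsyslogs/ as sensitive: it will contain the appliance's audit trail and its /etc/passwd.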
Example of .conf file under /etc/rsyslog.d
##########REMOTE SYSLOG#################
$ModLoad imfile
####################
$InputFilePollInterval 180
$InputFileName /var/log/aide/aide.log
$InputFileTag aide:
$InputFileStateFile stat-aide
$InputFileSeverity Info
$InputRunFileMonitor
if $programname == 'aide' then @@100.104.102.184:514
if $programname == 'aide' then stop
####################
$InputFilePollInterval 180
$InputFileName /var/log/audit/audit.log
$InputFileTag audit:
$InputFileStateFile stat-audit
$InputFileSeverity Info
$InputRunFileMonitor
if $programname == 'audit' then @@100.104.102.184:514
if $programname == 'audit' then stop
####################
$InputFilePollInterval 180
$InputFileName /var/log/clamav/clamscan.log
$InputFileTag clamav:
$InputFileStateFile stat-clamav
$InputFileSeverity Info
$InputRunFileMonitor
if $programname == 'clamav' then @@100.104.102.184:514
if $programname == 'clamav' then stop
####################
$InputFilePollInterval 180
$InputFileName /var/log/oracle/deploy/dbmcli.lst.root.0
$InputFileTag dbmcli:
$InputFileStateFile stat-dbmcli
$InputFileSeverity Info
$InputRunFileMonitor
if $programname == 'dbmcli' then @@100.104.102.184:514
if $programname == 'dbmcli' then stop
####################
$InputFilePollInterval 180
$InputFileName /opt/oracle.RecoveryAppliance/log/em_backup.log
$InputFileTag em-backup:
$InputFileStateFile stat-em-backup
$InputFileSeverity Info
$InputRunFileMonitor
if $programname == 'em-backup' then @@100.104.102.184:514
if $programname == 'em-backup' then stop
####################
$InputFilePollInterval 180
$InputFileName /opt/oracle.RecoveryAppliance/log/emctl.log
$InputFileTag emctl:
$InputFileStateFile stat-emctl
$InputFileSeverity Info
$InputRunFileMonitor
if $programname == 'emctl' then @@100.104.102.184:514
if $programname == 'emctl' then stop
####################
$InputFilePollInterval 180
$InputFileName /var/log/messages
$InputFileTag messages:
$InputFileStateFile stat-messages
$InputFileSeverity Info
$InputRunFileMonitor
if $programname == 'messages' then @@100.104.102.184:514
if $programname == 'messages' then stop
####################
$InputFilePollInterval 180
$InputFileName /etc/passwd
$InputFileTag passwd:
$InputFileStateFile stat-passwd
$InputFileSeverity Info
$InputRunFileMonitor
if $programname == 'passwd' then @@100.104.102.184:514
if $programname == 'passwd' then stop
####################
$InputFilePollInterval 180
$InputFileName /opt/oracle.RecoveryAppliance/log/ra_export.log
$InputFileTag ra-export:
$InputFileStateFile stat-ra-export
$InputFileSeverity Info
$InputRunFileMonitor
if $programname == 'ra-export' then @@100.104.102.184:514
if $programname == 'ra-export' then stop
####################
$InputFilePollInterval 180
$InputFileName /opt/oracle.RecoveryAppliance/log/ra_fs_cleanup.log
$InputFileTag ra-fs-cleanup:
$InputFileStateFile stat-ra-fs-cleanup
$InputFileSeverity Info
$InputRunFileMonitor
if $programname == 'ra-fs-cleanup' then @@100.104.102.184:514
if $programname == 'ra-fs-cleanup' then stop
####################
$InputFilePollInterval 180
$InputFileName /opt/oracle.RecoveryAppliance/log/racli_alter_parameter.log
$InputFileTag racli-alter-parameter:
$InputFileStateFile stat-racli-alter-parameter
$InputFileSeverity Info
$InputRunFileMonitor
if $programname == 'racli-alter-parameter' then @@100.104.102.184:514
if $programname == 'racli-alter-parameter' then stop
####################
$InputFilePollInterval 180
$InputFileName /opt/oracle.RecoveryAppliance/log/racli_list_parameter.log
$InputFileTag racli-list-parameter:
$InputFileStateFile stat-racli-list-parameter
$InputFileSeverity Info
$InputRunFileMonitor
if $programname == 'racli-list-parameter' then @@100.104.102.184:514
if $programname == 'racli-list-parameter' then stop
####################
$InputFilePollInterval 180
$InputFileName /opt/oracle.RecoveryAppliance/log/racli_update_parameter.log
$InputFileTag racli-update-parameter:
$InputFileStateFile stat-racli-update-parameter
$InputFileSeverity Info
$InputRunFileMonitor
if $programname == 'racli-update-parameter' then @@100.104.102.184:514
if $programname == 'racli-update-parameter' then stop
####################
$InputFilePollInterval 180
$InputFileName /var/log/secure
$InputFileTag secure:
$InputFileStateFile stat-secure
$InputFileSeverity Info
$InputRunFileMonitor
if $programname == 'secure' then @@100.104.102.184:514
if $programname == 'secure' then stop
####################
$InputFilePollInterval 180
$InputFileName /var/log/yum.log
$InputFileTag yum:
$InputFileStateFile stat-yum
$InputFileSeverity Info
$InputRunFileMonitor
if $programname == 'yum' then @@100.104.102.184:514
if $programname == 'yum' then stop
########################################
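A generated file of the form above is only useful if every monitored file actually has a forward rule for its tag and the whole file points at the single destination the page says it may contain. The following script is an added example, not Oracle's code and not part of the Recovery Appliance documentation; it checks those two properties on a configuration file of this layout. The sample configuration it writes is constructed for the demonstration and reuses the address and port from the page's example.

```shell
#!/bin/sh
# Added example (not from the Recovery Appliance documentation): sanity-check
# a generated /etc/rsyslog.d/<config_name>.conf in the layout shown above.
# It verifies:
#   1. the file forwards to exactly one host:port destination, and
#   2. every imfile input (InputFileTag) has a forward rule for its tag,
#      so no monitored log silently stays local.

# Print the unique host:port targets used in forward (@@ or @) actions.
ra_syslog_destinations() {
    grep -oE 'then @@?[^[:space:]]+' "$1" | sed -E 's/^then @@?//' | sort -u
}

# Print the tag of every imfile input block, without its trailing colon.
ra_syslog_tags() {
    awk '$1 == "$InputFileTag" { t = $2; sub(/:$/, "", t); print t }' "$1"
}

# Return 0 if the config is consistent, 1 otherwise (problems go to stderr).
check_ra_syslog_conf() {
    conf=$1
    rc=0
    ndest=$(ra_syslog_destinations "$conf" | wc -l)
    ndest=$((ndest + 0))
    if [ "$ndest" -ne 1 ]; then
        echo "FAIL: expected exactly one destination, found $ndest" >&2
        rc=1
    fi
    for tag in $(ra_syslog_tags "$conf"); do
        if ! grep -qF "if \$programname == '$tag' then @" "$conf"; then
            echo "FAIL: input tagged '$tag' has no forward rule" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample in the layout racli add remote_syslog produces.
write_sample_ra_conf() {
    cat > "$1" <<'EOF'
$ModLoad imfile
$InputFilePollInterval 180
$InputFileName /var/log/audit/audit.log
$InputFileTag audit:
$InputFileStateFile stat-audit
$InputFileSeverity Info
$InputRunFileMonitor
if $programname == 'audit' then @@100.104.102.184:514
if $programname == 'audit' then stop
$InputFilePollInterval 180
$InputFileName /var/log/secure
$InputFileTag secure:
$InputFileStateFile stat-secure
$InputFileSeverity Info
$InputRunFileMonitor
if $programname == 'secure' then @@100.104.102.184:514
if $programname == 'secure' then stop
EOF
}

sample=$(mktemp)
write_sample_ra_conf "$sample"
if check_ra_syslog_conf "$sample"; then
    echo "OK: forwarding to $(ra_syslog_destinations "$sample")"
fi
rm -f "$sample"
```

On the appliance, point check_ra_syslog_conf at /etc/rsyslog.d/<config_name>.conf after racli add remote_syslog and again after any manual edit; a second destination or an input without a forward rule is reported on stderr and the function returns 1.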