Question for several audit/monitoring related changes to Exadata/ZFS systems

Manfred Wollmann, May 4 2022 — edited May 4 2022

Hello,
Triggered by internal auditing/security department, I've got several important - and unfortunately urgent - questions:
Basics: we are forced to give syslog AND auditlog of all components to security department, preferably via Universal Forwarder (Splunk agent).
Learned:
- syslog forwarding possible to be configured via dbmcli/cellcli on compute nodes/cell servers => ok.
- auditlog forwarding has to happen via audispd + configuration or Universal Forwarder; both need special customer audit_rules file

Question 1: Is it allowed to replace existing audit_rules file by a customer version of it on compute nodes and cell servers?
Question 2: Is it allowed to install Universal Forwarder (Splunk agent) on compute nodes and cell servers?

Exadata switches (management switch and/or RoCE leaf and spine switches):
Question 1: Is it allowed to install Universal Forwarder (Splunk agent Cisco version or another one) to Exadata switches + replacing the audit_rules file?
Question 2: In case (1) not allowed, is syslog and auditlog forwarding allowed/possible + replacing the audit_rules file?

ZFS ToR switches for Exadata-ZFS connection:
Question 1: Is it allowed to install Universal Forwarder (Splunk agent Cisco version or another one) to ZFS ToR switches + replacing the audit_rules file?
Question 2: In case (1) not allowed, is syslog and auditlog forwarding allowed/possible + replacing the audit_rules file?

ZFS systems:
Question 1: Is it allowed to install Universal Forwarder (Splunk agent Solaris version) to ZFS ToR switches + replacing the audit_rules file?
Question 2: In case (1) not allowed, is syslog and auditlog forwarding allowed/possible + replacing the audit_rules file?

Always important: Is replacing the audit_rules file allowed?

Kind Regards,
Manfred
