IBM Support

IBM Security Guardium: Can ORACLE ASO bequeath traffic be intercepted without adding the bequeath user to the guardium group?

Question & Answer


Question

1.- Can Guardium intercept Oracle ASO bequeath traffic without adding the bequeath OS user to the guardium group, or giving RW on /dev/ktap to world?

2.- Why does group guardium need write permissions on /dev/ktap?

Answer

1.- Can Guardium intercept Oracle ASO bequeath traffic without adding the bequeath OS user to the guardium group?

Answer: No, this is not possible. To capture Oracle ASO bequeath traffic, the bequeath user must be added to the guardium group, and read permissions must be opened on two directories. The reason is that the user needs to be able to read and write to the /dev/ktap device, which is owned by group guardium.

The requirement is documented in the Guardium Knowledge Base, in the section "A-TAP Problems And Solutions associated with Oracle Permissions", which states:

"In 'BEQUEATH' access from the user other than the one that installed the database the permissions have to be set manually:

add user running sqlplus to group 'guardium'
open the read permissions 'chmod a+rx' on the following two directories:

/usr/local/guardium/xxx/etc/guard
/usr/local/guardium/xxx/etc/guard/executor"


2.- Why does group guardium need write permissions on /dev/ktap?

Answer: A-TAP interception of traffic uses an OS wrapper that needs to be able to access the ktap device to read the traffic. Unfortunately, the user running bequeath traffic *must* have access to /dev/ktap, and there is no alternative that avoids this requirement. The OS user must be part of the guardium group if you want to monitor ASO encrypted bequeath traffic for Oracle.
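The prerequisites from both answers (guardium group membership, group read/write on /dev/ktap, and a+rx on the two guard directories) can be audited for a given OS user before troubleshooting missing bequeath traffic. The script below is an added example, not IBM's code: the function names are hypothetical, and the guard directory is passed as an argument because the install path is site-specific.

```shell
#!/bin/sh
# Added example: audit the manual A-TAP bequeath prerequisites for one OS user.
# Function names are hypothetical; the guard directory is site-specific and is
# passed in as an argument (the .../etc/guard path of the local install).

# Succeeds if user $1 is a member of group $2 (primary or supplementary).
user_in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qxF "$2"
}

# Succeeds if path $1 belongs to group $2 and the group has read and write.
group_has_rw() {
    ls -ld "$1" 2>/dev/null | awk -v g="$2" \
        '$4 == g && substr($1, 5, 2) == "rw" { ok = 1 } END { exit !ok }'
}

# Succeeds if directory $1 is readable and searchable by owner, group and
# other, which is the state 'chmod a+rx' produces.
dir_all_rx() {
    ls -ld "$1" 2>/dev/null | awk \
        '$1 ~ /^dr.[xs]r.[xs]r.[xt]/ { ok = 1 } END { exit !ok }'
}

# Prints one line per unmet prerequisite; returns the number of failures.
audit_bequeath_user() {
    user=$1 guard_dir=$2 fails=0
    user_in_group "$user" guardium ||
        { echo "FAIL: $user is not in group guardium"; fails=$((fails + 1)); }
    group_has_rw /dev/ktap guardium ||
        { echo "FAIL: group guardium lacks rw on /dev/ktap"; fails=$((fails + 1)); }
    for d in "$guard_dir" "$guard_dir/executor"; do
        dir_all_rx "$d" ||
            { echo "FAIL: $d is not a+rx"; fails=$((fails + 1)); }
    done
    [ "$fails" -eq 0 ] && echo "OK: bequeath prerequisites met for $user"
    return "$fails"
}

# Usage: sh audit.sh <os_user> <guard_dir>
if [ $# -eq 2 ]; then
    audit_bequeath_user "$1" "$2"
fi
```

Running the same audit across all accounts in group guardium also gives a list of which OS users currently hold read/write access to /dev/ktap.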

Product: IBM Security Guardium
Component: Guardium S-TAP
Platform: AIX, HP-UX, Linux, Solaris
Version: 10.0, 10.0.1, 10.1, 10.1.2, 10.1.3, 9.0, 9.1, 9.5

Document Information

Modified date: 16 June 2018

UID: swg22009155