21 Haziran 2013 Cuma
RMAN DBID
In different situations you need to know your database dbid. You can learn your dbid easily from connect to to RMAN tool. You must record your dbid to anywhere.
[oracle@server ~]$ rman target /
Recovery Manager: Release 11.2.0.2.0 - Production on Fri Jun 21 13:35:02 2013
Copyright (c) 1982, 2009, Oracle and/or its affiliates. All rights reserved.
connected to target database: HR (DBID=7264534995)
RMAN>
Sometimes disasters have unexpected behaviours so we couldnt find dbid where we recorded it.
But still we need to restore rman backup, control file, spfile, whole database etc. We have a small tip for writing dbid to alertlog file.
[oracle@server ~]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.2.0 Production on Fri Nov 9 15:16:45 2012
Copyright (c) 1982, 2010, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining
and Real Application Testing options
SQL> declare
2 l_dbid number;
3 begin
4 select dbid into l_dbid from v$database;
5 dbms_system.ksdwrt(2,'DBID='||l_dbid);
6 end;
7 /
PL/SQL procedure successfully completed.
SQL> commit;
Commit complete.
Procedure "dbms_system.ksdwrt" writes dbid at alertlog file. This procedure write messages to alertlog file. I learned from Arup Nanda.
DATA GUARD SECURITY
In this post I want to point out new feature of Oracle Database 11g Enterprise Edition that have caught my eye.
Because its mention about "physical standby database security" and sounds good !
With this new feature : You can make log shipping to continue work without copying password file from primary to physical standby.
- You dont have to set the same SYS password for production and standby databases, also you dont have to copy password file on all nodes for Rac enviroments.
- No more password mismatch error messages, no more un "ORA-16191: Primary log shipping client not logged on standby" error messages.
- You can manage archivelog downstream / realtime downstream via redo transport user.! ( Realtime Datawarehousing )
Coding:
Step 1:
sqlplus / as sysdba
SQL*Plus: Release 11.2.0.2.0 Production on Fri Jun 21 11:01:26 2013
Copyright (c) 1982, 2010, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining
and Real Application Testing options
SQL>
SQL>
SQL>
SQL> select * from v$version;
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
PL/SQL Release 11.2.0.2.0 - Production
CORE 11.2.0.2.0 Production
TNS for Linux: Version 11.2.0.2.0 - Production
NLSRTL Version 11.2.0.2.0 - Production
SQL> create user DG_USER identified by "PSSWD4$" ;
User created.
SQL> GRANT SYSOPER TO DG_USER;
Grant succeeded.
SQL> show parameter redo_transport_user
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
redo_transport_user string
SQL>
SQL>
SQL> ALTER SYSTEM SET REDO_TRANSPORT_USER='DG_USER' SID='*';
System altered.
SQL>
SQL> show parameter redo_transport_user
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
redo_transport_user string DG_USER
SQL>
SQL> select * from V$PWFILE_USERS ;
USERNAME SYSDB SYSOP SYSAS
------------------------------ ----- ----- -----
SYS TRUE TRUE FALSE
DG_USER FALSE TRUE FALSE
Step 2 :
[oracle@server]$ cd $ORACLE_HOME/dbs
[oracle@server dbs]$ ls -ltr
-rw-r----- 1 oracle oinstall 2048 Jan 21 10:05 orapwtest
[oracle@server dbs]$ cp orapwtest orapw_backup
[oracle@server dbs]$ orapwd file=orapwtest password="PSSWD4$" ignorecase=y entries=5
[oracle@server dbs]$ ls -ltr
-rw-r----- 1 oracle oinstall 2048 Jan 21 10:15 orapwtest
Step 3 ( important notice / revoke user):
- If you need to change password for REDO_TRANSPORT_USER (DG_USER) , you need to copy password file from primary to standby. But we are accepting that we dont change redo_transport_user password as often as SYS password. You check the SEC_CASE_SENSITIVE_LOGON parameter at dataguard pfile for case sensitive databases.
- If you dont want to redo_transport_user ; You must revoke sysoper from user and set redo_transport_user parameter to null with alter system command and then drop user.
ref: ID [1416595.1]
18 Haziran 2013 Salı
DATABASE SECURITY CHECKLIST - 3
33. Check the users and roles Who
has “CREATE ANY DIRECTORY”
privilege.
·
select
GRANTEE,ADMIN_OPTION from
dba_sys_privs where privilege like '%CREATE
ANY DIRECTORY%';
34. Check the users who has “CREATE JOB” privilege and discuss.
Because creating job privilege can provide schedule dba’s nightmares.
·
select
GRANTEE,ADMIN_OPTION from
dba_sys_privs where privilege like '%CREATE
JOB%';
35. Check the powerful network packages and control the
PUBLIC grants. If they were
granted to PUBLIC read the oracle support document ID 247093.1 and ID 470366.1
and revoke the privileges from PUBLIC and regrant to necessary schema accounts.
Ø Be Cautious When Revoking Privileges
Granted to PUBLIC [ID 247093.1]
Ø Permissions for Packages DBMS_RANDOM,
UTL_FILE, UTL_HTTP, UTL_SMTP and UTL_TCP [ID 470366.1]
·
SELECT grantee,
table_name,
privilege,
grantable
FROM
dba_tab_privs
WHERE
table_name IN
('UTL_FILE',
'UTL_TCP',
'UTL_HTTP',
'UTL_SMTP',
'DBMS_RANDOM',
'DBMS_LOB',
'DBMS_SQL',
'DBMS_SYS_SQL')
AND
grantee = 'PUBLIC';
36. Check the DBMS_SCHEDULER and DBMS_JOB
package privileges and revoke them from PUBLIC.
·
select * from
dba_tab_privs where
table_name ='DBMS_SCHEDULER';
·
select * from
dba_tab_privs where
table_name ='DBMS_JOB';
37. Check the users except schema accounts
who has RESOURCE privileges .
·
Select * from
dba_role_privs where
granted_role ='RESOURCE' and
grantee not in (select
username from
dba_users where profile ='SCHEMA');
38. Check the users who has CONNECT
privileges and if its note necessary REVOKE them.
·
select
* from
dba_role_privs where
granted_role ='CONNECT' and
grantee not in (select
username from
dba_users where profile ='ORAUSER');
39. Check the critical and
administrative roles which has password
·
select * from sys.user$
where
type#=0 and password is not null ;
40. Check these parameters value and set
the minimum requirements
·
SELECT distinct limit,resource_name FROM DBA_PROFILES WHERE
RESOURCE_NAME IN ('PASSWORD_LIFE_TIME','FAILED_LOGIN_ATTEMPTS','PASSWORD_GRACE_TIME','PASSWORD_REUSE_MAX') order by 2 desc;
41. Check the users who has default
profile and check limits for profile
default .
·
select username from
dba_users where profile='DEFAULT' ;
·
select * from
dba_profiles where profile ='DEFAULT';
42. Check the SLECT ANY PRIVILEGE and If
its granted to PUBLIC revoke THEM.
·
select grantee,admin_option from dba_sys_privs where privilege='SELECT
ANY TABLE' ;
43. Check the users who has default password
·
select * from
dba_users_with_defpwd;
44. Check the TMP_DIR and TMPDIR
directories path and privileges .
·
#cat
/home/oracle/.bash_profile |grep TMP*
45. Check the Oracle osuser id and group
id , also privileges.
46. 07_DICTIONARY_ACCESSIBILITY parameter
value is important for system privileges.
Its default = FALSE and not allowed the see sys and system privileges.
·
select value from
gv$parameter where name='O7_DICTIONARY_ACCESSIBILITY';
47. Control remote os authentication
parameter.If its true check the users who can authenticate remotely.
·
select value from
gv$parameter where name='remote_os_authent'
48. Control the remote os roles parameter
.If its true check the roles and granted users.
·
select value from
gv$parameter where name='remote_os_roles' ;
49. Check the ifile parameter value and security.
50. Check the users who was created
externally.
·
select * from
dba_users where
authentication_type<>'PASSWORD';
51. Check
the privileges INITJVMAUX and OWA_UTIL packages.
If they granted to public analyze them and revoke from public give the
necessary users.
·
select
table_name,privilege,grantable
from dba_tab_privs where
table_name in('INITJVMAUX','OWA_UTIL') and
grantee='PUBLIC' ;
52. Check the database components
and their status. INVALID states
requires reinstalling, deinstalling or compiling according to Otn documents. Older version companents requires up to date.
·
select
comp_id,version,status
from dba_registry;
53. Check the trace file public parameter
and find the optimum value. (pfile)
·
_trace_files_public
54. Check the CREATE EXTERNAL JOB system privilege and control granted to
PUBLIC.
·
select
grantee,admin_option
from dba_sys_privs where privilege='CREATE
EXTERNAL JOB' and
grantee='PUBLIC';
·
55. SEC_RETURN_SERVER_RELEASE_BANNER and SEC_MAX_FAILED_LOGIN_ATTEMPS parameter values are very important. These
parameters are new features in 11g.
·
select
inst_id,name,value from
gv$parameter where name in ('sec_return_server_release_banner','sec_max_failed_login_attempts') ;
56. Chek the SEC_CASE_SENSITIVE_LOGON
parameter value. It provides case sensitive user and role passwords in 11g
.Default value is TRUE.
·
select * from
gv$parameter where name='sec_case_sensitive_logon';
57. Check the DBMS_XMLQUERY package is
granted to PUBLIC.
·
SELECT DECODE (grantee, 'PUBLIC', 'TRUE', 'FALSE')
FROM dba_tab_privs
WHERE
table_name = 'DBMS_XMLQUERY' AND
grantee = 'PUBLIC';
58. Check audit sys operation parameter is TRUE or FALSE.
·
select inst_id,value from
gv$parameter where name='audit_sys_operations';
59. Control the all profiles and limit password verify
function value. Set the NULL values to Oracle 11g standard VERIFY_FUNCTION. (
which has 8 karakter ,case sensitive, minimum 1 char, 1 number, 1 punction )
·
select * from
dba_profiles where
resource_name='PASSWORD_VERIFY_FUNCTION' and limit is null;
60. Check the SYS
user profile and set the profile ORASYS if its not. Control ORASYS profile users.
·
select profile from
dba_users where
username='SYS' ;
61. Check the audit log level parameter.
·
select
inst_id,value from
gv$parameter where name='audit_syslog_level';
Kaydol:
Kayıtlar (Atom)