Monthly Archives: May 2012

Resize swap space on linux

A few times a year I create a new Linux VM. I usually do this by using a kickstart server. The kickstart configuration file I normally use creates a swap partition which is too small for an Oracle database server. Unfortunately, I regularly forget how to resize the swap partition. Ok, I could update my kickstart configuration file before I create the VM, but this gets forgotten as well ;-)

Background

I try to keep my VMs as small as possible. Disk space on an SSD is not yet as cheap as it should be. Therefore I usually create VM disks which can grow up to a certain limit. For the swap disk I use a 4GB VM disk and define a swap space of about 2G. The VM disk itself will not grow as long as there is not a lot of swapping. But if the VM has at least 2GB memory, the Oracle installer complains about too low swap space. Ok, you can ignore this ;-) or you can increase the swap space.

Let’s do it

Check the current settings

cat /etc/fstab
LABEL=/                 /                       ext3    defaults        1 1
LABEL=/u00              /u00                    ext3    defaults        1 2
LABEL=/u01              /u01                    ext3    defaults        1 2
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
LABEL=SWAP-sdb1         swap                    swap    defaults        0 0

Switch off the swap device

swapoff -a

Recreate the swap partition with fdisk

fdisk /dev/sdb

Command (m for help): m
Command action
   a   toggle a bootable flag
   b   edit bsd disklabel
   c   toggle the dos compatibility flag
   d   delete a partition
   l   list known partition types
   m   print this menu
   n   add a new partition
   o   create a new empty DOS partition table
   p   print the partition table
   q   quit without saving changes
   s   create a new empty Sun disklabel
   t   change a partition's system id
   u   change display/entry units
   v   verify the partition table
   w   write table to disk and exit
   x   extra functionality (experts only)

Delete the old swap partition

Command (m for help): d
Selected partition 1

Command (m for help): d
No partition is defined yet!

Select the partition type

Command (m for help): t
Selected partition 1
Hex code (type L to list codes): l

 0  Empty           1e  Hidden W95 FAT1 80  Old Minix       bf  Solaris        
 1  FAT12           24  NEC DOS         81  Minix / old Lin c1  DRDOS/sec (FAT-
 2  XENIX root      39  Plan 9          82  Linux swap / So c4  DRDOS/sec (FAT-
 3  XENIX usr       3c  PartitionMagic  83  Linux           c6  DRDOS/sec (FAT-
 4  FAT16 <32M      40  Venix 80286     84  OS/2 hidden C:  c7  Syrinx        
 5  Extended        41  PPC PReP Boot   85  Linux extended  da  Non-FS data    
 6  FAT16           42  SFS             86  NTFS volume set db  CP/M / CTOS / .
 7  HPFS/NTFS       4d  QNX4.x          87  NTFS volume set de  Dell Utility  
 8  AIX             4e  QNX4.x 2nd part 88  Linux plaintext df  BootIt        
 9  AIX bootable    4f  QNX4.x 3rd part 8e  Linux LVM       e1  DOS access    
 a  OS/2 Boot Manag 50  OnTrack DM      93  Amoeba          e3  DOS R/O        
 b  W95 FAT32       51  OnTrack DM6 Aux 94  Amoeba BBT      e4  SpeedStor      
 c  W95 FAT32 (LBA) 52  CP/M            9f  BSD/OS          eb  BeOS fs        
 e  W95 FAT16 (LBA) 53  OnTrack DM6 Aux a0  IBM Thinkpad hi ee  EFI GPT        
 f  W95 Ext'd (LBA) 54  OnTrackDM6      a5  FreeBSD         ef  EFI (FAT-12/16/
10  OPUS            55  EZ-Drive        a6  OpenBSD         f0  Linux/PA-RISC b
11  Hidden FAT12    56  Golden Bow      a7  NeXTSTEP        f1  SpeedStor      
12  Compaq diagnost 5c  Priam Edisk     a8  Darwin UFS      f4  SpeedStor      
14  Hidden FAT16 3 61  SpeedStor       a9  NetBSD          f2  DOS secondary  
16  Hidden FAT16    63  GNU HURD or Sys ab  Darwin boot     fb  VMware VMFS    
17  Hidden HPFS/NTF 64  Novell Netware  b7  BSDI fs         fc  VMware VMKCORE
18  AST SmartSleep  65  Novell Netware  b8  BSDI swap       fd  Linux raid auto
1b  Hidden W95 FAT3 70  DiskSecure Mult bb  Boot Wizard hid fe  LANstep        
1c  Hidden W95 FAT3 75  PC/IX           be  Solaris boot    ff  BBT            
Hex code (type L to list codes): 82
Changed system type of partition 1 to 82 (Linux swap / Solaris)

Create a new partition. I’ll use the full size of the disk /dev/sdb.

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-522, default 1):
Using default value 1
Last cylinder or +size or +sizeM or +sizeK (1-522, default 522):
Using default value 522

Write the changes to disk and exit

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

Now it’s time to create a new swap area with mkswap. Because I use labels in fstab, I create the new swap area with a label again.

mkswap -L SWAP-sdb1 /dev/sdb1

Enable the swap device again

swapon -a

Display the new swap info

swapon -s
Filename                                Type            Size    Used    Priority
/dev/sdb1                               partition       4192924 34324   -1
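The same procedure as a script, added here as an example and not part of the original post: it checks that the swapped-out pages fit back into free RAM before swapoff (otherwise swapoff fails), verifies the fstab label, and replaces the interactive fdisk dialogue with a one-line sfdisk script. It assumes the layout from the post (whole disk /dev/sdb, swap on /dev/sdb1, fstab entry LABEL=SWAP-sdb1) and that sfdisk from util-linux is installed.

```shell
#!/bin/sh
# Added example (not from the original post): the swap resize above with
# pre-flight checks, using sfdisk non-interactively instead of the fdisk dialogue.
# Assumes the post's layout: whole disk /dev/sdb, swap on /dev/sdb1, fstab entry
# LABEL=SWAP-sdb1, and sfdisk (util-linux) being available.

# Sum the Used column (KiB) of `swapon -s` / /proc/swaps text; line 1 is the header.
swap_used_kb() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 4 { used += $4 } END { print used + 0 }'
}

# MemFree (KiB) from /proc/meminfo text; 0 if the line is missing.
mem_free_kb() {
    printf '%s\n' "$1" | awk '$1 == "MemFree:" { f = $2 } END { print f + 0 }'
}

# swapoff must page everything back into RAM, otherwise it fails with
# "Cannot allocate memory" (or the OOM killer runs): require Used < MemFree.
can_swapoff() {
    [ "$(swap_used_kb "$1")" -lt "$(mem_free_kb "$2")" ]
}

# Label of the LABEL=... swap entry in fstab text (empty if none).
fstab_swap_label() {
    printf '%s\n' "$1" | awk '$3 == "swap" && $1 ~ /^LABEL=/ { sub(/^LABEL=/, "", $1); print $1 }'
}

# Recreate disk $1 as one Linux swap partition labelled $2 (needs root).
resize_swap() {
    dev=$1 label=$2
    [ "$(fstab_swap_label "$(cat /etc/fstab)")" = "$label" ] || { echo "fstab has no swap entry LABEL=$label" >&2; return 1; }
    can_swapoff "$(cat /proc/swaps)" "$(cat /proc/meminfo)" || { echo "not enough free RAM to swapoff" >&2; return 1; }
    swapoff -a
    # sfdisk script line ",,82": default start, rest of the disk, type 82 (Linux swap)
    printf ',,82\n' | sfdisk "$dev"
    mkswap -L "$label" "${dev}1"
    swapon -a && swapon -s
}

# Constructed sample inputs in the shape of the outputs shown in the post
SAMPLE_SWAPS='Filename Type Size Used Priority
/dev/sdb1 partition 4192924 34324 -1'
SAMPLE_MEMINFO='MemTotal: 2055276 kB
MemFree: 812344 kB'
SAMPLE_FSTAB='LABEL=/ / ext3 defaults 1 1
LABEL=SWAP-sdb1 swap swap defaults 0 0'
```

Run `resize_swap /dev/sdb SWAP-sdb1` as root on the VM; the helper functions can be exercised on the sample texts without touching the disk.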

Oracle TNS Poison vulnerability

A few days after the last Critical Patch Update, Oracle had to post a security alert for CVE-2012-1675. The issue, also known as “TNS Listener Poison Attack”, affects any Oracle Database Server. As a personal reference I have summarized the most important information about this topic.

Vulnerability Description

This security alert addresses CVE-2012-1675, a vulnerability in the TNS listener which has recently been disclosed as “TNS Listener Poison Attack” and affects the Oracle Database Server. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the confidentiality, integrity and availability of systems that do not have the recommended solution applied. The post “The history of a -probably- 13 years old Oracle bug: TNS Poison” by Joxean Koret explains how this vulnerability can be exploited.

Impact

The attack point of this vulnerability is once again the Oracle listener. The impact depends on the network configuration of the database server and listener: a publicly accessible listener suffers a lot from this issue, an internal listener a bit less.

  • Publicly accessible listener, e.g. the listener is reachable from the internet => extremely critical
  • Listener is accessible from the company network, i.e. any client can reach the listener => very critical
  • Network zoning or network segmentation is used, i.e. only a limited number of systems (e.g. application servers) can reach the listener => critical

Bug fix

According to Oracle (see web sources below) there is no security fix for this issue. It probably will not be fixed before Oracle 12c. Until then there are several workarounds to eliminate or minimize the potential security risk.

Workaround

In order to prevent exploitation of the vulnerability, dynamic registration must be switched off or limited (e.g. only local registrations, allowing only certain IPs, or identification by certificate).

  1. Switch off dynamic registration
     Switch off dynamic registration by setting dynamic_registration_LISTENER_NAME=off in listener.ora according to DYNAMIC_REGISTRATION_listener_name. Switching off dynamic registration is not an option if you’re using Oracle Data Guard, RAC or the PL/SQL Gateway in connection with APEX.

  2. Use Class of Secure Transport on single instance databases
     Oracle recommends setting the class of secure transport to restrict instance registration to the local system. This parameter is available since Oracle 10.2.0.3 and can be implemented according to MOS Note 1453883.1.

  3. Use Class of Secure Transport in Oracle RAC
     For RAC the use of COST is a bit more complex and requires configuring SSL/TCPS. This is likewise only possible for Oracle 10.2.0.3 and newer. It can be implemented according to MOS Note 1340831.1.

  4. Limit network access
     Start using valid node checking in sqlnet.ora to limit access to the listener to certain IP addresses:

    TCP.VALIDNODE_CHECKING = YES
    TCP.INVITED_NODES = (comma separated list of all valid clients)

  5. Limit network access on the network
     As an alternative, limit network access to certain listeners on the network layer, e.g. by network segmentation, firewalls etc.
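To check which of the workarounds above (dynamic registration off, COST, valid node checking) a server actually has configured, here is a small audit over listener.ora / sqlnet.ora text. It is an added example, not code from the post or from Oracle; it relies on DYNAMIC_REGISTRATION_listener_name from the post, on SECURE_REGISTER_listener_name (the COST parameter of MOS Note 1453883.1) and on the sqlnet.ora valid node checking parameters, and the sample configurations with their hostnames are constructed.

```python
import re

# Added example (not from the original post): audit listener.ora / sqlnet.ora
# text for the CVE-2012-1675 workarounds listed above. Parameter names used:
# DYNAMIC_REGISTRATION_<listener> (from the post), SECURE_REGISTER_<listener>
# (the COST parameter of MOS Note 1453883.1) and the sqlnet.ora valid node
# checking parameters TCP.VALIDNODE_CHECKING / TCP.INVITED_NODES.

def parse_ora(text):
    """Top-level NAME = VALUE lines of an Oracle Net .ora file as an upper-cased dict.
    Nested lines of a DESCRIPTION block start with '(' and are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        m = re.match(r"([A-Za-z0-9_.]+)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1).upper()] = m.group(2).strip().upper()
    return params

def audit_tns_poison(listener_ora, sqlnet_ora, listener="LISTENER"):
    """Return the workarounds found; an empty list means none is configured."""
    lsn, net = parse_ora(listener_ora), parse_ora(sqlnet_ora)
    found = []
    if lsn.get(f"DYNAMIC_REGISTRATION_{listener}") == "OFF":
        found.append("dynamic registration off")
    # COST: registrations are accepted only over the listed transports; plain TCP
    # must not be among them (IPC = local system only, TCPS = SSL with certificates)
    protocols = set(re.findall(r"[A-Z]+", lsn.get(f"SECURE_REGISTER_{listener}", "")))
    if protocols and "TCP" not in protocols:
        found.append("COST: " + "/".join(sorted(protocols)))
    # Valid node checking only restricts which hosts may talk to the listener at all
    if net.get("TCP.VALIDNODE_CHECKING") == "YES" and net.get("TCP.INVITED_NODES"):
        found.append("valid node checking")
    return found

# Constructed sample configurations (hostnames and addresses are made up)
WEAK_LISTENER_ORA = """LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))
    )
  )
"""
HARDENED_LISTENER_ORA = WEAK_LISTENER_ORA + "SECURE_REGISTER_LISTENER = (IPC)\n"
HARDENED_SQLNET_ORA = """TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (dbhost, appsrv01, 192.0.2.10)   # all valid clients
"""

if __name__ == "__main__":
    print("weak:", audit_tns_poison(WEAK_LISTENER_ORA, ""))
    print("hardened:", audit_tns_poison(HARDENED_LISTENER_ORA, HARDENED_SQLNET_ORA))
```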

Strategy

I recommend installing the latest CPU / PSU as well as one of the workarounds mentioned above. In general it is good advice to switch off remote registration if it is not used, e.g. for RAC.

What to do when the workaround is not available for the database release, e.g. 9i databases? From the security point of view I recommend upgrading the database to the latest supported major release within a useful time.

Web Sources

Web sources around this topic.

iPad Apps

For once I do not write anything related to Oracle Database Technologies and Security. After having been asked from time to time what I’ve installed on my iPad or what I could recommend, it is time to put things together again. It is not an “All-time best iOS app list” nor is the list exhaustive. It is just my personal experience at the time of writing. Some apps are just for the iPad and some are for the iPhone as well. About the price I cannot make any statements, but I try to rate them at least with free, costs or free/costs, where free/costs means that there are two versions available.

My must haves

Apps which I regularly use.

App (iTunes link) | Costs | Comment
AroundMe | free | Information about what’s around me, e.g. restaurants, bars etc.
Evernote | free | Collect and access your links, notes etc. on the iPad and sync them with your Mac
Facebook | free | Official Facebook app. There are others around but it’s a good one to start with
Flipboard | free | My favorite to read news, Twitter, etc.
iBooks | free | Must have for eBooks, PDFs etc.
Instapaper | free | Collect web links and read them later
PCalc RPN | free/costs | My RPN calculator and replacement for the HP 48sx
Remote | free | Remote from Apple for Apple TV and iTunes
Schweizer Fernsehen | free | Information, news, TV program etc. from the Swiss broadcasting service
Swiss Phone | free | Swiss phone book
Twitter | free | Twitter client
| free/costs | eVersion of the Tagesanzeiger newspaper

Business

Serious apps for business. Ok, in some cases I just thought I need them for work…

App (iTunes link) | Costs | Comment
Numbers | costs | Apple’s spreadsheet app
Oracle | free | Oracle News app
Oracle Magazine | free | Oracle Magazine
Keynote | costs | Apple’s presentation app
GoodReader | costs | Read and update all kinds of documents, access Dropbox, iCloud and WebDAV
OmniFocus | costs | Task manager with iPhone and Mac synchronisation
OmniGraffle | costs | Diagramming, charting, and visualization software for iOS
OmniGraphSketcher | costs | More drawing
Pages | costs | Apple’s word processing app
Quickoffice Pro HD | costs | App to view and edit Office documents, with WebDAV and Dropbox access
Swiss Map Mobile | costs | Maps of Switzerland. I mean real maps, not just funny pictures, but expensive…
iOf | free | App for the Swiss army. Coordinates, regulations, SNORDA etc.
Dropbox | free | Access and view documents in your Dropbox account
Penultimate | costs | Notes and sketches
Reeder for iPad | costs | Newsreader for iPad and iPhone
iKeePass | costs | Password management storing the passwords in a KeePass database
Textastic | costs | Text editor with syntax highlighting for different languages (C, Perl, SQL etc.)
WordPress | costs | iOS app to view and edit WordPress posts, pages etc.
F5 BIG-IP Edge Client | free | Open a VPN over F5 VPN gateways

Gadgets

Ok, these apps are somehow just gadgets :-)

App (iTunes link) | Costs | Comment
Evri for iPad | free | Something similar to Flipboard
FastFinga | free/costs | Write with your fingers
Find My Friends | free | Locate your friends…
IMDb Movie | free | Need to know anything about a movie or actor?
Find My iPhone | free | Missing your iPhone? Here’s the app to look for it…
Google Earth | free | Google Earth for the iPad
iBrainstorm | free | As the name implies
iCircuit | costs | Must have for an electrical engineer. App to draw and simulate circuits
iPhoto | costs | iPhoto for the iPad. Haven’t used it that much so far
iWeather | costs | Nice weather app
Jumpidoo | free | Simple game from the Swiss rail service. Helpful if you are traveling with children ;-)
SBB Memory | free | Another game from the Swiss rail service. Helpful if you are traveling with children ;-)
NASA App HD | free | Pictures from outer space
Radios | free | Swiss and other internet radios
Skype for iPad | free | Skype, what else….
Wikihood for iPad | free/costs | Wikipedia based travel guide
Wikipanion for iPad | free/costs | Wikipedia for the iPad
ZüriPlan | free | Maps of Zürich: city maps, historical maps etc.

The others

I have them, but in most cases I do not really use them often :-)

App (iTunes link) | Costs | Comment
Activity Monitor Touch | free/costs | Monitor resources on the iPad
Air Display | costs | Use your iPad as a second monitor for your MacBook Pro
Bamboo Paper | free | Notes
Booking.com | free | Booking through booking.com
BlickTV for the iPad | free | Blick TV
Currency | free | Currency converter
Dictionary | free/costs | English / German dictionary
Google Search | free | Google apps and search
Google Translate | free | Interface to Google Translate
iA Writer | costs | Cool way to write on the iPad
Nespresso | free | Simple app to order Nespresso capsules
Kindle | free | Kindle reader
On AIR | free | TV schedules
Photogene | costs | Photo editing similar to iPhoto
Rezepte | costs | Collection of recipes
Schweizer Spezialitäten | costs | Swiss recipes
Swiss Info | free | Swiss news portal
Teletext | costs | Swiss Teletext
TomTom | costs | TomTom navigator for iPhone and iPad
Zattoo | free | Watch TV on your iPad
20 Minuten | free | News portal of 20 Minuten

There are a few more apps, but I ran out of time….

Feel free to drop me a line about your favorite apps for the iPad.

Oracle Database Security Seminar – New dates

After the two Database Security Seminars in February, Oracle plans two more events in June. I’ll participate with the presentation “Oracle Security – How much should it be?” as already posted in the older blog post Oracle Database Security Seminar – Wieviel darf es denn sein?. The event and presentation are again in German, but a set of slides will be available in English.

Event Information

Event announcement and description on the Oracle website.

Abstract

  • Data theft – a risk for you too?
  • But how high is the risk?
  • And which (sensible!) measures are there to reduce the risk?

This talk presents a questionnaire-based approach to a risk analysis, based on whose results the databases are divided into security classes (public, internal, confidential). In a second step the risks per class are defined, together with the measures to reduce them. The goal of the talk is that you learn to classify databases (you know their protection needs and the acceptable residual risk). In addition you will see the implementation of the necessary measures in a practical example.

Slides

The updated slides can be downloaded from this website after the event. Slides from the last events in Düsseldorf, Berlin and Basel are already available.

Important links around the Oracle CPU / PSU April 2012

I’ve been out of the office when the April CPU / PSU was officially released by Oracle and missed writing a blog post. Nevertheless I’ll now take the chance to put a few pieces of information and links around the latest CPU together.
The current CPU / PSU patches are available for 10g and 11g, whereby the download of 10g patches is only possible with a corresponding Extended Support contract.
Overall Oracle addressed 88 vulnerabilities across several Oracle products in this security advisory. 6 of these fixes are just for the Oracle Database Server and one is for client-only installations. The maximum CVSS base score for pure Oracle Database Server vulnerabilities is 9.0, which is quite high. But the big bang is not the security fixes with a CVSS of 9.0 but old vulnerabilities which are not fixed. Oracle addressed them with a dedicated alert, Oracle Security Alert for CVE-2012-1675. The alert is related to an issue identified by Joxean Koret sometime in 2008 and known as TNS Poison. I’ll post a few comments on this later this week.

Affected database component according to the Database Server Risk Matrix:

  • Core RDBMS (mainly Oracle Net)
  • OCI
  • Application Express
  • Enterprise Manager Base Platform

The Database Server patches are available for Oracle Database 11g Release 2 (11.2.0.2, 11.2.0.3), Oracle Database 11g Release 1 (11.1.0.7) and Oracle Database 10g Release 2 (10.2.0.3, 10.2.0.4, 10.2.0.5). There is no patch available for Oracle Database 10g Release 1 (10.1.0.5).

A bunch of useful links around the current CPU / PSU:

As well as a few generic links about CPU / PSU: