During the setup of the current audit vault agent 12.1.1 on AIX, I’ve run into issues. Depending on the configuration of the AIX environment, the agent can not be installed at all.
avagent@host:/u00/app/avagent/ [avagent] java -jar agent.jar -d /u00/app/avagent/product/avagent
/u00/app/avagent/product/avagent/bin/agentctl: LOGNAME: is read only
Error while executing command: [sh, /u00/app/avagent/product/avagent/bin/agentctl, fixperms]
The problem is in the for loop on line 56 of agentctl, where it tries to unset environment variables. Specifically, the environment variable LOGNAME cannot be unset. On our AIX system, LOGNAME has been defined as read-only in /etc/profile.
# Unset all env vars
for var in `$ENV | $SED 's#=.*##'`; do
$ECHO $var | $EGREP "$passthru" > /dev/null
# If no match, i.e. not a passthru then unset
if [ $? -eq 1 ]; then
Change OS default profile
One solution would be to change the default profile on the OS. For this just open /etc/profile and comment out line 37. But I assume for most of us it is not an option to change the default profile.
# System wide profile. All variables set here may be overridden by
# a user's personal .profile file in their $HOME directory. However,
# all commands here will be executed at login regardless.
trap "" 1 2 3
Change the audit agent
The alternative solution is to update the agent.jar and fix agentctl. Get the current agent.jar from the Audit Vault server and extract the agentctl script.
jar -xf agent.jar bin/agentctl
Update agentctl and add LOGNAME to the list of pass-through variables on line 46.
# Passthrough env vars
# Note: we passthru any vars with "-" invalid character
Put the updated agentctl script back to the agent.jar and run a regular installation.
jar -uf agent.jar bin/agentctl
The problem was reported to Oracle and can be tracked using the bug number 17058352.
By the way, if you’re using multi-line shell prompts, agentctl will fail on the same code on any OS. Here a simple workaround is to set a single-line prompt.
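A guarded version of the unset loop, as an added example that is not Oracle's agentctl code: it skips read-only variables instead of failing on them and ignores the continuation lines that a multi-line value such as a two-line prompt produces in env output. The names PASSTHRU, env_names and scrub_env and the sample values are assumptions.

```shell
#!/bin/sh
# Added example; PASSTHRU, env_names and scrub_env are hypothetical names,
# not identifiers from Oracle's agentctl.

# Variables to keep (space separated). PATH stays so env/sed remain usable.
PASSTHRU="PATH HOME"

# Print one valid variable name per line. `env` prints a multi-line value
# (for example a two-line PS1) across several lines; continuation lines that
# do not look like NAME=value are dropped instead of being fed to unset.
env_names() {
    env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p'
}

# Unset every non-passthru variable. Read-only ones are collected in SKIPPED
# rather than unset: `unset` is a special built-in, and its failure on a
# read-only variable can abort a non-interactive POSIX shell.
scrub_env() {
    SKIPPED=""
    for var in $(env_names); do
        case " $PASSTHRU " in *" $var "*) continue ;; esac
        # Probe in a subshell first so a failure cannot kill this shell.
        if (unset "$var") 2>/dev/null; then
            unset "$var"
        else
            SKIPPED="$SKIPPED $var"
        fi
    done
}

# Demo in a subshell so the caller's environment is left alone.
# Constructed input: a read-only LOGNAME and a two-line PS1.
(
    LOGNAME=avagent; export LOGNAME; readonly LOGNAME
    PS1='line one
$ '; export PS1
    scrub_env
    echo "kept read-only:$SKIPPED"
)
```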
I’ve just uploaded the slides for my lecture Oracle 12c new security features, as I had promised in my previous posts. (See also DOAG 2013 Datenbank or DOAG SIG Security). The slides are a consolidation of my presentations on the New Security Features in the latest generation of Oracle Database and do not reflect 1:1 the slides at the different events.
Yet a short summary of new security features
- Oracle Data Redaction, Advanced Security feature to prevent display of sensitive data.
- Support for Secure Hash Algorithm SHA-2 for DBMS_CRYPTO and the password hash.
- New unified auditing and audit policies.
- Privilege Analysis, to analyse who is using which privileges and clean up authorization.
- New administration privileges like SYSBACKUP, SYSDG and SYSKM to reduce the dependence on SYSDBA and improve separation of duty.
- Database Vault persistent protections, DB Vault no longer depends on executables.
There is much more just on security. The full list of new features is available in the New Features Guide 12c Release 1 (12.1). Oracle 12c is a release with more security innovations than any in a long time. So let’s discuss the good, the bad and the mad….
If you plan to take a training have a look at the Trivadis Oracle Database 12c Techno Circle.
As I announced a while ago in SOUG Special Interest Group Baden March 21st, I’ll speak again about some improvements in the latest generation of Oracle Database. The content of the presentation is a mixture of the presentations I’ve given at SOUG SIG Baden and DOAG SIG Security Munich. It covers the following possible new features. The features will be explained by several practical examples.
- Data Redaction
- Unified Database Auditing
- Role and Privilege Analysis
More Information on the Event is available on the DOAG website.
Due to the fact that this presentation contains preliminary information, the slides will not be available for download yet. But I will make the download link available once the dust settles on the latest Generation of Database Technology…
Just a couple of hours ago I gave a presentation about the latest Generation of Database Technology at the DOAG SIG Security in München. It is a sneak preview of a few upcoming security improvements. Unfortunately I do not yet have permission to provide the presentation for download. But I will make the download link available once the dust settles on the latest Generation of Database Technology…
so stay tuned.
In about two weeks I will participate in the SOUG special interest group at Baden. I will present a paper entitled “New Security Features in latest generation of Oracle Database“, where latest generation of Oracle Database does not stand for another Oracle 11g release. But that’s another story…
The aim of the presentation is to provide a range of information on new security features as they could be released with the latest generation of Oracle Database. It covers the following possible new features.
- Data Redaction
- Unified Database Auditing
- Role and Privilege Analysis
- Improved Database Vault
- Database Application Security Architecture
- Improved Key Management
- New OS Roles
Have a look at the SOUG Webpage for a detailed Agenda of the Event and the location. Looking forward to seeing you there.
Due to the fact that this presentation contains preliminary information, the slides will not be available for download. It is a must to personally attend the SIG SOUG. If you do not have time to participate in the SOUG event, you have a second chance later this year. I’ve planned a similar presentation for the DOAG Event in Düsseldorf. More on that later.
As announced in my post about Oracle’s pre-release announcement of last week, Oracle has now released the first Critical Patch Update for 2013. Overall this CPU contains 86 new security fixes across several Oracle products like Database Server, MySQL Server, Sun Product Suite, WebLogic Server etc. For products like Oracle Database Mobile it contains quite a few critical security fixes with a CVSS rating of 10. On the other hand, there is just one security fix for regular Oracle database servers. This security fix relates only to the Spatial option. For Oracle database servers that do not use the Spatial option, this CPU is not so critical. It’s probably worth waiting for the CPU April 2013.
CPU Release Dates
The next four Critical Patch Updates will be released at the following dates:
- 16 April 2013
- 16 July 2013
- 15 October 2013
- 14 January 2014
Links all around Critical Patch Update:
In the hustle and bustle of the Christmas season, it went unnoticed that Oracle had released a new version of Oracle Audit Vault, or rather Oracle Audit Vault and Database Firewall. This weekend I found some time to take a first look at the new release.
About a year ago Oracle released the Audit Vault Server 10.3 (see New release of Oracle Audit Vault). During this update Oracle mainly moved internally to a 188.8.131.52 database. The architecture has remained more or less the same. But this has changed now. Oracle is trying to complete its security portfolio. Therefore Oracle has merged the two products Oracle Audit Vault and Oracle Database Firewall into the new Oracle Audit Vault and Database Firewall. From the security officer's point of view it is definitely more interesting to have only one platform. On the other hand, a software appliance is one of the favorites of the DBA and Unix admins. What about updates, HA, backup & recovery etc? I’ll try to consider these thoughts in a later post on installing and configuring the new Oracle Audit Vault and Database Firewall.
Some short notes on the new features:
- Oracle Audit Vault and Database Firewall is released as a software appliance-based platform
- Internally Oracle uses Oracle 184.108.40.206 including Advanced Security and Database Vault to enforce database security and segregation of duties
- One simple setup does install and configure the operating system, software, database, web frontend etc
- Audit Vault Agents for:
- Oracle Database 10g
- Oracle Database 11g
- Microsoft SQL Server 2000
- Microsoft SQL Server 2005
- Microsoft SQL Server 2008
- Sybase Adaptive Server Enterprise (ASE) versions 12.5.4 to 15.0.x
- IBM DB2 version 9.x (Linux, UNIX, Microsoft Windows)
- Solaris operating system
- Oracle ACFS
- Microsoft Windows Server 2008
- Microsoft Windows Server 2008 R2
- Microsoft Active Directory 2008
- Microsoft Active Directory 2008 R2 on 64 bit
As initially mentioned, Audit Vault and Database Firewall are moving closer. Oracle Audit Vault is now also the data storage and analysis platform for the Oracle Database Firewall. The former Database Firewall Management Server is eliminated and replaced with Oracle Audit Vault.
An important note here is that Oracle Audit Vault can no longer be installed on different platforms as before. It is rather a software appliance like the Oracle Database Firewall. The license for each Oracle Audit Vault and Oracle Database Firewall always includes a license for Oracle Enterprise Linux as well. To install it, only the appropriate hardware is required. This can be a virtual or a physical host. To set up my test environment, I’ve used virtual servers as usual.
Oracle AVDF Requirements
To install Oracle AVDF the following minimal hardware requirements must be met. See also the online installation guide for more details on the installation requirements, in particular for the supported secured target products (agents).
- x86 64-bit Server
- 2 GB RAM
- single hard drive 125 GB
- 1 NIC for Audit Vault Server
- 1 NIC for Database Firewall Proxy Mode
- 2 NICs for Database Firewall DAM Mode (monitoring)
- 3 NICs for Database Firewall DPE Mode (blocking)
In addition to the hardware the following software is required to begin the installation:
- Oracle Linux Release 5 Update 8 for x86_64 (64 Bit) V31120-01 (3.7GB)
- Oracle Audit Vault and Database Firewall (220.127.116.11.0) – Server V35715-01 (3.4GB)
- Oracle Audit Vault and Database Firewall (18.104.22.168.0) – Database Firewall V35716-01 (3.1GB)
The server cannot be used for other activities; setup of either Oracle Audit Vault or Oracle Database Firewall will completely reimage the server. But I’ll post more details on the installation later this month.
Links all around the new Oracle Audit Vault and Database Firewall…