AVDF installation ISO

Due to some problems during the installation of Oracle Audit Vault and Database Firewall 12.1.2 (see AVDF installation fails on HP server with Smart Array Disk Controller), I’ve looked at the AVDF ISO image and its kickstart setup.

AVDF 12.1.2 is based on Oracle Enterprise Linux 5.9. To set up or upgrade AVDF, the system has to be booted from the AVDF ISO. The ISOLINUX bootloader menu offers a simple choice between installation, upgrade and memory test.
[Image: AVDF_12.1.2.0.0_setup01 (ISOLINUX boot menu)]
As you can see in the picture, it is also possible to specify the boot options directly at the prompt.
The boot loader menu itself is configured in the isolinux.cfg file. Looking at the file reveals how an installation or an upgrade is started: both use their own kickstart file.

default memtest86

prompt 1
display boot.msg

F1 boot.msg

label install
kernel vmlinuz
append noipv6 initrd=initrd.img ramdisk_size=8192 ks=file:/kickstart/kickstart.cfg noshell

label upgrade
kernel vmlinuz
append noipv6 initrd=initrd.img ramdisk_size=8192 ks=file:/kickstart/update.cfg noshell

label memtest86
kernel memtest
append -

A special note: Oracle disables the shell on virtual console 2 (Alt-F2) with the noshell boot option. If you want to use console 2 during the installation, you have to enter the boot options manually at the prompt without noshell. Be aware that an enabled shell on console 2 gives anyone at the console root access to the installer environment; a system with such a shell should not be left unattended. An example can be seen in the picture above.
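As an added example (my own, not part of the original post), a small Python check over an isolinux.cfg like the one above: it parses the label stanzas and reports installer entries that boot a kickstart file without the noshell option. The config text is a copy of the file shown above.

```python
# Copy of the AVDF 12.1.2 isolinux.cfg shown above (embedded here for the demo).
ISOLINUX_CFG = """\
default memtest86
prompt 1
display boot.msg
F1 boot.msg

label install
kernel vmlinuz
append noipv6 initrd=initrd.img ramdisk_size=8192 ks=file:/kickstart/kickstart.cfg noshell

label upgrade
kernel vmlinuz
append noipv6 initrd=initrd.img ramdisk_size=8192 ks=file:/kickstart/update.cfg noshell

label memtest86
kernel memtest
append -
"""

def parse_isolinux(text):
    """Return {label: {"kernel": str, "append": [options]}} for each label stanza.
    Global directives (default, prompt, display, F1) are skipped."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "label":
            current = entries.setdefault(value.strip(), {"kernel": "", "append": []})
        elif current is not None and key.lower() == "kernel":
            current["kernel"] = value.strip()
        elif current is not None and key.lower() == "append":
            current["append"] = value.split()
    return entries

def kickstart_entries_without_noshell(text):
    """Labels that boot a kickstart installer (ks=...) but do not pass noshell,
    i.e. entries that would leave the root shell on console 2 enabled."""
    return sorted(
        label for label, e in parse_isolinux(text).items()
        if any(o.startswith("ks=") for o in e["append"]) and "noshell" not in e["append"])
```

Run against the ISO's own file the check returns an empty list; it is meant for re-checking a customised or re-mastered boot configuration.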

The kickstart files are part of initrd.img, which is used during the boot process. The image has to be unpacked first: it is a gzip-compressed cpio archive.

Rename and unpack the image:

mv initrd.img initrd.gz
gunzip initrd.gz

Then extract the files from the initrd using cpio:

mkdir initrd_work
cd initrd_work
cpio -id < ../initrd
31570 blocks

Now we can see the content of initrd.img, in particular the kickstart directory.

ls
bin etc kickstart proc selinux tmp
dev init modules sbin sys var
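An added example (my own, not from the post): a minimal Python reader for the gzip-compressed cpio image, which lists the archive and pulls out the kickstart files without gunzip or cpio. It assumes the newc ("070701") cpio variant that Linux initrds use; the sample image is constructed inline by a small writer, with names mirroring the ISO's kickstart directory and placeholder contents.

```python
import gzip

def _newc_entry(name, data, mode=0o100644):
    """Build one newc cpio entry (used only to construct the sample image)."""
    name_nul = name.encode() + b"\0"
    fields = (0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_nul), 0)
    header = b"070701" + "".join(f"{v:08x}" for v in fields).encode()
    pad = lambda n: b"\0" * (-n % 4)   # header+name and data are 4-byte aligned
    return header + name_nul + pad(110 + len(name_nul)) + data + pad(len(data))

def build_sample_initrd():
    """Constructed stand-in for the AVDF initrd.img (gzip-compressed newc cpio).
    Names mirror the ISO's kickstart directory; contents are placeholders."""
    body = (_newc_entry("init", b"#!/bin/sh\n", 0o100755)
            + _newc_entry("kickstart/kickstart.cfg", b"# fresh installation\n")
            + _newc_entry("kickstart/update.cfg", b"# upgrade\n")
            + _newc_entry("TRAILER!!!", b""))
    return gzip.compress(body)

def iter_newc(blob):
    """Yield (name, data) for each newc cpio entry, stopping at the trailer."""
    pos = 0
    while pos + 110 <= len(blob):
        header = blob[pos:pos + 110]
        if header[:6] != b"070701":
            raise ValueError(f"bad newc magic at offset {pos}")
        fields = [int(header[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name = blob[pos + 110:pos + 110 + namesize - 1].decode()  # drop the NUL
        data_start = pos + 110 + namesize
        data_start += -data_start % 4
        if name == "TRAILER!!!":
            return
        yield name, blob[data_start:data_start + filesize]
        pos = data_start + filesize
        pos += -pos % 4

def list_initrd(initrd_bytes):
    """Entry names of a gzipped initrd in archive order (what `cpio -t` prints)."""
    return [name for name, _ in iter_newc(gzip.decompress(initrd_bytes))]

def kickstart_files(initrd_bytes):
    """Return {name: text} for the kickstart files inside a gzipped initrd image."""
    if initrd_bytes[:2] != b"\x1f\x8b":   # gzip magic; the rename-to-.gz step relies on it
        raise ValueError("image is not gzip-compressed")
    entries = iter_newc(gzip.decompress(initrd_bytes))
    return {name: data.decode() for name, data in entries if name.startswith("kickstart/")}
```

Pass the bytes of a real initrd.img to list_initrd or kickstart_files to inspect it in place.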

References

Further information on this topic.

Trivadis PL/SQL & SQL CodeChecker

A couple of days ago Trivadis released the Trivadis PL/SQL & SQL CodeChecker (tvdcc) as a SQL Developer extension. TVDCC checks the editor content for violations of the Trivadis PL/SQL & SQL Coding Guidelines Version 2.0.

Quote from the blog post of my work colleague:

Furthermore McCabe’s cyclomatic complexity, Halstead’s volume, the maintainability index and some other software metrics are calculated for each PL/SQL unit and aggregated on file level.

The results are presented in an additional tabbed panel. One tab shows all guideline violations to quickly navigate to the corresponding code position, the other tab contains a full HTML report, which also may be opened in your external browser.

[Image: Tvdcc sqldev report]

It is a convenient tool, especially if you do not regularly develop PL/SQL code.

References

Additional information and links related to the Trivadis PL/SQL & SQL CodeChecker.

Audit Vault and Database Firewall 12.1.2

Oracle has just released a new version of its Oracle Audit Vault and Database Firewall. The new release is immediately available on Oracle’s Software Delivery Cloud. It looks like Oracle added a number of enterprise-grade features such as iSCSI SAN disks, NFS storage and syslog integration. Starting with this release, the Audit Vault repository is again protected by Database Vault.

The installation / update is done in the same way as for the other AVDF versions: download the ISO, reboot the AVDF server and initiate an upgrade. But be careful not to initiate an installation, as this would erase your system and data.

Somewhat unusually, the ISO image is split into two parts, which have to be merged before use.

  1. Unzip the images avs-installer-disc-12.1.2.0.0.iso00 and avs-installer-disc-12.1.2.0.0.iso01
  2. Combine the two files to create a single .iso

Combine the two files to create a single .iso on Windows:

copy /b avs-installer-disc-12.1.2.0.0.iso00+avs-installer-disc-12.1.2.0.0.iso01 avs-installer-disc-12.1.2.0.0.iso

Combine the two files to create a single .iso on Linux:

cat avs-installer-disc-12.1.2.0.0.iso00 \
avs-installer-disc-12.1.2.0.0.iso01 > avs-installer-disc-12.1.2.0.0.iso

Oracle Audit Vault and Database Firewall 12.1.2 New Features

According to the Release Notes, the following features are available as of 12.1.2:

  • Configure the Audit Vault Server to use an external iSCSI SAN server to store the audit event repository and system data
  • The Audit Vault Agent is updated automatically when the Audit Vault Server is upgraded or a patch is applied
  • Store archive data in a Network File Share (NFS) location
  • Entitlement reports include data specific to Oracle Database 12c
  • Database Vault is automatically enabled and configured in the Oracle Database embedded in the Audit Vault Server. This further strengthens security by restricting privileged access to the Oracle Database for all users including those with administrative access
  • Password hashing has been upgraded to a more secure standard. Change your passwords after upgrade to take advantage of the more secure hash
  • The Audit Vault Agent deployment procedure has been simplified. Registering a host in the Audit Vault Server automatically generates an Agent activation key, and therefore, the step requesting Agent activation is no longer required
  • Adding and updating a secured target location has been simplified in the Audit Vault Server administrator console UI
  • Define policy alerts to be forwarded to syslog
  • Download diagnostics log files from the Audit Vault Server UI
  • The Audit Vault Agent is supported on 32-bit Linux and Windows platforms
  • Oracle Database 9i is supported for Database Firewall
  • MySQL 5.6 is supported on the Database Firewall
  • Migration path from Oracle Audit Vault 10.3 to AVDF 12.1.2. See MOS Note 1666742.1

References

Some links related to this post.

As soon as the download of the images is done, I’ll start testing the new release on my test AVDF server. So stay tuned…

Update: Oracle and OpenSSL ‘Heartbleed’ vulnerability

While writing a post about the new Critical Patch Advisory I discovered that Oracle has made the information about the OpenSSL vulnerability publicly available. The information from MOS Note 1645479.1 has been moved to OpenSSL Security Bug – Heartbleed CVE-2014-0160.

So far it looks like Oracle Databases are not affected, since they do not use OpenSSL. On the other hand, products like Oracle Wallet Manager and EM Base Platform are still under investigation. We’ll know more once Oracle has completed its investigations.

Oracle released CPU / PSU April 2014

As announced last week in my post Oracle CPU / PSU Pre-Release Announcement April 2014, Oracle has now released the Critical Patch Update for April 2014. Overall this CPU contains 104 new security fixes across several Oracle products such as Database Server, MySQL Server, Sun Product Suite and WebLogic Server. For the Oracle Database it contains only 2 security fixes, one of which has a very high CVSS rating; however, it only affects installations on Windows. On that platform it is recommended to install the patch bundle as soon as possible. Nevertheless it is certainly advisable to install the patches on Unix/Linux-based systems as well.

As could be expected, Oracle did not add any information about the OpenSSL issue to its current Critical Patch Advisory. I assume this is because the vulnerability was announced only a few days ago. As discussed in my post Oracle and OpenSSL ‘Heartbleed’ vulnerability, Oracle is tracking information about this issue in MOS Note 1645479.1 OpenSSL Security Bug-Heartbleed.

CPU Release Dates

The next four Critical Patch Updates will be released on the following dates:

  • 15 July 2014
  • 14 October 2014
  • 20 January 2015
  • 14 April 2015

References

As usual there are a bunch of links and MOS Notes around the critical patch update available:

  • Oracle Critical Patch Update Advisory – April 2014
  • Patch Set Update and Critical Patch Update April 2014 Availability Document [1618213.1]
  • Oracle Critical Patch Update April 2014 Documentation Map [1637289.1]
  • Critical Patch Update April 2014 Database Known Issues [1615881.1]
  • Critical Patch April 2014 Database Patch Security Vulnerability Molecule Mapping [1615882.1]
  • Critical Patch Update April 2014 Oracle Fusion Middleware Known Issues [1618208.1]
  • Oracle Critical Patch Updates and Security Alerts on OTN

Oracle and OpenSSL ‘Heartbleed’ vulnerability

Earlier this week the OpenSSL Project as well as US-CERT informed about a security vulnerability in OpenSSL; see the OpenSSL Security Advisory or US-CERT Alert (TA14-098A). The vulnerability may affect Oracle products as well, since some of them use OpenSSL. So far Oracle has not provided dedicated information on its public Critical Patch Updates and Security Alerts web page. But there is MOS Note 1645479.1 OpenSSL Security Bug-Heartbleed, which contains a list of affected products and seems to be updated regularly. Nevertheless you have to open a service request to get information on possible workarounds or to get a patch.

Fortunately not all products use the latest OpenSSL versions. Oracle Audit Vault and Database Firewall, for instance, still uses OpenSSL 0.9.8:

[support@melete ~]$ openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
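An added example (my own, not from the post): a classifier for `openssl version` output like the line above, using the upstream OpenSSL release range affected by CVE-2014-0160. The docstring carries the caveat a practitioner needs: vendor builds backport fixes without changing the version string, so a match is a lead to verify, not a finding.

```python
import re

# Upstream OpenSSL releases with the TLS heartbeat bug (CVE-2014-0160): 1.0.1 up to and
# including 1.0.1f, plus the 1.0.2 betas. The 0.9.8 and 1.0.0 branches never contained
# the heartbeat code; 1.0.1g is the fixed release.
_VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(\S*)")

def parse_openssl_version(output):
    """Split the first line of `openssl version` into (major, minor, fix, letter, suffix).
    For 'OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008' this gives (0, 9, 8, 'e', '-fips-rhel5')."""
    m = _VERSION_RE.match(output.strip())
    if not m:
        raise ValueError(f"unrecognised `openssl version` output: {output!r}")
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    return major, minor, fix, m.group(4), m.group(5)

def heartbleed_status(output):
    """Return 'likely-affected' or 'not-affected' for one `openssl version` line.

    'not-affected' is reliable: those branches never shipped the heartbeat code.
    'likely-affected' is only a lead: distributions backport the fix without bumping
    the upstream version string (a '-fips' or distro suffix marks such a vendor build),
    so confirm via the package changelog before treating it as a finding."""
    major, minor, fix, letter, _suffix = parse_openssl_version(output)
    in_101_range = (major, minor, fix) == (1, 0, 1) and letter <= "f"
    in_102_beta = (major, minor, fix) == (1, 0, 2) and "beta" in output
    return "likely-affected" if (in_101_range or in_102_beta) else "not-affected"
```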

References

Some links related to the OpenSSL Heartbleed issues.

Trivadis CBO Days 2014

CBO Days 2014
The company I work for, Trivadis, is again organizing an exceptional event with top speakers in Zurich. This year’s focus will be on the Oracle Database query optimizer, also known as the cost-based optimizer (CBO).

The query optimizer is not only one of the most complex pieces of software in the Oracle kernel; it is also one of the most unappreciated. Why? To take full advantage of the query optimizer, you definitely need to understand how it works. This is exactly what we are aiming for at the CBO Days.

The event will take place on June 10 and 11 in Zurich. More information on the event, including the full agenda and registration, is available on the Trivadis website.

Oracle CPU / PSU Pre-Release Announcement April 2014

Today Oracle has published the Pre-Release Announcement of the CPU Advisory for April 2014. This Critical Patch Update contains 103 new security vulnerability fixes for several Oracle products. Only a few days have passed since the publication of the vulnerability CVE-2014-0160, known as “Heartbleed”. Therefore I assume that this patch update does not yet address the corresponding vulnerability.

Nevertheless it seems to contain bug fixes for some major security issues. From the Oracle database point of view it is a small update. There are only two security bug fixes for the Oracle Database Server and none for client-only installations. But one of the vulnerabilities has a CVSS rating of 8.5 and affects the Core RDBMS. The vulnerabilities in Oracle Java SE are rated even higher, with a 10.0 out of 10.0.

We will see all the details next Tuesday when Oracle officially releases the Critical Patch Update for April 2014. Next week I’ll have a closer look and do some test installations.

More details about the patch will follow soon on the Oracle Security Pages.

Get rid of Adobe PDF Viewer plugin in Safari

Recently I had to install the Adobe Acrobat Reader on my MacBook Pro. As usual, I was in a hurry and had no time to complete the installation. Since then Safari always uses the Acrobat PDF Viewer plugin to display PDFs. Because I prefer using Mac OS Preview to view PDF files, it is time to get rid of the Acrobat plug-in.

Nothing easier than that…

… just open Terminal, go to the Library folder and remove the corresponding Acrobat Internet Plug-Ins.

cd "/Library/Internet Plug-Ins/"
sudo rm -rf AdobePDFViewer*

Oracle CPU / PSU Pre-Release Announcement January 2014

Today Oracle has published the Pre-Release Announcement for the first CPU in 2014. This Critical Patch Update contains 147 new security vulnerability fixes for several Oracle products. From the Oracle database point of view it is a small update. There are only five security fixes for the Oracle Database Server and none for client-only installations.

Although the CVSS rating of these vulnerabilities is 5.0, it looks as if there is no hurry to install this security fix in most database environments. Whether this is true, we’ll see next Tuesday when Oracle officially releases CPU / PSU January 2014. Next week I’ll have a closer look.

More details about the patch will follow soon on the Oracle Security Pages.