Tag Archives: Trivadis Content

Blog posts also posted on the Trivadis Blog (TriBlog)

Enterprise Manager Cloud Control 12c Release 1

Thanks to twitter, blog posts from friends, Oracle iPad App and other resource it is quite easy to stay up to date on the latest news from the OOW. Ok, I’ll miss some life sessions and OOW receptions and parties. But hey on the other hand I can download the latest software on a high speed internet connection and do the first test 🙂

As I mentioned in the excerpt of this post, Oracle introduced the new Enterprise Manager now named Oracle Enterprise Manager Cloud Control 12c Release 1 (12.1.0.1). Oracle has already released version for Linux x86-64, which can be downloaded from OTN (Oracle Enterprise Manager Downloads). For know I’ll download the software and start some first tests. The first impression and results will be posted later this week. At least for know it looks like the 2 EMCC Zip archives (2,5-3GB each) contain everything you need to run the OMS exempt the OS and the repository database. No more search for the right JVM and WLS server.

Resources

Links all around the Enterprise Manager, software, presentations and documentation:

Requirements

A few Requirements taken from Oracle® Enterprise Manager Cloud Control Basic Installation Guide. The Certification Matrix is so fare not yet available on Metalink…

Mmh a small side comment, the above two presentations can be found via google, but the footnote has confidential oracle. I guess they use to be confidential before 4th october.

More details will come….

Update Oracle 11.2.0.3.0 Patchset released

As promised by Björn the in his comment the Patchset 11.2.0.3.0 has been released this weekend for Solaris SPARC 64 and Solaris x86-64. Check out the Metalink Note 11.2.0.3 Patch Set – Availability and Known Issues [1348336.1] for more information about the availability. Check out my initial post Oracle 11.2.0.3.0 Patchset released for more details and links to other Metalink Notes.

Oracle 11.2.0.3.0 Patchset released

Since a bit less than a week ago Oracle has released the patchset 11.2.0.3.0 for Oracle 11g Release 2. The current patchset is as well as patchset 11.2.0.2.0 a full installation. This means you will have to download quite a bit from Metalink, altogether 7 files. On My Oracle Support search for patchset 10404530 or follow the link to reach the download page.

So far the patch set is only available for Linux x86 and Linux x86-64bit. The Metalink Note 11.2.0.3 Patch Set – Availability and Known Issues [1348336.1] or the generic ALERT for Oracle 11g Release 2 ALERT: Oracle 11g Release 2 (11.2) Support Status and Alerts [880782.1] will list the patch set for other platforms as soon as they are available.

List of Bugfixes

In the Metalink Note 1348303.1 you find a hell of a long list with bugs fixed in this patchset. I think you would be well advised to test the patchset before installing on production. According to Metalink Note 1348336.1 there are up to now only two notable fixes with potential change in behavior but no new issues introduced in this patchset. But I guess the issues will show up as soon as the Oracle Open World is finished. So check the Metalink Note on updates.

New Features

Compared with previous patch set this one does not include all too many new features. Below a you find a list of the new features included in this patch set.

  • Oracle ACFS Snapshot Enhancements
  • Oracle ACFS Security and Encryption Features
  • Support for ACFS Replication and Tagging on Windows
  • Oracle LogMiner Support for Binary XML
  • SQL Apply Support for Binary XML
  • Oracle LogMiner Support for Object Relational Model
  • SQL Apply Support for Object Relational Model
  • Deprecation of Obsolete Oracle XML DB Functions and Packages
  • Oracle Warehouse Builder Support for Partition DML
  • Enhanced Partitioning Support in Oracle Warehouse Builder
  • Oracle Warehouse Builder External Table Data Pump Support
  • Oracle Warehouse Builder External Table Preprocessor Support
  • Compressed Table and Partition Support in Oracle Warehouse Builder
  • Support for PL/SQL Native Compilation

Details on these new feature are available in the Oracle documentation Oracle Database 11g Release 2 (11.2.0.3) New Features.

Reference

A collection of a few important Metalink Notes, readme and other links related to Patchset 11.2.0.3.0:

  • README for 10404530
  • ALERT: Oracle 11g Release 2 (11.2) Support Status and Alerts [880782.1]
  • 11.2.0.3 Patch Set – Availability and Known Issues [1348336.1]
  • 11.2.0.3 Patch Set – List of Bug Fixes by Problem Type [1348303.1]
  • ANNOUNCEMENT: Deprecating the cursor_sharing = ‘SIMILAR’ setting [1169017.1]
  • Quick Reference to Patchset Patch Numbers [753736.1]
  • Important Changes to Oracle Database Patch Sets Starting With 11.2.0.2 [1189783.1]
  • Information on installing the patch set must be taken from the documentation (Installing and Upgrading) or the Metaling Note: Complete checklist for out-of-place manual upgrade from 11.2.0.1 to 11.2.0.2 [ID 1276368.1] (old only used as reference)

Tablespace quotas are forever

Today I came across a strange behavior of tablespace quotas. I’ve had to create new tablespaces in a test and a development database. So I’ve created a tablespace in each of the databases and informed the developer. His answer: “Great, in development I can create tables, but in test I do not have quota on the tablespace” Ok, I did not set a quota on the newly create tablespaces nor does the user has the privilege UNLIMITED TABLESPACE. But what happened? It seems that tablespace quotas remain even if a tablespace has been deleted. Ok, lets have a closer look.

The initial situation

We assume, that somebody has created a tablespace TEST and granted unlimited quota on this to user SCOTT.

create tablespace TEST datafile '/u01/oradata/PT1120/test01PT1120.dbf' size 5M;

alter user SCOTT quota unlimited on TEST;

select TABLESPACE_NAME,USERNAME,MAX_BYTES,DROPPED 
from DBA_TS_QUOTAS where username='SCOTT';

TABLESPACE_NAME      USERNAME    MAX_BYTES DROPPED
-------------------- ---------- ---------- ----------
TEST                 SCOTT              -1 NO

Let’s drop the tablespace TEST and see what happens to the tablespace and the quota.

drop tablespace TEST including contents and datafiles;

Tablespace dropped.

select TS#,NAME,ONLINE$ from TS$;

       TS# NAME                              ONLINE$
---------- ------------------------------ ----------
         0 SYSTEM                                  1
         1 SYSAUX                                  1
         2 UNDOTBS1                                1
         3 TEMP                                    1
         4 USERS                                   1
         5 EXAMPLE                                 1
         6 TEST                                    3

7 rows selected.

select TABLESPACE_NAME,USERNAME,MAX_BYTES,DROPPED
from DBA_TS_QUOTAS where username='SCOTT';

TABLESPACE_NAME      USERNAME    MAX_BYTES DROPPED
-------------------- ---------- ---------- ----------
TEST                 SCOTT              -1 YES

As you can see the tablespace status in TS$ has chanted from 1 to 3 (dropped). Querying DBA_TS_QUOTAS is now showing in the column DROPPED that the tablespace for which this quota is valid has been dropped. The information in DBA_TS_QUOTA is taken from TS$ and TSQ$.

Somewhen later

Lets create again a tablespace TEST and verify SCOTT’s quota on this new tablespace. In real world this could be after a going live. Or just after quite some time when nobody remember that there use to be a tablespace TEST.

create tablespace test datafile '/u01/oradata/PT1120/test01PT1120.dbf' size 10M;

Tablespace created.

select TABLESPACE_NAME,USERNAME,MAX_BYTES,DROPPED
from dba_ts_quotas where username='SCOTT';

TABLESPACE_NAME      USERNAME    MAX_BYTES DROPPED
-------------------- ---------- ---------- ----------
TEST                 SCOTT              -1 NO

É voila, SCOTT has again access to the newly created tablespace.

Conclusion

From my understanding it looks like an expected behavior. But is it good, bad or ugly? As usual it depends. If a test somewhen becomes a productive database, it its worth to have a look if there are still some quotas hanging around. Just to make sure, that a low privilege user can not suddenly fill up a tablespace. On the other hand it may be handy when the quota remains and we do not have to grant again quota to x users on a newly created tablespace. I tend more towards the safe side. When a quota is not needed or makes no sense, it should be deleted. What are your opinion and experience on this topic?

By the way, the post has started with a movie title as well ended with one. Do you know which two?

Tablespace point in time recovery and Oracle 11.2.0.2

I was quite busy in the past week with customer projects, lecturing backup & recovery lessons and enjoying the summer holidays. Therefore is also quite a lot of time passed since my last blog post. The days are getting shorter and so more time remains for a couple of posts 🙂

Tablespace point in time revocery

Tablespace point in time recovery is used when the data within a tablespace is screwed up and needs to be restored in a point back in time. Rather than restoring the complete database just a part of it is restored. This database part is called auxiliary set and must contain the SYSTEM, SYSAUX, UNDO and affected tablespaces. As soon as the auxiliary set has been restored / recoverd the data can be moved back to the target database. The following image shows the schematic flow.

TSPITR can be executed with the following three options:

  • Full automatic TSPITR: RMAN cares about “almost” everything
  • Customized TSPITR with automatic auxiliary instance: A bit something between full automatic and manual 🙂
  • Manual TSPITR: Still using RMAN but you have to build your own auxiliary database and care about the data move

The issue

In one of my demos, I show a full automatic TSPITR. So far this demo went smoothly and easily through. Since the test database recently has been updated to 11.2.0.2 it was the first TSPITR demo on 11.2.0.2. In the demo I just create a table in the tablespace DATA01, fill the table with data, update the table with some wrong values and start the TSPITR. It is unnecessary to mention that the DB is running in archivelog mode and associated backups are available. For TSPITR I run the following RMAN command: 

recover tablespace DATA01 until sequence=10 auxiliary destination '/u00/app/oracle/admin/TDB01/aux';

After a while RMAN stop’s with the following error:

ORA-39126: Worker unexpected fatal error in KUPW$WORKER.UNLOAD_METADATA [PLUGTS_BLK]
ORA-00904: "Q"."TABOBJ_NUM": invalid identifier
ORA-06512: at "SYS.DBMS_SYS_ERROR", line 95
ORA-06512: at "SYS.KUPW$WORKER", line 8358

Looking a bit deeper into the RMAN output show’s that the error arise, when RMAN start’s to export the tablespace DATA01. My research in MOS yielded a expdp problem in 11.2.0.2. Metalink Note 1273450.1 mention a bug (10185688) introduced with 11.2.0.2 when exporting transportable tablespaces in databases without XDB installed. My test database for RMAN demo’s is a tiny small database with only the most essential components installed. 

select comp_name "Component" from dba_registry;

Component
--------------------------------------------------------------------------------
Oracle Workspace Manager
Oracle Database Catalog Views
Oracle Database Packages and Types

Solution

At the end it the issue is not really an RMAN TSPITR issue but more an expdp problem. In my case the solution was fairly easy. I’ve just installed XDB and re-run the demo again. Alternatively there exists a generic patch and plans for fixing this in 11.2.0.3 and Oracle 12.1.

References and links

A few links mentioned and used in this post:

  • Metalink Note: 1273450.1 Data Pump TTS Export Fails With ORA-39126 & ORA-904
  • Bug: 10185688 TTS export using EXPDP fails if XDB not installed
  • Metalink Note: 1292089.1 Master Note for Oracle XML Database (XDB) Install / Deinstall

Oracle Audit Performance Guide

A while ago I found an Oracle white paper discussing the performance impact of Oracle database audit (Oracle Database Auditing: Performance Guidelines) It’s pretty obvious that Oracle audit can have an impact on performance. But I’ve never compare different audit trails and audit settings in terms of performance. According to the figures it is recommended to use file-based audit trails for performance critical applications rather than database-based. On the other hand database-based audit trails are easier to query and to analyse.

The test in the white paper have been done with a TPC-C like workload which generates aprox 250 audit records per seconds. Unfortunately it was not clearly stated which audit settings has been used to generate this amount of records. Are just 11g standard audit settings used or as well custom defined object auditing?

According to my experience the performance impact isn’t that critical when just a set of system privilege are audited. On the other hand when enabling object auditing for a bunch of objects can cause a high amount of audit records. Therefor it is quite crucial to have a clear idea what to audit when defining the audit concept and the audit trail.

If time permits, I will try to have a closer look into the performance impact of Oracle database audit.

What kind of experience on the performance impact of database audit did you made? Are you using file based audit trails (OS, XML) rather than database audit trails? What do you audit? Just a few system privilege or also a lot of DML on tables? Any feedback / comment is welcome.

Database Audit and Audit trail purging

There are several reason to enable database audit and at least as much reason to not enable database audit. For today I will focus on what can be done after the audit has enabled and how to get rid of the audit data quite easily. It is nothing new nor is it rocket engineering. 🙂 Ok, removing data is mostly a quite easy task, sometimes to easy…
Rather than deleting or truncating the data, I would like to user the procedures provided by DBMS_AUDIT_MGMT. This post is kind of a sequel to my post earlier this february about Manage Audit Trails with DBMS_AUDIT_MGMT

Enable Audit

Ok, first of all we have to set the corresponding init.ora parameter and enable the database audit. In my case I’ll also enable audit of all sys operation. This is not necessary when you plan to use standard audit. I just did it because I restarted the database anyway. ok lame excuse, I will come back again later on.

Set the init.ora parameter:

alter system set audit_sys_operations=true scope=spfile;

alter system set audit_trail=db_extended scope=spfile;

startup force;

show parameter audit

Initialize the audit infrastructure. In this example I’ve initialized the standard audit and set a default interval of 10 days.

BEGIN
  DBMS_AUDIT_MGMT.INIT_CLEANUP(
    AUDIT_TRAIL_TYPE => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    DEFAULT_CLEANUP_INTERVAL => 240 /*hours*/
  );
END;
/

commit;

Create a dedicated tablespace for the audit data and change the location of the audit trail. If this is not done AUD$ will remain in the SYSAUX tablespace.

create tablespace audit_data datafile '/u01/oradata/TDB03/audit01TDB03.dbf' 
size 100M autoextend on next 50M maxsize 5G;

BEGIN
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(
    AUDIT_TRAIL_TYPE => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    AUDIT_TRAIL_LOCATION_VALUE => 'AUDIT_DATA'
  );
END;
/

commit;

Review the audit settings

col PARAMETER_NAME for a30
col PARAMETER_VALUE for a15
col AUDIT_TRAIL for a20
select PARAMETER_NAME, PARAMETER_VALUE, AUDIT_TRAIL 
from DBA_AUDIT_MGMT_CONFIG_PARAMS 
where audit_trail = 'STANDARD AUDIT TRAIL';

PARAMETER_NAME                 PARAMETER_VALUE AUDIT_TRAIL
------------------------------ --------------- --------------------
DEFAULT CLEAN UP INTERVAL      12              STANDARD AUDIT TRAIL
DB AUDIT TABLESPACE            AUDIT_DATA      STANDARD AUDIT TRAIL
DB AUDIT CLEAN BATCH SIZE      10000           STANDARD AUDIT TRAIL

col segment_name for a10
select owner,segment_name,tablespace_name from dba_segments where segment_name ='AUD$';

OWNER                          SEGMENT_NA TABLESPACE_NAME
------------------------------ ---------- ------------------------------
SYS                            AUD$       AUDIT_DATA

Ok, the audit infrastructure has been setup and configured. Now lets enable audit for certain system privilege and objects. The first part of the following audit statements have been taken from $ORACLE_HOME/rdbms/admin/secconf.sql. This script is used in 11g to enable audit during database creation.

audit alter any table by access;
audit create any table by access;
audit drop any table by access;
audit Create any procedure by access;
audit Drop any procedure by access;
audit Alter any procedure by access;
audit Grant any privilege by access;
audit grant any object privilege by access;
audit grant any role by access;
audit audit system by access;
audit create external job by access;
audit create any job by access;
audit create any library by access;
audit create public database link by access;
audit exempt access policy by access;
audit alter user by access;
audit create user by access;
audit role by access;
audit create session by access;
audit drop user by access;
audit alter database by access;
audit alter system by access;
audit alter profile by access;
audit drop profile by access;
audit database link by access;
audit system audit by access;
audit profile by access;
audit public synonym by access;
audit system grant by access;

audit delete on sys.aud$;
audit alter on default;
audit grant on default;

There are a few data dictionary views to review which object and system privilege has audit enabled.

select  * from DBA_STMT_AUDIT_OPTS;

USER_NAME  PROXY_NAME AUDIT_OPTION                 SUCCESS    FAILURE
---------- ---------- ---------------------------- ---------- ----------
                      ALTER SYSTEM                 BY ACCESS  BY ACCESS
                      SYSTEM AUDIT                 BY ACCESS  BY ACCESS
                      CREATE SESSION               BY ACCESS  BY ACCESS
                      CREATE USER                  BY ACCESS  BY ACCESS
                      ALTER USER                   BY ACCESS  BY ACCESS
                      DROP USER                    BY ACCESS  BY ACCESS
                      PUBLIC SYNONYM               BY ACCESS  BY ACCESS
                      DATABASE LINK                BY ACCESS  BY ACCESS
                      ROLE                         BY ACCESS  BY ACCESS
                      PROFILE                      BY ACCESS  BY ACCESS
                      CREATE ANY TABLE             BY ACCESS  BY ACCESS
                      ALTER ANY TABLE              BY ACCESS  BY ACCESS
                      DROP ANY TABLE               BY ACCESS  BY ACCESS
                      GRANT TABLE                  BY ACCESS  BY ACCESS
                      CREATE PUBLIC DATABASE LINK  BY ACCESS  BY ACCESS
                      GRANT ANY ROLE               BY ACCESS  BY ACCESS
                      SYSTEM GRANT                 BY ACCESS  BY ACCESS
                      ALTER DATABASE               BY ACCESS  BY ACCESS
                      CREATE ANY PROCEDURE         BY ACCESS  BY ACCESS
                      ALTER ANY PROCEDURE          BY ACCESS  BY ACCESS
                      DROP ANY PROCEDURE           BY ACCESS  BY ACCESS
                      ALTER PROFILE                BY ACCESS  BY ACCESS
                      DROP PROFILE                 BY ACCESS  BY ACCESS
                      GRANT ANY PRIVILEGE          BY ACCESS  BY ACCESS
                      CREATE ANY LIBRARY           BY ACCESS  BY ACCESS
                      EXEMPT ACCESS POLICY         BY ACCESS  BY ACCESS
                      GRANT ANY OBJECT PRIVILEGE   BY ACCESS  BY ACCESS
                      CREATE ANY JOB               BY ACCESS  BY ACCESS
                      CREATE EXTERNAL JOB          BY ACCESS  BY ACCESS

select * from DBA_PRIV_AUDIT_OPTS;

USER_NAME  PROXY_NAME PRIVILEGE                    SUCCESS    FAILURE
---------- ---------- ---------------------------- ---------- ----------
                      CREATE EXTERNAL JOB          BY ACCESS  BY ACCESS
                      CREATE ANY JOB               BY ACCESS  BY ACCESS
                      GRANT ANY OBJECT PRIVILEGE   BY ACCESS  BY ACCESS
                      EXEMPT ACCESS POLICY         BY ACCESS  BY ACCESS
                      CREATE ANY LIBRARY           BY ACCESS  BY ACCESS
                      GRANT ANY PRIVILEGE          BY ACCESS  BY ACCESS
                      DROP PROFILE                 BY ACCESS  BY ACCESS
                      ALTER PROFILE                BY ACCESS  BY ACCESS
                      DROP ANY PROCEDURE           BY ACCESS  BY ACCESS
                      ALTER ANY PROCEDURE          BY ACCESS  BY ACCESS
                      CREATE ANY PROCEDURE         BY ACCESS  BY ACCESS
                      ALTER DATABASE               BY ACCESS  BY ACCESS
                      GRANT ANY ROLE               BY ACCESS  BY ACCESS
                      CREATE PUBLIC DATABASE LINK  BY ACCESS  BY ACCESS
                      DROP ANY TABLE               BY ACCESS  BY ACCESS
                      ALTER ANY TABLE              BY ACCESS  BY ACCESS
                      CREATE ANY TABLE             BY ACCESS  BY ACCESS
                      DROP USER                    BY ACCESS  BY ACCESS
                      ALTER USER                   BY ACCESS  BY ACCESS
                      CREATE USER                  BY ACCESS  BY ACCESS
                      CREATE SESSION               BY ACCESS  BY ACCESS
                      AUDIT SYSTEM                 BY ACCESS  BY ACCESS
                      ALTER SYSTEM                 BY ACCESS  BY ACCESS

select * from DBA_OBJ_AUDIT_OPTS;

OWNER OBJECT_NAME          OBJECT_TYPE ALT AUD COM DEL GRA IND INS LOC REN SEL UPD REF EXE CRE REA WRI FBK
----- -------------------- ----------- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---
SYS   AUD$                 TABLE       -/- -/- -/- S/S -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/-
SYS   VERIFY_FUNCTION      PROCEDURE   -/- -/- -/- -/- S/S -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/-
SYS   VERIFY_FUNCTION_11G  PROCEDURE   -/- -/- -/- -/- S/S -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/-

select * from ALL_DEF_AUDIT_OPTS;

ALT AUD COM DEL GRA IND INS LOC REN SEL UPD REF EXE FBK REA
--- --- --- --- --- --- --- --- --- --- --- --- --- --- ---
S/S -/- -/- -/- S/S -/- -/- -/- -/- -/- -/- -/- -/- -/- -/-

Audit trail housekeeping

So far we’ve spend quite some time on setting up the audit. Let’s come to the actual part of the post, the housekeeping. The plan is to have regular database job, which purge the audit data as required. For this I defined the following steps:

  • Create a report of your audit trail (optional)
  • Export your audit trail information for longterm archiving (optional)
  • Set the archive timestamp as soon as audit data has been archived
  • Purge archived audit data

I the current example I’ll skip the first to steps.

Create daily archive timestamp job. This job will be a regular dbms_scheduler job.


BEGIN
  DBMS_SCHEDULER.CREATE_JOB (
    job_name   => 'DAILY_AUDIT_ARCHIVE_TIMESTAMP',
    job_type   => 'PLSQL_BLOCK',
    job_action => 'BEGIN DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(AUDIT_TRAIL_TYPE => 
                   DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,LAST_ARCHIVE_TIME => sysdate-10); END;', 
    start_date => sysdate, 
    repeat_interval => 'FREQ=HOURLY;INTERVAL=24', 
    enabled    =>  TRUE,
    comments   => 'Create an archive timestamp'
  );
END;
/

Create daily purge job

BEGIN
  DBMS_AUDIT_MGMT.CREATE_PURGE_JOB(
    AUDIT_TRAIL_TYPE           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    AUDIT_TRAIL_PURGE_INTERVAL => 24 /* hours */,
    AUDIT_TRAIL_PURGE_NAME     => 'Daily_Audit_Purge_Job',
    USE_LAST_ARCH_TIMESTAMP    => TRUE
  );
END;
/

commit;

The defined AUDIT JOB’s are then visible in DBA_AUDIT_MGMT_CLEANUP_JOBS.

col JOB_NAME for a30
col JOB_FREQUENCY for a40
select JOB_NAME,JOB_STATUS,AUDIT_TRAIL,JOB_FREQUENCY from DBA_AUDIT_MGMT_CLEANUP_JOBS;

JOB_NAME               JOB_STAT AUDIT_TRAIL          JOB_FREQUENCY
---------------------- -------- -------------------- ------------------------
DAILY_AUDIT_PURGE_JOB  ENABLED  STANDARD AUDIT TRAIL FREQ=HOURLY;INTERVAL=24

As we can see in dba_scheduler_jobs, DBMS_SCHEDULER.CREATE_JOB is just creating a other scheduler job. 

col next_run_date for a50
select job_name, next_run_date, state, enabled from dba_scheduler_jobs where job_name like '%AUDIT%';

JOB_NAME                       NEXT_RUN_DATE                                      STATE           ENABL
------------------------------ -------------------------------------------------- --------------- -----
DAILY_AUDIT_ARCHIVE_TIMESTAMP  31-MAY-11 01.46.58.000000 PM +02:00                SCHEDULED       TRUE
DAILY_AUDIT_PURGE_JOB          31-MAY-11 01.49.34.900000 PM EUROPE/VIENNA         SCHEDULED       TRUE

Conclusion

For new Oracle 11g database auditing is enabled by default. Unfortunately Oracle does not setup a housekeeping. To make sure, that you do not end up with a full AUDIT_TRAIL you have to either switch off auditing or define some housekeeping jobs. With DBMS_AUDIT_MGMT this is a pretty easy job. It is that easy, that it is worth to think about having some kind of rolling audit window. Define a short retention time to save disk space, but long enough to have access to the audit information of the last hours or days. You may then be able to answer questions like “Did anybody change something?”, “I can not access XY but I could yesterday…”. When enabling audit for sys operation you will also be able to review what user SYS did all day long. Depending on the amount of audit data it will be quite a task to create nice audit reports.

Oracle Database Firewall Patch

Earlier this year, oracle released there first version of Oracle Database Firewall. Since a couple of week’s now a bunch of patches are available. The latest seems to be available since today. As usual the patch can be obtained through the Patch Search on My Oracle Support.

Installation

The patches are delivered as a ZIP archive with misc RPM. These RPM’s have to be copied onto the Database Firewall or the Management Server. As soon as this is done the can be installed with rpm as root. After a reboot the update is complete. By the way, to be able to copy the patch’s and access the system via ssh / command line, terminal access has to be enabled in the system configuration (DB Firewall Web Console).

Installing the latest patch on the Database Firewall would be done according the following procedure :


scp dbfw-multi-5.0-134.i686.rpm support@192.168.1.200:/tmp/

ssh support@192.168.1.200

su -
cd /tmp

rpm --freshen --repackage dbfw-multi-5.0-134.i686.rpm

/bin/ls /var/spool/repackage -t | /usr/bin/head -n1 \
 > /usr/local/dbfw/updates/lastrpm

reboot

Don’t forget to review the readme.txt before installing any patch. It’s a text file very short and readable within seconds 😉

List of available Patches

Below you find a list of available patch’s for Oracle Database Firewall. The amount of patches is still manageable, so that the entire list fits into this post 😉 There is one more (11794289) but this one is supersede by bundled patch 1.

Patch Name Description Release Platform Updated Size
11872181 BUNDLED PATCH 1 5.0 Linux x86 Mar 16, 2011 61.1 MB
11886996 HOT FIX FOR BNY RESTORING CONFIGURATION 5.0 Linux x86 Mar 18, 2011 10.9 MB
11934644 BNY Audit Reports 5.0 Generic Platform Mar 30, 2011 11.1 MB
11873566 LOG SEARCH RESULTS: LONG (>4000 BYTE) STATEMENTS CAUSING ERROR IN SYSTEM LOG 5.0 Linux x86 Apr 7, 2011 11.1 MB
12317493 DBFW 5.0 – BUNDLED PATCH 2 5.0 Linux x86 Apr 12, 2011 64.8 MB
12391703 Alerting and Reporting Hot Fix 5.0 Linux x86 May 10, 2011 50.3 MB

Reference and Links

Find User with unlimited Tablespace Quota

When performing a database security audit various informations about users, roles and privileges have to be collected, including “who has unlimited tablespace on SYSTEM”. It is quite easy to find user with UNLIMITED TABLESPACE or a UNLIMITED quota on SYSTEM. But what when the system privilege is assigned to a role or over several roles? It is still easy if you use hierarchical queries to drill down the cascaded roles, but there is plenty to write.

Ok, why do we want to know who has unlimited quota on the SYSTEM tablespace?

User who have unlimited quota on SYSTEM as well the privilege to create tables or clusters could do some kind of denial of service attack to the database. The just have to fill up the free space in the SYSTEM tablespace. If there default tablespace is as well SYSTEM the could even do this without intention.

Then let’s find them

First find the user with direct quota on tablespace SYSTEM. 

SELECT username,tablespace_name, bytes, max_bytes 
FROM dba_ts_quotas 
WHERE max_bytes = -1 AND tablespace_name ='SYSTEM';

USERNAME                  TABLESPACE_NAME                BYTES  MAX_BYTES
------------------------- ------------------------- ---------- ----------
SCOTT                     SYSTEM                             0         -1
TEST                      SYSTEM                             0         -1

As mentioned above it is quite easy to find user with system privilege UNLIMITED TABLESPACE.

select * from dba_sys_privs where privilege = 'UNLIMITED TABLESPACE'

GRANTEE                        PRIVILEGE                      ADM
------------------------------ ------------------------------ ---
WMSYS                          UNLIMITED TABLESPACE           NO
RRDOMREG                       UNLIMITED TABLESPACE           NO
HR                             UNLIMITED TABLESPACE           NO
OE                             UNLIMITED TABLESPACE           NO
SYS                            UNLIMITED TABLESPACE           NO
LOGSTDBY_ADMINISTRATOR         UNLIMITED TABLESPACE           NO
SCOTT                          UNLIMITED TABLESPACE           NO
BI                             UNLIMITED TABLESPACE           NO
OUTLN                          UNLIMITED TABLESPACE           NO
DBSNMP                         UNLIMITED TABLESPACE           NO
IX                             UNLIMITED TABLESPACE           NO
SH                             UNLIMITED TABLESPACE           NO
DBA                            UNLIMITED TABLESPACE           YES
SYSTEM                         UNLIMITED TABLESPACE           YES

14 rows selected.

What about cascaded roles?

Mmh, but since Oracle 11g it is possible to grant UNLIMITED TABLESPACE to a role and this can be granted to an other role which is granted again to an other role. It could be a role concept or somebody who want to hide a little bit some privileges. To test it I’ve created three roles DBA3, DBA2 and DBA1, granted UNLIMITED TABLESPACE to DBA3.

SELECT 
  grantee, 
  privilege, 
  DECODE(p,'=>'||grantee,'direct',p) path
FROM (
  SELECT 
    grantee, 
    privilege,
    SYS_CONNECT_BY_PATH(grantee, '=>') p
  FROM (
    SELECT 
      grantee, 
      privilege
    FROM dba_sys_privs
    UNION ALL
    SELECT 
      grantee, 
      granted_role privilege
    FROM 
      dba_role_privs)
  START WITH privilege = 'UNLIMITED TABLESPACE'
  CONNECT BY PRIOR grantee = privilege )
WHERE 
  (grantee in (SELECT username FROM dba_users)
  OR grantee = 'PUBLIC');

GRANTEE   PRIVILEGE               PATH
--------- ----------------------- -------------------------------
BI        UNLIMITED TABLESPACE    direct
SYS       DBA                     =>DBA=>SYS
SYSTEM    DBA                     =>DBA=>SYSTEM
SCOTT     DBA1                    =>DBA3=>DBA2=>DBA1=>SCOTT
SYS       DBA1                    =>DBA3=>DBA2=>DBA1=>SYS
SYS       DBA2                    =>DBA3=>DBA2=>SYS
SYS       DBA3                    =>DBA3=>SYS
DBSNMP    UNLIMITED TABLESPACE    direct
HR        UNLIMITED TABLESPACE    direct
IX        UNLIMITED TABLESPACE    direct
SYS       LOGSTDBY_ADMINISTRATOR  =>LOGSTDBY_ADMINISTRATOR=>SYS
OE        UNLIMITED TABLESPACE    direct
OUTLN     UNLIMITED TABLESPACE    direct
RRDOMREG  UNLIMITED TABLESPACE    direct
SH        UNLIMITED TABLESPACE    direct
SYS       UNLIMITED TABLESPACE    direct
SYSTEM    UNLIMITED TABLESPACE    direct
WMSYS     UNLIMITED TABLESPACE    direct

18 rows selected.

We now see that SCOTT has UNLIMITED TABLESPACE through DBA3, DBA2 and DBA1

All wrapped up

Ok, create one to find user’s with direct quotas as well through a system privilege will give something like this.

SELECT 
  username,
  tablespace_name,
  privilege
FROM (
  SELECT 
    grantee username, 'Any Tablespace' tablespace_name, privilege
  FROM (
    -- first get the users with direct grants
    SELECT 
      p1.grantee grantee, privilege
    FROM 
      dba_sys_privs p1
    WHERE 
      p1.privilege='UNLIMITED TABLESPACE'
    UNION ALL
    -- and then the ones with UNLIMITED TABLESPACE through a role...
    SELECT 
      r3.grantee, granted_role privilege
    FROM 
      dba_role_privs r3
      START WITH r3.granted_role IN (
          SELECT 
            DISTINCT p4.grantee 
          FROM 
            dba_role_privs r4, dba_sys_privs p4 
          WHERE 
            r4.granted_role=p4.grantee 
            AND p4.privilege = 'UNLIMITED TABLESPACE')
    CONNECT BY PRIOR grantee = granted_role)
    -- we just whant to see the users not the roles
  WHERE grantee IN (SELECT username FROM dba_users) OR grantee = 'PUBLIC'
  UNION ALL 
  -- list the user with unimited quota on a dedicated tablespace
  SELECT 
    username,tablespace_name,'DBA_TS_QUOTA' privilege 
  FROM 
    dba_ts_quotas 
  WHERE 
    max_bytes = -1 )
WHERE tablespace_name LIKE UPPER('SYSTEM') 
    OR tablespace_name = 'Any Tablespace';


USERNAME                  TABLESPACE_NAME           PRIVILEGE
------------------------- ------------------------- ------------------------------
...
SYSTEM                    Any Tablespace            UNLIMITED TABLESPACE
SYS                       Any Tablespace            DBA
SYSTEM                    Any Tablespace            DBA
SCOTT                     Any Tablespace            DBA1
SYS                       Any Tablespace            DBA1
SYS                       Any Tablespace            DBA2
SYS                       Any Tablespace            DBA3
SYS                       Any Tablespace            LOGSTDBY_ADMINISTRATOR
TEST                      SYSTEM                    DBA_TS_QUOTA

19 rows selected.

Due to the fact that the query is far to long to write more than one time, I’ve put everything in one script.

@tsq SYSTEM

User Name     Tablespace Name        Privilege
------------- ---------------------- -------------------------
BI            Any Tablespace         UNLIMITED TABLESPACE
DBSNMP        Any Tablespace         UNLIMITED TABLESPACE
HR            Any Tablespace         UNLIMITED TABLESPACE
IX            Any Tablespace         UNLIMITED TABLESPACE
OE            Any Tablespace         UNLIMITED TABLESPACE
OUTLN         Any Tablespace         UNLIMITED TABLESPACE
....

The tsq.sql script can be downloaded at the script section of OraDBA or direct ( tsq.sql). All OraDBA scripts can also be downloaded as a complete archive ( oradba.tgz).

Mac OS X Terminal Compatibility Settings

I start using iTerm rather than Terminal to work on the command line. In my opinion it is much more powerful to setup some window groups. Several tabs and/or windows can be stored and managed as bookmarks. The manipulation of window and tab title seams also a bit easier. But that is not the topic of this post 🙂

When working on the command line I also use TVDBasenv. Starting a new session always display the status of environment / databases.

Last login: Tue Apr 26 22:17:55 on ttys014

Down/dummy   : rdbms1020 rdbms1020IC

Listener     : Down

user@host:~/ [rdbms1020IC]

Unfortunately in iTerm this does not work in the same way as in Terminal.

Last login: Tue Apr 26 21:52:17 on ttys010
ps: illegal option -- f
usage: ps [-AaCcEefhjlMmrSTvwXx] [-O fmt | -o fmt] [-G gid[,gid...]]
[-u]
[-p pid[,pid...]] [-t tty[,tty...]] [-U user[,user...]]
ps [-L]

Down/dummy   : rdbms1020 rdbms1020IC

Listener     : Down

user@host:~/ [rdbms1020IC]

I first thought that the two Application are using a different PATH and therefore a different ps. But all the following test have shown the same output on both environments.

user@host:~/ [rdbms1020IC] which ps
/bin/ps

user@host:~/ [rdbms1020IC] type -a ps
ps is /bin/ps

The comparison of the environment variables finally showed a few differences.

diff iterm.txt terminal.txt
...
< COLORFGBG=0;15
< COMMAND_MODE=legacy
---
> COMMAND_MODE=unix2003
< TERM_PROGRAM=iTerm.app
---
> TERM_PROGRAM=Apple_Terminal
> TERM_PROGRAM_VERSION=273.1
...

It seams that COMMAND_MODE does the trick. In iTerm it is set to legacy while Terminal is using unix2003. So setting COMMAND_MODE to legacy cause utility programs like ps to behave as closely to Mac OS X 10.3’s utility programs, while setting it to unix2003 causes utility programs to obey the Version 3 of the Single UNIX Specification (SUSv3).

To fix my issue I simply have to add COMMAND_MODE=unix2003 to my .bash_profile.

More information on manipulating the compatibility settings can be found in
man 5 compat