Tag Archives: Trivadis Content

Blog posts also posted on the Trivadis Blog (TriBlog)

AVDF missing boot partition

While working on the problem with the missing RAM on the AVDF test system (see the post AVDF Linux kernel could not recognize whole RAM below), I realized that the Linux boot partition is not mounted by default.

[root@melete2 log]# ls -al /boot
total 16
drwxr-xr-x  2 root root 4096 Jan 11  2013 .
drwxr-xr-x 24 root root 4096 Jul 11 20:19 ..

[root@melete2 log]# df -kh /boot
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/vg_root-lv_root
                      6.6G  2.2G  4.1G  35% /

Initially I was a bit confused, since /boot contains things like the grub configuration, initrd.img, the kernel etc., all of which are needed to boot the system. But the bootloader reads these files directly from the device, so the file system does not have to be mounted. From a security point of view it is even better not to have it mounted: if it is not mounted, nobody can accidentally change something. 😉 Oracle has set noauto for the boot partition, therefore the device is not mounted automatically during system boot.

[root@melete2 log]# cat /etc/fstab|grep boot
LABEL=/boot                    /boot                    ext3   noatime,noauto,nodev,nosuid                  1 2

If you need to change the grub configuration just mount the boot partition manually.

[root@melete2 log]# mount /boot

[root@melete2 log]# vi /boot/grub/grub.conf 

[root@melete2 ~]# umount /boot

Audit Vault and Database Firewall 12.1.1 Bundle Patch 1

Oracle just released the new bundle patch for Audit Vault and Database Firewall 12.1.1. The patch can be downloaded from My Oracle Support (Metalink) as an RPM patch set for existing installations or as full installation images for new installations.

According to the readme, BP1 contains the July 2013 PSU 11.2.0.3.7 for the database as well as several bug fixes for both the Audit Vault Server and the Database Firewall:

  • 16993733 Client program column is null when audit collected from Oracle table trail
  • 16699889 Database Vault:Legacy Audit:12c – mapping for a few events missing
  • 16399439 Audit settings UI problem when IE8 browser is used.
  • 16860810 Firewall reports ODF-10001: Internal error: did not find substitution string
  • 15831798 “Print success message checksum content error” seen on login after timeout
  • 16878611 “ATC” files may not be refreshed (file ownership)
  • 16879023 Starting a trail takes a long time – many minutes
  • 16939931 Trails stop when files are deleted

The installation on my test system was quite straightforward. You just have to copy the RPM package to the AV server and start the installation as root with rpm.

[root@melete2 ~]# /bin/rpm -U /tmp/avs-12.1.1.1.0-51_130731.0100.x86_64.rpm
OK
[root@melete2 ~]#

As a prerequisite, all secure targets and AV agents have to be stopped. A simple task in a test environment like mine, but it can become quite cumbersome in a real production environment with a couple of hundred secure targets.

Some MOS links related to this post.

  • Database Firewall 5.x and Oracle Audit Vault and Database Firewall 12.1 bundled patch reference [1328209.1]
  • Patch 16965973 12.1.1.1.0 PS1 bundle patch 1 for Oracle Audit Vault and Database Firewall
  • Patch 16965974 12.1.1.1.0 Full install images for Oracle Audit Vault and Database Firewall
  • Oracle Audit Vault and Database Firewall Readme Release 12.1.1 BP1

AVDF Linux kernel could not recognize whole RAM

After the initial setup of an Audit Vault and Database Firewall engineering system, I started to add several audit vault agents and secure targets. In the beginning it went quite smoothly, but after a certain number of secured targets ORA-04031 errors occurred continuously. Most of the errors were related to the large pool and PX Msg buffers. The analysis of the trace files showed interesting stuff 😉, but more on that in a later blog post. The real problem is the available memory.

Symptoms

The Audit Vault and Database Firewall engineering system is running on an HP ProLiant BL465c Gen 8 with 32GB of memory, which should be sufficient for an engineering system. It turned out that the 32GB are not recognized by the operating system. As you can see below, the system has just 3GB of memory in total.

[root@melete2 ~]# free
                     total    used   free shared buffers  cached
Mem:               3048108 2385888 662220      0   10720 1525036
-/+ buffers/cache:  850132 2197976
Swap:              4194296  453564 3740732

Reviewing dmesg shows that we lose 29GB of memory: the BIOS-provided e820 map lists the memory as usable, but the kernel then reserves everything above 0xc0000000 because the MTRRs do not cover it.

Initializing cgroup subsys cpuset
Initializing cgroup subsys cpu
Linux version 2.6.32-300.39.5.el5uek (mockbuild@ca-build56.us.oracle.com) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-50)) #1 SMP Wed Mar 13 11:26:53 PDT 2013
Command line: ro root=/dev/vg_root/lv_root console=tty9 udevtimeout=10
KERNEL supported cpus:
  Intel GenuineIntel
  AMD AuthenticAMD
  Centaur CentaurHauls
BIOS-provided physical RAM map:
 BIOS-e820: 0000000000000000 - 000000000009f000 (usable)
 BIOS-e820: 000000000009f000 - 00000000000a0000 (reserved)
 BIOS-e820: 00000000000f0000 - 0000000000100000 (reserved)
 BIOS-e820: 0000000000100000 - 00000000bddde000 (usable)
 BIOS-e820: 00000000bddde000 - 00000000bde0e000 (ACPI data)
 BIOS-e820: 00000000bde0e000 - 00000000d0000000 (reserved)
 BIOS-e820: 00000000fec00000 - 00000000fee10000 (reserved)
 BIOS-e820: 00000000ff800000 - 0000000100000000 (reserved)
 BIOS-e820: 0000000100000000 - 000000083efff000 (usable)
DMI 2.7 present.
last_pfn = 0x83efff max_arch_pfn = 0x400000000
MTRR default type: uncachable
MTRR fixed ranges enabled:
  00000-9FFFF write-back
  A0000-BFFFF uncachable
  C0000-FFFFF write-back
MTRR variable ranges enabled:
  0 base 000000000000 mask FFFF80000000 write-back
  1 base 000080000000 mask FFFFC0000000 write-back
  2 disabled
  3 disabled
  4 disabled
  5 disabled
  6 disabled
  7 disabled
x86 PAT enabled: cpu 0, old 0x7040600070406, new 0x7010600070106
e820 update range: 00000000c0000000 - 000000083efff000 (usable) ==> (reserved)
WARNING: BIOS bug: CPU MTRRs don't cover all of memory, losing 29679MB of RAM.
------------[ cut here ]------------

Cause

According to an Oracle Metalink Note 1448147.1 this problem is related to a BIOS issue.

Solutions and Workaround

The solution described in Oracle Metalink Note 1448147.1 is to upgrade the BIOS or to disable MTRR trimming in the kernel. Since a BIOS upgrade is not an option for this environment, I will work around the problem by disabling MTRR trimming.

Disable MTRR

Changing grub.conf is basically quite easy, once you find the boot files. When I first tried, I realized that there is no grub configuration available: Oracle decided not to mount /boot at startup. So it is mandatory to mount the boot partition first. Afterwards you can simply add disable_mtrr_trim as an additional kernel option.

[root@melete2 ~]# mount /boot

[root@melete2 ~]# df -kh /boot
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda1             145M   26M  112M  19% /boot

[root@melete2 ~]# vi /boot/grub/grub.conf 
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/vg_root/lv_root
#          initrd /initrd-version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Audit Vault Server 12.1.1.0.0
        root (hd0,0)
        kernel /vmlinuz-2.6.32-300.39.5.el5uek ro root=/dev/vg_root/lv_root console=tty9 udevtimeout=10 disable_mtrr_trim
        initrd /initrd-2.6.32-300.39.5.el5uek.img
title Audit Vault Server 12.1.1.0.0
        root (hd0,0)
        kernel /vmlinuz-2.6.32-300.38.1.el5uek ro root=/dev/vg_root/lv_root console=tty9 udevtimeout=10 disable_mtrr_trim
        initrd /initrd-2.6.32-300.38.1.el5uek.img

[root@melete2 ~]# reboot

Broadcast message from root (pts/0) (Thu Jul 11 20:17:56 2013):

The system is going down for reboot NOW!
[root@melete2 ~]# Connection to melete2 closed by remote host.
Connection to melete2 closed.
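Editing every kernel line by hand is error-prone when several titles are listed, and a second run of the same edit must not add the option twice. The following shell script is an added example, not part of the post or of the AVDF appliance: it appends a kernel option (here disable_mtrr_trim) to each GRUB legacy "kernel" line exactly once, keeps a timestamped backup, and preserves the file's permissions. It assumes /boot is already mounted as described above; the function names and the sample grub.conf built by demo_grub_conf are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the post or the AVDF appliance: add a kernel option
# such as disable_mtrr_trim to every "kernel" line of a GRUB legacy grub.conf,
# once only, with a timestamped backup. Assumes /boot is already mounted.

# add_kernel_option <grub.conf> <option>
add_kernel_option() {
  conf=$1; opt=$2
  [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
  cp -p "$conf" "$conf.$(date +%Y%m%d%H%M%S).bak"   # backup before touching it
  awk -v opt="$opt" '
    /^[[:space:]]*kernel[[:space:]]/ {
      found = 0
      for (i = 2; i <= NF; i++) if ($i == opt) found = 1   # already present?
      if (!found) $0 = $0 " " opt
    }
    { print }' "$conf" > "$conf.tmp" &&
  cat "$conf.tmp" > "$conf" &&   # write back in place, keeping owner/mode
  rm -f "$conf.tmp"
}

# count_kernel_option <option> <grub.conf>: number of kernel lines carrying it
count_kernel_option() {
  awk -v opt="$1" '
    /^[[:space:]]*kernel[[:space:]]/ { for (i = 2; i <= NF; i++) if ($i == opt) n++ }
    END { print n + 0 }' "$2"
}

# Constructed sample grub.conf (one title, modelled on the one in the post)
# written to a temporary file, so the functions can be tried without /boot.
demo_grub_conf() {
  f=$(mktemp) || return 1
  printf '%s\n' 'default=0' 'timeout=5' 'hiddenmenu' \
    'title Audit Vault Server 12.1.1.0.0' \
    '        root (hd0,0)' \
    '        kernel /vmlinuz-2.6.32-300.39.5.el5uek ro root=/dev/vg_root/lv_root console=tty9 udevtimeout=10' \
    '        initrd /initrd-2.6.32-300.39.5.el5uek.img' > "$f"
  echo "$f"
}

# On the appliance itself:  mount /boot && add_kernel_option /boot/grub/grub.conf disable_mtrr_trim && umount /boot
```

Run it twice and the option is still present only once per kernel line, which makes it safe to put into a post-patch checklist; the backup files next to grub.conf tell you what was there before each change.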

After reboot we now have 32GB memory available.

[root@melete2 ~]# free
                      total     used     free shared buffers  cached
Mem:               33024372  3930724 29093648      0   17868 2640744
-/+ buffers/cache:  1272112 31752260
Swap:              14680056        0 14680056

Unfortunately, the configuration of the AVDF appliance is not automatically updated to use the extra memory. We have to do some manual changes.

Update Kernel Parameters

The kernel settings have to be changed to allow a bigger SGA. See Metalink Note 1529433.1 for more detailed information on how to calculate and set the kernel parameters. For the engineering system we will define an SGA of 20GB, therefore we set shmmax and shmall as follows:

[root@melete2 ~]# vi /etc/sysctl.conf
…
kernel.shmmax=23622320128
kernel.shmall=5368709120
...
[root@melete2 ~]# sysctl -p
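The two parameters are easy to mix up: kernel.shmmax is a byte count (the largest single shared memory segment), while kernel.shmall is a number of pages. The script below is an added example, not from the post or the MOS note; it checks a pair of values against the SGA you intend to configure, converting shmall to bytes with the page size first. The function names are constructed for the example; the numbers used in the test are the ones from the post, and the page size is assumed to be 4096 bytes where getconf is unavailable.

```shell
#!/bin/sh
# Added example, not from the post: sanity-check kernel.shmmax / kernel.shmall
# against the SGA you intend to configure. shmmax is in bytes, shmall is in
# pages. Function names are constructed for this example.

PAGE_SIZE=$(getconf PAGESIZE 2>/dev/null || echo 4096)   # assumption: 4096 if unknown

# Convert a size like 20G / 512M (binary units) or a plain byte count to bytes.
to_bytes() {
  case "$1" in
    *G) echo $(( ${1%G} * 1073741824 )) ;;
    *M) echo $(( ${1%M} * 1048576 )) ;;
    *)  echo "$1" ;;
  esac
}

# Pages needed to cover a byte count, rounded up: pages_for_bytes <bytes> <pagesize>
pages_for_bytes() { echo $(( ($1 + $2 - 1) / $2 )); }

# check_shm <sga> <shmmax> <shmall> [pagesize]
# exit 0 = fits, 1 = shmmax below the SGA, 2 = shmall (in pages) below shmmax.
check_shm() {
  sga=$(to_bytes "$1"); shmmax=$2; shmall=$3; page=${4:-$PAGE_SIZE}
  if [ $(( shmmax < sga )) -eq 1 ]; then
    echo "kernel.shmmax=$shmmax is below the SGA of $sga bytes" >&2
    return 1
  fi
  if [ $(( shmall * page < shmmax )) -eq 1 ]; then
    echo "kernel.shmall=$shmall pages covers only $(( shmall * page )) bytes, shmmax is $shmmax" >&2
    return 2
  fi
  return 0
}

# Check the values the running kernel actually uses (run on the appliance):
check_live_shm() { check_shm "$1" "$(sysctl -n kernel.shmmax)" "$(sysctl -n kernel.shmall)"; }
```

After sysctl -p, check_live_shm 20G confirms that the loaded values fit the planned SGA before the instance is restarted; a failing return code means startup will most likely fail with ORA-27102 (see the MOS note 301830.1 in the references).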

Increase SWAP

With 32GB of memory it is also advisable to enlarge the swap space. I have discussed this already in the blog post Resize swap space on linux. Since the AVDF appliance uses logical volumes, it is even a bit easier.

[root@melete2 ~]# swapoff -v /dev/vg_root/lv_swap

[root@melete2 ~]# lvresize /dev/vg_root/lv_swap -L +8G

[root@melete2 ~]# mkswap /dev/vg_root/lv_swap

[root@melete2 ~]# swapon -v /dev/vg_root/lv_swap

Increase SGA

Finally we can increase the SGA.


SQL> alter system set sga_max_size=20G scope=spfile;
System altered.

SQL> alter system set sga_target=20G scope=spfile;
System altered.

SQL> startup force

Conclusion

Although AVDF is an appliance, it is mandatory to examine the system after installation: e.g. are there errors in the log files in /var/log, is the expected memory and storage available, etc. The solution described here makes it possible to use all the memory. Nevertheless, the appliance has been adjusted to an extent where it is necessary to consider whether it is still supported. If you run into a similar issue on your production AVDF setup, I would recommend opening an Oracle SR. Looking forward to the next AVDF patch set; I hope this system stays patchable.

References

Some links related to this post.

  • Linux kernel could not recognize whole RAM [1448147.1]
  • Upon startup of Linux database get ORA-27102: out of memory Linux-X86_64 Error: 28: No space left on device[301830.1]
  • Requirements for Installing Oracle Database 12.1 on RHEL5 or OL5 64-bit (x86-64) [1529433.1]
  • Requirements for Installing Oracle 11gR2 RDBMS on RHEL (and OEL) 5 on AMD64/EM64T [880989.1]
  • Master Note of Linux OS Requirements for Database Server [851598.1]

How to find latest oracle database patchset

It is sometimes a bit of a hassle to have the latest patch name or number at hand when you need it. Ok, you can search on My Oracle Support and save it as a custom search. But it may happen that the search is inaccurate and the required patch is not found. A much easier way is to use the Oracle Metalink Notes which have been available for a while. These MOS notes are updated regularly with the latest patch information. My favourite is definitely the Quick Reference to Patch Numbers for Database PSU, SPU(CPU), Bundle Patches and Patchsets [1454618.1]. But there are more interesting MOS notes.

Which patches are available?

MOS notes about patches, patch sets, PSU, SRU and bundle patches:

  • Introduction to Oracle Recommended Patches [756388.1]
    This MOS note is the main entry point to the Oracle recommended patches. It includes further links to Oracle Database, Oracle Enterprise Manager, Oracle Fusion Middleware and other products.
  • Oracle Recommended Patches — Oracle Database [756671.1]
    This note includes the links for the latest recommended patches of Oracle Databases on Unix and Linux since Oracle 10.2.0.3.
  • Oracle Database, Networking and Grid Agent Patches for Microsoft Platforms [161549.1]
    As the name says, this note contains further links for recommended patches of Oracle Databases on Microsoft Windows.
  • Quick Reference to Patch Numbers for Database PSU, SPU(CPU), Bundle Patches and Patchsets [1454618.1]
    This MOS note is a kind of master note for any PSU, CPU, Bundle Patch and Patch Set. Here you will find any patch number without first struggling through all the Oracle recommendations yourself 🙂
  • Release Schedule of Current Database Releases [742060.1]
    On this MOS Note you do not really find any patch numbers or names, but you will find the release schedules of upcoming patch sets. Ok, you do not see an exact date, but at least the quarter of the year.

Which Patch has been installed?

The easiest way to list the installed patches in the current ORACLE_HOME is to use the OPatch utility.

List of installed patches:

$ORACLE_HOME/OPatch/opatch lsinventory

Grep on the patch description:

$ORACLE_HOME/OPatch/opatch lsinventory|grep "Patch description"
Patch description:  "Database Patch Set Update : 11.2.0.3.7 (16619892)"

A more verbose list on the installed patches:

$ORACLE_HOME/OPatch/opatch lsinventory -details
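When the same check has to run on many homes, grepping by eye does not scale; what you want is the installed PSU level as a value you can compare with the expected one. The script below is an added example, not from the post or from OPatch: it extracts the newest "Database Patch Set Update" entry from opatch lsinventory output and compares its version with an expected level. The function names are constructed for the example, and SAMPLE_INVENTORY is a constructed excerpt in the layout of the "Patch description" lines shown above, not real inventory output.

```shell
#!/bin/sh
# Added example, not from the post: pull the installed Database PSU level out
# of "opatch lsinventory" output and compare it with an expected level, so a
# fleet check can flag homes that are behind. Function names are constructed.

# Constructed sample in the layout of opatch lsinventory (not real output).
SAMPLE_INVENTORY='Interim patches (2) :

Patch  16619892     : applied on Tue Jul 23 10:11:12 CEST 2013
   Patch description:  "Database Patch Set Update : 11.2.0.3.7 (16619892)"
   Created on 5 Jun 2013, 11:38:59 hrs PST8PDT

Patch  16056266     : applied on Fri Apr 19 08:00:00 CEST 2013
   Patch description:  "Database Patch Set Update : 11.2.0.3.6 (16056266)"
'

# Print "<version> <patch number>" of the newest Database PSU found on stdin;
# print nothing and return 1 when no PSU is listed at all.
psu_level() {
  sed -n 's/.*Patch description: *"Database Patch Set Update : \([0-9.]*\) (\([0-9]*\))".*/\1 \2/p' \
  | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n -k5,5n \
  | tail -n 1 | grep .
}

# check_psu <expected version>: reads inventory text from stdin.
# exit 0 = matches, 1 = different PSU installed, 2 = no PSU found.
check_psu() {
  expected=$1
  level=$(psu_level) || { echo "no Database PSU installed" >&2; return 2; }
  version=${level%% *}
  if [ "$version" = "$expected" ]; then
    return 0
  fi
  echo "PSU $version installed, expected $expected" >&2
  return 1
}

# Against a live home:  $ORACLE_HOME/OPatch/opatch lsinventory | check_psu 11.2.0.3.7
```

The return code is what a monitoring job or a loop over oratab entries would act on; the message on stderr names the version actually found.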

Which Patch has been applied?

The table REGISTRY$HISTORY contains information on applied patches, i.e. PSU, SRU or CPU. Since I use this query regularly during the tests of the Critical Patch Update, I have packed it into a handy script (cpui.sql).

set linesize 200 pagesize 200
col action_time for a28
col version for a10
col comments for a35
col action for a25
col namespace for a12
select * from registry$history;

Oracle database binaries with perl

Perl and Oracle have not always had an easy past. Depending on the OS type and Oracle version it can be quite nerve-racking to compile DBI and DBD::Oracle. Besides DBD::Oracle there are other binary Perl modules that are not so easy to compile. On operating systems such as Microsoft Windows it takes a little more effort to compile Perl. Alternatively one can use precompiled packages like ActivePerl or Strawberry Perl. But this is basically not necessary at all if Oracle is already installed. Since Oracle 10g, Perl has been part of the Oracle binaries for the client and the database server; Oracle itself uses it for various tools. This makes it easy to create and execute custom Perl scripts even on an Oracle client installation. I do this regularly when I create Oracle database security reviews: instead of manually collecting all sorts of information, I run a few Perl scripts. This also works if I only have access to an Oracle client installation.

Available Perl Versions

Consequently, the different Oracle versions contain different versions of Perl. With the latest Oracle Database 12c Release 1 it was just updated.

  • Oracle 10g Release 2 contains Perl 5.8.3
  • Oracle 10g Release 2 contains Perl 5.10.0
  • Oracle 12c Release 1 contains Perl 5.14.1

As you can see, these are not really the latest stable versions of Perl. The following picture shows the latest release for each branch of Perl.

[Figure: Latest Perl releases per branch]

Depending on what you want to do with Perl, this is generally not a problem. Nevertheless, it is useful to check what is supported in the corresponding release and what is not.

With perldoc you get all kinds of Perl documentation, for instance the user-contributed Perl modules, aka additional Perl modules:

$ORACLE_HOME/perl/bin/perldoc perllocal

With corelist you get information on the core Perl modules:

$ORACLE_HOME/perl/bin/corelist -a utf8

utf8 was first released with perl 5.006
5.006 undef
5.006001 undef
5.006002 undef
5.007003 1.00
5.008 1.00
5.008001 1.02
5.008002 1.02
5.008003 1.02
5.008004 1.03
5.008005 1.04
5.008006 1.04
5.008007 1.05
5.008008 1.06
5.009 1.02
5.009001 1.02
5.009002 1.04
5.009003 1.06
5.009004 1.06
5.009005 1.07
5.01 1.07

Restrictions

But before you start to develop your big Perl applications, be aware that you should not rely on it. According to Oracle Metalink Note 342754.1 you should not use it for your own applications.

Note:- Perl and other 3rd party tools such as the Sun JRE are provided in the ORACLE_HOME for Oracle tool usage only. PERL libraries which are part of the Oracle RDBMS CD (Client / Database) are not meant for PERL custom application development, but they are used by various Oracle tools that are shipped along with Oracle RDBMS software such as EM DB Console etc.,

Using it just for a bunch of admin and report scripts should not be a big issue, especially because you save quite some time when you do not have to install Perl and DBD::Oracle yourself.

How to use it

A few example how to use it will follow later on…

References

Some links related to this post.

  • Perl Source Readme on CPAN with information on the latest version on each branch of Perl
  • DBI – Database independent interface for Perl
  • DBD::Oracle Oracle database driver for the DBI module
  • Oracle Support of PHP, Perl, DBD/DBI and other 3rd party products [342754.1]
  • Active Perl from ActiveState
  • Strawberry Perl

Query alert log from sqlplus

It is not really news that you can query the alert log directly from SQL*Plus. Tanel Poder and others discussed this a while ago. Somehow I can never remember the name of the X$ view when I need it, so it is time to sum up the information a little.

SQL> desc X$DBGALERTEXT
    Name                         Null?    Type
    ---------------------------- -------- ---------------------------
 1  ADDR                                  RAW(8)
 2  INDX                                  NUMBER
 3  INST_ID                               NUMBER
 4  CON_ID                                NUMBER
 5  ORIGINATING_TIMESTAMP                 TIMESTAMP(3) WITH TIME ZONE
 6  NORMALIZED_TIMESTAMP                  TIMESTAMP(3) WITH TIME ZONE
 7  ORGANIZATION_ID                       VARCHAR2(64)
 8  COMPONENT_ID                          VARCHAR2(64)
 9  HOST_ID                               VARCHAR2(64)
10  HOST_ADDRESS                          VARCHAR2(46)
11  MESSAGE_TYPE                          NUMBER
12  MESSAGE_LEVEL                         NUMBER
13  MESSAGE_ID                            VARCHAR2(64)
14  MESSAGE_GROUP                         VARCHAR2(64)
15  CLIENT_ID                             VARCHAR2(64)
16  MODULE_ID                             VARCHAR2(64)
17  PROCESS_ID                            VARCHAR2(32)
18  THREAD_ID                             VARCHAR2(64)
19  USER_ID                               VARCHAR2(64)
20  INSTANCE_ID                           VARCHAR2(64)
21  DETAILED_LOCATION                     VARCHAR2(160)
22  PROBLEM_KEY                           VARCHAR2(550)
23  UPSTREAM_COMP_ID                      VARCHAR2(100)
24  DOWNSTREAM_COMP_ID                    VARCHAR2(100)
25  EXECUTION_CONTEXT_ID                  VARCHAR2(100)
26  EXECUTION_CONTEXT_SEQUENCE            NUMBER
27  ERROR_INSTANCE_ID                     NUMBER
28  ERROR_INSTANCE_SEQUENCE               NUMBER
29  VERSION                               NUMBER
30  MESSAGE_TEXT                          VARCHAR2(2048)
31  MESSAGE_ARGUMENTS                     VARCHAR2(512)
32  SUPPLEMENTAL_ATTRIBUTES               VARCHAR2(512)
33  SUPPLEMENTAL_DETAILS                  VARCHAR2(4000)
34  PARTITION                             NUMBER
35  RECORD_ID                             NUMBER

A simple query to get the alert log messages and timestamps looks like this:

set linesize 160 pagesize 200
col RECORD_ID for 9999999 head ID
col ORIGINATING_TIMESTAMP for a20 head Date
col MESSAGE_TEXT for a120 head Message

select 
    record_id,
    to_char(originating_timestamp,'DD.MM.YYYY HH24:MI:SS'),
    message_text 
from 
    x$dbgalertext;

For daily use I have put together two scripts:

  •  tal.sql lists all or some alert log messages; messages are filtered by the parameter.
  •  taln.sql lists the last n rows of the alert log.
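The two scripts are not reproduced in the post, so here is an added example (my own, not the author's tal.sql/taln.sql) of the same two queries wrapped in shell functions that generate the SQL and optionally pipe it into SQL*Plus. The "last n rows" case needs an inner ORDER BY record_id DESC before the ROWNUM cut, and the filter string is single-quote-escaped before it is placed into the LIKE literal, so a value taken from the command line cannot break out of the SQL literal. Function names are constructed; run_sql assumes OS authentication as SYSDBA (sqlplus / as sysdba) with ORACLE_HOME and ORACLE_SID set.

```shell
#!/bin/sh
# Added example, not the blog's tal.sql/taln.sql: build the SQL behind
# "last n alert log rows" and "rows matching a string" against X$DBGALERTEXT,
# then optionally run it with SQL*Plus as SYSDBA. Function names are constructed.

# Double every single quote so a filter like O'Brien stays inside the literal.
sql_quote() { printf '%s' "$1" | sed "s/'/''/g"; }

# Last n rows of the alert log (default 10), oldest first.
taln_sql() {
  n=${1:-10}
  case "$n" in ''|*[!0-9]*) echo "taln_sql: n must be a positive integer" >&2; return 1 ;; esac
  cat <<EOF
select * from (
  select record_id,
         to_char(originating_timestamp,'DD.MM.YYYY HH24:MI:SS') date_time,
         message_text
  from   x\$dbgalertext
  order  by record_id desc)
where rownum <= $n
order by record_id;
EOF
}

# Rows whose message contains the given string (case-insensitive).
tal_sql() {
  filter=$(sql_quote "$1")
  cat <<EOF
select record_id,
       to_char(originating_timestamp,'DD.MM.YYYY HH24:MI:SS') date_time,
       message_text
from   x\$dbgalertext
where  upper(message_text) like upper('%${filter}%')
order  by record_id;
EOF
}

# Run a generated statement with SQL*Plus, using the column layout from the post.
run_sql() {
  command -v sqlplus >/dev/null 2>&1 || { echo "sqlplus not found in PATH" >&2; return 1; }
  { printf 'set linesize 160 pagesize 200\n'
    printf 'col record_id for 9999999 head ID\n'
    printf 'col date_time for a20 head Date\n'
    printf 'col message_text for a120 head Message\n'
    cat
  } | sqlplus -S / as sysdba
}

# Usage:  taln_sql 10 | run_sql        tal_sql ORA-00042 | run_sql
```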

Write into the alertlog

The procedure ksdwrt in the dbms_system package allows us to write our own messages to the alert log, to the trace files, or to both. It receives two parameters:

  • A number that indicates where we want to write our message
    1. Write to a TRACE file
    2. Write to the alert.log file
    3. Write to both of them
  • A text string (the message itself).

exec dbms_system.ksdwrt(2, 'ORA-00042: Test message in alert log.');

Query the Alertlog

List the last 10 lines in the alert log.

SQL> @taln 10

      ID Date                 Message
-------- -------------------- ----------------------------------------------------------------------
    4333 23.07.2013 22:00:47  Thread 1 advanced to log sequence 94 (LGWR switch)
    4334 23.07.2013 22:00:47    Current log# 1 seq# 94 mem# 0: /u00/oradata/TDB01/redog1m1TDB01.dbf
    4335 23.07.2013 22:00:47    Current log# 1 seq# 94 mem# 1: /u01/oradata/TDB01/redog1m2TDB01.dbf
    4336 23.07.2013 22:00:47  Archived Log entry 111 added for thread 1 sequence 93 ID 0xa3d43dfa...
    4337 24.07.2013 02:00:00  Closing scheduler window
    4338 24.07.2013 02:00:00  Closing Resource Manager plan via scheduler window
    4339 24.07.2013 02:00:00  Clearing Resource Manager plan via parameter
    4340 24.07.2013 03:38:21  VKTM detected a time drift. Please check trace file for more details.
    4341 24.07.2013 09:18:38  VKTM detected a time drift. Please check trace file for more details.
    4342 24.07.2013 14:50:05  ORA-00042: Test Message in alert log

10 rows selected.

Query the alert log for the string ORA-00042.


SQL> @tal ORA-00042

      ID Date                 Message
-------- -------------------- -------------------------------------------
    4342 24.07.2013 14:50:05  ORA-00042: Test Message in alert log


Filter on alert log message => ORA-00042

Other fixed tables

There are a bunch of other X$ fixed tables. At least the following are somehow related to the ADR:

  • X$DBGDIREXT lists all file and directory names under the diagnostic_dest/diag directory. This will be quite a lot on a shared DB server.
  • X$DBGRICX lists the ADR incidents.

References

Some links related to this post.

Oracle 12c new password verify function

Even with Oracle Database 12c, the quality of database passwords is not enforced by default. A password verify function with the corresponding password resource limits has to be set up individually. As a basis one can use the script utlpwdmg.sql to set up the default password resource limits. The script is provided by Oracle and updates the DEFAULT profile. It has been updated for Oracle Database 12c, but it still does not run automatically when creating a database. The 12c DBCA is missing a flag or radio button to select something like extended standard security settings, as was known from 11g.

New Password Resource Limits

Without modification, utlpwdmg.sql updates the profile DEFAULT, which is the default profile for all users. The following limits are the same as in Oracle Database 11g, except for a different password verify function.

Resource Name             Limit                   Description
PASSWORD_LIFE_TIME        180                     Sets the number of days the user can use his current password.
PASSWORD_GRACE_TIME       7                       Sets the number of days that a user has to change his password before it expires.
PASSWORD_REUSE_TIME       UNLIMITED               Sets the number of days before which a password cannot be reused.
PASSWORD_REUSE_MAX        UNLIMITED               Sets the number of password changes required before the current password can be reused.
FAILED_LOGIN_ATTEMPTS     10                      Specifies the number of failed attempts to log in to the user account before the account is locked.
PASSWORD_LOCK_TIME        1                       Specifies the number of days an account will be locked after the specified number of consecutive failed login attempts.
PASSWORD_VERIFY_FUNCTION  ora12c_verify_function  PL/SQL password complexity verification function to enforce password complexity.

The comments in the script list further password resource limits, e.g. the recommendations of the Center for Internet Security (CIS Oracle 11g benchmark):

Resource Name             Limit
PASSWORD_LIFE_TIME        90
PASSWORD_GRACE_TIME       3
PASSWORD_REUSE_TIME       365
PASSWORD_REUSE_MAX        20
FAILED_LOGIN_ATTEMPTS     3
PASSWORD_LOCK_TIME        1
PASSWORD_VERIFY_FUNCTION  ora12c_verify_function

Recommendations from the Department of Defense Database Security Technical Implementation Guide (STIG v8R1):

Resource Name             Limit
PASSWORD_LIFE_TIME        60
PASSWORD_REUSE_TIME       365
PASSWORD_REUSE_MAX        5
FAILED_LOGIN_ATTEMPTS     3
PASSWORD_VERIFY_FUNCTION  ora12c_strong_verify_function

New Functions

The script has been cleaned up by Oracle. As before, there are the two functions verify_function (10g) and verify_function_11G (11g). New for 12c are four more functions: ora12c_verify_function and ora12c_strong_verify_function, plus the two helper functions complexity_check and string_distance.

string_distance

This function calculates the Levenshtein distance between two strings ‘s’ and ‘t’, or, a bit simpler, how much two strings differ from each other. The Levenshtein algorithm was already used in the old verify_function_11G. It is now a function of its own, so it can be reused more easily in custom password verify functions.

differ := string_distance(old_password, password);

complexity_check

This function verifies the complexity of a password string. Besides the password string it accepts a few values that describe the required complexity. Nothing basically new, but it makes it a bit easier to define custom password verify functions.

  • chars – All characters (i.e. string length)
  • letter – Alphabetic characters A-Z and a-z
  • upper – Uppercase letters A-Z
  • lower – Lowercase letters a-z
  • digit – Numeric characters 0-9
  • special – All characters not in A-Z, a-z, 0-9 except DOUBLE QUOTE which is a password delimiter

Verify that the password has at least 8 characters, 1 letter and 1 digit:

IF NOT complexity_check(password, chars => 8, letter => 1, digit => 1) THEN
  RETURN(FALSE);
END IF;

Verify that the password has at least 9 characters, 2 upper case and 2 lower case characters, 2 digits and 2 special characters:

IF NOT complexity_check(password, chars => 9, upper => 2, lower => 2,
                        digit => 2, special => 2) THEN
  RETURN(FALSE);
END IF;

ora12c_verify_function

This function is the new 12c password verify function. It enforces a similar, or slightly stronger, password complexity than verify_function_11G. verify_function_11G only checked for DB_NAME or ORACLE with 1 to 100 attached, e.g. oracle1 or oracle83. With the new function, DB_NAME or ORACLE may not be part of the password at all. The following is verified:

  • password at least 8 characters
  • at least 1 letter
  • at least 1 digit
  • must not contain the database name
  • must not contain the user name or the reversed user name
  • must not contain oracle
  • must not be too simple, like welcome1
  • password must differ by at least 3 characters from the old password

ora12c_strong_verify_function

This function is provided to give stronger password complexity. It follows the recommendations of the Department of Defense Database Security Technical Implementation Guide (STIG) with the following limits:

  • Password at least 9 characters
  • at least 2 capital letters
  • at least 2 small letters
  • at least 2 digits
  • at least 2 special characters
  • password must differ by at least 4 characters from the old password
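To see how the building blocks fit together before touching a profile, here is an added example that is not Oracle's utlpwdmg.sql: a shell re-implementation of string_distance (Levenshtein) and complexity_check as described above, and of the two rule sets of ora12c_verify_function and ora12c_strong_verify_function, so that candidate passwords can be tried offline with the same outcome the profile would give. Function names are constructed for the example; SIMPLE_WORDS is a constructed subset modelled on the script's "too simple" list, so check utlpwdmg.sql for the authoritative one. Passwords are passed to awk with -v, so a backslash in a password would be interpreted as an escape; that is a limitation of this example, not of the PL/SQL function.

```shell
#!/bin/sh
# Added example, not Oracle's utlpwdmg.sql: shell versions of string_distance,
# complexity_check and the ora12c_verify_function / ora12c_strong_verify_function
# rule sets, for trying passwords offline. Function names are constructed.

# Levenshtein distance between two strings; awk fills the DP table.
string_distance() {
  awk -v s="$1" -v t="$2" 'BEGIN {
    n = length(s); m = length(t)
    for (i = 0; i <= n; i++) d[i,0] = i
    for (j = 0; j <= m; j++) d[0,j] = j
    for (i = 1; i <= n; i++)
      for (j = 1; j <= m; j++) {
        c = (substr(s,i,1) == substr(t,j,1)) ? 0 : 1
        v = d[i-1,j] + 1                       # deletion
        if (d[i,j-1] + 1 < v) v = d[i,j-1] + 1 # insertion
        if (d[i-1,j-1] + c < v) v = d[i-1,j-1] + c   # substitution
        d[i,j] = v
      }
    print d[n,m]
  }'
}

# Count the characters of $1 that belong to the tr character class $2.
count_class() { printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '; }

# complexity_check <pw> <chars> <letter> <upper> <lower> <digit> <special>
# Minimum counts, as in the PL/SQL helper; a double quote never counts as special.
complexity_check() {
  pw=$1
  [ "$(printf '%s' "$pw" | wc -c | tr -d ' ')" -ge "${2:-0}" ] &&
  [ "$(count_class "$pw" '[:alpha:]')" -ge "${3:-0}" ] &&
  [ "$(count_class "$pw" '[:upper:]')" -ge "${4:-0}" ] &&
  [ "$(count_class "$pw" '[:lower:]')" -ge "${5:-0}" ] &&
  [ "$(count_class "$pw" '[:digit:]')" -ge "${6:-0}" ] &&
  [ "$(printf '%s' "$pw" | tr -d '[:alnum:]"' | wc -c | tr -d ' ')" -ge "${7:-0}" ]
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }
reverse() { printf '%s' "$1" | awk '{ r = ""; for (i = length($0); i > 0; i--) r = r substr($0, i, 1); print r }'; }

# contains <haystack> <needle>, case-insensitive; an empty needle never matches.
contains() {
  [ -n "$2" ] || return 1
  case "$(lower "$1")" in *"$(lower "$2")"*) return 0 ;; esac
  return 1
}

# Constructed subset of the "too simple" words; the full list is in utlpwdmg.sql.
SIMPLE_WORDS="welcome1 database1 account1 user1234 password1 oracle123 computer1 abcdefg1 change_on_install"

# ora12c_verify <password> <username> <old_password> <db_name>   (rule set of ora12c_verify_function)
ora12c_verify() {
  pw=$1; user=$2; old=$3; db=$4
  complexity_check "$pw" 8 1 0 0 1 0 || { echo "need at least 8 chars, 1 letter, 1 digit" >&2; return 1; }
  contains "$pw" "$db" && { echo "must not contain the database name" >&2; return 1; }
  contains "$pw" "$user" && { echo "must not contain the user name" >&2; return 1; }
  contains "$pw" "$(reverse "$user")" && { echo "must not contain the reversed user name" >&2; return 1; }
  contains "$pw" oracle && { echo "must not contain oracle" >&2; return 1; }
  for w in $SIMPLE_WORDS; do
    [ "$(lower "$pw")" = "$w" ] && { echo "password is too simple" >&2; return 1; }
  done
  [ -n "$old" ] && [ "$(string_distance "$pw" "$old")" -lt 3 ] && { echo "must differ by at least 3 chars from the old password" >&2; return 1; }
  return 0
}

# ora12c_strong_verify <password> <username> <old_password> <db_name>   (rule set of ora12c_strong_verify_function)
ora12c_strong_verify() {
  pw=$1; old=$3
  complexity_check "$pw" 9 0 2 2 2 2 || { echo "need at least 9 chars, 2 upper, 2 lower, 2 digits, 2 special" >&2; return 1; }
  [ -n "$old" ] && [ "$(string_distance "$pw" "$old")" -lt 4 ] && { echo "must differ by at least 4 chars from the old password" >&2; return 1; }
  return 0
}
```

Each function returns 0 for an acceptable password and 1 with the failing rule on stderr otherwise, mirroring the RETURN(FALSE) branches of the PL/SQL functions; swapping the thresholds in the two wrapper functions is all it takes to model a custom profile.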

Conclusion

Oracle Database 12c brings a slightly enhanced utlpwdmg.sql script which can be adapted to custom requirements much more easily. Nevertheless, a DBA has to define a password verify function himself or run utlpwdmg.sql; Oracle does not enforce password complexity by default. It is recommended to define different profiles for different user groups, e.g. DBAs, application users, schema owners etc., and to use a password verify function as well. The examples in utlpwdmg.sql can and must be adapted to fulfil minimal security requirements.

Oracle released CPU / PSU July 2013

About a week ago Oracle released the July Critical Patch Update. Overall this CPU contains 89 new security fixes across several Oracle products like Database Server, MySQL Server, Sun Product Suite, WebLogic Server etc. For Oracle Database Server it contains 6 fixes, but none of them is for client-only installations. 1 of these vulnerabilities may be remotely exploitable without authentication. According to the Database risk matrix all supported versions are affected. Since the Critical Patch Update mainly fixes vulnerabilities in the core RDBMS and Oracle executables, it is worth having a closer look. I will test the Critical Patch Update on my test systems as usual, but I do not expect problems, since MOS Note 1546428.1 does not yet list any known issues. Be aware that Critical Patch Updates (CPU) are usually cumulative and contain previous security fixes. If you do not regularly apply Critical Patch Updates, it is essential to check the previous patch notes.

First Testing

The Critical Patch Update could easily be installed on Linux x86-64, but OPatch reports a few warnings. None of them prevents a successful installation. According to the Known Issues section in the patch readme and the two Metalink Notes 1448337.1 and 854711.1, the output can be safely ignored.

First Findings

After installing the patch and running catbundle I could identify a few changes in the hidden parameters. The following hidden parameters have been updated on my test system:

SQL> @hip _db_flash_cache_keep_limit

Parameter                  Session Instance   S I D Description
-------------------------- ------- ---------- - - - --------------------------------------------------
_db_flash_cache_keep_limit         217751120        Flash cache keep buffer upper limit in percentage

SQL> @hip _fastpin_enable

Parameter                 Session Instance   S I D Description
------------------------- ------- ---------- - - - --------------------------------------------------
_fastpin_enable                   217827585        enable reference count based fast pins

The following hidden parameter has been removed:

SQL> @hip _db_flash_cache_keep_limit

Parameter                   Session Instance   S I D Description
--------------------------- ------- ---------- - - - --------------------------------------------------
_thirteenth_spare_parameter                          thirteenth spare parameter - string

The strange thing is the following new hidden parameter:

SQL> @hip _july2013_cpu_admin_user_fix

Parameter                    Session Instance   S I D Description
---------------------------- ------- ---------- - - - --------------------------------------------------
_july2013_cpu_admin_user_fix                          july2013 cpu admin user fix

So far I could not figure out the purpose of the _july2013_cpu_admin_user_fix parameter. It looks somehow like a temporary fix for something. I assume it will disappear in the next Critical Patch Update in October 2014.

CPU Release Dates

The next four Critical Patch Updates will be released at the following dates:

  • 15 October 2013
  • 14 January 2014
  • 15 April 2014
  • 15 July 2014

References

Links all around Critical Patch Update:

  • Oracle Critical Patch Update Advisory – July 2013
  • Patch Set Update and Critical Patch Update July 2013 Availability Document [1548709.1]
  • Critical Patch Update July 2013 Database Known Issues [1546428.1]
  • Opatch warning: overriding commands for target xxxx [1448337.1]
  • Oracle Critical Patch Update July 2013 Documentation Map [1563067.1]
  • Use of Common Vulnerability Scoring System (CVSS) by Oracle [394487.1]
  • Risk Matrix Glossary — terms and definitions for Critical Patch Update risk matrices [394486.1]
  • Oracle Critical Patch Updates and Security Alerts on OTN including links to Critical Patch Update since january 2005

Error installing Audit Vault Agent 12.1.1 on AIX

The Problem

During the setup of the current Audit Vault Agent 12.1.1 on AIX I ran into issues. Depending on the configuration of the AIX environment, the agent cannot be installed at all.

avagent@host:/u00/app/avagent/ [avagent] java -jar agent.jar -d /u00/app/avagent/product/avagent
/u00/app/avagent/product/avagent/bin/agentctl[56]: LOGNAME: is read only
Error while executing command: [sh, /u00/app/avagent/product/avagent/bin/agentctl, fixperms]
avagent@host:/u00/app/avagent/ [avagent] 

The problem is in the for loop on line 56 of agentctl, where it tries to unset environment variables. Specifically, the environment variable LOGNAME cannot be unset: on our AIX system, LOGNAME is defined as read-only in /etc/profile, so the shell aborts the script as soon as the loop reaches it.

# Unset all env vars
#
# Note: the list expression after "in" was lost in extraction; the one below
# is an assumed stand-in that yields the names of all exported variables.
for var in $(env | sed 's/=.*//'); do
  $ECHO $var | $EGREP "$passthru" > /dev/null

  # If no match, i.e. not a passthru then unset
  # (this is the statement that fails for a read-only variable)
  if [ $? -eq 1 ]; then
    unset $var
  fi
done

The Solutions

Change OS default profile

One solution would be to change the default profile on the OS: open /etc/profile and comment out line 37. But I assume that for most of us changing the default profile is not an option.

# System wide profile.  All variables set here may be overridden by
# a user's personal .profile file in their $HOME directory.  However,
# all commands here will be executed at login regardless.

trap "" 1 2 3 
#readonly LOGNAME

Change the audit agent

The alternative solution is to update agent.jar and fix agentctl. Get the current agent.jar from the Audit Vault server and extract the agentctl script.

jar -xf agent.jar bin/agentctl

Update agentctl and add LOGNAME to the list of pass-through variables on line 46.

# Passthrough env vars
# Note: we passthru any vars with "-" invalid character
#
passthru='^TZ$|^LANG$|^LC_|^JAVA_HOME$|^PATH$|^PS1$|^LOGNAME$|-'

Put the updated agentctl script back into agent.jar and run a regular installation.

jar -uf agent.jar bin/agentctl
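The loop quoted above and the pass-through fix both hinge on one detail: `unset` on a read-only variable is a fatal error in the shells used here, so the whole installer dies. The following script is an added example (not Oracle's agentctl and not part of the original post) that rebuilds the same filter with the patched pattern and, in addition, probes each variable in a subshell before unsetting it, so a read-only variable is counted and skipped rather than killing the script. Variable names such as ORACLE_SID, AV_TMP and DEMO_RO are constructed for the demo; DEMO_RO stands in for the `readonly LOGNAME` from /etc/profile.

```shell
#!/bin/sh
# Added example, not Oracle's agentctl: a rebuild of the "unset everything
# except pass-through variables" loop that skips read-only variables instead
# of aborting on them (the "LOGNAME: is read only" failure on AIX).

# Pass-through pattern as patched in the post, with ^LOGNAME$ added.
passthru='^TZ$|^LANG$|^LC_|^JAVA_HOME$|^PATH$|^PS1$|^LOGNAME$|-'

# is_passthru NAME: succeed when NAME must be kept.
is_passthru() {
  printf '%s\n' "$1" | grep -E "$passthru" >/dev/null
}

# can_unset NAME: probe "unset" in a subshell. Unsetting a read-only variable
# fails (and in ksh/dash terminates the shell), but the subshell absorbs
# that, so the caller only sees a non-zero status.
can_unset() {
  ( unset "$1" ) 2>/dev/null
}

# classify_var NAME: print keep, unset or readonly.
classify_var() {
  if is_passthru "$1"; then
    echo keep
  elif can_unset "$1"; then
    echo unset
  else
    echo readonly
  fi
}

# clean_env NAME...: unset the variables that are neither pass-through nor
# read-only. The return status is the number of read-only names skipped,
# so a caller can log them instead of dying on them.
clean_env() {
  skipped=0
  for var in "$@"; do
    case "$(classify_var "$var")" in
      unset)    unset "$var" ;;
      readonly) skipped=$((skipped + 1)) ;;
      keep)     : ;;
    esac
  done
  return "$skipped"
}

# Constructed demo environment (not a real AIX profile): two ordinary
# variables, one pass-through variable and one read-only stand-in for LOGNAME.
ORACLE_SID=AVDB; export ORACLE_SID
AV_TMP=/tmp/av;  export AV_TMP
TZ=UTC;          export TZ
DEMO_RO=1;       readonly DEMO_RO
clean_env ORACLE_SID AV_TMP TZ LOGNAME DEMO_RO
echo "read-only variables skipped: $?"
echo "ORACLE_SID after clean_env: '${ORACLE_SID:-}' (unset), TZ: '$TZ' (kept)"
```

The subshell probe is the important design choice: `readonly -p` output differs between ksh, dash and bash, whereas a failed `unset` in a subshell is a portable, non-fatal signal in all of them. The same probe would also protect the script from any other variable a site profile has marked read-only, not just LOGNAME.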

The Bugfix

The problem was reported to Oracle and can be tracked using bug number 17058352.

By the way, if you're using a multi-line shell prompt, agentctl will fail on the same code on any OS. A simple workaround is to set a single-line prompt before running the installation.

Enterprise Manager Cloud Control 12c Release 3

Oracle just released Enterprise Manager Cloud Control 12c Release 3 for all supported platforms (see Oracle Enterprise Manager Downloads). I assume this release is related to Oracle Database 12c, which was released about a week ago.

The new release can immediately be downloaded on OTN for the following platforms:

What’s New in 12.1.0.3

According to the online documentation, this release includes the following new features:

Framework and Infrastructure

  • Simplified OMS Disaster Recovery
  • System Dashboard Enhancements
  • LDAP Integration Enhancements
  • Administrator Entitlement Summary Page
  • Auditing Enhancements
  • Enterprise Manager Command Line Interface With Scripting Option

Enterprise Monitoring and Incident Management Features

  • Flexible Editing of Administration Group Hierarchy
  • Metric Extensions Enhancements
  • All Metrics Chart Enhancements
  • Incident Manager Updates in 12.1.0.3
  • Target Down Root Cause Analysis
  • SLA Management Enhancements
  • Service Target Dashboard

Fusion Application Management Features

  • Oracle Fusion Applications Plug-in 12.1.0.4 Features

Database Management Features

  • Performance Diagnostics Enhancements

Middleware Management Features

  • Fusion Middleware Plug-in 12.1.0.4 Features
  • Application Replay Enhancements

Exadata Features

  • Exadata Plug-in

Siebel Features

  • Siebel Plug-in 12.1.0.3

Extensibility

  • Support for SQL Server 2012 (32-bit / 64-bit)

Cloud Management Features

  • Cloud Management Plug-in 12.1.0.5 Features
  • Cloud Management Plug-in 12.1.0.6 Features
  • Virtualization Management Plug-in 12.1.0.5 Features

Lifecycle Management Features

  • Change Activity Planner
  • Offline Patching – Uploading Patches to the Software Library Directly from Remote Patch Repositories

Resources

Links all around the Enterprise Manager, software, presentations and documentation:

Requirements

The requirements are still the same as for 12c Release 1 and Release 2. The following excerpt has been taken from the Oracle® Enterprise Manager Cloud Control Basic Installation Guide.

  • OS requirements: Oracle Linux 6, Oracle Linux 5.x, Red Hat Enterprise Linux 5.x, SUSE Linux Enterprise 10, SUSE Linux Enterprise 11, Asianux Server 3
  • Hardware requirements, OMS (small): 2 cores, 4 GB RAM (6 GB RAM with ADP and JVMD), 10 GB hard disk space (14 GB hard disk space with ADP and JVMD)