Tag: Osama mustafa

Step By Step Install Database Vault On 10g

Posted on by Osama Mustafa in Database
Oracle Database Vault restricts access to specific areas in an Oracle database from any user, including users who have administrative access. For example, you can restrict administrative access to employee salaries, customer medical records, or other sensitive information.
You configure Oracle Database Vault to manage the security of an individual Oracle Database instance. You can install Oracle Database Vault on standalone Oracle Database installations, in multiple Oracle homes, and in Oracle Real Application Clusters (Oracle RAC) environments.
Today i will provide step by step how to install Database Vault on Oracle Database 10g, Notice to install it you should upgrade your database at least to 10.2.0.3 to avoid any errors.
Database Vault is very useful to protect your data from users such as DBA who has access to all tables , But the questions is who is control database vault ?
Usually there are two users to control it , Database vault owner this user is granted the DV_Owner role and can manage database role and configurations, the username must be minimum 2 and maximum 30 character , the password for this user should be complex.
another user called : Database Vault manager which is granted DV_ACCTMGR role, and used to manage database user account , this user is created to facilitate separation duties which mean while you install you can only create one user do all this jobs , the username should be minimum 2/maximum 30 character and the password is complex .
The below is screen-shot for installing Database Vault (Notice Database and Listener should be shutdown) :


Thank you 
Osama Mustafa


Oracle Security Case Study

Posted on by Osama Mustafa in Others
Does your security procedure protect your data?

In most of the companies , there is access to Email Systems, Intranet , networks and internet , most of these user are using the application that connected to Database ( assume that it’s Oracle Database).

By Creating Security Procedure to protect database and what this database contain you create hard environment to deal with  since the three compentents are availability,  integrity and secuirty which mean if you increase the security then integrity will not be on the same level and so on,The Oracle database has several layers of security and provides auditing functionality at each level. most of then mention in Oracle Security Section website.

  • Password management : One of the basic steps to Enforce user to follow the rules such as : password expiration, limit password reuse, limit the number of failed logon attempts, force password complexity, lock and expire database accounts
  •     Database Auditing to monitor user activity.
  •     Fine Grained Auditing to define specific conditions necessary for an audit record to be generated, resulting in a more meaningful audit trail
  •     Database Resource Manager to set resource limits and quotas on the amount of various system resources available to users
  •     Roles to manage object privileges
  •      Oracle Label Security for more sophisticated row level security
  •     Data Encryption to provide an additional layer of protection
Which Kind Of Security Plan you follow , Do you think the Basic Steps to Secure Database will be enough or should someone enable auditing , install database firewall …. when you answer consider that more security means it will be hard to deal with application and environment.
tell me your case about the security ? what you think ?
Thank you 
Osama mustafa  

 

Limit The Access To The Database

Posted on by Osama Mustafa in Database
In this Article, i explain how to limit access to database for only one user per schema which mean one concurrent user per schema.

Resource_limit should set to True

SQL> show parameter resource

NAME                                 TYPE        VALUE
———————————— ———– ——————————
resource_limit                       boolean     TURE
resource_manager_plan                string

After change this parameter Bounce database.

Connect to database using sysdba privileges 

sqlplus / as sysdba

create profile Only_one_user limit sessions_per_user 1;

Create New User/modify old one depend on what you want:

create user test identified by test profile Only_one_user;
grant connect to test;

Now Try to connect to this user using more than one terminal, if you did you will receive error

ORA-02391: exceeded simultaneous SESSIONS_PER_USER limit

Thank you
Osama Mustafa

Most Common Dbcontrol issue

Posted on by Osama Mustafa in Database
After while on Different oracle Forums, I notice that people Facing lot of issues with dbcontrol/dbconsole, Today i will post the most common Issue about dbcontrol and how to solve it.

Notice that sometime the Solution will be different Regarding to DB version and OS Version I will Post Some MOS notes that could help you. Sometimes you need to apply Patch and on other hand there’s Workaround.

Error #1 : 

Exception in thread “main” oracle.sysman.emcp.exception.DatabaseUnavailableException: Database instance unavailable

Solution :

  1. -Make Sure you Database is Up and Running.
  2. -Set/export ORACLE_SID.
  3. -Check if Database registered with Listener.

You can get back to this MOS note :
EMCA fails with “SEVERE: Database instance unavailable” [ID 750697.1]

EMCA fails with Database Instance is unavailable. Fix the ORA error thrown and run EM Configuration Assistant again. [ID 1511262.1]

Creating dbconsole 11.2 fails with “Exception in thread “main” oracle.sysman.emcp.exception.DatabaseUnavailableException: Database instance unavailable” on Windows [ID 1332546.1]

Error #2:

Running EMCA fails with “SEVERE: Invalid username/password”

Solution :

  1. -Make Sure You Insert Correct Password.
  2. -In Some Version you can use “Password” 
  3. -Recreate Password File.

You can Get back to this MOS note :
Problem: Running EMCA fails with “SEVERE: Invalid username/password” [ID 744176.1]

EMCA fails with SEVERE: Invalid username/password or database/scan listener not up or database service is not registered with scan listener. [ID 1330272.1]

Error  #3:

WARNING: ORA-01031: insufficient privileges

Solution

You need to check the logs, different error could be appear.

Failed to unlock all EM-related accounts

Alter User Identified By

Also Check MOS Notes :
Troubleshooting the ‘ORA-01031: insufficient privileges’ error when using EMCA to Create or Drop DBconsole [ID 358201.1]

Error #4:

SEVERE: Listener is not up or database service is not registered with it. Start the Listener and register database service and run EM Configuration Assistant again .

Solution :

  1. – set/export ORACLE_SID
  2. -Check your Listener.
  3. -Check if Database Registered.

Check the below MOS note :

Troubleshooting the EMCA Error “ORA-12514” “Listener is not up. Start the Listener and run EM Configuration Assistant again” When Creating or Dropping DBConsole [ID 368591.1]

EMCA Fails With Error “ORA-12541: TNS:no listener” and “Listener is not up. Start the Listener and run EM Configuration Assistant again” [ID 975024.1]

Using Production Data is this Right ?

Posted on by Osama Mustafa in Others
Production Data Contain Sensitive information should not be shared with unauthorized people this data contain financial , Account Number , ATM passwords  … , Most of the company contain Developers team to support applications and modify the code as they need it, But the developers need data to test the code, How to get this data, This the Question ?

I seen lot of Company Use Production Data on development database/Test Database because it’s great for testing,really easy and No cost for doing this but  is this right ? My View On this Topic No production data is allowed on the development. There’s lot of point to discuss to proof exactly what i mean and if it’s necessary to use it then hide it with multiple ways i will talk about it.

There is a lot more chance that the data may be compromised,This data should be removed and sanitized to make it anonymous / De-personalized.I read lot of articles every article explain something different for example This article support using Prod Data. after reading this blog ask yourself one question how the production  make job easier ? by let developer/unauthorized people looking to customer Data !!!!  Different point of view Customer want their data to be secure and the employees want to test the code and something easy and real to use.

Check this The Ponemon Institute has come out with some interesting (and scary) data on data security during development and testing.

 This chart shows what Breach of data. It shows a lot of sensitive data such as card holder data, customer data, credit card information and business confidential information.

Personally I prefer to use a subset or dummy data use Red-Gate Data Generator, 
There’s lot of security issue can be lead by Using Prod data for testing/development such as  severely compromise its confidentiality, even leading to legal action.

Take this example Hannaford Brothers,In March, the Maine-based Hannaford Brothers grocery store chain
announced that 4.2 million customer card transactions had been compromised by the hackers. More than 1800 credit card numbers were immediately used for fraudulent transactions.

after all this examples is it Ok to use Prod Data On test ?  Do you have a legitimate reason?  do you have
Security,Encryption, Firewalls, Breech Detection , Include to that There’s difference Security Rules On prod data and Test Data , Production database For authorized People, Privacy, Auditing,  Roles , Privileges lot of conditions to access it. on the other hand Development data Frequently wide open,Dozens  of employees  have access, Access from many to unlimited places, Home access And you still Want to use Production Data ? Do you programs care or know the difference ?

Some Rules you have to follow :

  • Make your employees aware of the policies and procedures.
  • If it is  possible to not use production data, take that option.use  alternate ways of testing scenarios.
  • Ensure that production data is masked or scrubbed when it is moved out of the production environment.

if it’s necessary to use your Production Data Then Do it right by scrambling (Scrambling is the function of replacing a character (or byte) of data with a different character (or byte) of data) Oracle Provide you with solutions to do that called data masking By write your own function that will Scramble data for you.
another option could be use is encryption (Encryption is a series of algorithms used to encrypt data into nonsensical characters (not in the English alphabet)). There’s Another way you can hide production data NULL’ing Out,Substitution, Gibberish Generation ….

 Finally Using live data in non-production is either illegal or expensive. For the companies using it illegally, it’s only a matter of time before somebody slips up and the practice is discovered

Using live data in non-production is either illegal or expensive. For the companies using it illegally, it’s only a matter of time before somebody slips up and the practice is discovered. For the companies paying extra to keep their developers compliant, they’ll find themselves resistant to new development and undercut by companies who’ve used their data in a strategic way. In the long run, the tiny benefit is just not worth the risk. – See more at: http://www.businesscomputingworld.co.uk/are-you-using-live-customer-data-outside-of-your-production-database/#sthash.8r06L9KL.dpuf

Using live data in non-production is either illegal or expensive. For the companies using it illegally, it’s only a matter of time before somebody slips up and the practice is discovered. For the companies paying extra to keep their developers compliant, they’ll find themselves resistant to new development and undercut by companies who’ve used their data in a strategic way. In the long run, the tiny benefit is just not worth the risk. – See more at: http://www.businesscomputingworld.co.uk/are-you-using-live-customer-data-outside-of-your-production-database/#sthash.8r06L9KL.dpuf

Read Ponemon Institute Report

Thank you
Osama Mustafa

What is ORA-00600

Posted on by Osama Mustafa in Database
The ORA-600 error is the generic internal error number for Oracle program exceptions. It indicates that a process has encountered a low-level, unexpected condition.

ORA 600 “internal error code, arguments: [%s], [%s],[%s], [%s], [%s]”

and you should it’s different Oracle errors , Because when you see this error then it’s indicating for bugs, the above is general description for the error the first characterset / Number is is used with database version to identify the problem by oracle support. and maybe you will find related document on https://support.oracle.com.

When you face this error you should check the below document searching for some Notes/Patch could help you :

 Note 600.1 ORA-600/ORA-7445 Lookup tool

You need to Choose database version ( 4 digit ) and First argument in the error, also for more information how to use this tool :

 Note 1082674.1 : A Video To Demonstrate The Usage Of The ORA-600/ORA-7445 Lookup Tool [Video]

Notice when you check the alert log and see this error, a trace file is generated and an entry is written to the alert.log with details of the trace file location, trace file provide you with more information about the error that could help you to solve it. you can check the below document how to use trace file :

Note 453125.1 11g Diagnosability Frequently Asked Questions
Note 443529.1 11g Quick Steps to Package and Send Critical Error Diagnostic Information to Support[Video]

Most Common Reason for ORA-00600 File-Corruption, Failure in Hardware, I/O , or memory, to solve this error you need to do some steps before Open Services Request :

  1. Check Alert Log .
  2. Don’t forget to look at the Ora-00600 Tools.
  3. If you find any Notes related to your problem  use it and read it carefully.
  4. The last option you could help is contact Oracle Support by open Services Request but provide the full information such as:
      1. alertlog for database.
      2. Traces.
      3. If any change happened lately included with SR.
      4. I post About RDA it’s useful to use it when you open SR.

Thank you
Osama Mustafa

ORA-01031: insufficient privileges When Start Windows Services

Posted on by Osama Mustafa in Database
this common error in windows, and you can be occur for more than one reason and you need to check them all to make sure you did everything is right, the error prevent the oracle services to start automatically and if you check

ORADIM.LOG….
**************************
C:\Oracle\Ora11g\bin\oradim.exe -startup -sid ptdb -usrpwd * -log oradim.log -nocheck 0
Thu Nov 15 15:16:15 2012
ORA-01031: insufficient privileges

You have to check :

1- startup type for the services ( if it’s set automatically )
2- Group to user ( the user should be in ORA_DBA Group )
3 – you can check log on tab in the service properties and set the username and password who responsible about this services and can do it by:

Go to Control Panel -> Administrative Tools -> Services .

Choose oracle services and then
click “properties”. Select the “Log On” tab and note the account that is set to run the service.

Thank you
Osama mustafa

Remote Diagnostic Agent

Posted on by Osama Mustafa in Database
RDA : It’s utility collect diagnostics information about an Oracle environment, And could be downloaded from https://support.oracle.com for every Operating system there’s specific version for RDA.

RDA is Command Line diagnostic tool that is executed by an engine written in the Perl programming language,The data captured provides Oracle Support with a comprehensive picture of the customer’s environment which aids in problem diagnosis, You can check the below MOS Note :
Remote Diagnostic Agent (RDA) 4 – FAQ [ID 330363.1]

Oracle Support encourages the use of RDA because it greatly reduces service request resolution time by minimizing the number of requests from Oracle Support for more information.RDA Support Most Of Operating system.and also it’s supported for Most Oracle Products.

But why should i use RDA, as i mention before oracle support encourages to use RDA to collect information and also there’s another reasons to use it :

  •  Oracle Fusion Middleware issues
  • Oracle Collaboration products.
  • Oracle Application issues.
  • Installation/configuration issues
  • Performance issues
  • ORA-600, ORA-7445, ORA-3113.
  • Upgrade and migration.
  • Developer issues
  • Oracle Database issues

The Simplest way to review RDA Output is using Html , Web browsing since after run rda.sh the output will generate on the same RDA Folder. (RDA_Output).

After review MOS note :
RDA 4 – Health Check / Validation Engine Guide [ID 250262.1]

after finishing from  a prerequisite system you need to need check before installation of an oracle product.This special check should be done in addition to the installation document and the check inside the installer,The utility called RDA with a module for Health Check called HCVE.

./rda.sh -T hcve

The sample output could be like the below :

Test Results
~~~~~~~~~~~~
ID NAME RESULT VALUE
===== ====================

20 User in /etc/passwd? PASSED userOK
30 Group in /etc/group? PASSED GroupOK

 Thank you
Osama Mustafa

 

Nmap and Oracle – Security Topics

Posted on by Osama Mustafa in Others
The First Question came to my mind when post this topic, What is the relation between NMAP and Oracle ? for the people who doesn’t know what is the NMAP i will talk about it but it will not be enough to give this amazing tool what its deserve .

Nmap is a powerful tool that is capable of generating a multitude of signatures depending on how it is used. However, if we understand the operation of the tool in general, it is easier to recognize its overall signature in network traffic. Dissecting the signature into sub-patterns one can differentiate between fingerprinting attempts that were successful and those that were not. It is important to understand that we have examined only one of the scan types that nmap can perform, the SYN half-open stealth scan. Several other scans are supported by Nmap: Tcp connect, FIN, Xmas, NULL, udp, ping, and even ftp-bounce. Expect to see these in the near future.

There’s lot of features Nmap can provide it to you : Host discovery, Port Scanning , OS detection , Auditing the security of a device by identifying the network connections, and Version detection

They Are two version of this Tools Command line version ( powerful one ) and GUI Version This tools available on  Windows and Linux and if you decide to go with Command line you need to be experts to do that since its need lot of practice.

You can check how the GUI and Command line look like in the below pictures :

provides all the information that is needed for a well-informed, full-fledged, precisely targeted assault on a network. Such an attack would have a high probability of success, and would likely go unnoticed by organizations that lack intrusion detection capabilities.

But how can i use Nmap with Oracle, when i do some penetration testing i use this tool as command line to dicover the vulnerability, when oracle database installed on server it‘s allow to use ports in server which maybe cause vulnerability ( the simplest Way to describe ) I cannot post everything about NMAP here since i will need new book to talk about it.
  
the Below some examples that you could use note that I use command line version, For Example something Called Oracle Query runs a given query against the Oracle database server and returns the results   

nmap -p 1521 –script oracle-query –script-args 

another one could be used called Oracle hash dump which dump the database password hashes from Oracle and MS-SQL. The results are returned in format suitable and could be store in file.

For Example : CVE-2012-3137 vulnerability,. The vulnerability exists in Oracle 11g R1/R2 and allows linking the session key to a password hash. When initiating an authentication attempt as a valid user the server will respond with a session key and salt. Once received the script will disconnect the connection thereby not recording the login attempt. The session key and salt can then be used to brute force the users password, there’s patch to fix this security issue.

To avoid such an issue you should Apply Oracle security Patches, CPU patches , And OS Patches by doing maintenance like this you can minimize Vulnerability that could be happened

Thank you 
Osama Mustafa

AWR Vs StatPack

Posted on by Osama Mustafa in Database
When you face performance issue in database the first thing coming to your mind is Automatic Workload Repository (AWR) or STATPACK reports but what is the difference between them, in this article i will try to mention as much as i can the difference between them.

1-you should be aware that AWR not exists in database 9i so you forced to use statepack, include to that steps to generate AWR much easier than STATPACK.

2-AWR hold all the information and statistics that exists in STATPACK, include to that AWR hold Additional Information.

3- in AWR you will find information called Active Session History ( ASH ) which is not exists in STATPACK.

4- To generate STATPACK you should Run Procedure to enable snapshot, you can use DBMS_JOB or schedule it using crontab.

5- AWR snapshots provide a persistent view of database statistics. A snapshot is a collection of performance statistics that are captured at a specific point in time,AWR snapshots are scheduled every 60 minutes by default.

 6- Statspack snapshot purges must be scheduled manually otherwise AWR snapshots are purged automatically using MMON.

Thank you
Osama Mustafa