Wednesday, July 14, 2010

Oracle Security Baseline

Let's start my first post in this blog with a very important subject that everybody seems to care about but that is rarely well implemented: security, and all the precautions we must take to prevent or minimize the gaps that a database environment can have.

We can break security concerns down into many different perspectives, from application issues to infrastructure, but as a Database Administrator (DBA) we should focus on the database software and its configuration first. With this priority in mind, the first thing every DBA should guarantee is that the database software version is up to date, and when we talk about Oracle Databases that means having all the CPUs (Critical Patch Updates) and PSUs (Patch Set Updates) applied as soon as possible.

Whatever the known issues and myths around the Oracle "Unbreakable" campaign, and whatever David Litchfield (one of the leading authorities on database security) writes in his articles, there is no excuse for having your database exploited because you did not follow the 4 dates a year on which Oracle releases its software security updates (with all the vulnerabilities they are meant to fix).

A few days before the July 2010 CPU (Critical Patch Update), I decided to publish an easy how-to guide for applying the latest 10gR2 patchset, 10.2.0.5. There are some issues in this procedure, and it is always good to read the official Readme that comes with the patch; also, don't forget that to download any patch from Oracle you must have an up-to-date Support Contract and a valid account in the My Oracle Support tool.

First, verify your current database version, because many of the following steps depend on it. To check it, just run the SELECT below and confirm that you are on a 10.2.x version (this guide is based on that assumption; for further information, read the Readme):

SELECT *
FROM v$version;

Now go to the My Oracle Support site, open "Patches & Updates", click "Product or Family (Advanced Search)" and fill in the fields as follows (assuming you are on an x86_64 platform):

Product is: RDBMS Server
Release is: 10.2.0.5
Platform is: Linux x86-64
Type is: Patchset

After that, download the binary and the Readme document and transfer them to your database server, preferably into your OFA structure. Once that is done, unzip the patchset:

unzip p8202632_10205_Linux-x86-64.zip

Now we have some pre-installation steps to perform, but first it is important to know that some of the following steps apply only to a stand-alone installation (if you are in a RAC environment, read the official Readme).
Check that your time zone file version is OK:

SELECT version
FROM v$timezone_file;

If the result you get is different from 4, read the Readme (there are some notes about this, and if you use the Time Zone and Local Time Zone data types you could have trouble).

Now it is recommended that you take a physical backup of your database and a filesystem backup that includes your $ORACLE_HOME and oraInventory directories.

After this, stop all Oracle processes (of course we have downtime to update the software, unless you have Enterprise Edition and a Data Guard configuration); you must have SYSDBA privileges.

SHUTDOWN IMMEDIATE;

Stop the listener process (assuming you are on a Unix/Linux environment with the default listener name):

lsnrctl stop

Now start the installation process (this step assumes an interactive installation using a graphical client; you can streamline it with a response file). Go to the directory where you downloaded the file, enter the Disk1 directory and start the installer:

./runInstaller

During the installation process you will be asked for some information: where the Oracle software is installed and under which Oracle home name. Before the installation begins, some prerequisite checks are run, and it is very common that you need to tune your kernel parameters following the instructions given by this check. If you need to tune some parameters, here is an example of how to do it:

Edit the following file:

vi /etc/sysctl.conf

net.core.rmem_default = 1048576

Apply the modifications:

sysctl -p /etc/sysctl.conf
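As an added example (not from the original post), here is a small shell helper that adds or updates a parameter in a sysctl.conf-style file without leaving duplicate lines behind, which matters when the installer's prerequisite check sends you back to edit the file more than once. The function names, the sample file contents and the extra net.core.rmem_max parameter are assumptions; the only value taken from the post is net.core.rmem_default = 1048576. The demonstration writes to a temporary copy so it runs without root; on the server you would point it at /etc/sysctl.conf and then run sysctl -p /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example: idempotently set kernel parameters in a sysctl.conf-style file.
# Not part of the original post; helper names and the sample file are constructed.

# set_sysctl_param FILE KEY VALUE
# Rewrites "KEY = VALUE" in place if KEY is already present (however it is
# spaced around the "="), otherwise appends it, so repeated runs never leave
# duplicate entries behind. Keys are matched exactly, so a commented-out line
# such as "# net.core.rmem_default = ..." is left alone and a live line is added.
set_sysctl_param() {
  file=$1; key=$2; value=$3
  tmp="$file.tmp.$$"
  [ -f "$file" ] || : > "$file"
  awk -F'=' -v k="$key" -v v="$value" '
    { lhs = $1; gsub(/^[ \t]+|[ \t]+$/, "", lhs) }
    lhs == k { print k " = " v; found = 1; next }
    { print }
    END { if (!found) print k " = " v }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sysctl_param FILE KEY
# Prints the value configured for KEY (empty when the key is absent).
get_sysctl_param() {
  awk -F'=' -v k="$2" '
    { lhs = $1; gsub(/^[ \t]+|[ \t]+$/, "", lhs) }
    lhs == k { val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val); print val }
  ' "$1"
}

# Demonstration on a constructed copy of sysctl.conf, so it runs without root.
# On the real server use /etc/sysctl.conf and then: sysctl -p /etc/sysctl.conf
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# constructed sample sysctl.conf
net.core.rmem_default = 262144
fs.file-max=65536
EOF
set_sysctl_param "$demo_file" net.core.rmem_default 1048576   # value from the post
set_sysctl_param "$demo_file" net.core.rmem_max     1048576   # assumed extra parameter
cat "$demo_file"
rm -f "$demo_file"
```

Because the match is on the exact key, re-running the helper after the installer's check has changed its mind about a value simply rewrites the one line, and you can diff the file before and after to see exactly what the patch procedure touched on the host.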

Now retry the configuration checks and, if no warning pops up, begin the installation. At the end of the process you will be asked to execute the famous root.sh script as root.

After the installation process ends, you should perform some post-installation steps. The first one is to change some file permissions to grant access to some client software; to do that, execute the following script:

cd $ORACLE_HOME/install
./changePerm.sh

Now run the database upgrade check: first start the database in UPGRADE mode (as a SYSDBA user) and run the Pre-Upgrade Information Tool:

cd $ORACLE_HOME

sqlplus sys as sysdba

STARTUP UPGRADE;

@./rdbms/admin/utlu102i.sql

This script will list all the adjustments you must make before the database upgrade; once you have made sure everything is OK, upgrade your database:

@./rdbms/admin/catupgrd.sql

Restart the database and verify that all components are OK:

SHUTDOWN IMMEDIATE;
STARTUP;

SELECT comp_name, version, status
FROM sys.dba_registry;
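The version check at the start of the procedure and this registry check are the two gates of the patch: do not start unless the base release is 10.2.x, and do not hand the database back until every component is VALID at the new release. As an added example, not part of the original post, the shell functions below read SQL*Plus spool files of those two queries and apply both gates. The spool settings, function names and sample rows are constructed, and the example assumes that DBA_REGISTRY reports the release as 10.2.0.5.0 after the patchset.

```shell
#!/bin/sh
# Added example: gate and verify the patch from SQL*Plus spool output.
# Not part of the original post; function names and sample rows are constructed.
#
# Assumed spool, run in SQL*Plus before (version) and after (registry) the upgrade:
#   SET PAGESIZE 0 FEEDBACK OFF HEADING OFF TRIMSPOOL ON
#   SPOOL version.lst
#   SELECT * FROM v$version;
#   SPOOL OFF
#   SPOOL registry.lst
#   SELECT comp_name || '|' || version || '|' || status FROM sys.dba_registry;
#   SPOOL OFF

# check_base_version FILE
# Prints the release from the "Oracle Database ..." banner line and returns 0
# only for a 10.2.x release, which is the assumption this guide is based on.
check_base_version() {
  rel=$(awk '/^Oracle Database/ {
           for (i = 1; i <= NF; i++) if ($i == "Release") { print $(i + 1); exit }
         }' "$1")
  [ -n "$rel" ] || { echo "no Oracle Database banner found"; return 1; }
  echo "$rel"
  case "$rel" in
    10.2.*) return 0 ;;
    *)      return 1 ;;
  esac
}

# check_registry FILE EXPECTED_VERSION
# Reports every component that is not VALID or not at EXPECTED_VERSION and
# returns 1 if any was found (or if the spool is empty), 0 otherwise.
check_registry() {
  awk -F'|' -v want="$2" '
    NF < 3 { next }                                   # blank lines, SQL*Plus noise
    {
      name = $1; ver = $2; st = $3
      gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", ver); gsub(/^[ \t]+|[ \t]+$/, "", st)
      total++
      if (st != "VALID") { bad++; printf "NOT VALID : %s (%s)\n", name, st }
      if (ver != want)   { bad++; printf "VERSION   : %s is %s, expected %s\n", name, ver, want }
    }
    END {
      if (total == 0) { print "no components found"; exit 1 }
      printf "%d component(s) checked, %d problem(s)\n", total, bad + 0
      exit (bad > 0)
    }
  ' "$1"
}

# Demonstration on constructed spool files (the INVALID row is deliberate).
ver_file=$(mktemp); reg_file=$(mktemp)
cat > "$ver_file" <<'EOF'
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
PL/SQL Release 10.2.0.4.0 - Production
EOF
cat > "$reg_file" <<'EOF'
Oracle Database Catalog Views|10.2.0.5.0|VALID
Oracle Database Packages and Types|10.2.0.5.0|VALID
Oracle XML Database|10.2.0.4.0|INVALID
EOF
check_base_version "$ver_file" && echo "base release is 10.2.x, patchset applies"
check_registry "$reg_file" 10.2.0.5.0 || echo "registry needs attention before reopening the database"
rm -f "$ver_file" "$reg_file"
```

Spooling the registry with an explicit '|' separator avoids guessing column widths in SQL*Plus output, and a non-zero return from check_registry is a natural place to stop an unattended patch run before the listener is started again.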

Recompile any invalid objects:

@./rdbms/admin/utlrp.sql

Upgrade your recovery catalog, if you have one:

$ORACLE_HOME/bin/rman catalog username@alias
UPGRADE CATALOG;

You must enter the UPGRADE CATALOG command twice (the second time confirms it). After that you can start the listener process again, and finally you are ready to start using the database again.

lsnrctl start

The last known issue I should mention is that if you have a monitoring daemon that greps your alert log file, as I do, you will see that the date mask in the alert log changes after you patch your database; test it and you will see.

Remember that this is just the first thing you should do when implementing an Oracle security baseline, and although it is very simple to apply, there are many companies that don't.

2 comments:

  1. Great post!
    Go ahead with more excellent posts, ok?

    Lílian Barroso

  2. It's really an excellent post, which includes lots of interesting concepts that are really helpful to all. Thanks.. Oracle Goldengate