How to Enable Minimal Auditing in Oracle?

In Oracle 10g, auditing is not enabled by default.
For new Oracle 11g databases, auditing is enabled by default. Unfortunately, Oracle does not set up any housekeeping for it. To make sure that you do not end up with a full AUDIT_TRAIL, you have to either switch off auditing or define some housekeeping jobs. With DBMS_AUDIT_MGMT this is a pretty easy job. It is easy enough that it is worth thinking about having some kind of rolling audit window: define a retention time that is short enough to save disk space, but long enough to keep access to the audit information of the last hours or days.
Refer to: Database Audit and Audit Trail Purging
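
A rolling audit window of the kind described above can be set up with DBMS_AUDIT_MGMT and DBMS_SCHEDULER as follows. This is an added example, not code from the original page; the 7-day retention and the job names AUDIT_ADVANCE_TS and AUDIT_PURGE_STD are assumptions.

```sql
-- Added example: rolling 7-day window for the standard audit trail (SYS.AUD$).
-- Run as SYS (or a user with EXECUTE on DBMS_AUDIT_MGMT and CREATE JOB).
-- The 7-day retention and both job names are assumptions, not from the page.
BEGIN
  -- One-time setup. INIT_CLEANUP also relocates AUD$ out of SYSTEM (to SYSAUX
  -- unless another tablespace was configured), so run it in a quiet period.
  IF NOT DBMS_AUDIT_MGMT.IS_CLEANUP_INITIALIZED(
           DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD) THEN
    DBMS_AUDIT_MGMT.INIT_CLEANUP(
      audit_trail_type         => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
      default_cleanup_interval => 24);  -- hours
  END IF;

  -- Set the first "archived up to" mark now. AUD$ stores timestamps in UTC,
  -- so the mark is passed in UTC as well.
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    last_archive_time => SYS_EXTRACT_UTC(SYSTIMESTAMP) - INTERVAL '7' DAY);

  -- Job 1: move the mark forward every day so the window keeps rolling.
  DBMS_SCHEDULER.CREATE_JOB(
    job_name        => 'AUDIT_ADVANCE_TS',
    job_type        => 'PLSQL_BLOCK',
    job_action      => 'BEGIN DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP('
                    || 'DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD, '
                    || 'SYS_EXTRACT_UTC(SYSTIMESTAMP) - INTERVAL ''7'' DAY); END;',
    start_date      => SYSTIMESTAMP,
    repeat_interval => 'FREQ=DAILY;BYHOUR=1;BYMINUTE=0',
    enabled         => TRUE,
    comments        => 'Advance audit archive mark (rolling window)');

  -- Job 2: purge records older than the mark, once a day.
  DBMS_AUDIT_MGMT.CREATE_PURGE_JOB(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    audit_trail_purge_interval => 24,  -- hours
    audit_trail_purge_name     => 'AUDIT_PURGE_STD',
    use_last_arch_timestamp    => TRUE);  -- FALSE would purge the whole trail
END;
/

-- Verify: current mark and the registered purge job.
SELECT audit_trail, last_archive_ts FROM dba_audit_mgmt_last_arch_ts;
SELECT job_name, job_status, audit_trail FROM dba_audit_mgmt_cleanup_jobs;
```

If audit records must be retained for compliance, copy them off the database before the purge job removes them.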

 

 

 

Guideline for hiding EncryptionKey while using DBMS_CRYPTO.

HI

F.Y.I. Only

There is a single custom, user-developed package that has two customized functions: encrypt and decrypt.

Four simple steps to configure PL/SQL DBMS_CRYPTO:
1. Modify the EncryptionKey in this package, inside the encrypt function.
2. Wrap the package code and generate the SQL file using the Wrap utility (a standalone programming utility that encrypts PL/SQL source code).

3. The package source code is then unreadable to anyone, even the owner of the package, such as a DBA or developer.
4. This way we can hide the encryption logic completely from everyone.
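
The four steps above, as an added example that is not the package from the linked demo: the package name crypto_demo, the constant c_key, the key bytes and the file names are constructed placeholders, and the key is held in a private body constant so that encrypt and decrypt share it. Oracle's PL/SQL documentation notes that wrapping is not a secure method for hiding passwords, so also restrict access to the unwrapped source file and to EXECUTE on the package.

```sql
-- Added example. crypto_demo, c_key and the key bytes are constructed
-- placeholders. The package owner needs EXECUTE on SYS.DBMS_CRYPTO.
CREATE OR REPLACE PACKAGE crypto_demo AS
  FUNCTION encrypt(p_plain  IN VARCHAR2) RETURN RAW;
  FUNCTION decrypt(p_cipher IN RAW)      RETURN VARCHAR2;
END crypto_demo;
/
CREATE OR REPLACE PACKAGE BODY crypto_demo AS
  c_mode CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                               + DBMS_CRYPTO.CHAIN_CBC
                               + DBMS_CRYPTO.PAD_PKCS5;
  -- Step 1: the EncryptionKey (32 bytes for AES-256). Placeholder value only.
  c_key  CONSTANT RAW(32) := HEXTORAW(
    '000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F');

  FUNCTION encrypt(p_plain IN VARCHAR2) RETURN RAW IS
    l_iv RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);  -- fresh IV per call
  BEGIN
    -- Output layout: 16-byte IV followed by the ciphertext.
    RETURN UTL_RAW.CONCAT(l_iv, DBMS_CRYPTO.ENCRYPT(
             src => UTL_I18N.STRING_TO_RAW(p_plain, 'AL32UTF8'),
             typ => c_mode, key => c_key, iv => l_iv));
  END encrypt;

  FUNCTION decrypt(p_cipher IN RAW) RETURN VARCHAR2 IS
  BEGIN
    RETURN UTL_I18N.RAW_TO_CHAR(DBMS_CRYPTO.DECRYPT(
             src => UTL_RAW.SUBSTR(p_cipher, 17),
             typ => c_mode, key => c_key,
             iv  => UTL_RAW.SUBSTR(p_cipher, 1, 16)), 'AL32UTF8');
  END decrypt;
END crypto_demo;
/
-- Step 2: save the body as its own file and wrap it before deployment
-- (run from the OS shell; file names are placeholders):
--   wrap iname=crypto_demo_body.sql oname=crypto_demo_body.plb
-- then load crypto_demo_body.plb instead of the clear-text file.

-- Step 3 check: the first stored source line of a wrapped body ends in "wrapped".
SELECT text FROM user_source
 WHERE name = 'CRYPTO_DEMO' AND type = 'PACKAGE BODY' AND line = 1;

-- Round trip with a constructed sample value; returns the input string.
SELECT crypto_demo.decrypt(crypto_demo.encrypt('sample-value-123')) FROM dual;
```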

Demo
http://oracleflash.com/41/Encrypt-or-Decrypt-sensitive-data-using-PLSQL—DBMS_CRYPTO.html

Reference
http://www.dba-oracle.com/t_dbms_crypto.htm

How to Protect your Server Against the Shellshock Bash Vulnerability?

There is a new security flaw in Bash, called Shellshock, affecting Linux nodes. It is a major vulnerability.

Please check whether your Linux nodes are affected by this security flaw, and prepare a plan for patching it.
The Shellshock vulnerability can be exploited on systems that are running services or applications that allow unauthorized remote users to assign Bash environment variables. Examples of exploitable systems include the following:
- Apache HTTP Servers that use CGI scripts (via mod_cgi and mod_cgid) that are written in Bash or launch Bash subshells
- Certain DHCP clients
- OpenSSH servers that use the ForceCommand capability
- Various network-exposed services that use Bash

For more details, please refer to the link below:

Resolution

[root@kvmpri01-vm05 ~]# rpm -qa | grep bash
bash-4.1.2-14.el6.x86_64
[root@kvmpri01-vm05 ~]#
[root@kvmpri01-vm05 ~]#
[root@kvmpri01-vm05 ~]# bash --version
GNU bash, version 4.1.2(1)-release (x86_64-redhat-linux-gnu)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
[root@kvmpri01-vm05 ~]#
[root@kvmpri01-vm05 ~]#
[root@kvmpri01-vm05 ~]# env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash is vulnerable!
Bash Test

sftp> put bash-4.1.2-15.el6_5.2.x86_64.rpm
Uploading bash-4.1.2-15.el6_5.2.x86_64.rpm to /root/bash-4.1.2-15.el6_5.2.x86_64.rpm
100% 905KB 905KB/s 00:00:00

[root@kvmpri01-vm05 ~]# rpm -Uvh bash-4.1.2-15.el6_5.2.x86_64.rpm
warning: bash-4.1.2-15.el6_5.2.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
Preparing... ########################################### [100%]
1:bash ########################################### [100%]
[root@kvmpri01-vm05 ~]#
[root@kvmpri01-vm05 ~]# env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash Test

[root@kvmpri01-vm05 ~]# which bash
/bin/bash

[root@kvmpri01-vm05 ~]# bash --version
GNU bash, version 4.1.2(1)-release (x86_64-redhat-linux-gnu)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Hiding the password

Initialization parameter

NAME                 TYPE    VALUE
-------------------- ------- --------------------
os_authent_prefix    string  ops$

in my init.ora. I then:

create user ops$tkyte identified externally;

grant connect to ops$tkyte;

useradd tkyte
usermod -G oinstall,dba tkyte
passwd tkyte

cd /home/oracle
cp .bash_profile /home/tkyte

su - tkyte

bash-3.2$ sqlplus /

SQL*Plus: Release 11.2.0.3.0 Production on Mon Mar 3 18:48:08 2014

Copyright (c) 1982, 2011, Oracle. All rights reserved.

ERROR:
ORA-12547: TNS:lost contact

-3.2$ cd $ORACLE_HOME/bom
-bash: cd: /home/oracle/u01/app/oracle/product/11.2.0/db_1/bom: No such file or directory
-bash-3.2$ cd $ORACLE_HOME/bin
-bash-3.2$ ls oracle
oracle
-bash-3.2$ ls -ltr oracle
-rwxr-x--x 1 oracle oinstall 232399473 Aug 9 2013 oracle

-bash-3.2$ sqlplus /

SQL*Plus: Release 11.2.0.3.0 Production on Mon Mar 3 19:08:31 2014

Copyright (c) 1982, 2011, Oracle. All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> show user
USER is "OPS$TKYTE"
SQL> exit
Disconnected from Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

-bash-3.2$ expdp userid=/ full=y

http://www.dadbm.com/how-to-fix-ora-12547-tns-lost-contact-when-try-to-connect-to-oracle/
http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:142212348066

ORA-24247: network access denied by access control list (ACL)

TEST_USER @DB11> SELECT utl_inaddr.get_host_name FROM dual;
SELECT utl_inaddr.get_host_name FROM dual
*
ERROR at line 1:
ORA-24247: network access denied by access control list (ACL)
ORA-06512: at "SYS.UTL_INADDR", line 4
ORA-06512: at "SYS.UTL_INADDR", line 35
ORA-06512: at line 1

http://oraexplorer.com/2010/02/oracle-11g-network-access-denied-by-access-control-list-acl-when-using-utl_inaddr/