
Help I lost my brand new Unified Audit Policy?


I am currently working on audit concepts as well as corresponding Unified Audit Policies for various customer projects. That’s why today I once again had a closer look at Oracle Unified Audit.

One requirement in the security concept is to be able to track whether someone accesses the operating system via Oracle DIRECTORY OBJECTS. To do this, you can either work with an explicit object action on a specific directory or you can generally audit the object actions on directories. An audit policy with one or more explicit object actions must of course be managed accordingly. Therefore I decided to monitor actions on Oracle directories in general, that is READ, WRITE and EXECUTE.

The Problem

My audit policy looks as follows:

CREATE AUDIT POLICY tvdlm_dir_access
  ACTIONS
    READ DIRECTORY,
    WRITE DIRECTORY,
    EXECUTE DIRECTORY
  ONLY TOPLEVEL;

Cheerfully, we check our policy in the data dictionary view audit_unified_policies.

SET pagesize 200
SET linesize 160
COL policy_name FOR A25
SELECT policy_name FROM audit_unified_policies
GROUP BY policy_name ORDER BY policy_name;

As you can see, the new policy is not shown in the data dictionary view audit_unified_policies.

POLICY_NAME
-------------------------
ORA_ACCOUNT_MGMT
ORA_CIS_RECOMMENDATIONS
ORA_DATABASE_PARAMETER
ORA_DV_AUDPOL
ORA_DV_AUDPOL2
ORA_LOGON_FAILURES
ORA_RAS_POLICY_MGMT
ORA_RAS_SESSION_MGMT
ORA_SECURECONFIG

9 rows selected.

But when you try to create it once more, you get the error ORA-46358.

CREATE AUDIT POLICY tvdlm_dir_access
  ACTIONS
    READ DIRECTORY,
    WRITE DIRECTORY,
    EXECUTE DIRECTORY
  ONLY TOPLEVEL;
CREATE AUDIT POLICY tvdlm_dir_access
*
ERROR at line 1:
ORA-46358: Audit policy TVDLM_DIR_ACCESS already exists.

But where is it? Let's see if we can find it in dba_objects.

SET pagesize 200
SET linesize 160
COL object_name FOR A25
COL object_type FOR A25
SELECT object_name, object_type FROM dba_objects
  WHERE object_name LIKE 'TVD%' ORDER BY object_name;
OBJECT_NAME		  OBJECT_TYPE
------------------------- -------------------------
TVDLM_DIR_ACCESS	  UNIFIED AUDIT POLICY

OK, in dba_objects we can see the policy. Can we also use or enable it?

Test Case

Let's set up a simple test case to see if this audit policy works even though it is not shown as a valid audit policy in audit_unified_policies. As a first step we enable the audit policy for all users.

AUDIT POLICY tvdlm_dir_access;

Verify all active unified audit policies by querying audit_unified_enabled_policies.

SET linesize 160 pagesize 200
COL policy_name FOR A20
COL entity_name FOR A10

SELECT * FROM audit_unified_enabled_policies;
POLICY_NAME          ENABLED_OPTION  ENTITY_NAM ENTITY_ SUC FAI
-------------------- --------------- ---------- ------- --- ---
ORA_SECURECONFIG     BY USER         ALL USERS  USER    YES YES
ORA_LOGON_FAILURES   BY USER         ALL USERS  USER    NO  YES
TVDLM_DIR_ACCESS     BY USER         ALL USERS  USER    YES YES

3 rows selected.

This looks promising. At least the active audit policy is shown correctly. Now, to test access, we create an Oracle directory object. For the test I use the user scott.

CREATE OR REPLACE DIRECTORY exttab AS '/u01/app/oracle/admin/TSEC02/adhoc';
GRANT READ, WRITE ON DIRECTORY exttab TO scott;

In the adhoc folder we create a csv file scott.emp.csv with the following content.

SELECT empno||','||ename||','||job csv_output FROM scott.emp;
CSV_OUTPUT
-------------------------------------------------------------
7369,SMITH,CLERK
7499,ALLEN,SALESMAN
7521,WARD,SALESMAN
7566,JONES,MANAGER
7654,MARTIN,SALESMAN
7698,BLAKE,MANAGER
7782,CLARK,MANAGER
7788,SCOTT,ANALYST
7839,KING,PRESIDENT
7844,TURNER,SALESMAN
7876,ADAMS,CLERK
7900,JAMES,CLERK
7902,FORD,ANALYST
7934,MILLER,CLERK

14 rows selected.

And finally we create a simple external table on this csv file.

CREATE TABLE scott.emp_external(
    EMPNO NUMBER(4),
    ename VARCHAR2(10),
    job VARCHAR2(9)
)
ORGANIZATION EXTERNAL(
    TYPE oracle_loader
    DEFAULT DIRECTORY exttab
    ACCESS PARAMETERS 
    (FIELDS TERMINATED BY ',')
    LOCATION ('scott.emp.csv'));

Before we query the external table, we purge the audit trail to have a clean trail 😊

EXEC dbms_audit_mgmt.clean_audit_trail( audit_trail_type => dbms_audit_mgmt.audit_trail_unified,use_last_arch_timestamp => FALSE);

Run the query on the external table scott.emp_external.

SELECT * FROM scott.emp_external;
     EMPNO ENAME      JOB
---------- ---------- ---------
      7369 SMITH      CLERK
      7499 ALLEN      SALESMAN
      7521 WARD       SALESMAN
      7566 JONES      MANAGER
      7654 MARTIN     SALESMAN
      7698 BLAKE      MANAGER
      7782 CLARK      MANAGER
      7788 SCOTT      ANALYST
      7839 KING       PRESIDENT
      7844 TURNER     SALESMAN
      7876 ADAMS      CLERK
      7900 JAMES      CLERK
      7902 FORD       ANALYST
      7934 MILLER     CLERK

14 rows selected.

Verify what we have in the unified_audit_trail.

COL event_timestamp FOR A26
COL entry_id FOR 999
COL dbusername FOR A5
COL dbproxy_username FOR A10
COL action_name FOR A18
COL return_code FOR 999999
COL object_schema FOR A10
COL object_name FOR A16
COL unified_audit_policies FOR A20
SET LINES 200
SET PAGES 999
SELECT
   to_char(event_timestamp,'DD.MM.YY HH24:MI:SS') "Timestamp",
   entry_id,
   action_name,
   object_name
   --, unified_audit_policies
FROM
    unified_audit_trail
ORDER BY
    event_timestamp ,
    entry_id;
Timestamp         ENTRY_ID ACTION_NAME        OBJECT_NAME                                                                                                                                               
----------------- -------- ------------------ ----------------                                                                                                                                          
16.03.23 15:52:17       42 EXECUTE            DBMS_AUDIT_MGMT                                                                                                                                           
16.03.23 15:52:36        1 READ DIRECTORY     EXTTAB                                                                                                                                                    
16.03.23 15:52:36        2 EXECUTE DIRECTORY  EXTTAB                                                                                                                                                    
16.03.23 15:52:36        3 WRITE DIRECTORY    EXTTAB                                                                                                                                                    
16.03.23 15:52:36        4 READ DIRECTORY     EXTTAB                                                                                                                                                    
16.03.23 15:52:36        5 EXECUTE DIRECTORY  EXTTAB                                                                                                                                                    
16.03.23 15:52:36        6 WRITE DIRECTORY    EXTTAB                                                                                                                                                    
16.03.23 15:52:36        7 READ DIRECTORY     EXTTAB                                                                                                                                                    
16.03.23 15:52:36        8 EXECUTE DIRECTORY  EXTTAB                                                                                                                                                    
16.03.23 15:52:36        9 WRITE DIRECTORY    EXTTAB                                                                                                                                                    
16.03.23 15:52:36       10 READ DIRECTORY     EXTTAB                                                                                                                                                    
16.03.23 15:52:36       11 EXECUTE DIRECTORY  EXTTAB                                                                                                                                                    
16.03.23 15:52:36       12 WRITE DIRECTORY    EXTTAB                                                                                                                                                    
16.03.23 15:52:36       13 READ DIRECTORY     EXTTAB                                                                                                                                                    
16.03.23 15:52:36       14 EXECUTE DIRECTORY  EXTTAB                                                                                                                                                    
16.03.23 15:52:36       15 WRITE DIRECTORY    EXTTAB                                                                                                                                                    
16.03.23 15:52:36       16 READ DIRECTORY     EXTTAB                                                                                                                                                    
16.03.23 15:52:36       17 EXECUTE DIRECTORY  EXTTAB                                                                                                                                                    
16.03.23 15:52:36       18 WRITE DIRECTORY    EXTTAB                                                                                                                                                    

19 rows selected.

Conclusion

So the whole thing is not as bad as it looked at the beginning. The audit policy is created, can be activated and the corresponding audit records are written. Nevertheless, not seeing the audit policy in audit_unified_policies is a bit confusing, especially since according to the Oracle documentation this view should list all available audit policies. After a bit of research and a service request, it turned out that this is a known issue. A corresponding bugfix seems to be in the works. Until then you have to query dba_objects to check if a policy really exists.

A few final facts…

  • Oracle Support Document 30769454.8 Bug 30769454 – Policy Created For Some Actions Are Not Showing In Audit_Unified_Policies.
  • Oracle Support Document 2419064.1 Audit Policy is Not Seen in AUDIT_UNIFIED_POLICIES After Dropping Objects.
  • Oracle Database Enterprise Edition up to 21.3 is affected. Testing with 21c RU January 2023 (21.9.0.0) showed that in this version the problem is fixed.
  • Audit policies on directory actions create a couple of audit records per access. It seems that this is related to how external tables are accessed. This can be reduced by explicitly setting NOLOGFILE, NOBADFILE or NODISCARDFILE. But even then there will always be more than just one single entry.
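Because one external table access produces the burst of READ, EXECUTE and WRITE DIRECTORY records shown above, a reviewer usually wants one line per session, directory and action rather than the raw trail. The following query is an added example and not part of the original post; it assumes the policy name TVDLM_DIR_ACCESS from this post and a session with the AUDIT_VIEWER or AUDIT_ADMIN role.

```sql
-- Collapse the per-file burst of directory records into one line per
-- session, directory and action. A WRITE DIRECTORY line caused by a plain
-- SELECT on an external table comes from the log/bad/discard files, not
-- from the csv file itself.
SET LINESIZE 200 PAGESIZE 200
COL dbusername  FOR A12
COL object_name FOR A16
COL action_name FOR A18
COL first_seen  FOR A18
COL last_seen   FOR A18
SELECT
    dbusername,
    sessionid,
    object_name,
    action_name,
    TO_CHAR(MIN(event_timestamp), 'DD.MM.YY HH24:MI:SS') AS first_seen,
    TO_CHAR(MAX(event_timestamp), 'DD.MM.YY HH24:MI:SS') AS last_seen,
    COUNT(*)                                              AS records,
    SUM(CASE WHEN return_code <> 0 THEN 1 ELSE 0 END)     AS failed
FROM unified_audit_trail
WHERE action_name IN ('READ DIRECTORY', 'WRITE DIRECTORY', 'EXECUTE DIRECTORY')
  -- UNIFIED_AUDIT_POLICIES lists every policy that caused the record,
  -- comma separated, so match the name as a substring
  AND unified_audit_policies LIKE '%TVDLM_DIR_ACCESS%'
  AND event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
GROUP BY dbusername, sessionid, object_name, action_name
ORDER BY MIN(event_timestamp), dbusername, object_name, action_name;
```

For the test above this reduces the 18 EXTTAB records of the scott session to three lines (READ, EXECUTE and WRITE DIRECTORY), each with the record count that the external table driver produced.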

Great, I found my Audit Policies again


A while ago I wrote a blog post about issues with some Oracle Unified Audit Policies see Help I lost my brand new Unified Audit Policy? In the meantime, the whole thing no longer looks so tragic. The problem is an official bug for which Oracle has already released a one-off patch. See Oracle Support Document 30769454.8 Bug 30769454 – Policy Created For Some Actions Are Not Showing In Audit_Unified_Policies.

Install and Test

Let’s see how our system looks before we install the patch. The output of OPatch shows that nothing special has been installed except RU 19.18.

oracle@db19:~/ [TSEC02] $cdh/OPatch/opatch lspatches
34777391;JDK BUNDLE PATCH 19.0.0.0.230117
34786990;OJVM RELEASE UPDATE: 19.18.0.0.230117 (34786990)
34765931;Database Release Update : 19.18.0.0.230117 (34765931)
29585399;OCW RELEASE UPDATE 19.3.0.0.0 (29585399)

I'll create another audit policy to verify that we still have the issue.

CREATE AUDIT POLICY tvdlm_dir_access
  ACTIONS
    READ DIRECTORY,
    WRITE DIRECTORY,
    EXECUTE DIRECTORY
  ONLY TOPLEVEL;

And as expected, we do not see it in AUDIT_UNIFIED_POLICIES.

SET pagesize 200
SET linesize 160
COL policy_name FOR A25
SELECT policy_name FROM audit_unified_policies
  WHERE policy_name LIKE 'TVD%' 
  GROUP BY policy_name ORDER BY policy_name;
no rows selected

But it is there in the view DBA_OBJECTS.

SET pagesize 200
SET linesize 160
COL object_name FOR A25
COL object_type FOR A25
SELECT object_name, object_type FROM dba_objects
  WHERE object_name LIKE 'TVD%' ORDER BY object_name;
OBJECT_NAME		  OBJECT_TYPE
------------------------- -------------------------
TVDLM_DIR_ACCESS	  UNIFIED AUDIT POLICY

Run opatch apply to install the one-off patch.

oracle@db19:/tmp/30769454/ [TSEC02] $cdh/OPatch/opatch apply
Oracle Interim Patch Installer version 12.2.0.1.36
Copyright (c) 2023, Oracle Corporation.  All rights reserved.


Oracle Home       : /u01/app/oracle/product/19.0.0.0
Central Inventory : /u01/app/oraInventory
   from           : /u01/app/oracle/product/19.0.0.0/oraInst.loc
OPatch version    : 12.2.0.1.36
OUI version       : 12.2.0.7.0
Log file location : /u01/app/oracle/product/19.0.0.0/cfgtoollogs/opatch/opatch2023-04-04_22-41-48PM_1.log

Verifying environment and performing prerequisite checks...
OPatch continues with these patches:   30769454  

Do you want to proceed? [y|n]
y
User Responded with: Y
All checks passed.
Backing up files...
Applying interim patch '30769454' to OH '/u01/app/oracle/product/19.0.0.0'

Patching component oracle.rdbms.dbscripts, 19.0.0.0.0...
Patch 30769454 successfully applied.
Log file location: /u01/app/oracle/product/19.0.0.0/cfgtoollogs/opatch/opatch2023-04-04_22-41-48PM_1.log

OPatch succeeded.

And finally run datapatch.

oracle@db19:/tmp/30769454/ [TSEC02] $cdh/OPatch/datapatch
SQL Patching tool version 19.18.0.0.0 Production on Tue Apr  4 22:43:53 2023
Copyright (c) 2012, 2023, Oracle.  All rights reserved.

Log file for this invocation: /u01/app/oracle/cfgtoollogs/sqlpatch/sqlpatch_8785_2023_04_04_22_43_53/sqlpatch_invocation.log

Connecting to database...OK
Gathering database info...done
Bootstrapping registry and package to current versions...done
Determining current state...done

Current state of interim SQL patches:
Interim patch 30769454 (POLICY CREATED FOR SOME ACTIONS ARE NOT SHOWING IN AUDIT_UNIFIED_POLICIES):
  Binary registry: Installed
  SQL registry: Not installed
Interim patch 31668882 (OJVM RELEASE UPDATE: 19.9.0.0.201020 (31668882)):
  Binary registry: Not installed
  SQL registry: Rolled back successfully on 30-MAR-23 04.22.06.093772 PM
Interim patch 34786990 (OJVM RELEASE UPDATE: 19.18.0.0.230117 (34786990)):
  Binary registry: Installed
  SQL registry: Applied with errors on 30-MAR-23 04.25.21.102732 PM

Current state of release update SQL patches:
  Binary registry:
    19.18.0.0.0 Release_Update 230111171738: Installed
  SQL registry:
    Applied 19.18.0.0.0 Release_Update 230111171738 with errors on 30-MAR-23 04.25.21.097389 PM

Adding patches to installation queue and performing prereq checks...done
Installation queue:
  No interim patches need to be rolled back
  Patch 34765931 (Database Release Update : 19.18.0.0.230117 (34765931)):
    Apply from 19.9.0.0.0 Release_Update 200930183249 to 19.18.0.0.0 Release_Update 230111171738
  The following interim patches will be applied:
    34786990 (OJVM RELEASE UPDATE: 19.18.0.0.230117 (34786990))
    30769454 (POLICY CREATED FOR SOME ACTIONS ARE NOT SHOWING IN AUDIT_UNIFIED_POLICIES)

Installing patches...
Patch installation complete.  Total patches installed: 3

Validating logfiles...done
Patch 34765931 apply: SUCCESS
  logfile: /u01/app/oracle/cfgtoollogs/sqlpatch/34765931/25078403/34765931_apply_TSEC02_2023Apr04_22_44_17.log (no errors)
Patch 34786990 apply: SUCCESS
  logfile: /u01/app/oracle/cfgtoollogs/sqlpatch/34786990/25032666/34786990_apply_TSEC02_2023Apr04_22_44_16.log (no errors)
Patch 30769454 apply: SUCCESS
  logfile: /u01/app/oracle/cfgtoollogs/sqlpatch/30769454/25157729/30769454_apply_TSEC02_2023Apr04_22_47_53.log (no errors)
SQL Patching tool complete on Tue Apr  4 22:48:16 2023

opatch now lists the one-off patch.

oracle@db19:/tmp/30769454/ [TSEC02] $cdh/OPatch/opatch lspatches
30769454;POLICY CREATED FOR SOME ACTIONS ARE NOT SHOWING IN AUDIT_UNIFIED_POLICIES
34777391;JDK BUNDLE PATCH 19.0.0.0.230117
34786990;OJVM RELEASE UPDATE: 19.18.0.0.230117 (34786990)
34765931;Database Release Update : 19.18.0.0.230117 (34765931)
29585399;OCW RELEASE UPDATE 19.3.0.0.0 (29585399)

OPatch succeeded.

Without further adjustments the created policy is now visible in AUDIT_UNIFIED_POLICIES.

SET pagesize 200
SET linesize 160
COL policy_name FOR A25
SELECT policy_name FROM audit_unified_policies
  WHERE policy_name LIKE 'TVD%' 
  GROUP BY policy_name ORDER BY policy_name;
POLICY_NAME
-------------------------
TVDLM_DIR_ACCESS

Conclusion

As written in the original blog post, the issue is not critical, but it can cause problems during automated deployment, especially if you check in AUDIT_UNIFIED_POLICIES whether a policy already exists. The workaround is to query DBA_OBJECTS directly instead of AUDIT_UNIFIED_POLICIES, or to install the one-off patch. It is a pleasure when issues are fixed quickly by a bugfix. By the way, it is quite likely that this fix will be included in the next release update in April. We'll see…
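Both conclusions recommend checking DBA_OBJECTS rather than AUDIT_UNIFIED_POLICIES before creating a policy. The PL/SQL block below is an added example, not code from either post: it deploys the TVDLM_DIR_ACCESS policy from the first post idempotently, keeps ORA-46358 as a safety net in case the object view and the policy view disagree, and enables the policy only once. It assumes a DBA or AUDIT_ADMIN session.

```sql
SET SERVEROUTPUT ON
DECLARE
  -- Policy name and definition from the first post; adjust for your own policy.
  l_policy  CONSTANT VARCHAR2(128) := 'TVDLM_DIR_ACCESS';
  l_ddl     CONSTANT VARCHAR2(4000) :=
    'CREATE AUDIT POLICY ' || l_policy || CHR(10) ||
    '  ACTIONS READ DIRECTORY, WRITE DIRECTORY, EXECUTE DIRECTORY' || CHR(10) ||
    '  ONLY TOPLEVEL';
  l_count   PLS_INTEGER;
  e_exists  EXCEPTION;
  PRAGMA EXCEPTION_INIT(e_exists, -46358);  -- ORA-46358: audit policy already exists
BEGIN
  -- Existence check against DBA_OBJECTS, which lists the policy even when
  -- AUDIT_UNIFIED_POLICIES does not (bug 30769454).
  SELECT COUNT(*)
    INTO l_count
    FROM dba_objects
   WHERE object_type = 'UNIFIED AUDIT POLICY'
     AND object_name = l_policy;

  IF l_count = 0 THEN
    BEGIN
      EXECUTE IMMEDIATE l_ddl;
      dbms_output.put_line('created policy ' || l_policy);
    EXCEPTION
      WHEN e_exists THEN
        -- Safety net: the policy exists although DBA_OBJECTS did not show it.
        dbms_output.put_line('policy ' || l_policy || ' already exists (ORA-46358)');
    END;
  ELSE
    dbms_output.put_line('policy ' || l_policy || ' already exists in DBA_OBJECTS');
  END IF;

  -- Enable the policy for all users, but only once. AUDIT_UNIFIED_ENABLED_POLICIES
  -- is not affected by the bug and shows the active policy correctly.
  SELECT COUNT(*)
    INTO l_count
    FROM audit_unified_enabled_policies
   WHERE policy_name = l_policy;

  IF l_count = 0 THEN
    EXECUTE IMMEDIATE 'AUDIT POLICY ' || l_policy;
    dbms_output.put_line('enabled policy ' || l_policy);
  ELSE
    dbms_output.put_line('policy ' || l_policy || ' is already enabled');
  END IF;
END;
/
```

Running the block a second time prints only the "already exists" and "already enabled" messages, which is what a repeatable deployment script needs.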

Get Oracle Database 23c for free on your Mac M1


Oracle Database 23c Free – Developer Release is all over since Oracle released it yesterday. See the Official Oracle pages Oracle Database Free or the blog post by Gerald Venzl Introducing Oracle Database 23c Free – Developer Release. Connor McDonald even got a special delivery from Oracle.

A few important web pages related to Oracle Database 23c Free.

Ok, so what do we do now in order to be able to use Oracle Database 23c Free on a Mac with Apple Silicon? Setup a Vagrant VM, Docker Container or rather use a cloud based solution? Below I show you how to do this relatively easily using a Docker container that runs reasonably well.

Requirements

Basically, x86-64 based Docker containers also run on Apple Silicon / ARM. However, these are emulated with Rosetta 2 and are not as stable or performant. But the whole thing is a bit more complex than described there. Docker and colima can both use Rosetta 2; Rosetta 2 is always slower than native ARM code but faster than QEMU. Because Rosetta 2 does not know or provide all instructions, it can lead to problems depending on the container, so certain containers are less stable. QEMU on the other hand interprets every instruction. Thus it is more stable but slower. Therefore things are somewhat better when using colima with x86-64. In the end, the performance is not that great. However, it is sufficient for simple tests on the road. Maybe I will find some time to go deeper into the topics of ARM/x86-64 with Rosetta 2, QEMU etc.

Setup and Run

You can either configure all the stuff mentioned above manually or use brew. I prefer brew whenever possible. So let's install brew first.

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

Update and upgrade your brew installation

brew update
brew upgrade

Install colima and Docker for macOS.

brew install colima docker

We are now ready to start colima. See the GitHub repository abiosoft/colima for full usage.

colima start --arch x86_64 --memory 4

Start up the Oracle Database 23c Free Docker container. As Docker has to pull about 3GB, it will take a while depending on the network speed.

docker run -d --name db23c -P container-registry.oracle.com/database/free

As usual, you have to wait a month for an Oracle database to be created. With docker logs you can check when the database is available.

docker logs -f db23c
Starting Oracle Net Listener.
Oracle Net Listener started.
Starting Oracle Database instance FREE.
Oracle Database instance FREE started.

The Oracle base remains unchanged with value /opt/oracle
#########################
DATABASE IS READY TO USE!
#########################
The following output is now a tail of the alert.log:
===========================================================
Dumping current patch information
===========================================================
No patches have been applied
===========================================================
2023-04-05T06:35:33.856200+00:00
FREEPDB1(3):Opening pdb with Resource Manager plan: DEFAULT_PLAN
2023-04-05T06:35:40.175165+00:00
Completed: Pluggable database FREEPDB1 opened read write 
Completed: ALTER DATABASE OPEN

Set a new SYS password using setPassword.sh

docker exec db23c ./setPassword.sh <PASSWORD>

And here we go, let's connect via sqlplus as SYSDBA.

docker exec -it db23c sqlplus / as sysdba
SQL*Plus: Release 23.0.0.0.0 - Developer-Release on Wed Apr 5 09:11:04 2023
Version 23.2.0.0.0

Copyright (c) 1982, 2023, Oracle.  All rights reserved.


Connected to:
Oracle Database 23c Free, Release 23.0.0.0.0 - Developer-Release
Version 23.2.0.0.0

SQL> select sysdate;

SYSDATE
---------
05-APR-23

SQL>

If you prefer, you can also use SQL Developer. Just log in to localhost with the port and service name. If you started the container with -P like me, docker ps or docker port shows the corresponding port.

docker port db23c
1521/tcp -> 0.0.0.0:49153
1521/tcp -> :::49153

SQL Developer configuration for the local Docker container. Port must be adjusted accordingly.

And here we go…

First Steps

Installation of the SCOTT schema. But first, update the script to connect to the pluggable database.

docker exec db23c sed -i "s|CONNECT SCOTT/tiger$|CONNECT SCOTT/tiger@freepdb1|" \
/opt/oracle/product/23c/dbhomeFree/rdbms/admin/utlsampl.sql

Run sqlplus to create the SCOTT schema.

docker exec -it db23c sqlplus / as sysdba
ALTER SESSION SET CONTAINER=freepdb1;
@?/rdbms/admin/utlsampl.sql

Create a new user and grant him read access to the tables of the SCOTT schema.

ALTER SESSION SET CONTAINER=freepdb1;
CREATE USER king IDENTIFIED BY tiger;
GRANT CREATE SESSION TO king;
GRANT READ ANY TABLE ON SCHEMA scott TO king;

And test it as KING.

CONNECT king/tiger@freepdb1
SET PAGESIZE 200
SET LINESIZE 120
SET PAGESIZE 200
SELECT * FROM scott.emp;
     EMPNO ENAME      JOB	       MGR HIREDATE	    SAL       COMM     DEPTNO
---------- ---------- --------- ---------- --------- ---------- ---------- ----------
      7369 SMITH      CLERK	      7902 17-DEC-80	    800 		   20
      7499 ALLEN      SALESMAN	      7698 20-FEB-81	   1600        300	   30
      7521 WARD       SALESMAN	      7698 22-FEB-81	   1250        500	   30
      7566 JONES      MANAGER	      7839 02-APR-81	   2975 		   20
      7654 MARTIN     SALESMAN	      7698 28-SEP-81	   1250       1400	   30
      7698 BLAKE      MANAGER	      7839 01-MAY-81	   2850 		   30
      7782 CLARK      MANAGER	      7839 09-JUN-81	   2450 		   10
      7788 SCOTT      ANALYST	      7566 19-APR-87	   3000 		   20
      7839 KING       PRESIDENT 	   17-NOV-81	   5000 		   10
      7844 TURNER     SALESMAN	      7698 08-SEP-81	   1500 	 0	   30
      7876 ADAMS      CLERK	      7788 23-MAY-87	   1100 		   20
      7900 JAMES      CLERK	      7698 03-DEC-81	    950 		   30
      7902 FORD       ANALYST	      7566 03-DEC-81	   3000 		   20
      7934 MILLER     CLERK	      7782 23-JAN-82	   1300 		   10

14 rows selected.

Excellent, full READ access to a schema, i.e. to all tables of a schema, with only one statement.

Conclusion

The Developer Release of Oracle Database 23c is great. A unique opportunity to test various Oracle features very early without having to join the Oracle Beta Program. But be aware, do not expect light speed when running an Oracle Database container on Apple Silicon. This workaround is ideal when you are on the road and want to test new stuff. For reliable speed, there is no way around running Oracle Database 23c on an x86-64 system. Either you have an old Mac lying around or you build a small environment in the cloud. But who knows, maybe Oracle will surprise us with an ARM version of Oracle Database 23c…

Oracle Security EUS Snippets – Setup Proxy User Privileges


Since I'm always short of time for a longer blog post, I'll just try a short one. Intended as a mini-series, I will show different configuration examples for Oracle Enterprise User Security. Today I'll start with the configuration of EUS based proxy privileges. The environment I use is DOE, my Docker based Oracle Engineering environment, in particular its EUS configuration. For more information, see the corresponding GitHub repository oehrlis/doe, respectively its folder eus for the EUS specific environment.

Background

Database proxy privileges are used relatively often to give certain users rights to access a different schema. The user authenticates with his own credentials and becomes a proxy user in the database. Below is an example where the user RMAN gets access to a different schema, specifically another RMAN catalog schema (see also the blog post about SEPS and RMAN).

CREATE USER rman IDENTIFIED BY welcome1;
CREATE USER rman19000 NO AUTHENTICATION QUOTA UNLIMITED ON rman_data;
GRANT RECOVERY_CATALOG_OWNER TO rman19000;
ALTER USER rman19000 GRANT CONNECT THROUGH rman; 
ALTER USER rman19000 DEFAULT TABLESPACE rman_data;

The following users were created:

  • RMAN19000 is the schema owner for an Oracle 19c RMAN catalog stored in the tablespace RMAN_DATA. The user is created without any authentication but with a proxy privilege for the user RMAN.
  • RMAN is the user which is used to connect to the catalog. There are other catalogs as well, but they are not shown in this example.

SQL> connect rman[RMAN19000]/welcome1@CATALOG
Connected.
SQL> show user
USER is "RMAN19000"
SQL> SELECT sys_context('userenv','PROXY_USER') PROXY_USER,
sys_context('userenv','SESSION_USER') SESSION_USER from dual;

PROXY_USER SESSION_USER
---------- ---------------
RMAN	   RMAN19000

With pure database authentication or authorisation, the configuration of proxy users is easy. With Enterprise User Security, proxy privileges are no longer managed in the database but in the directory. Let’s take a look at that.

Database Configuration

For Enterprise User Security based proxy privileges, only ENTERPRISE USERS is specified in the database. The rest is done in the OracleContext of the directory. See also ALTER USER in Oracle® Database SQL Language Reference 19c.

ALTER USER scott GRANT CONNECT THROUGH ENTERPRISE USERS;

Enterprise User Security Configuration

The configuration can either be done via Oracle Enterprise Manager Cloud Control, as documented in the Oracle® Database Enterprise User Security Administrator's Guide 19c, or with the command line utility eusm. I prefer the command line utility as I often do not have an OEM at hand.

  • Create the proxy permission in the directory.
eusm createProxyPerm proxy_permission="Scott Proxy" \
domain_name="OracleDefaultDomain" \
realm_dn="dc=trivadislabs,dc=com" \
ldap_host=eusoud.trivadislabs.com ldap_port=1389 \
ldap_user_dn=cn=eusadmin,cn=oraclecontext \
ldap_user_password=$(cat /u01/common/etc/eusadmin_pwd.txt)
  • Define a target user for this proxy permission.
eusm addTargetUser proxy_permission="Scott Proxy" \
database_name="TEUS01" \
target_user="SCOTT" dbuser="system" \
dbuser_password=$(cat /u00/app/oracle/admin/TEUS01/etc/TEUS01_password.txt) \
dbconnect_string="eusdb.trivadislabs.com:1521/TEUS01.trivadislabs.com" \
domain_name="OracleDefaultDomain" \
realm_dn="dc=trivadislabs,dc=com" \
ldap_host=eusoud.trivadislabs.com ldap_port=1389 \
ldap_user_dn=cn=eusadmin,cn=oraclecontext \
ldap_user_password=$(cat /u01/common/etc/eusadmin_pwd.txt)
  • Explicit granting of proxy permission to the user KING. Can also be assigned to a group.
eusm grantProxyPerm proxy_permission="Scott Proxy" \
user_dn="cn=Ben King,ou=Senior Management,ou=People,dc=trivadislabs,dc=com" \
domain_name="OracleDefaultDomain" \
realm_dn="dc=trivadislabs,dc=com" \
ldap_host=eusoud.trivadislabs.com ldap_port=1389 \
ldap_user_dn=cn=eusadmin,cn=oraclecontext \
ldap_user_password=$(cat /u01/common/etc/eusadmin_pwd.txt)
  • Display the proxy permissions defined for the EUS default domain.
eusm listProxyPermissions domain_name="OracleDefaultDomain" \
realm_dn="dc=trivadislabs,dc=com" \
ldap_host=eusoud.trivadislabs.com ldap_port=1389 \
ldap_user_dn=cn=eusadmin,cn=oraclecontext \
ldap_user_password=$(cat /u01/common/etc/eusadmin_pwd.txt)
  • Display information for the proxy permission Scott Proxy.
eusm listProxyPermissionInfo proxy_permission="Scott Proxy" \
domain_name="OracleDefaultDomain" \
realm_dn="dc=trivadislabs,dc=com" \
ldap_host=eusoud.trivadislabs.com ldap_port=1389 \
ldap_user_dn=cn=eusadmin,cn=oraclecontext \
ldap_user_password=$(cat /u01/common/etc/eusadmin_pwd.txt)
  • Display proxy permissions for the user KING.
eusm listProxyPermissionsOfUser \
user_dn="cn=Ben King,ou=Senior Management,ou=People,dc=trivadislabs,dc=com" \
realm_dn="dc=trivadislabs,dc=com" \
ldap_host=eusoud.trivadislabs.com ldap_port=1389 \
ldap_user_dn=cn=eusadmin,cn=oraclecontext \
ldap_user_password=$(cat /u01/common/etc/eusadmin_pwd.txt) 

Using the Proxy Permissions

Let’s test the permissions and connect as user KING.

  • Regular connection to the database as schema owner SCOTT.
SQL> connect SCOTT/tiger@TEUS01
Connected.
SQL> show user
USER is "SCOTT"
SQL> select sys_context('userenv','PROXY_USER') PROXY_USER,
sys_context('userenv','SESSION_USER') SESSION_USER from dual;

PROXY_USER	SESSION_USER
--------------- ---------------
                SCOTT
  • Regular connection to the database as KING.
SQL> connect king/welcome1@TEUS01
Connected.
SQL> show user
USER is "KING"
SQL> select sys_context('userenv','PROXY_USER') PROXY_USER,
sys_context('userenv','SESSION_USER') SESSION_USER from dual;

PROXY_USER	SESSION_USER
--------------- ---------------
                KING
  • Proxy connection to the database
SQL> connect king[SCOTT]/welcome1@TEUS01
Connected.
SQL> show user
USER is "SCOTT"
SQL> select sys_context('userenv','PROXY_USER') PROXY_USER,
sys_context('userenv','SESSION_USER') SESSION_USER from dual;

PROXY_USER	SESSION_USER
--------------- ---------------
KING            SCOTT

Conclusion

Configuration of proxy permissions in connection with Oracle Enterprise User Security is not as complicated as you might think. It is also useful if shared global users need access to certain schemas. For example, a power user is allowed to access the application schema.

Security Best Practice: Oracle passwords, but secure!

Beach view in Brighton at the UKOUG Techfest 2019

Today I held my presentation about Oracle security best practice “Oracle passwords, but secure!” at the virtual UKOUG event. Unfortunately, this year the beautiful view of Brighton beach and the active exchange with colleagues was missing. Ok, on the other hand I was able to enjoy the first snow in Switzerland with my children. 😊

The following blog post is a summary of my presentation with some examples, notes, references and slides.

Oracle Password Hashes

The different Oracle Database releases provide various password verifiers. Although the older password verifiers are no longer state of the art, they are still used relatively frequently. It is therefore essential to take the appropriate measures to make password-based authentication secure. Oracle currently offers the following password hash functions:

  • Oracle 10g Hash Function based on DES and an Oracle specific algorithm. It is case insensitive and uses a weak password salt, i.e. the username is used as salt.
  • MD5 based Hash Function used for digest authentication in XDB.
  • Oracle 11g Hash Function based on the SHA1 hash algorithm. But since 2005 SHA1 is no longer considered safe. The hash function supports case sensitive and multibyte character passwords.
  • Oracle 12c Hash Function based on a de-optimised algorithm involving PBKDF2 and SHA-512. It supports case sensitive and multibyte character passwords.

The different password verifiers can be controlled by SQLNET.ALLOWED_LOGON_VERSION_SERVER and SQLNET.ALLOWED_LOGON_VERSION_CLIENT, or by setting the passwords explicitly using ALTER USER ... IDENTIFIED BY VALUES.

Create different users with different password verifiers

CREATE USER test_10g IDENTIFIED BY VALUES 'AF310E4D20D06950';
CREATE USER test_11g IDENTIFIED BY VALUES 'S:6702B83E88D277BFC378AD6B22DD1AE01895A254470F8124A9D3C5347056';
CREATE USER test_12c IDENTIFIED BY VALUES 'T:45738A7B75C9E31ED0C533BCF4931084658A143FD7CF826B980A88EA6C4F0BE66C28DA7085BCAE386723029BA967DC4F45E9C146F6FA7C22E44BA2C1BD2F56F8C22291D417E26D4B810003F3F055EDFF';
CREATE USER test_all IDENTIFIED BY Welcome1;

In DBA_USERS you will see the different password versions

SET LINESIZE 160 PAGESIZE 200
COL username FOR a10
COL password_versions FOR a20
SELECT username, password_versions 
FROM dba_users WHERE username LIKE 'TEST_%';

USERNAME    PASSWORD_VERSIONS
----------- --------------------
TEST_10G    10G
TEST_11G    11G
TEST_ALL    10G 11G 12C
TEST_12C    12C

Or in USER$ you can find the corresponding hashes:

SET LINESIZE 160 PAGESIZE 200
COL name FOR a10
COL password FOR a16
COL spare4 FOR a64
SELECT name,password,spare4 
FROM user$ WHERE name LIKE 'TEST_%' ORDER BY 1;

NAME       PASSWORD         SPARE4
---------- ---------------- ----------------------------------------------------------------
TEST_10G   AF310E4D20D06950
TEST_11G                    S:6702B83E88D277BFC378AD6B22DD1AE01895A254470F8124A9D3C5347056
TEST_12C                    T:45738A7B75C9E31ED0C533BCF4931084658A143FD7CF826B980A88EA6C4F0B
                            E66C28DA7085BCAE386723029BA967DC4F45E9C146F6FA7C22E44BA2C1BD2F56
                            F8C22291D417E26D4B810003F3F055EDFF

TEST_ALL   4932A1B4C59EC3D0 S:ABF25107166264C8EAFE72BF02152DE17000F359CB5BAF21A6AF41477633;T
                            :62FEE108652A56D940813F54EC72D1494ACAD99F2BBDD0A578BF1F97FAB4A7E
                            B468A98B6B553E460DE21E57F6C35A930DEE027D20B33ED13D56EA0ECACB1CEA
                            94EEC8AC389561346052BB0BFF2C06647

Manually create an Oracle 10g password verifier:

SQL> @create_password_hash.sql system ieShae0

Username : system
Password : ieShae0
Hash	 : 0AD56CF5F1CB8D2A
SQL	 : alter user system identified by values '0AD56CF5F1CB8D2A';

PL/SQL procedure successfully completed.

Testing the Password Verifier

There are a couple of possibilities and tools to “verify” password hashes. Among the best known are the tools Hashcat and John the Ripper. These tools support a wide range of hashes as well as attack methods. Below you find an example of a brute force attack for the Oracle hash we created above.

  • --increment starts the brute force with a shorter length, e.g. 4 characters
  • --custom-charset1 defines the character set, here lowercase letters and digits
  • --hash-type 3100 selects Oracle 7+, i.e. the 10g password verifier
  • --show shows the cracked password

echo "0AD56CF5F1CB8D2A" >demo.hash
hashcat --attack-mode 3 --increment --increment-min 4 \
--custom-charset1 ?l?d --hash-type 3100 ./demo.hash ?1?1?1?1?1?1?1
hashcat --hash-type 3100 ./demo.hash --show

Good Practice

Here are a few good practices on Oracle passwords.

  • Keep your Oracle clients and servers up to date. Stay informed by following Critical Patch Updates, Security Alerts and Bulletins. Install security fixes in a reasonable time frame.
  • Consider using strong authentication like Kerberos and SSL based authentication.
  • Don’t use legacy password verifiers
    • Use Oracle password file version 12.2
    • Explicitly configure ALLOWED_LOGON_VERSION_SERVER to 12a and exclusively use 12c hash values
    • Start using PBKDF2 SHA-512 for directory-based password authentication with EUS and CMU
  • Revise your password policies
    • NIST, CIS, STIG and other standards are continuously adjusted.
    • Does the complexity rule still make sense, or does it just reduce the number of possibilities?
  • User awareness training. Make sure your users know the principles of good and bad passwords. Use a passphrase rather than a password.
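
Before switching ALLOWED_LOGON_VERSION_SERVER to 12a it pays to know which accounts would no longer be able to log on, because the 10G and 11G verifiers are then rejected and only accounts that already own a 12C verifier keep working. The following shell functions are an added example (not from the original post and not an Oracle tool) that evaluate the PASSWORD_VERSIONS column of DBA_USERS for exactly that. The account list is constructed: it mirrors the TEST_* users created above plus an assumed service account SVC_APP; the mapping of settings to accepted verifiers follows the documented behaviour of ALLOWED_LOGON_VERSION_SERVER (values 8 to 11 still accept 10G, 12 accepts 11G and 12C, 12a accepts 12C only).

```shell
#!/bin/sh
# Added example (not from the original post): inventory Oracle password
# verifiers before hardening SQLNET.ALLOWED_LOGON_VERSION_SERVER.
#
# Input format, one account per line: USERNAME followed by the space separated
# PASSWORD_VERSIONS value, as produced on the database with
#   SELECT username || ' ' || password_versions FROM dba_users;
# Accounts without any verifier (e.g. externally authenticated) have NF=1 and
# are ignored. The list below is constructed: it mirrors the TEST_* accounts
# created above plus an assumed service account SVC_APP whose password was
# never reset since the 11g days.
SAMPLE_USERS='TEST_10G 10G
TEST_11G 11G
TEST_ALL 10G 11G 12C
TEST_12C 12C
SVC_APP 10G 11G'

# accepted_verifiers <setting>: verifier versions the server still accepts for
# SQLNET.ALLOWED_LOGON_VERSION_SERVER=<setting>.
accepted_verifiers() {
  case "$1" in
    12a)        echo "12C" ;;
    12)         echo "11G 12C" ;;
    8|9|10|11)  echo "10G 11G 12C" ;;
    *) echo "unsupported setting: $1" >&2; return 1 ;;
  esac
}

# lockout_report <setting>: reads the account list on stdin and prints every
# account that owns none of the verifiers accepted at <setting>. Those accounts
# could no longer log on after the change and need a password reset first.
lockout_report() {
  accepted=$(accepted_verifiers "$1") || return 1
  awk -v accepted="$accepted" '
    BEGIN { n = split(accepted, acc, " ") }
    NF >= 2 {
      ok = 0
      for (j = 2; j <= NF; j++)
        for (i = 1; i <= n; i++)
          if ($j == acc[i]) ok = 1
      if (!ok) print $1
    }'
}

# weak_verifier_report: accounts that still store the DES based 10G verifier.
# Even when 12a rejects it for logon, the weak hash stays in USER$ until the
# password is changed, so these accounts should be reset as well.
weak_verifier_report() {
  awk '{ for (j = 2; j <= NF; j++) if ($j == "10G") { print $1; break } }'
}

# reset_statements <setting>: SQL that forces a password change for every
# account reported by lockout_report or weak_verifier_report, each once.
reset_statements() {
  input=$(cat)
  {
    printf '%s\n' "$input" | lockout_report "$1"
    printf '%s\n' "$input" | weak_verifier_report
  } | awk '!seen[$0]++ { printf "ALTER USER %s PASSWORD EXPIRE;\n", $1 }'
}

# Stand-alone demo on the constructed list.
echo "Accounts locked out by ALLOWED_LOGON_VERSION_SERVER=12a:"
printf '%s\n' "$SAMPLE_USERS" | lockout_report 12a
echo "Reset statements:"
printf '%s\n' "$SAMPLE_USERS" | reset_statements 12a
```

Run the report and the generated PASSWORD EXPIRE statements while the current setting still accepts the old verifiers: the users then change their password at the next logon, receive a 12C verifier, and the later switch to 12a no longer locks anyone out. Accounts that never log on interactively (service accounts) need a DBA to set the new password instead.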

Slides of the UKOUG Presentation

UKOUG Presentation Security Best Practice: Oracle passwords, but secure!

References

Links and references related to this blog post

Unleash the Power of the User Home SQLNet Config


Introduction

A crucial functionality of databases is that they are accessible via a network. This also applies to Oracle databases, where network access is controlled by the Oracle Net Service components. The two files sqlnet.ora and tnsnames.ora belong to the key configuration files and can be used on both the client machines and the database server. While you may be familiar with the essential configuration files, did you know that there’s a hidden path to unlock greater flexibility in Oracle Net Service?

  • tnsnames.ora is a configuration file that contains network service names mapped to connect descriptors for the local naming method, or net service names mapped to listener protocol addresses.
  • sqlnet.ora is the SQLNet configuration file. It resides on the client machines and the database server. Among other things, sqlnet.ora is used to enable the following configurations:
    • Specify the client domain to append to unqualified names
    • Prioritize naming methods
    • Enable logging and tracing features
    • Configure parameters for external naming
    • Configure Oracle Advanced Security

By default, both files are stored in the ORACLE_HOME/network/admin directory, or in ORACLE_BASE_HOME/network/admin for a read-only Oracle Home. The environment variable TNS_ADMIN can also be used to specify an alternative directory. This is especially useful on systems where you have several Oracle Home directories, but only want to work with one central Oracle Net Service configuration.

The order in which these files are searched is documented in Oracle® Database Net Services Reference 19c and in the Oracle Support Document 464410.1. All right, so that brings us to the end of this blog post, doesn’t it? Of course not, there is one small detail that is not in the documentation, or at least not any more. Oracle’s search for sqlnet.ora and tnsnames.ora also includes other locations. So let’s discover a less known path to greater flexibility and efficiency for Oracle Net Service.

Exploring the Alternative tnsnames.ora and sqlnet.ora Location

The easiest way to figure out which paths or files are being read is to use strace when calling an Oracle tool like tnsping or sqlplus. The strace utility is very powerful and provides all kinds of trace information about a programme or process. In our case, however, we are only interested in seeing which files are being accessed. If strace is not available on your system, you can simply install it with yum or dnf.

sudo yum install -y strace

Below you find a simple example calling tnsping under strace. Since strace is quite chatty, we limit the output to the open, access and stat system calls and forward it to a file.

strace -e trace=open,access,stat,openat -o strace_tnsping.out \
tnsping TDB01

The output of tnsping is irrelevant in our case. Let’s take a look at the file generated by strace and search for tnsnames.ora.

grep -in tnsnames.ora strace_tnsping.out
274:access("/home/oracle/.tnsnames.ora", F_OK) = -1 ENOENT (No such file or directory)
275:access("/u01/app/oracle/network/admin/tnsnames.ora", F_OK) = 0
276:stat("/u01/app/oracle/network/admin/tnsnames.ora", {st_mode=S_IFREG|0644, st_size=484, ...}) = 0
277:openat(AT_FDCWD, "/u01/app/oracle/network/admin/tnsnames.ora", O_RDONLY) = 6

Eureka, there is something. We can see that tnsping was trying to access two files. One is tnsnames.ora, which is in my TNS_ADMIN directory, and the other is .tnsnames.ora, which is in my user home directory. The same applies to sqlnet.ora. Let’s check this with a call to sqlplus.

strace -e trace=open,access -o strace_sqlplus.out  \
sqlplus /@TEASPARX_pdbadmin <<EOFSQL
    SHOW USER
EOFSQL 

Again, the effective output of sqlplus is irrelevant. Let’s take a look at the file created by strace and search for sqlnet.ora.

grep -in sqlnet.ora strace_sqlplus.out
61:access("/u01/app/oracle/network/admin/sqlnet.ora", F_OK) = 0
62:open("/u01/app/oracle/network/admin/sqlnet.ora", O_RDONLY) = 6
63:access("/home/oracle/.sqlnet.ora", F_OK) = -1 ENOENT (No such file or directory)
76:access("/u01/app/oracle/network/admin/sqlnet.ora", F_OK) = 0
77:open("/u01/app/oracle/network/admin/sqlnet.ora", O_RDONLY) = 8

We see that here, too, a hidden sqlnet.ora in the user home is accessed.

Configuring the Alternative Location

The configuration is rather simple. You just have to create a hidden tnsnames.ora or sqlnet.ora file in the user home directory. Files are hidden in Linux if their name begins with a dot (.).

Let’s create an Oracle Net service entry for the database TDB01.

cat << EOF >$HOME/.tnsnames.ora
TDB01_system.trivadislabs.com=
   (DESCRIPTION=
     (ADDRESS=
       (PROTOCOL=TCP)
       (HOST=db19)
       (PORT=1521)
     )
     (CONNECT_DATA=
       (SERVER=DEDICATED)
       (SERVICE_NAME=TDB01.trivadislabs.com)
     )
     (UR=A)
   )
EOF

Then we test with tnsping whether the hidden tnsnames.ora is being read.

strace -e trace=open,access,stat,openat -o strace_tnsping.out \
tnsping TDB01_system
TNS Ping Utility for Linux: Version 19.0.0.0.0 - Production on 28-JUN-2023 09:41:39

Copyright (c) 1997, 2023, Oracle.  All rights reserved.

Used parameter files:
/u01/app/oracle/network/admin/sqlnet.ora


Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION= (ADDRESS= (PROTOCOL=TCP) (HOST=db19) (PORT=1521)) (CONNECT_DATA= (SERVER=DEDICATED) (SERVICE_NAME=TDB01.trivadislabs.com)) (UR=A))
OK (10 msec)

We see tnsping finds the new Oracle Net Service entry and returns a correct response. What about the output of strace?

grep -in tnsnames.ora strace_tnsping.out
275:access("/home/oracle/.tnsnames.ora", F_OK) = 0
276:access("/u01/app/oracle/network/admin/tnsnames.ora", F_OK) = 0
277:stat("/home/oracle/.tnsnames.ora", {st_mode=S_IFREG|0644, st_size=245, ...}) = 0
278:openat(AT_FDCWD, "/home/oracle/.tnsnames.ora", O_RDONLY) = 6

As expected, the new Oracle Net Service entry is read from the hidden tnsnames.ora file in the user home directory. Let’s do another tnsping on the net service name TDB01, as we did at the beginning.

strace -e trace=open,access,stat,openat -o strace_tnsping.out \
tnsping TDB01
grep -in tnsnames.ora strace_tnsping.out
269:access("/home/oracle/.tnsnames.ora", F_OK) = 0
270:access("/u01/app/oracle/network/admin/tnsnames.ora", F_OK) = 0
271:stat("/home/oracle/.tnsnames.ora", {st_mode=S_IFREG|0644, st_size=245, ...}) = 0
272:openat(AT_FDCWD, "/home/oracle/.tnsnames.ora", O_RDONLY) = 6
273:stat("/u01/app/oracle/network/admin/tnsnames.ora", {st_mode=S_IFREG|0644, st_size=484, ...}) = 0
274:openat(AT_FDCWD, "/u01/app/oracle/network/admin/tnsnames.ora", O_RDONLY) = 6

If we do another tnsping on the net service name TDB01, as we did at the beginning, we see that both files are read. First the hidden file .tnsnames.ora and because TDB01 is not found, the central tnsnames.ora from the $TNS_ADMIN directory.

The examples shown above were all with tnsnames.ora. But for sqlnet.ora the whole thing works analogously.

Use Cases and Advantages

With this undocumented functionality of Oracle Net Services, a wide range of use cases can be covered.

  • Personal Oracle Net service names or aliases
  • Test ad hoc SQL*Net configurations, e.g. for troubleshooting, tracing or testing special functions
  • Override or extend central SQL*Net configurations
  • Use of a local wallet for Secure External Password Store (SEPS)

Let’s take a look at the example of Secure External Password Store, where we use a wallet for authentication. First, we generate a password using pwgen and create an Oracle wallet using mkstore.

mkdir -p $HOME/.pwd $HOME/wallet
pwgen -s -1 15 >$HOME/.pwd/.wallet_password.txt
chmod 600 $HOME/.pwd/.wallet_password.txt
chmod 700 $HOME/.pwd
mkstore -wrl $HOME/wallet -create <<CREATE
$(cat $HOME/.pwd/.wallet_password.txt)
$(cat $HOME/.pwd/.wallet_password.txt)
CREATE
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2023, Oracle and/or its affiliates. All rights reserved.

Enter password:   
Enter password again:

For testing, we create a simple user SEPS_TEST in the DB TDB01. The password is generated using pwgen and temporarily stored in a text file for easier deployment. The following SQL statements are packed in a here document, a convenient way to execute SQL directly with a copy/paste. The prerequisite is, of course, that the corresponding Oracle environment is set.

pwgen -s -1 15 >$HOME/.pwd/.seps_test_password.txt
chmod 600 $HOME/.pwd/.seps_test_password.txt
${ORACLE_HOME}/bin/sqlplus -S -L /nolog <<EOFSQL 
    CONNECT / AS SYSDBA
    DROP USER seps_test;
    CREATE USER seps_test IDENTIFIED BY "$(cat $HOME/.pwd/.seps_test_password.txt)";
    GRANT create session TO seps_test;
    GRANT select_catalog_role TO seps_test;
EOFSQL

Next, we create a TNS entry TDB01_seps_test.trivadislabs.com in the hidden tnsnames.ora

cat << EOF >>$HOME/.tnsnames.ora
TDB01_seps_test.trivadislabs.com=
   (DESCRIPTION=
     (ADDRESS=
       (PROTOCOL=TCP)
       (HOST=db19)
       (PORT=1521)
     )
     (CONNECT_DATA=
       (SERVER=DEDICATED)
       (SERVICE_NAME=TDB01.trivadislabs.com)
     )
     (UR=A)
   )
EOF

Don’t forget to test if we can connect to the database using this new net service name.

tnsping TDB01_seps_test
TNS Ping Utility for Linux: Version 19.0.0.0.0 - Production on 28-JUN-2023 13:27:41

Copyright (c) 1997, 2023, Oracle.  All rights reserved.

Used parameter files:
/u01/app/oracle/network/admin/sqlnet.ora


Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION= (ADDRESS= (PROTOCOL=TCP) (HOST=db19) (PORT=1521)) (CONNECT_DATA= (SERVER=DEDICATED) (SERVICE_NAME=TDB01.trivadislabs.com)) (UR=A))
OK (0 msec)

We store the credentials using mkstore in the previously created wallet.

mkstore -wrl $HOME/wallet -createCredential \
 TDB01_seps_test seps_test <<ADD
$(cat $HOME/.pwd/.seps_test_password.txt)
$(cat $HOME/.pwd/.seps_test_password.txt)
$(cat $HOME/.pwd/.wallet_password.txt)
ADD
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2023, Oracle and/or its affiliates. All rights reserved.

Your secret/Password is missing in the command line 
Enter your secret/Password:   
Re-enter your secret/Password:   
Enter wallet password: 

For SEPS to work, we still need to create a WALLET entry in sqlnet.ora. We now do this in the hidden sqlnet.ora file.

cat >> $HOME/.sqlnet.ora <<CAT
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY="$HOME/wallet")))
SQLNET.WALLET_OVERRIDE=TRUE
CAT

With the help of Secure External Password Store, we can now log on directly to the database without entering the password. To do this, we use the defined TNS entry. SQL*Plus then reads the corresponding information from the wallet. Let’s do a simple test.

${ORACLE_HOME}/bin/sqlplus /@TDB01_seps_test <<EOFSQL 
    SHOW USER
EOFSQL
SQL*Plus: Release 19.0.0.0.0 - Production on Wed Jun 28 13:49:19 2023
Version 19.19.0.0.0

Copyright (c) 1982, 2022, Oracle.  All rights reserved.


Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.19.0.0.0

SQL> USER is "SEPS_TEST"
SQL> Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.19.0.0.0

And now let’s check the whole thing with strace and run grep to verify the output.

strace -e trace=open,access,stat,openat -o strace_sqlplus.out \
${ORACLE_HOME}/bin/sqlplus /@TDB01_seps_test <<EOFSQL 
    SHOW USER
EOFSQL
grep -inE 'tnsnames.ora|sqlnet.ora' strace_sqlplus.out
69:access("/u01/app/oracle/network/admin/sqlnet.ora", F_OK) = 0
70:openat(AT_FDCWD, "/u01/app/oracle/network/admin/sqlnet.ora", O_RDONLY) = 6
71:access("/home/oracle/.sqlnet.ora", F_OK) = 0
72:openat(AT_FDCWD, "/home/oracle/.sqlnet.ora", O_RDONLY) = 6
96:access("/u01/app/oracle/network/admin/sqlnet.ora", F_OK) = 0
97:openat(AT_FDCWD, "/u01/app/oracle/network/admin/sqlnet.ora", O_RDONLY) = 8
402:access("/home/oracle/.tnsnames.ora", F_OK) = 0
403:access("/u01/app/oracle/network/admin/tnsnames.ora", F_OK) = 0
404:stat("/home/oracle/.tnsnames.ora", {st_mode=S_IFREG|0644, st_size=493, ...}) = 0
405:openat(AT_FDCWD, "/home/oracle/.tnsnames.ora", O_RDONLY) = 12
407:stat("/home/oracle/.tnsnames.ora", {st_mode=S_IFREG|0644, st_size=493, ...}) = 0
408:stat("/home/oracle/.tnsnames.ora", {st_mode=S_IFREG|0644, st_size=493, ...}) = 0

As expected, the files from TNS_ADMIN as well as the hidden files in the user home directory are being read.

Do not forget to save the password for the wallet and the test user in a password manager and remove the temporarily created files.

rm -rf $HOME/.pwd/.seps_test_password.txt $HOME/.pwd/.wallet_password.txt

Best Practices, Considerations and Common Issues

First of all, it is important to know that these hidden Net Service configuration files exist and can be used to control the behaviour. It is a bit unfortunate when someone else creates such files without your knowledge, e.g. to redirect you to another database or to switch off a configuration such as encryption. Therefore, the feature should be used wisely.

  • Avoid using it in shared user environments where several people log in as the same OS user, e.g. the oracle software owner
  • Double check what is stored in your home folder
  • Be aware that you can override settings which are centrally defined in the TNS_ADMIN folder
  • If necessary you can also use IFILE to include additional tnsnames.ora or sqlnet.ora files
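
The second and third points in the list can be turned into a routine check. The following shell functions are an added example (not from the original post and not an Oracle utility): hidden_net_config_audit reports the hidden .sqlnet.ora and .tnsnames.ora files in a home directory together with the directives a hidden file could use to override a central configuration (IFILE, WALLET_LOCATION, SQLNET.WALLET_OVERRIDE, the encryption and checksum parameters, SQLNET.AUTHENTICATION_SERVICES and NAMES.DIRECTORY_PATH; this directive list is an assumption to be extended to your own baseline), and opened_net_configs reduces an strace file as produced above to the Oracle Net files that were actually opened, so the effective search result is visible at a glance. The strace excerpt in the block is a constructed sample modelled on the output shown above.

```shell
#!/bin/sh
# Added example, not part of the original post. Two checks for the hidden
# Oracle Net configuration files in a user home directory.

# Directives in sqlnet.ora / tnsnames.ora that a hidden file could use to
# silently change connection behaviour (includes, wallets, encryption,
# authentication, name resolution). The list is an assumption; extend it to
# match your central baseline.
NET_SENSITIVE_DIRECTIVES='^[[:space:]]*(IFILE|WALLET_LOCATION|SQLNET\.WALLET_OVERRIDE|SQLNET\.ENCRYPTION_(CLIENT|SERVER)|SQLNET\.CRYPTO_CHECKSUM_(CLIENT|SERVER)|SQLNET\.AUTHENTICATION_SERVICES|NAMES\.DIRECTORY_PATH)[[:space:]]*='

# hidden_net_config_audit [home_dir]: print every hidden Oracle Net file in
# home_dir (default $HOME) with its permission bits, followed by the lines that
# set one of the sensitive directives. Prints nothing when no such file exists.
hidden_net_config_audit() {
  home="${1:-$HOME}"
  for f in "$home/.sqlnet.ora" "$home/.tnsnames.ora"; do
    [ -f "$f" ] || continue
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    printf 'FOUND %s (mode %s)\n' "$f" "$mode"
    grep -inE "$NET_SENSITIVE_DIRECTIVES" "$f" | sed 's/^/  directive: /'
  done
  return 0
}

# opened_net_configs [strace_file]: from strace output (file argument or stdin,
# traced with -e trace=open,access,stat,openat as above; an optional "NNN:"
# prefix from grep -n is tolerated) list the sqlnet.ora / tnsnames.ora paths
# that were opened successfully, in order and without repeats. Failed lookups
# (= -1 ENOENT) are dropped, so the output is the effective search result
# rather than the search order.
opened_net_configs() {
  grep -E '^([0-9]+:)?(open|openat)\(' "$@" \
    | grep -v ' = -1 ' \
    | sed -E 's/.*"([^"]*)".*/\1/' \
    | grep -E '/\.?(sqlnet|tnsnames)\.ora$' \
    | awk '!seen[$0]++'
}

# Constructed strace excerpt modelled on the output shown above.
SAMPLE_STRACE='access("/u01/app/oracle/network/admin/sqlnet.ora", F_OK) = 0
openat(AT_FDCWD, "/u01/app/oracle/network/admin/sqlnet.ora", O_RDONLY) = 6
access("/home/oracle/.sqlnet.ora", F_OK) = 0
openat(AT_FDCWD, "/home/oracle/.sqlnet.ora", O_RDONLY) = 6
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
access("/home/oracle/.tnsnames.ora", F_OK) = 0
access("/u01/app/oracle/network/admin/tnsnames.ora", F_OK) = 0
openat(AT_FDCWD, "/home/oracle/.tnsnames.ora", O_RDONLY) = 12
openat(AT_FDCWD, "/home/oracle/.tnsnames.ora", O_RDONLY) = 12
openat(AT_FDCWD, "/u01/app/oracle/network/admin/tnsnames.ora", O_RDONLY) = 13'

# Stand-alone demo: audit the current home and reduce the sample trace.
hidden_net_config_audit
printf '%s\n' "$SAMPLE_STRACE" | opened_net_configs
```

Running hidden_net_config_audit for every home directory on a database server, for example from a cron job that mails the result, makes an unexpected .sqlnet.ora visible before anyone wonders why encryption was negotiated differently or why a connection landed in another database.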

Conclusion

Especially for ad hoc tests and troubleshooting of Oracle SQL*Net, the hidden configuration files in the user home are extremely helpful. It is relatively easy to verify certain configurations with a local user. There are only restrictions where the Oracle server process also requires certain information, e.g. the server-side Kerberos and SSL configuration with the corresponding reference to the keytab or wallet file; there is no way around working with TNS_ADMIN for those. For things like Secure External Password Store, however, this feature is worth its weight in gold. You can configure and use a local wallet relatively easily. Yet another reason why you should work with personal and not shared accounts on the database server 😉.

Additional Resources

A few links and references to relevant documentation, blog posts and other external resources for further reading.

SQL Toolbox for simplified Oracle Unified Audit Data Analysis


On my journey through the area of database security, Oracle Unified Audit has been a constant companion. I not only created audit concepts, but also often had the opportunity to implement them. Besides the configuration, the administration and evaluation of the audit data was always part of it. Occasionally I used scripts for this. However, I often evaluated the audit data ad hoc. There are only a handful of data dictionary views that have to be taken into account. So that was usually enough. Nevertheless, creating a collection of scripts for Unified Audit has been on my bucket list for a long time. At least until today. I finally found the time to put together a small toolbox of scripts, which I would like to show you in this blog post.

The scripts for the database audit are among others part of my GitHub repository oehrlis/oradba and are available to everyone. You are welcome to share them, use them, improve them or just like them.

What is currently covered by my scripts for Oracle Unified Audit?

  • Configuration of the audit infrastructure, i.e. tablespace, housekeeping jobs, etc.
  • Information on audit trails and storage usage
  • Administration of audit policies. This includes the creation, deletion, activation and display of policies.
  • Assessment of the unified audit trail showing various top events, e.g. policy, user, objects, etc.
  • Overview of the audit session and analysis of the statements per session

Current list of scripts

The following SQL scripts are currently available for the assessment of Oracle Unified Audit data. Further information on the scripts can be found in the comments of the file headers.

Script             Purpose
------------------ ------------------------------------------------------------------------------------------------
saua_info.sql      Show information about the audit trails
daua_pol.sql       Disable all audit policies and drop all non-Oracle maintained policies
cdua_init.sql      Initialize audit environment (create tablespace, reorganize tables, create jobs)
caua_pol.sql       Create custom local audit policies
iaua_pol.sql       Initialize / enable custom local audit policies
saua_pol.sql       Show local audit policies. A join of the views AUDIT_UNIFIED_POLICIES and AUDIT_UNIFIED_ENABLED_POLICIES
saua_teact.sql     Show top unified audit events by action for current DBID
saua_tecli.sql     Show top unified audit events by client_program_name for current DBID
saua_tedbid.sql    Show top unified audit events by DBID
saua_teusr.sql     Show top unified audit events by dbusername for current DBID
saua_teobj.sql     Show top unified audit events by object_name for current DBID
saua_teobjusr.sql  Show top unified audit events by object name without Oracle maintained schemas for current DBID
saua_teown.sql     Show top unified audit events by object_schema for current DBID
saua_teosusr.sql   Show top unified audit events by os_username for current DBID
saua_tepol.sql     Show top unified audit events by unified_audit_policies for current DBID
saua_tepoldet.sql  Show top unified audit events by unified_audit_policies, dbusername, action for current DBID
saua_tehost.sql    Show top unified audit events by userhost for current DBID
saua_asdbv.sql     Show audit sessions for audit type Database Vault
saua_asdp.sql      Show audit sessions for audit type Datapump
saua_asfga.sql     Show audit sessions for audit type Fine Grained Audit
saua_asbck.sql     Show audit sessions for audit type RMAN
saua_asstd.sql     Show audit sessions for audit type Standard
saua_as.sql        Show audit sessions for any audit type
saua_asdet.sql     Show entries of a particular audit session with unified_audit_policies
saua_asdetsql.sql  Show entries of a particular audit session with SQL_TEXT
sdua_usage.sql     Show Unified Audit trail storage usage
saua_tabsize.sql   Show Unified Audit trail table and partition size
sdua_enpolstm.sql  Generate statements to enable all audit policies as currently set in AUDIT_UNIFIED_ENABLED_POLICIES
sdua_crpolstm.sql  Generate statements to create all audit policies as currently set in AUDIT_UNIFIED_ENABLED_POLICIES
sdua_drpolstm.sql  Generate statements to drop all audit policies as currently set in AUDIT_UNIFIED_ENABLED_POLICIES
sdua_dipolstm.sql  Generate statements to disable all audit policies as currently set in AUDIT_UNIFIED_ENABLED_POLICIES
sdua_prgstm.sql    Generate Unified Audit trail storage purge statements
sdua_stostm.sql    Generate Unified Audit trail storage usage modification statements
List of SQL Scripts

A few Examples and Use Cases

Overview of Audit Trails saua_info.sql

Some information on the different audit trails and their size. Some figures depend on up-to-date statistics.

Overview of Unified Audit Trail Storage Usage sdua_usage.sql

Summary of various information about the unified audit trail, e.g. number of records, oldest records, size etc. The output is always for the current DBID. If audit records are also available for other DBIDs, they are displayed as foreign DBIDs. These audit data can potentially be deleted. There is also the script saua_tabsize.sql, which displays information about the partitions.

Generate Unified Audit Trail purge statements sdua_prgstm.sql

Generate dbms_audit_mgmt statements based on the current setting / configuration. These statements can be used as a copy template directly or adapted to maintain the audit trail. There is also the script sdua_stostm.sql to create modification statements.

Show local audit policies saua_pol.sql

Show current audit policy settings. This script joins the views AUDIT_UNIFIED_POLICIES and AUDIT_UNIFIED_ENABLED_POLICIES. There are also corresponding scripts to create (caua_pol.sql), drop (daua_pol.sql) and enable/initialize (iaua_pol.sql) the audit policies.

Show Top Audit Events

There are several scripts to show top audit events, e.g. by user (saua_teusr.sql), action (saua_teact.sql), policy (saua_tepol.sql), object name (saua_teobj.sql) and more. These scripts can be used to find the root cause of a high amount of audit data.

Below you see an example for top audit actions.

Audit Session Overview saua_as.sql

Show an overview of audit sessions in the audit trail, where the information is grouped by the session ID. This script also accepts parameters to limit the information based on days or fractions thereof. The following query limits the output to the last 2h. In addition, there are variants of this script that limit the information to the individual audit types, e.g. Datapump (saua_asdp.sql), RMAN (saua_asbck.sql) or Fine Grained Audit (saua_asfga.sql).

Audit Session Details saua_asdet.sql

This script shows all audit records for a specific audit session ID. You can see what somebody did during their session. There is also a version of the script (saua_asdetsql.sql) which shows the sql_text. Below we see an example of what a session (scott) has done. This script also works perfectly for proxy sessions.

Naming Concept

A little confused by the script names? I have tried to somehow bring a bit of order to my scripts in the GitHub repository oehrlis/oradba. That is an attempt. But I’m not sure I’ve been successful. Below is the information about the different abbreviations and prefixes.

The script names follow the format:

<script_qualifier><privileges_qualifier><topic_qualifier>_<use_case>.sql

Script Qualifier

The script qualifier is used to determine whether a script is used to read information or to configure, e.g. create, modify, activate, etc.

Qualifier  Stands For  Comment
---------  ----------  ------------------------------------------
s          Show        Output only on screen
d          Delete      Delete any objects, configuration etc.
i          Initialize  Initializes or enables a configuration
c          Create      Create any objects, configuration etc.
u          Update      Update any object
g          Grant       Grants some objects or system privileges
Script Qualifier

Privileges Qualifier

The privilege qualifier is used to determine what privileges are required by a script.

Qualifier  Stands For  Comment
---------  ----------  ----------------------------------------------------------------------
s          SYS         SYS, SYSDBA or Internal
d          DBA         SYSTEM or any other user with DBA role
o          Owner       Object owner
p          Create      Needs some special privileges according to the script's inline comments
a          Audit       Audit roles like AUDIT_ADMIN or AUDIT_VIEWER
Privileges Qualifier

Topic Qualifier

Topic Qualifier is used to assign the different scripts to a certain topic and thus to be able to sort them better.

Qualifier  Stands For         Comment
---------  -----------------  -----------------------------------------------
ua         Unified Audit      Everything related to Oracle Unified Audit
ta         Traditional Audit  Everything related to Oracle traditional Audit
sec        Security           Oracle security related stuff
enc        Encryption         Oracle Transparent Data Encryption
a          Admin              Database Administration
Topic Qualifier

Conclusion

This collection of SQL scripts around Oracle Unified Audit is certainly not perfect or conclusive. Nevertheless, it is helpful for the configuration and a first analysis of the audit data in the Unified Audit Trail. As already mentioned, you can find the scripts on GitHub under oehrlis/oradba. I would be happy if you share or like them. Feedback and ideas as comments to this blogpost or better directly as a GitHub issue are very welcome.

Simplified Keytab creation using Linux Tools #JoelKallmanDay


Today is #JoelKallmanDay, and my topic is about simplifying the configuration of Kerberos authentication for Oracle databases using Linux tools. I have already written a few things about Kerberos in the past. The blog posts on this topic are usually tagged with Kerberos. Today I want to show you an alternative method of creating the keytab file directly on the database server without the help of a domain admin. This is especially helpful in larger environments or when troubleshooting. You have a new keytab file immediately, without having to first create an incident ticket and wait for support from your Windows administration colleagues. As a rule, they are not bored either and are glad to have one task less.

Some Basics

Kerberos is a networked authentication system that Oracle uses to authenticate Oracle Database users. The following graphic shows the Kerberos authentication process at a glance. The complete configuration is described in detail in Oracle® Database Security Guide 23c – Configuring Kerberos Authentication or Oracle Support Document 1996329.1. Further links can be found in the Reference chapter. This blog post is only about an alternative creation of the keytab file.

The Kerberos authentication Process at a Glance

The keytab file plays a vital role in securely managing service keys, especially service principals, for the host’s various services, including those associated with Kerberos authentication for the Oracle database. This important file equips the Oracle database with the necessary information to interact with the Key Distribution Center (KDC) and perform user authentication.

Traditionally, the keytab file is generated on the KDC server. In the context of Windows Active Directory, the ktpass tool stands as the go-to utility for this task. Detailed guidance and examples for using ktpass can be found in official documentation.

For instance, here’s an example of how I create a keytab file using ktpass in my test lab. In this case, I’m associating the service principal with the user DB19. The resulting keytab file includes all available cryptographic keys for enhanced security.

ktpass.exe -princ oracle/db19.trivadislabs.com@TRIVADISLABS.COM `
  -mapuser db19 -pass <PASSWORD> -crypto ALL `
  -ptype KRB5_NT_PRINCIPAL `
  -out C:\stage\db19.trivadislabs.com.keytab

In a test lab you can do everything yourself. This is not possible in productive environments. You need admin access to the Active Directory or have a Windows admin at hand who can do it. Afterwards you have to copy the file, sometimes via detours, to the database server. The whole thing is cumbersome and error-prone.

Requirements

The following requirements must be met in order to use the Linux tools for configuration:

  • Tools: install the Kerberos client utilities on the database server. We do not configure Kerberos for the operating system; we only use the tools. Kerberos is only used for database authentication in this example.
  • AD User: create a service account in Active Directory and set the service principal name (SPN) for this account.
  • Configuration: have the basic Kerberos configuration ready in your database environment, e.g. $TNS_ADMIN/sqlnet.ora and $TNS_ADMIN/krb5.conf

Example of Tools Installation

Command line commands to install Kerberos client utilities on OEL8

sudo dnf install krb5-workstation

Command line commands to install Kerberos client utilities on OEL7

sudo yum -y install krb5-workstation

Example of AD User Creation

PowerShell commands to create the service principal account with the flags “This account supports Kerberos AES 128 bit encryption” and “This account supports Kerberos AES 256 bit encryption” set. This ensures that the keytab file can be created with the AES encryption types and that authentication then also works with such a keytab file.

$Hostname = "db19"
$sPWD = ConvertTo-SecureString -AsPlainText "<PASSWORD>" -Force
$UsersDN  = "cn=Users," + (Get-ADDomain).DistinguishedName
$DNSRoot  = (Get-ADDomain).DNSRoot
$Domain   = (Get-ADDomainController).Domain.ToUpper()

if (!(Get-ADUser -Filter "sAMAccountName -eq '$Hostname'")) {
  Write-Host "INFO : User does not exist."
} else  {
  Write-Host "INFO : Remove existing User."
  Remove-ADUser -Identity $Hostname -Confirm
} 

Write-Host "INFO : Create service account for DB server $Hostname."
# backtick continuations are required, otherwise PowerShell treats each line as a separate command
New-ADUser -SamAccountName $Hostname -Name $Hostname `
  -DisplayName $Hostname `
  -Description "Kerberos Service User for $Hostname" `
  -Path $UsersDN -AccountPassword $sPWD `
  -Enabled $true `
  -KerberosEncryptionType "AES128, AES256"

Additionally we set the SPN using setspn.

setspn $Hostname -s oracle/$Hostname.$DNSRoot@$Domain
PS C:\Windows\system32> setspn $Hostname -s oracle/$Hostname.$DNSRoot@$Domain
Checking domain DC=trivadislabs,DC=com

Registering ServicePrincipalNames for CN=db19,CN=Users,DC=trivadislabs,DC=com
        oracle/db19.trivadislabs.com@TRIVADISLABS.COM
Updated object

Example Kerberos Configuration

Basic krb5.conf file in the $TNS_ADMIN folder. This example configures ad.trivadislabs.com as KDC for the realm / domain TRIVADISLABS.COM.

# ----------------------------------------------------------------
# OraDBA - Oracle Database Infrastructure and Security, 5630 Muri,
# Switzerland
# ----------------------------------------------------------------
# Name.......: krb5.conf
# Author.....: Stefan Oehrli (oes) stefan.oehrli@oradba.ch
# Editor.....: Stefan Oehrli
# Date.......: 2023.05.04
# Version....: --
# Purpose....: Kerberos Configuration File
# Notes......: --
# Reference..: Oracle Database Security Guide 19c
# ----------------------------------------------------------------
[libdefaults]
forwardable = true
default_realm = TRIVADISLABS.COM
 
[realms]
  TRIVADISLABS.COM = {
    kdc = ad.trivadislabs.com
  }
 
[domain_realm]
.trivadislabs.com = TRIVADISLABS.COM
trivadislabs.com = TRIVADISLABS.COM

Extract from sqlnet.ora in $TNS_ADMIN with the Kerberos configuration

# ----------------------------------------------------------------
# Kerberos settings
# ----------------------------------------------------------------
SQLNET.AUTHENTICATION_SERVICES=(beq,tcps,kerberos5pre,kerberos5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = oracle
SQLNET.FALLBACK_AUTHENTICATION = TRUE
SQLNET.KERBEROS5_KEYTAB = /u01/app/oracle/network/admin/krb5.keytab
SQLNET.KERBEROS5_CONF = /u01/app/oracle/network/admin/krb5.conf
SQLNET.KERBEROS5_CONF_MIT=TRUE

Using the Kerberos Utilities

Let's use the different command-line utilities to create the keytab file on the database server as user oracle.

Step 1: Create a TGT for the service principal

To verify the service account and simplify the following steps we get a ticket granting ticket (TGT) using okinit. okinit is an Oracle tool and requires the sqlnet.ora configuration mentioned above.

oracle@db19:~/ [rdbms19] okinit db19

Kerberos Utilities for Linux: Version 19.0.0.0.0 - Production on 11-OCT-2023 21:33:35

Copyright (c) 1996, 2019 Oracle.  All rights reserved.

Configuration file : /u01/app/oracle/network/admin/krb5.conf.
Password for db19@TRIVADISLABS.COM:

Step 2: Check the ticket cache

Verify the ticket cache using oklist

oracle@db19:~/ [rdbms19] oklist

Kerberos Utilities for Linux: Version 19.0.0.0.0 - Production on 11-OCT-2023 21:34:54

Copyright (c) 1996, 2019 Oracle.  All rights reserved.

Configuration file : /u01/app/oracle/network/admin/krb5.conf.
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: db19@TRIVADISLABS.COM

Valid starting     Expires            Service principal
10/11/23 21:33:39  10/12/23 07:33:39  krbtgt/TRIVADISLABS.COM@TRIVADISLABS.COM
	renew until 10/12/23 21:33:35

Step 3: Get the kvno for the Service Principal

We need the key version number (kvno) of the service principal. It can be queried using the kvno utility. Check in the oklist output above which ticket cache is used; optionally specify the ticket cache explicitly using -c. The kvno will be used when creating the keytab file.

oracle@db19:~/ [rdbms19] kvno -c /tmp/krb5cc_1000 db19@TRIVADISLABS.COM 
db19@TRIVADISLABS.COM: kvno = 2

Step 4: Create a keytab file using ktutil

We now create a keytab file with ktutil. The tool must be used interactively to read, create and write the keytab file. See the ktutil man page for full usage. In the following example, we use the aes256-cts-hmac-sha1-96 encryption type. Update the addent command accordingly with the correct kvno and encryption type. Optionally, you can add multiple encryption types to a keytab by running addent multiple times. The list of encryption types can be found at Kerberos Parameters. Make sure to use encryption types which are supported by your KDC.

oracle@db19:~/ [rdbms19] mv $TNS_ADMIN/krb5.keytab $TNS_ADMIN/krb5.keytab.orig
oracle@db19:~/ [rdbms19] ktutil
ktutil:  addent -password -p oracle/db19.trivadislabs.com@TRIVADISLABS.COM -k 2 -e aes256-cts-hmac-sha1-96
Password for oracle/db19.trivadislabs.com@TRIVADISLABS.COM:
ktutil:  list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 oracle/db19.trivadislabs.com@TRIVADISLABS.COM (aes256-cts-hmac-sha1-96)
ktutil:  wkt /u01/app/oracle/network/admin/krb5.keytab
ktutil:  q

Step 5: Verify the new keytab File

Verify the new keytab file using oklist

oracle@db19:~/ [rdbms19] oklist -e -k

Kerberos Utilities for Linux: Version 19.0.0.0.0 - Production on 11-OCT-2023 22:41:00

Copyright (c) 1996, 2019 Oracle.  All rights reserved.

Configuration file : /u01/app/oracle/network/admin/krb5.conf.
Keytab name: FILE:/u01/app/oracle/network/admin/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 oracle/db19.trivadislabs.com@TRIVADISLABS.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)

Conclusion

Especially in large environments, where you sometimes have to wait several days for a service ticket to be processed, the alternative method for creating a keytab file is a relief. The keytab file is immediately where you need it. No need for cumbersome copying via SSH, fileshare, tunnels etc. You need another or an additional encryption type in the keytab file? Nothing could be simpler: one call of ktutil and addent and you have an additional encryption type in the keytab file.

Have fun configuring Kerberos

References

Some links related to this topic.

  • Oracle® Database Security Guide 23c – Configuring Kerberos Authentication
  • Oracle Support Document 1375853.1 Primary Note For Kerberos Authentication
  • Oracle Support Document 1996329.1 How To Configure Kerberos Authentication In A 12c Database
  • Oracle Support Document 1304004.1 Configuring Kerberos Authentication with a Microsoft Windows Active Directory KDC
  • Oracle Support Document 132804.1 Enabling Kerberos Authentication
  • Oracle Support Document 185897.1 Kerberos Troubleshooting Guide
  • Oracle Support Document 1523651.1 Kerberos Authentication With Oracle JDBC Thin Driver And Microsoft Active Directory
  • Oracle Support Document 1609359.1 How To Use Kerberos Authentication to connect to a database with SQL Developer with thin JDBC
  • Oracle Support Document 294136.1 Kerberos: High Level Introduction and Flow
  • Microsoft Windows Server Documentation ktpass
  • Linux Man Pages ktutil
  • Linux Man Pages kvno
  • IANA Kerberos Encryption Type Numbers
  • OraDBA Kerberos related blog posts see Kerberos

Latest Critical Patch Updates from Oracle – October 2023


On October 17, Oracle released its quarterly Critical Patch Update Advisory. This comprehensive advisory contains details about 387 new security patches for various Oracle product families. Among them are some serious vulnerabilities that can be exploited remotely over the network, i.e. with a CVSS rating of 9 or more. The entire advisory can be found at CPU October 2023. In this blog, we will focus on the products that are relevant to my ongoing projects. Let’s take a closer look at them.

Oracle Database

For the Oracle database there are security patches for 10 vulnerabilities in the current update. Two of these vulnerabilities can be exploited remotely without authentication. None of the vulnerabilities affect the client-only installations, i.e. the security patches only affect the database server. The highest CVSS rating is 6.5, so this patch update is moderately rated. Nevertheless, it makes sense to patch the database environments promptly.

The essential database patches and release updates:

Fusion Middleware

Do I really need to mention Fusion Middleware? As always, there are relatively many and very critical security vulnerabilities. There are 46 in total, and 35 of these vulnerabilities can be exploited remotely without authentication. So better patch yesterday than tomorrow.

For me, the security updates for the WebLogic Server and Oracle Unified Directory are particularly relevant in this context. The whole bouquet of patches can be found in the Oracle Support Document 2806740.2.

  • Oracle Unified Directory 12.2.1.4.0: expected to be released on October 20, see Oracle Support Document 2640772.1
  • Oracle WebLogic Server 14.1.1.0 and 12.2.1.4: see Oracle Support Document 2806740.2

What Else?

As always, the list is very long. Despite all kinds of summaries, blog posts, reports, etc., you can’t avoid studying the Oracle Critical Patch Update Advisory and checking the patches for your specific products. Especially with products like Oracle Enterprise Manager, which combines several products, you have to be careful. You have to apply patch updates for Oracle Enterprise Manager Base Platform as well as for Weblogic Server, Repository Database etc.

Conclusion

Is it necessary to consider the Critical Patch Update and install the patches? In short, yes. As Miss Sophie used to say in Dinner for One, ‘Same procedure as every year, James.’

Cheerio, and happy patching!

The essential Links

  • Oracle Critical Patch Update Advisory – October 2023
  • Oracle Support Document 2962256.1 October 2023 Critical Patch Update – Executive Summary and Analysis
  • Oracle Support Document 2966413.1 Critical Patch Update (CPU) Program Oct 2023 Patch Availability Document (DB-only)
  • Oracle Support Document 2978467.2 Fusion Middleware Critical Patch Update (CPU) Program October 2023 Patch Availability Document (PAD)
  • Oracle Support Document 2806740.2 Critical Patch Update (CPU) Patch Advisor for Oracle Fusion Middleware – Updated for October 2023
  • Critical Patch Updates, Security Alerts and Bulletins
  • Use of Common Vulnerability Scoring System (CVSS) by Oracle
  • CVE ID’s by MITRE
  • Wikipedia Dinner for One “Same procedure as every year, James” Somehow a very popular catchphrase in Germany, Switzerland,…

Easy setup of Kerberos Authentication for Oracle Databases


I have previously published a couple of blog posts related to Kerberos authentication for databases. In this post, I want to provide a simple, step-by-step tutorial for configuring Kerberos authentication. This tutorial is based on my lab setup within Oracle Cloud Infrastructure (OCI). Within this environment, I run both a database server and a corresponding Windows server configured as an Active Directory server. It should be noted that this tutorial is designed for a basic environment. The configuration must be adapted accordingly for special cases such as clusters, multiple AD forests or domains, OS configuration, etc.

Prerequisites and Requirements

Configuring Kerberos authentication for Oracle databases involves a number of tasks, each of which requires specific permissions. In my lab environment, of course, I have all the necessary permissions. In other environments, certain tasks may need to be delegated to other administrators. Essentially, the following steps need to be performed:

  • DB Server: Install the software component for the Kerberos client tools as root user.
  • AD Server: Create a service account in AD as a domain administrator.
  • DB Environment: Configure the SQLNet environment as the Oracle user.
  • DB Instance: Adjust the init.ora parameters and establish Kerberos accounts.

The subsequent Kerberos configuration relies on the following values:

  • AD Domain / KDC Realm: TRIVADISLABS.COM
  • AD Server / KDC: ad.trivadislabs.com (10.0.1.4)
  • Database Server (FQDN): db23.trivadislabs.com (10.0.1.23)
  • Database Server OS: Oracle Enterprise Linux 8 (Version: 8.8)
  • SamAccountName: db23
  • User Principal Name (UPN): db23.trivadislabs.com
  • Service Principal Name (SPN): oracle/db23.trivadislabs.com
  • Database SID: CDB23B with pluggable database PDB1B and PDB2B

Please note that for different environments and operating systems, the commands may need to be adjusted accordingly.

Step 1 Preparation Database Server

Command line commands to install Kerberos client utilities on OEL8/REL8

sudo dnf install krb5-workstation

Step 2 Service Account Configuration

The following steps should be performed on the AD server by a domain administrator or an administrative account with the required privileges. Essentially, the choice of the tool used for these tasks is not relevant; however, the following section describes only the relevant PowerShell commands.

If the service account already exists, we will delete it first. This step is optional. Nevertheless, it is not a bad idea to start the configuration from scratch. This will certainly make troubleshooting a bit easier.

$Hostname = "db23"
if (!(Get-ADUser -Filter "sAMAccountName -eq '$Hostname'")) {
  Write-Host "INFO : Service Account ($Hostname) does not exist."
} else  {
  Write-Host "INFO : Remove existing Service Account ($Hostname)."
  Remove-ADUser -Identity $Hostname -Confirm
} 

The PowerShell command provided below is used to create a service account with the appropriate flags set to support Kerberos encryption using both AES 128 and 256-bit methods. This guarantees that the keytab file can be generated with the necessary AES encryption types, and authentication will function properly with such a keytab file. Update the service account name, password and $UsersDN accordingly.

# $PWD is a read-only automatic variable in PowerShell (current directory), so use a different name
$Password = "<PASSWORD>"
$Hostname = "db23"
$sPWD     = ConvertTo-SecureString -AsPlainText $Password -Force
$UsersDN  = "cn=Users," + (Get-ADDomain).DistinguishedName
$DNSRoot  = (Get-ADDomain).DNSRoot

Write-Host "INFO : Create service account for DB server $Hostname."
# backtick continuations are required, otherwise PowerShell treats each line as a separate command
New-ADUser -SamAccountName $Hostname -Name $Hostname `
  -UserPrincipalName "oracle/$Hostname.$DNSRoot" `
  -DisplayName $Hostname `
  -Description "Kerberos Service User for $Hostname" `
  -Path $UsersDN -AccountPassword $sPWD `
  -Enabled $true `
  -KerberosEncryptionType "AES128, AES256"

The final step on Windows involves creating a Service Principal Name (SPN) for the service user. If ktpass.exe is used to generate the keytab file, this is done automatically. However, as we are creating the keytab file on the database server using ktutil, we need to create the Service Principal Name (SPN) manually using setspn.

$Hostname = "db23"
$DNSRoot  = (Get-ADDomain).DNSRoot
setspn $Hostname -s oracle/$Hostname.$DNSRoot

Example output of the command.

PS C:\Windows\system32> setspn $Hostname -s oracle/$Hostname.$DNSRoot@$Domain
Checking domain DC=trivadislabs,DC=com

Registering ServicePrincipalNames for CN=db23,CN=Users,DC=trivadislabs,DC=com
        oracle/db23.trivadislabs.com
Updated object
PS C:\Windows\system32>

Step 3 Oracle SQLNet Configuration

It is recommended to set up the SQLNet configuration for each database server in the $TNS_ADMIN directory. This is especially important if you are working with multiple Oracle Homes. Otherwise, multiple Kerberos configurations must be maintained for each database server.

Add the following Kerberos configuration section to your sqlnet.ora file. Adjust the paths to the keytab and krb5.conf files accordingly.

# ----------------------------------------------------------------
# Kerberos settings
# ----------------------------------------------------------------
SQLNET.AUTHENTICATION_SERVICES=(beq,tcps,kerberos5pre,kerberos5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = oracle
SQLNET.FALLBACK_AUTHENTICATION = TRUE
SQLNET.KERBEROS5_KEYTAB = /u01/app/oracle/network/admin/krb5.keytab
SQLNET.KERBEROS5_CONF = /u01/app/oracle/network/admin/krb5.conf
SQLNET.KERBEROS5_CONF_MIT=TRUE

Create a new Kerberos configuration file, krb5.conf, in your $TNS_ADMIN folder. Adjust the KDC realm, domain, etc., as needed.

# ----------------------------------------------------------------
# OraDBA - Oracle Database Infrastructure and Security, 5630 Muri,
# Switzerland
# ----------------------------------------------------------------
# Name.......: krb5.conf
# Author.....: Stefan Oehrli (oes) stefan.oehrli@oradba.ch
# Editor.....: Stefan Oehrli
# Date.......: 2023.05.04
# Version....: --
# Purpose....: Kerberos Configuration File
# Notes......: --
# Reference..: Oracle Database Security Guide 19c
# ----------------------------------------------------------------
[libdefaults]
forwardable = true
default_realm = TRIVADISLABS.COM
 
[realms]
  TRIVADISLABS.COM = {
    kdc = ad.trivadislabs.com
  }
 
[domain_realm]
.trivadislabs.com = TRIVADISLABS.COM
trivadislabs.com = TRIVADISLABS.COM

It is advisable to restart both the listener and the databases afterward to ensure that the new sqlnet.ora configuration is applied universally. However, this restart does not necessarily need to occur immediately.

Step 4 Create keytab File

Generate a Ticket Granting Ticket (TGT) for the service principal. To confirm the service account and streamline the subsequent steps, obtain a TGT using okinit, an Oracle tool that relies on the previously mentioned sqlnet.ora configuration.

okinit db23@TRIVADISLABS.COM

Example output of the command.

oracle@db23:~/ [CDB23B] okinit db23@TRIVADISLABS.COM

Kerberos Utilities for Linux: Version 23.0.0.0.0 - Beta on 08-NOV-2023 16:17:13

Copyright (c) 1996, 2023 Oracle.  All rights reserved.

Configuration file : /u01/app/oracle/network/admin/krb5.conf.
Password for db23@TRIVADISLABS.COM:
oracle@db23:~/ [CDB23B] 

Obtain the Key Version Number (kvno) for the service principal. The kvno can be retrieved using the kvno utility; you also have the option to explicitly specify the ticket cache using the -c flag. The kvno is required for creating the keytab file.

By default, Linux Kerberos tools require a krb5.conf file in /etc. Since we do not intend to configure Kerberos for Linux authentication, we can specify the krb5.conf file from TNS_ADMIN by using the environment variable KRB5_CONFIG.

export KRB5_CONFIG=$TNS_ADMIN/krb5.conf
kvno -c /tmp/krb5cc_1000 db23@TRIVADISLABS.COM

Example output of the command.

oracle@db23:~/ [rdbms] export KRB5_CONFIG=$TNS_ADMIN/krb5.conf
oracle@db23:~/ [rdbms] kvno -c /tmp/krb5cc_1000 db23@TRIVADISLABS.COM
db23@TRIVADISLABS.COM: kvno = 2

We now create a keytab file with ktutil. The tool must be used interactively to read, create and write the keytab file. See the ktutil man page for full usage. In the following example, we use the aes256-cts-hmac-sha1-96 encryption type. Update the addent command accordingly with the correct kvno and encryption type. Optionally, you can add multiple encryption types to a keytab by running addent multiple times. The list of encryption types can be found at Kerberos Parameters. Make sure to use encryption types which are supported by your KDC.

oracle@db23:~/ [rdbms19] export KRB5_CONFIG=$TNS_ADMIN/krb5.conf
oracle@db23:~/ [rdbms19] mv $TNS_ADMIN/krb5.keytab $TNS_ADMIN/krb5.keytab.orig
oracle@db23:~/ [rdbms19] ktutil
ktutil:  addent -password -p oracle/db23.trivadislabs.com@TRIVADISLABS.COM -k 2 -e aes256-cts-hmac-sha1-96
Password for oracle/db23.trivadislabs.com@TRIVADISLABS.COM:
ktutil:  list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 oracle/db23.trivadislabs.com@TRIVADISLABS.COM (aes256-cts-hmac-sha1-96)
ktutil:  wkt /u01/app/oracle/network/admin/krb5.keytab
ktutil:  q

Verify the new keytab file using oklist.

oracle@db23:~/ [rdbms] oklist -e -k

Kerberos Utilities for Linux: Version 23.0.0.0.0 - Beta on 08-NOV-2023 16:18:31

Copyright (c) 1996, 2023 Oracle.  All rights reserved.

Configuration file : /u01/app/oracle/network/admin/krb5.conf.
Keytab name: FILE:/u01/app/oracle/network/admin/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 oracle/db23.trivadislabs.com@TRIVADISLABS.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC) 
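The kvno, ktutil and klist steps above (the keytab creation steps of the previous post and Step 4 of this one) as one script, added here as an example; this is not code from the original posts. It assumes the MIT krb5-workstation tools (kvno, ktutil, klist), KRB5_CONFIG pointing at $TNS_ADMIN/krb5.conf and a TGT for the service account obtained with okinit; parse_kvno, ktutil_script, check_keytab_kvno and create_keytab are hypothetical helper names.

```shell
#!/bin/bash
# Added example, not code from the original posts: scripted form of the
# kvno / ktutil / klist keytab workflow. Assumes MIT krb5-workstation
# (kvno, ktutil, klist), KRB5_CONFIG=$TNS_ADMIN/krb5.conf and a TGT for the
# service account obtained with okinit. Helper names are made up.

# Extract the key version number from one line of kvno output, e.g.
#   "db23@TRIVADISLABS.COM: kvno = 2"  ->  "2"
parse_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# Build the ktutil command script: one addent per encryption type, each
# followed by the password line ktutil prompts for, then write and quit.
#   ktutil_script <principal> <kvno> <keytab> <password> <enctype>...
ktutil_script() {
    local principal=$1 ver=$2 keytab=$3 password=$4 enctype
    shift 4
    for enctype in "$@"; do
        printf 'addent -password -p %s -k %s -e %s\n%s\n' \
            "$principal" "$ver" "$enctype" "$password"
    done
    printf 'wkt %s\nq\n' "$keytab"
}

# Read "klist -e -k" (or "oklist -e -k") output on stdin and confirm that the
# principal is present and that every entry carries the expected kvno. A stale
# kvno is the "KVNO Mismatch" failure after a service account password change.
check_keytab_kvno() {
    local expected=$1 principal=$2 found=0 bad=0 ver princ rest
    while read -r ver princ rest; do
        [ "$princ" = "$principal" ] || continue
        found=$((found + 1))
        [ "$ver" = "$expected" ] || bad=$((bad + 1))
    done
    if [ "$found" -gt 0 ] && [ "$bad" -eq 0 ]; then return 0; fi
    return 1
}

# Driver: query the current kvno, ask for the service account password once
# (never on the command line), keep a copy of any old keytab, write the new
# one and verify it.
#   create_keytab <account> <service principal> <keytab> <enctype>...
create_keytab() {
    local account=$1 principal=$2 keytab=$3 ver password
    shift 3
    ver=$(parse_kvno "$(kvno "$account")")
    if [ -z "$ver" ]; then
        echo "ERROR: could not determine kvno for $account (valid TGT?)" >&2
        return 1
    fi
    printf 'Password for %s: ' "$principal" >&2
    IFS= read -rs password; echo >&2
    [ -f "$keytab" ] && mv "$keytab" "$keytab.orig"
    ktutil_script "$principal" "$ver" "$keytab" "$password" "$@" | ktutil
    klist -e -k "$keytab" | check_keytab_kvno "$ver" "$principal"
}

# Usage (as oracle, after okinit db23@TRIVADISLABS.COM):
# create_keytab db23@TRIVADISLABS.COM \
#     oracle/db23.trivadislabs.com@TRIVADISLABS.COM \
#     "$TNS_ADMIN/krb5.keytab" aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
```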

Step 5 Database Configuration

To enable Kerberos database authentication, it is necessary to modify the init.ora parameter os_authent_prefix='' and, for systems older than 23c, also remote_os_authent=FALSE in each database. Both parameters require a database restart.

ALTER SYSTEM SET os_authent_prefix='' SCOPE=spfile;

Furthermore, it is essential to create or modify the appropriate database users for Kerberos authentication. In the following example, we will create a user named King and grant them the necessary privileges to establish a connection to the database and select information from V$SESSION.

ALTER SESSION SET CONTAINER=pdb1b;
CREATE USER king IDENTIFIED EXTERNALLY AS 'king@TRIVADISLABS.COM';
GRANT create session TO king;
GRANT SELECT ON v_$session TO king;

Step 6 Test Kerberos Authentication

We initially create a Ticket Granting Ticket (TGT) for a specific user, such as King.

okinit king

Example output of the command.

oracle@db23:~/ [CDB23B] okinit king

Kerberos Utilities for Linux: Version 23.0.0.0.0 - Beta on 03-NOV-2023 15:47:27

Copyright (c) 1996, 2023 Oracle.  All rights reserved.

Configuration file : /u01/app/oracle/network/admin/krb5.conf.
Password for king@TRIVADISLABS.COM: 

Now, we can connect directly to the PDB1B database using SQL*Plus without specifying a username and password.

oracle@db23:~/ [CDB23B] sqlplus /@pdb1b

SQL*Plus: Release 23.0.0.0.0 - Beta on Wed Nov 8 16:20:43 2023
Version 23.2.0.0.0

Copyright (c) 1982, 2023, Oracle.  All rights reserved.

Connected to:
Oracle Database 23c Enterprise Edition Release 23.0.0.0.0 - Beta
Version 23.2.0.0.0

SQL>

By querying the system context USERENV, you can find relevant information about the user, authentication method and more.

SET linesize 160 pagesize 200
COL db_user FOR A20
COL auth_method FOR A20
COL auth_id FOR A40

SELECT 
   sys_context('userenv','SESSION_USER') db_user,
   sys_context('userenv','AUTHENTICATION_METHOD') auth_method,
   sys_context('userenv','AUTHENTICATED_IDENTITY') auth_id
FROM dual;

Example output of the query.

SQL> SELECT
  2     sys_context('userenv','SESSION_USER') db_user,
  3     sys_context('userenv','AUTHENTICATION_METHOD') auth_method,
  4     sys_context('userenv','AUTHENTICATED_IDENTITY') auth_id
  5  FROM dual;

DB_USER              AUTH_METHOD          AUTH_ID
-------------------- -------------------- ----------------------------------------
KING                 KERBEROS             king@TRIVADISLABS.COM

Tips and Best Practices

Once Kerberos is up and running, the experience is generally smooth. However, it’s important to consider these best practices:

  • Start Simple: Begin with an uncomplicated setup. A multi-domain Oracle Maximum Availability Architecture (MAA) environment isn’t necessary for initial implementation.
  • Ensure Basic Infrastructure: Verify that the foundational configurations are in place, such as network access, open ports, proper name resolution, and synchronized time settings.
  • Avoid Ad-hoc Tweaks: If issues arise, resist the urge to make random changes. Certain details may be cached, complicating the troubleshooting process. Instead, systematically revert to the last working configuration and proceed cautiously.
  • Regenerate Keytab Files When Needed: Many issues can be resolved with a fresh and correctly configured keytab file. Don’t hesitate to recreate it.
  • Adopt Secure Practices Early: Begin with robust security measures, such as employing strong encryption algorithms and setting secure passwords. The mindset of ‘I’ll secure it later’ often leads to vulnerabilities. 🤪
  • Document Troubleshooting Steps: Keeping a record of the steps and solutions can be invaluable for future reference.
  • Distinguish Between OS and DB Authentication: It’s critical to understand the differences between OS-level Kerberos authentication and Oracle database-specific Kerberos authentication. Do not confuse the two.

Common Errors and Troubleshooting

The Oracle Support Document 185897.1 Kerberos Troubleshooting Guide provides a comprehensive overview of potential issues you might encounter with database Kerberos authentication. Additionally, my blog post Kerberos Troubleshooting – A few approaches outlines practical troubleshooting examples. When addressing Kerberos authentication problems, enabling Oracle SQLNet Tracing is often indispensable; without it, you might find yourself groping in the dark.

Below are a couple of common database Kerberos authentication issues:

  • Incorrect Keytab File: The keytab file may be outdated or incorrectly configured.
  • Service Principal Name (SPN) Mismatches: The SPN registered in Active Directory doesn’t match the one the Oracle server is expecting.
  • Clock Skew: There’s too much time difference between the client and server machines, or between the server and the domain controller.
  • DNS Resolution Problems: The client or server may be unable to resolve the domain names to their IP addresses.
  • Expired Credentials: User credentials or service tickets may have expired.
  • Kerberos Realm Confusion: Incorrect configuration of the Kerberos realm can lead to failed authentication.
  • Version Mismatch: The version of Kerberos on the client does not match with what the Oracle Database expects.
  • Access Denied: Improper permissions set for the Oracle service account within Active Directory.
  • SQLNet Configuration: sqlnet.ora or krb5.conf file may have incorrect entries or lack necessary Kerberos parameters.
  • Kerberos Ticket Issues: Problems obtaining or using a valid Kerberos ticket due to cache issues or misconfigurations.
  • Network Issues: Latency or connectivity problems can prevent proper communication between the client, server, and Kerberos Key Distribution Center (KDC).
  • Case Sensitivity: Kerberos is case-sensitive; mismatches in case between configurations can cause failures.
  • Client Configuration Errors: The Kerberos client may not be configured correctly on the user’s machine, leading to authentication errors.
  • Multi-Domain Environments: Additional complexities when the database and users are in different domains or forests.
  • KVNO Mismatch: Discrepancies between the KVNO in the keytab file and the KVNO for the service principal in the KDC can result in authentication failures. This often happens after a password change for a service account where the keytab file was not updated at the same time.

Unfortunately, I keep running into a new problem every time I try to configure Kerberos. When writing this blog post, it took me a relatively long time to figure out that the User Principal Name (UPN) of my service account was not set. The errors were of course only ORA-01017 and ORA-12631, although the UPN and SPN can easily be checked with the following LDAP query.

ldapsearch -h ad.trivadislabs.com -p 389 \
-D king@TRIVADISLABS.COM -q \
-b "cn=Users,dc=trivadislabs,dc=com" \
-s sub "(sAMAccountName=db23)" \
userPrincipalName servicePrincipalName
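A small pre-flight script for the most common causes in the list above (realm case, DNS resolution, KDC reachability and clock skew), added here as an example and not part of the original post. It assumes getent, nc and hostname -f are available on the database server and reads the krb5.conf format shown in Step 3; krb5_conf_get, realm_case_ok, clock_skew_ok and krb5_preflight are hypothetical helper names.

```shell
#!/bin/bash
# Added example, not code from the original post: pre-flight checks for the
# common Kerberos failure causes listed above. Hypothetical helper names;
# assumes getent, nc and hostname -f exist on the database server.

# Read one key from one section of a krb5.conf given on stdin, e.g.
#   krb5_conf_get libdefaults default_realm < "$TNS_ADMIN/krb5.conf"
# Nested realm blocks ("REALM = { kdc = ... }") are flattened, which is
# sufficient for a single-realm file like the one in Step 3.
krb5_conf_get() {
    local section=$1 key=$2 current="" line
    while IFS= read -r line; do
        case "$line" in
            \#*) ;;                                   # comment line
            \[*\]) current=${line#[}; current=${current%]} ;;
            *=*)
                if [ "$current" = "$section" ]; then
                    local k="${line%%=*}" v="${line#*=}"
                    k=$(printf '%s' "$k" | tr -d '[:space:]')
                    v=$(printf '%s' "$v" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
                    if [ "$k" = "$key" ]; then printf '%s\n' "$v"; return 0; fi
                fi ;;
        esac
    done
    return 1
}

# Realms are case-sensitive and by convention upper case; a lower case
# default_realm is the classic "Case Sensitivity" mistake.
realm_case_ok() {
    [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# MIT Kerberos tolerates 300 seconds of skew by default. $1 and $2 are epoch
# seconds, e.g. local "date +%s" and the KDC's time obtained from your
# time source (chrony/ntp tracking or "date" run on the KDC).
clock_skew_ok() {
    local diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( -diff ))
    if [ "$diff" -le 300 ]; then return 0; fi
    return 1
}

# Live checks against $KRB5_CONFIG (default: $TNS_ADMIN/krb5.conf).
krb5_preflight() {
    local conf=${KRB5_CONFIG:-$TNS_ADMIN/krb5.conf} realm kdc rc=0
    realm=$(krb5_conf_get libdefaults default_realm < "$conf") \
        || { echo "FAIL no default_realm in $conf"; return 1; }
    kdc=$(krb5_conf_get realms kdc < "$conf") \
        || { echo "FAIL no kdc in $conf"; return 1; }
    realm_case_ok "$realm" || { echo "WARN realm $realm is not upper case"; rc=1; }
    getent hosts "$kdc" >/dev/null || { echo "FAIL cannot resolve KDC $kdc"; rc=1; }
    getent hosts "$(hostname -f)" >/dev/null \
        || { echo "FAIL cannot resolve own FQDN $(hostname -f)"; rc=1; }
    nc -z -w 3 "$kdc" 88 || { echo "FAIL KDC $kdc port 88 not reachable"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK realm=$realm kdc=$kdc"
    return "$rc"
}
```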

Conclusion

As you can see, it is clear that setting up and configuring Kerberos is a straightforward process. It provides a relatively simple way to increase the security of database accounts and at the same time significantly improve the user-friendliness of single sign-on (SSO). However, the devil is in the detail. In complex Active Directory domains or Key Distribution Centers (KDCs), additional configuration, such as setting up domain trust, can involve a certain amount of complexity. Furthermore, not all tools and clients are Kerberos-capable out of the box. Therefore, it is important to understand the database users and their access methods. Even with the integration of Kerberos, a well thought-out user and role concept remains essential. However, Kerberos integrates seamlessly with Oracle’s Centrally Managed Users (CMU) and can coexist with other authentication methods, such as password-based authentication. Why don’t you start by configuring Kerberos for your DBAs and power users?

Additional Resources

Some links and references related to this topic.

Easy Audit Data Analysis with SQL Developer Reports


In one of my last blog posts, SQL Toolbox for simplified Oracle Unified Audit Data Analysis, I introduced a set of scripts designed to streamline Oracle Unified Audit data analysis. These scripts, now available on my GitHub repository oehrlis/oradba, have received positive feedback. Building on that, I’d like to explore an alternative approach to augment your audit data analysis process with SQL Developer Reports.

SQL*Plus is available on any database server, so you can quickly perform an initial analysis of audit data using the SQL scripts presented without any additional requirements. It should be noted, however, that while SQL*Plus-based scripts are valuable tools, they are not always perfectly suited to all analytical requirements. In certain scenarios, more graphical analysis and the ability to drill down on specific data points are more helpful. This also includes simply getting an overview and drilling down in some cases. To fulfill these differentiated requirements, I use Oracle SQL Developer, a versatile tool that offers the ability to create custom reports. These reports provide a graphical and interactive way to analyze your audit data. In this blog post, I will provide an overview of the reports available and briefly explain how you can seamlessly integrate them into your audit data analysis workflow.

SQL Developer Reports

The Unified Audit Assessment Reports for SQL Developer are divided into the following categories:

  • Audit Charts: A series of audit reports with diagrams and drill-downs, e.g. audit events per day and hour. These reports are ideal for an initial visual overview of the audit events. However, the runtime of the queries depends heavily on the amount of audit data. In some cases, the reports can be limited to a few days.
  • Audit Configuration: Reports on audit configuration, memory usage, segments, audit policies, cleanup events, cleanup jobs and more. These reports provide a good overview of what is configured and how much audit data is already available.
  • Audit Sessions: Overview of the various audit sessions with drill-down to the individual events of a session. Reports are available for the various audit types, e.g. proxy session, standard, RMAN, DataPump and more. These reports are ideal for checking what exactly was executed within a single session.
  • Generate Statements: These are not really reports as such, but queries to generate the various statements for creating, deleting, enabling or disabling the audit policies. Corresponding authorization on DBMS_METADATA is required.
  • Miscellaneous: All types of audit reports that have not yet been categorized. Mainly things that are still under development.
  • Top Audit Events: Provide information about audit events that are selected and organized according to various criteria. This information can help you to identify audit events that occur more frequently than expected or generate more data than expected.

The queries were created to the best of our knowledge and belief. Nevertheless, the individual queries may take a little more time, depending on the amount of data. If necessary, you can copy the reports and optimize / modify them accordingly. Suggestions for improvements are of course always welcome.

Audit Reports in Detail

Audit Charts

  • Audit Events by Day: Chart for the number of audit events per day with the option to drill down by audit events per hour.
  • Audit Events by User: Chart for the number of audit events per database user with the option to drill down audit events by audit policy, action, user host and audit policy with actions.

Audit Chart Reports
Audit events by day with drill-down by hour
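The day/hour drill-down in the Audit Charts category works as a parent report and a child report. The following pair of queries is an added example of that pattern, not one of the bundled reports; it assumes SELECT access on UNIFIED_AUDIT_TRAIL (e.g. the AUDIT_VIEWER role) and relies on SQL Developer passing the selected parent row's columns to the child report as bind variables named after the columns.

```sql
-- Parent report: audit events per day (added example, not one of the bundled
-- reports). The day is rendered as an ISO string so the child report can
-- parse it reliably regardless of NLS settings.
SELECT TO_CHAR(TRUNC(event_timestamp), 'YYYY-MM-DD') AS event_day,
       COUNT(*)                                     AS events,
       COUNT(DISTINCT dbusername)                   AS db_users,
       COUNT(DISTINCT unified_audit_policies)       AS policy_sets
  FROM unified_audit_trail
 -- Limit the window: on large trails a full scan can take minutes.
 WHERE event_timestamp >= SYSTIMESTAMP - INTERVAL '7' DAY
 GROUP BY TRUNC(event_timestamp)
 ORDER BY event_day;

-- Child report: events per hour and action for the day selected above.
-- SQL Developer supplies :EVENT_DAY from the parent row's EVENT_DAY column.
-- A half-open range is used instead of TRUNC() on the column so that a
-- partitioned audit trail can still prune by EVENT_TIMESTAMP.
SELECT TO_CHAR(event_timestamp, 'HH24') AS event_hour,
       action_name,
       COUNT(*)                         AS events,
       COUNT(DISTINCT dbusername)       AS db_users
  FROM unified_audit_trail
 WHERE event_timestamp >= TO_TIMESTAMP(:EVENT_DAY, 'YYYY-MM-DD')
   AND event_timestamp <  TO_TIMESTAMP(:EVENT_DAY, 'YYYY-MM-DD') + INTERVAL '1' DAY
 GROUP BY TO_CHAR(event_timestamp, 'HH24'), action_name
 ORDER BY event_hour, events DESC;
```

An hour whose event count or action mix differs sharply from the neighbouring hours is the usual starting point for a closer look at the sessions involved.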

Audit Configuration

  • Storage Usage: This report provides comprehensive details about the usage and configuration of the audit store, focusing especially on the DB ID and the archiving timestamp. It enables you to assess whether audit data can be deleted based on its age or if it originates from a different database. Additionally, the report offers a drill-down feature to view partition information, storage details, and purge statements. Similar to sdua_usage.sql, sdua_stostm.sql and sdua_prgstm.sql.
  • Clean up Events: Displays the audit cleanup events from DBA_AUDIT_MGMT_CLEAN_EVENTS.
  • Clean up Jobs: Displays the audit cleanup jobs from DBA_AUDIT_MGMT_CLEANUP_JOBS.
  • Configuration: Displays the audit configuration from DBA_AUDIT_MGMT_CONFIG_PARAMS.
  • Last Archive Timestamp: Displays the audit archive timestamp from DBA_AUDIT_MGMT_LAST_ARCH_TS.
  • Unified Audit Policies: This report offers a comprehensive overview of unified audit policies, drawing data from the views AUDIT_UNIFIED_POLICIES and AUDIT_UNIFIED_ENABLED_POLICIES. It facilitates a deeper understanding of the configuration and current status of audit policies within the system, similar to the script saua_pol.sql. The report includes extensive drill-down options, allowing for detailed analysis based on comments, actions, and statements such as AUDIT, NOAUDIT, CREATE, and DROP, as well as events and inactive policies.

Audit Configuration Reports
Audit Storage Usage

Audit Sessions

  • by any type: Displays audit sessions for any audit type, similar in function to the script saua_as.sql. With drill-down to session details.
  • by type DataPump: Displays audit sessions for audit type DataPump, similar in function to the script saua_asdp.sql. With drill-down to session details.
  • by type DB Vault: Displays audit sessions for audit type Database Vault, similar in function to the script saua_asdbv.sql. With drill-down to session details.
  • by type Direct path API: Displays audit sessions for audit type Direct path API based on UNIFIED_AUDIT_TRAIL. With drill-down to session details.
  • by type FGA: Displays audit sessions for audit type FGA, similar in function to the script saua_asfga.sql. With drill-down to session details.
  • by type Protocol: Displays audit sessions for audit type Protocol. With drill-down to session details.
  • by type RMAN_AUDIT: Displays audit sessions for audit type RMAN_AUDIT, similar in function to the script saua_asbck.sql. With drill-down to session details.
  • by type Standard: Displays audit sessions for audit type Standard, similar in function to the script saua_asstd.sql. With drill-down to session details.
  • Proxy Sessions: Displays audit proxy sessions for audit type Standard based on UNIFIED_AUDIT_TRAIL. With drill-down to session details.
  • Session Details: Lists the details of a particular session.
  • Session Overview: Displays audit sessions for any audit type, similar in function to the script saua_as.sql.

Audit Session Reports

Generate Statements

  • Create all audit policies: Generates statements to recreate all audit policies as currently configured in AUDIT_UNIFIED_ENABLED_POLICIES.
  • Disable all audit policies: Generates statements to disable all audit policies as currently configured in AUDIT_UNIFIED_ENABLED_POLICIES.
  • Drop all audit policies: Generates statements to remove all audit policies, excluding those maintained by Oracle.
  • Enable all audit policies: Generates statements to enable all audit policies as currently configured in AUDIT_UNIFIED_ENABLED_POLICIES.

Generate Statements Reports

Top Audit Events

  • Events by Users: This query generates a summary of audit events grouped by database username in the unified audit trail. It counts the total number of events for each user and sorts the results in descending order, showcasing the users with the highest frequency of audit events.
  • Top Events by Action: Displays a ranking of actions based on the frequency of their associated events in the unified audit trail, offering insights into the most frequently audited actions. Comparable to the script saua_teact.sql.
  • Top Events by Application Context: Displays a ranking of application contexts based on the frequency of their associated events in the unified audit trail, offering insights into the most frequently audited application contexts.
  • Top Events by Audit Type: Displays a ranking of audit types based on the frequency of their associated events in the unified audit trail, offering insights into the most frequently audited audit types.
  • Top Events by Client: Displays a ranking of clients based on the frequency of their associated events in the unified audit trail, offering insights into the most frequently audited clients. Comparable to the script saua_tehost.sql.
  • Top Events by Client Program: Displays a ranking of client programs based on the frequency of their associated events in the unified audit trail, offering insights into the most frequently audited client programs. Comparable to the script saua_tecli.sql.
  • Top Events by DBID: Displays a ranking of database IDs (DBIDs) based on the frequency of their associated events in the unified audit trail, offering insights into the most audited databases. Comparable to the script saua_tedbid.sql.
  • Top Events by External User ID: Presents a ranking of external user IDs by the frequency of their associated events in the unified audit trail, providing insights into the most audited user identities.
  • Top Events by Global User ID: Presents a ranking of global user IDs by the frequency of their associated events in the unified audit trail, providing insights into the most audited user identities.
  • Top Events by none Oracle Object Name: Shows a ranking of non-Oracle object names based on the frequency of associated audit events in the unified audit trail, highlighting the most audited non-Oracle objects. Comparable to the script saua_teobj.sql.
  • Top Events by Object Name: Displays a ranking of object names based on the frequency of associated events in the unified audit trail, offering insights into the most audited objects. Similar to the script saua_teobj.sql.
  • Top Events by Object Schema: Shows a ranking of object schemas by event frequency, highlighting the schemas whose objects are audited most often in the unified audit trail. Comparable to the script saua_teown.sql.
  • Top Events by OS User: Displays a ranking of OS users based on the number of associated events, highlighting the OS users that generate the most audit events in the unified audit trail. Comparable to the script saua_teosusr.sql.
  • Top Events by polices: Displays a ranking of audit policies based on the number of associated events, highlighting the most frequently triggered policies in the unified audit trail. Similar in function to the script saua_tepol.sql.
  • Top Events by SQL Text: Summarizes and ranks SQL statements from the unified audit trail by their event frequency, highlighting the most frequently executed queries.

Top Audit Event Reports

Add Custom Reports in SQL Developer

SQL Developer already offers many predefined reports, but unfortunately not many in the database security area. However, it is possible to extend the predefined reports with your own. See also SQL Developer Reports. The Unified Audit Assessment Reports presented here are bundled in an XML file and available via xx. This XML file can be added relatively easily in SQL Developer, either as a User Defined Report or as a Shared Report.

User Defined Reports

Adding user defined reports is relatively simple. Just open the context menu on User Defined Reports, click Open Reports… and select your XML file.

User-defined reports can be modified, renamed, and saved after changes. However, updating these reports directly from an XML file is not straightforward. To incorporate updates from an XML file, the reports must first be removed and then reloaded.

Database / Shared Reports

Database Reports, also called Shared Reports, have a distinct setup process. They must be added through the preferences, after which they appear under the Shared Reports tree. Unlike user defined reports, these cannot be modified directly in SQL Developer, as it only loads the XML file during startup. However, if the XML file is updated, for instance by downloading a new version, the reports will be updated upon the next restart. For further customization, these reports can still be copied to User Defined Reports for individual modifications.

To add a Shared Report, follow these steps:

  1. Open Preferences in SQL Developer
  2. Navigate to User Defined Extensions
  3. Click Add Row and configure the following:
    • Set Type to REPORT
    • Provide the location path to your XML file.

The screenshot below illustrates an example of this process.

SQL Developer Preferences – User Defined Extensions

Conclusion

The SQL Developer reports presented here, as well as the SQL scripts, are ideal tools for evaluating local audit data quickly and easily. Especially when it comes to getting a first insight into the collected information or when developing new audit policies. For a company-wide overview in the area of database security and auditing, however, there is no way around a central solution. This includes the following solution approaches:

  • Oracle Data Safe: A cloud-based security service that automates sensitive data discovery, data masking, database security assessments, and user risk assessments. It’s designed to secure Oracle databases and enhance overall data protection.
  • Oracle Audit Vault and Database Firewall: Provides a comprehensive security solution that includes monitoring, analysis, and blocking of unauthorized database activities. It consolidates audit data from multiple sources and offers real-time alerts and reports.
  • Custom Solution: Involves developing a bespoke Data Warehouse (DWH) for audit data or utilizing powerful tools like Splunk or Elasticsearch. This approach allows for tailored data aggregation, reporting, and analysis, meeting specific organizational needs. Splunk and Elasticsearch offer advanced data indexing, search capabilities, and visualization tools, making them ideal for handling complex audit data.

I intend to go into more detail about centralized audit solutions in future posts. In the meantime, I hope you can use my scripts to analyze local audit data.

Additional Resources

Some links and references related to this topic.

Dive into the Latest Enhancements of DBSat 3.1.0


Today, my initial plan was simply to finalize my article on DBSat 3.0.0 for the Oraworld Magazine. However, while checking the links to the DBSat documentation, Oracle Support Notes, and download sources, I discovered that Oracle has, almost simultaneously, released the latest version 3.1.0 of the Oracle Database Security Assessment Tool (DBSAT). Once again, this presents an opportunity to write about the tool and its newest release. I have already covered the major release of DBSAT 3.0.0 in my blog post What You Need to Know About Oracle DB SAT Release 3.0. Now, let’s explore what’s new in version 3.1.0.

Key Features in Release 3.1.0

With the major release of version 3.0.0, Oracle had already made significant improvements to DBSat. This included support for Oracle 23c and over 30 new STIG findings, to name just a few enhancements. Now, with the most recent update, Oracle has introduced several improvements and added new findings, especially for the 23c version.

The latest version focuses on the following improvements:

  • Alignment with CIS Benchmark v1.2: Included 10 new findings based on CIS recommendations for Oracle Database 19c, with updated references.
  • New Finding for Autonomous Database Serverless: Introduction of a finding related to pre-authenticated URL requests.
  • Comprehensive Security Checks: New checks for user profile limits, EXECUTE permissions on various packages to PUBLIC, and database security and administration-related permissions.
  • Auditing and Operating System User Configurations: Addition of checks for auditing actions on synonyms and operating system user configurations in pluggable databases.
  • Enhanced Existing Findings: Improved logic in user expiry checks, optimizations in application owner assessments, and updated TDE recommendations for Oracle Database 23c.

New Findings

Seven of the new findings focus on EXECUTE privilege grants to Public, assessing whether critical packages have been inappropriately granted to Public. The selection of packages for these checks is guided by recommendations from the CIS and encompasses a range of areas including network, file system, encryption, Java, job scheduling, helper functions, and credentials packages.

The following example demonstrates how the finding PRIV.NETPACKAGEPUBLIC identifies network packages that have been granted EXECUTE privileges to PUBLIC.

Information about Network Packages Granted to PUBLIC

Additional findings are detailed in the report’s ‘Privileges and Roles’ chapter. Beyond the network packages mentioned earlier, the report also examines other critical packages, such as DBMS_JAVA, DBMS_JAVA_TEST, JAVA_ADMIN, DBMS_LOB, UTL_FILE, and DBMS_ADVISOR, among others. Furthermore, it assesses other crucial permissions that may have been granted to Public, like CREATE ANY DIRECTORY and DROP ANY DIRECTORY, where relevant.
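The same question the PRIV.* findings answer can be asked directly in SQL. The following query is an added example, not DBSAT's own check: it lists EXECUTE grants to PUBLIC on the packages named above, plus the network packages from the CIS recommendations (the network list is an assumption, not taken from the DBSAT report), and separately the two directory privileges. It assumes SELECT on DBA_TAB_PRIVS and DBA_SYS_PRIVS.

```sql
-- Added example (not DBSAT's query): which critical packages can PUBLIC execute?
-- Package list: those named in the text plus the CIS network packages (assumed).
WITH critical_pkgs (owner, pkg, area) AS (
  SELECT 'SYS', 'UTL_TCP',        'network'     FROM dual UNION ALL
  SELECT 'SYS', 'UTL_HTTP',       'network'     FROM dual UNION ALL
  SELECT 'SYS', 'UTL_SMTP',       'network'     FROM dual UNION ALL
  SELECT 'SYS', 'UTL_INADDR',     'network'     FROM dual UNION ALL
  SELECT 'SYS', 'DBMS_LDAP',      'network'     FROM dual UNION ALL
  SELECT 'SYS', 'HTTPURITYPE',    'network'     FROM dual UNION ALL
  SELECT 'SYS', 'UTL_FILE',       'file system' FROM dual UNION ALL
  SELECT 'SYS', 'DBMS_LOB',       'file system' FROM dual UNION ALL
  SELECT 'SYS', 'DBMS_JAVA',      'java'        FROM dual UNION ALL
  SELECT 'SYS', 'DBMS_JAVA_TEST', 'java'        FROM dual UNION ALL
  SELECT 'SYS', 'DBMS_ADVISOR',   'helper'      FROM dual
)
SELECT c.area,
       p.owner || '.' || p.table_name AS package_name,
       p.privilege,
       p.grantable,              -- YES means PUBLIC could even re-grant it
       p.grantor
  FROM dba_tab_privs p
  JOIN critical_pkgs c
    ON c.owner = p.owner
   AND c.pkg   = p.table_name
 WHERE p.grantee   = 'PUBLIC'
   AND p.privilege = 'EXECUTE'
 ORDER BY c.area, package_name;

-- System privileges that should never sit on PUBLIC; an empty result is the
-- expected outcome. Each hit is a candidate for REVOKE ... FROM PUBLIC after
-- checking which application code actually depends on it.
SELECT privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee = 'PUBLIC'
   AND privilege IN ('CREATE ANY DIRECTORY', 'DROP ANY DIRECTORY')
 ORDER BY privilege;
```

Run it in every PDB as well as in CDB$ROOT, since grants to PUBLIC are container-local and a clean root says nothing about the pluggable databases.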

The additional new checks introduced in DBSAT cover several key aspects:

  • USER.DEFAULTPROFILE: Enumerates the limits set in the DEFAULT user profile.
  • AUDIT.SYNONYMS: Verifies whether actions such as creating, altering, or dropping SYNONYMs are audited.
  • CONF.DEFAULTPDBOSUSER: Evaluates the operating system user specified in PDB_OS_CREDENTIAL. Particularly important if DB users are allowed to use DBMS_SCHEDULER in a multitenant environment.
  • CONF.PREAUTHREQUESTURL: Shows details of pre-authenticated URLs for Autonomous Database Serverless, including which users are authorized to manage them through the DBMS_DATA_ACCESS package.

Below are more examples of these new findings and their representation in the DBSAT report.

Information about Users with DEFAULT Profile
Information about Audit Synonym Management Activities

In addition to the new findings, existing checks have also been revised and updated. These include the following three:

  • USER.APPOWNER: Optimizations have been made to enhance performance and streamline the level of detail.
  • USER.NOEXPIRE: The logic and summary of this check have been improved for better clarity.
  • ENCRYPT.TDE: The remarks have been updated to clarify the use of the TABLESPACE_ENCRYPTION parameter, providing specific recommendations for those upgrading to Oracle Database 23c and transitioning away from deprecated algorithms.

Missing Stuff

The major release 3.0.0 and its latest update 3.1.0 of DBSAT largely fulfill all expectations. DBSAT covers the latest standards and best practices and is also ready for Oracle 23c. However, there are minor issues that one might encounter during initial use. For instance, when gathering information with dbsat collect, warnings may appear if FIPS configuration files are not found. Generally, these can be safely ignored.

Additionally, DBSAT requires Java for the Report or Discover Mode. If a JAVA_HOME variable is not set, DBSAT will terminate with an error. It would be beneficial if DBSAT could default to using the JVM in ORACLE_HOME, at least on the Oracle database server. You can find more on this in my blog post What You Need to Know About Oracle DB SAT Release 3.0.

Conclusion

DBSAT 3.0.0 and its update 3.1.0 represent a significant development and improve both functionality and usability. One of the most important improvements is the independence from Python, which allows for easier deployment. The tool is now ready for Oracle Database 23c with updated security checks, STIG-V2R6 compliance and Oracle Best Practice tagging for result interpretation. The revised report format with clear explanations and guidance simplifies the identification and resolution of security issues. DBSAT also enables customized assessments by excluding specific users or areas. In addition, integration with Oracle Data Safe, Oracle Audit Vault and Database Firewall extends the standalone capabilities and strengthens the security framework of these Oracle products.

If you haven’t reviewed your database security configuration yet, now is the perfect time to begin with DBSAT 3.1.0.

Additional Resources

Some links and references related to this topic.

Latest Critical Patch Updates from Oracle – January 2024


On January 18, Oracle unveiled its first quarterly Critical Patch Update Advisory of the year. This advisory, a pivotal resource for Oracle users, details an array of 389 new security patches across various Oracle product families. This update includes several high-severity vulnerabilities, notably those that can be exploited remotely over the network, with some having a CVSS rating of 9 or above. The complete advisory is accessible at CPU January 2024. In this post, I’ll delve into the updates pertinent to my current projects, offering insights on what to expect.

Oracle Database

This update contains security patches that fix 3 vulnerabilities in the Oracle database. These are not vulnerabilities that can be exploited remotely without authentication. It is important to note that these vulnerabilities do not affect client-only installations, i.e. the patches are specifically intended for the database server. The most critical of these vulnerabilities has a CVSS rating of 6.5, which classifies the update as non-urgent. Nevertheless, it is advisable to apply these patches promptly to ensure the continued security of the database.

The essential database patches and release updates:

The patches for Oracle on Linux x86-64 are available immediately. For other operating systems like Linux ARM, Windows etc. the patches will be released step by step within the estimated time frame of the next days. A detailed schedule and more detailed information can be found in the Oracle support document 2986269.1 Critical Patch Update (CPU) Program Jan 2024 Patch Availability Document (DB-only).

A side note: Oracle Database 23c will also receive a targeted patch in this cycle. It is important to note that this patch is not a full release update. Instead, it specifically addresses the security fixes from the October 2023 and January 2024 advisories and currently only applies to the cloud database version of Oracle Database 23c.

Fusion Middleware

As far as Fusion Middleware is concerned, the situation remains unchanged compared to previous updates. The current version fixes 39 vulnerabilities, 29 of which can be exploited remotely without any form of authentication. The urgency of installing these patches cannot be overstated.

I will focus here on the security updates for WebLogic Server. There is no security update for Oracle Unified Directory included in this Critical Patch Update. The full range of patches is listed in the Oracle support document 2806740.2.

What Else?

The update is very comprehensive and covers a wide range of Oracle products. While summaries, blog posts and reports provide an overview, it is essential to read the Oracle Critical Patch Update Advisory thoroughly and evaluate the patches relevant to your specific Oracle products. This is especially important for multi-component products such as Oracle Enterprise Manager where patch updates need to be applied to the base platform, WebLogic Server, repository database, etc.

Conclusion

Patches for Linux x86-64 are now available with the latest Oracle Critical Patch Update. Other platforms such as Linux ARM and Windows will receive the updates in the next few days (details in the Oracle support document 2986269.1). My tests confirm that these patches are successfully installed and ensure reliable updates.

The urgency of the Oracle Database patches is moderate, with the highest vulnerability rated CVSS 6.5, indicating a balanced approach to the updates. However, the patches for Oracle Fusion Middleware require immediate action due to their typical severity, underlining the importance of prioritizing these updates.

In summary, while the urgency varies by Oracle product, prompt and vigilant application of patches remains critical to maintaining secure and efficient Oracle environments.

The essential Links

It’s a Wrap: Insights from the SOUG Espresso on Oracle Audit


In my latest SOUG Espresso session, Easy Audit Data Analysis with SQL Developer Reports, I focused on Oracle Unified Audit Analysis. This was an opportunity to share my experience and insights into database security and audit data workflow enhancement.

Event Highlights

Based on my considerable experience with Oracle databases, I emphasized the critical importance of analyzing audit events to uncover security risks and refine audit policies. In my presentation, I introduced both SQL scripts and SQL Developer Reports developed for simple ad hoc analysis of the Unified Audit Trail.

Key Takeaways

  • Audit Configuration: I discussed the significance of setting up policies, storage, and jobs correctly.
  • SQL*Plus Reporting: I showcased various scripts, which attendees can download from my GitHub, for auditing data analysis directly from the command line.
  • SQL Developer Reporting: I demonstrated using SQL Developer for more interactive and graphical analysis.
  • Best Practices: The session highlighted essential practices like least privilege, dedicated user and role concepts, and proper data retention.

Discussion and Feedback

Although the event was rich in information, the time for our discussion was unfortunately limited, indicating the need for further discussions at the next SOUG day. The session was well attended by participants from within and outside the SOUG community.

Further Resources and Next Steps

For those who want to dive deeper into Oracle Unified Audit Data Analysis, I’ve compiled a list of valuable resources:

  • My blog post about SQL*Plus scripts: I have written an in-depth blog post titled SQL Toolbox for Simplified Oracle Unified Audit Data Analysis. This post provides insights into using SQL*Plus to analyze audit data. Read the blog post here.
  • SQL Developer Audit Analysis: Another blog post of mine, Easy Audit Data Analysis with SQL Developer Reports, is about using SQL Developer for this purpose. It’s a guide to using the power of SQL Developer for audit analysis. Read the blog post here.
  • The slides: To get an overview of the session, you can download the slides of the event. They summarize the key points and methods that were discussed. Download the slides here.
  • GitHub repository: All the scripts that were discussed in the session are available in my GitHub repository. They are handy tools that you can use for your audit data analysis. Access the scripts on GitHub.
  • Oracle documentation: For official guidelines and deeper technical insights, I recommend the Oracle documentation on Unified Audit Data Analysis. It is an excellent resource for understanding the basics and advanced concepts. Visit the official documentation from Oracle or the whitepaper Oracle Database Unified Audit: Best Practice Guidelines.

Building Oracle 23ai Free on ARM64


Earlier this week, Oracle quietly released the RPM packages for Oracle 23ai Free Edition for ARM64 systems. This release is very interesting for developers using Macs with ARM processors as it allows them to create Oracle 23ai containers for their development and engineering environments. In this blog post, I’ll walk you through the steps of creating a Docker image for Oracle 23ai Free Edition on ARM64, customising the build process and dealing with common errors along the way.

New RPMs for Oracle Enterprise Linux 8 on ARM64

Oracle has introduced several RPM packages for ARM64, including:

  • oracle-database-preinstall-23ai-1.0-2.el8.aarch64.rpm
  • oracle-database-free-23ai-1.0-1.el8.aarch64.rpm
  • A client zip file: LINUX.ARM64_235000_client_home.zip

These packages are designed for Oracle Enterprise Linux 8 on ARM (aarch64) systems and can be downloaded from the official Oracle Database Free page.

While these RPMs can be directly installed on an ARM-based Oracle Linux 8 system, my particular use case required creating a Docker image to streamline the development process.

Installation Options: Direct or Docker

For those who prefer to work directly on Oracle Linux 8 ARM64 systems, the RPMs can be installed using standard package management tools like dnf. However, since I often work on ARM-based MacBook Pros, I have opted to create a Docker image for better portability and easier management. This method allows me to run Oracle 23ai in isolated environments without changing my base system.

Using the Official Docker Build Script

I have my own build scripts for Oracle databases on GitHub oehrlis/docker. However, these scripts are primarily intended for regular Oracle installations with the official Oracle Enterprise Edition releases, with options to include Release Updates (RUs) and Release Update Revisions (RURs). They offer flexibility and are typically used for full Oracle database installations, not for RPM-based installations like Oracle 23ai Free Edition. Since I didn’t want to switch my scripts to RPM packages first, I used the official Docker build scripts from Oracle available on GitHub oracle/docker-images. These scripts are maintained by Oracle and provide container build files for various Oracle Database versions, including the Free Edition.

I attempted to build the image using the Containerfile.free Dockerfile, passing the URL for the ARM64 RPM package as a build parameter. Here’s the docker build command I used:

docker build -t oracle/database:23.5.0-free \
-f Containerfile.free \
--no-cache --build-arg \
INSTALL_FILE_1="https://download.oracle.com/otn-pub/otn_software/db-free/oracle-database-free-23ai-1.0-1.el8.aarch64.rpm" .

The build process ran successfully and the image was created. However, when I tried to run the container, I encountered issues, which I’ll cover in the next section.

Error During Container Run

After successfully building the Docker image, I attempted to run the container using the following command:

docker run --name 23aiFree \
-p 2521:1521 \
-e ORACLE_PWD=Welcome1 \
-e ORACLE_CHARACTERSET=AL32UTF8 \
-e ENABLE_ARCHIVELOG=true \
-e ENABLE_FORCE_LOGGING=true  \
-v ${DOCKER_VOLUME_BASE}/data:/opt/oracle/oradata \
oracle/database:23.5.0-free

Unfortunately, the container did not create the database, displaying the error messages below:

Copying database files
8% complete
[WARNING] ORA-00443: background process "OFSD" did not start

9% complete
[FATAL] ORA-01034: The Oracle instance is not available for use.
Start the instance.

29% complete
100% complete
[FATAL] ORA-01034: The Oracle instance is not available for use.
Start the instance.

7% complete
0% complete
Look at the log file "/opt/oracle/cfgtoollogs/dbca/FREE/FREE.log"
for further details.

When examining the alert log and trace files, I found that certain required packages were missing. For example, the following error appears:

kgslaInitCtx: skgdllOpen /opt/oracle/product/23ai/dbhomeFree/lib/libora_netlib.so
OS error: 79 Error message: Cannot access a needed shared library
OtherInfo: libgfortran.so.5: cannot open shared object file:
No such file or director

Fixing the Missing Packages Issue

I first tried to fix the missing libraries manually, but in the end I changed the setupLinuxEnv.sh script to include the necessary packages. Here’s what I changed:

Original script setupLinuxEnv.sh:

dnf install -y oraclelinux-developer-release-el8 && \
dnf -y install oracle-database-preinstall-23ai openssl hostname file expect

Updated script setupLinuxEnv.sh:

dnf install -y oraclelinux-developer-release-el8 && \
dnf -y install libgfortran && \
dnf -y install oracle-database-preinstall-23ai openssl hostname file expect

By adding the required libraries like libgfortran, I managed to successfully build and run the Docker image. Running the container with the same docker run command as before worked without issues.

Simplifying the Build Process with buildContainerImage.sh

To simplify the image creation process, Oracle provides a script called buildContainerImage.sh. This script automates many of the creation steps and simplifies the creation of container images.

However, when I tried to use this script with Oracle 23.5.0 Free Edition on ARM64, I encountered an error stating that only Oracle 19c Enterprise Edition was supported:

Currently only 19c Enterprise Edition is supported on
the ARM64 platform.

Tweaking the Build Script for Oracle 23ai Free

To work around this limitation, I had to change the buildContainerImage.sh script to include support for Oracle 23ai Free Edition. The original script only checked for Oracle 19c Enterprise Edition, so I updated the version check to allow Oracle 23.5.0 Free Edition.

Here is the relevant change:

Original:

if { [ "${VERSION}" == "19.3.0" ] && [ "${ENTERPRISE}" -eq 1 ]; }; then
  BUILD_OPTS=("--build-arg" "INSTALL_FILE_1=LINUX.ARM64_1919000_db_home.zip" "${BUILD_OPTS[@]}")
else
  echo "Currently only 19c enterprise edition is supported on ARM64 platform.";
  exit 1;
fi;

Updated:

if { [ "${VERSION}" == "19.3.0" ] && [ "${ENTERPRISE}" -eq 1 ]; }; then
  BUILD_OPTS=("--build-arg" "INSTALL_FILE_1=LINUX.ARM64_1919000_db_home.zip" "${BUILD_OPTS[@]}")
elif { [ "${VERSION}" == "23.5.0" ] && [ "${FREE}" -eq 1 ]; }; then
  BUILD_OPTS=("--build-arg" "INSTALL_FILE_1=https://download.oracle.com/otn-pub/otn_software/db-free/oracle-database-free-23ai-1.0-1.el8.aarch64.rpm" "${BUILD_OPTS[@]}")
else
  echo "Currently only 19c enterprise edition or 23ai free edition is supported on ARM64 platform.";
  exit 1;
fi;

With this change I was able to create the image with the script buildContainerImage.sh.

Simplifying Docker Container Use with Docker Compose

To further simplify the use of the Docker container, I have created a docker-compose.yml file. This file makes it easier to manage the container and set up its environment without having to execute lengthy docker run commands every time.

Here is the docker-compose.yml file I created:

services:
  23aifree:
    image: ${DOCKER_USER}/${DOCKER_REPO}:23.5.0-free
    container_name: 23aifree
    hostname: 23aifree
    restart: unless-stopped
    volumes:
      - ${DOCKER_VOLUME_BASE}/data:/opt/oracle/oradata
      - ${DOCKER_VOLUME_BASE}/config/startup:/opt/oracle/scripts/startup
      - ${DOCKER_VOLUME_BASE}/config/setup:/opt/oracle/scripts/setup
    ports:
      - 2521:1521
    environment:
      ORACLE_CHARACTERSET: AL32UTF8
      ENABLE_ARCHIVELOG: true
      ENABLE_FORCE_LOGGING: true

Explanation of the docker-compose.yml File:

  • Image: The image parameter specifies the Docker image to use, here referenced through the DOCKER_USER and DOCKER_REPO variables, which resolve to the custom image built earlier (oracle/database:23.5.0-free).
  • Volumes: The volumes section mounts host directories to specific paths within the container:
    • /opt/oracle/oradata is where the database data will be stored.
    • /opt/oracle/scripts/startup is where you can place scripts to be executed on container startup.
    • /opt/oracle/scripts/setup is for setup scripts that run during container creation.
  • Ports: This section exposes port 2521 on the host, mapping it to port 1521 inside the container (the default Oracle listener port).
  • Environment Variables:
    • ORACLE_CHARACTERSET=AL32UTF8 sets the character set for the database.
    • ENABLE_ARCHIVELOG=true enables archive logging.
    • ENABLE_FORCE_LOGGING=true ensures that all operations are logged, useful for recovery scenarios.

More information on GitHub oracle/docker-images
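Two of the points above deserve a check before the first docker-compose up: whether the listener port is published beyond loopback, and whether the setup/ and startup/ directories (whose contents run as the oracle user inside the container) are writable by anyone other than their owner. The script below is an added example, not part of the original post or of oracle/docker-images; it assumes bash with POSIX awk, ls and cut, and a compose file laid out like the one above (a ports: list and the config/setup and config/startup bind mounts under DOCKER_VOLUME_BASE).

```shell
#!/usr/bin/env bash
# Added example, not from the original post or from oracle/docker-images:
# a pre-flight check for the docker-compose.yml shown above. Assumes bash,
# POSIX awk/ls/cut, and a compose layout like the post's (a "ports:" list
# plus the config/setup and config/startup bind mounts).
set -u

# Return 0 if a compose port mapping is bound to loopback, 1 if it will be
# published on every interface (what "2521:1521" without a host IP does).
port_bound_to_loopback() {
  case "$1" in
    127.0.0.1:*|localhost:*|\[::1\]:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the entries of every "ports:" list in a compose file, one per line,
# with surrounding double quotes removed ("- 2521:1521" and "- \"2521:1521\""
# are both accepted).
list_port_mappings() {
  awk '
    /^[[:space:]]*ports:[[:space:]]*$/ { inports = 1; next }
    inports && /^[[:space:]]*-/ {
      sub(/^[[:space:]]*-[[:space:]]*/, ""); gsub(/"/, ""); sub(/[[:space:]]+$/, "")
      print; next
    }
    inports { inports = 0 }
  ' "$1"
}

# Print the mappings that are not bound to loopback; return 1 if any exist.
find_exposed_ports() {
  local compose="$1" exposed=0 mapping
  while IFS= read -r mapping; do
    [ -n "$mapping" ] || continue
    if ! port_bound_to_loopback "$mapping"; then
      printf '%s\n' "$mapping"
      exposed=1
    fi
  done <<EOF
$(list_port_mappings "$compose")
EOF
  return "$exposed"
}

# Scripts in the setup/ and startup/ bind mounts are executed inside the
# container as the oracle user (setup once after database creation, startup
# on every start), so whoever can write to these host directories can run
# SQL and shell as the database owner. Return 0 only if the directory exists
# and carries no group or other write bit.
scripts_dir_owner_only() {
  local mode
  [ -d "$1" ] || return 1
  mode=$(ls -ld "$1" | cut -c1-10)      # e.g. drwxr-xr-x
  case "$mode" in
    ?????w????|????????w?) return 1 ;;  # group write (pos 6) or other write (pos 9)
    *) return 0 ;;
  esac
}

# Run both checks against a compose file and the DOCKER_VOLUME_BASE directory;
# returns 1 if anything needs attention.
preflight() {
  local compose="$1" base="$2" rc=0 dir
  if ! find_exposed_ports "$compose" >/dev/null; then
    echo "WARN: listener port published on all interfaces; use 127.0.0.1:2521:1521 for a laptop-only database" >&2
    rc=1
  fi
  for dir in "$base/config/setup" "$base/config/startup"; do
    if ! scripts_dir_owner_only "$dir"; then
      echo "WARN: $dir is missing or writable by group/other" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Usage: preflight docker-compose.yml "${DOCKER_VOLUME_BASE}"
if [ $# -eq 2 ]; then
  preflight "$1" "$2"
fi
```

The port check is deliberately strict: a mapping without a host address is what the post uses, and it is fine on a trusted home network, but on a laptop that also joins conference or hotel Wi-Fi it turns the container into a reachable Oracle listener with a well-known default account set.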

Running the Container with Docker Compose

Once the docker-compose.yml file is created, starting the Oracle container is as simple as running the following command (with the Compose v2 plugin the same command is docker compose up -d):

docker-compose up -d

This command starts the container in the background using the configuration defined in the docker-compose.yml file. Docker Compose makes managing the Oracle container much easier, especially when it comes to startup configurations and persistence across system restarts.

To access the database, you can use SQL*Plus, SQL Developer or any other client as usual, connecting to port 2521 on the host. As we have not set ORACLE_PWD in the docker-compose.yml file, the image generates a random password for SYS, SYSTEM and PDBADMIN on the first start and prints it to the container log (docker logs 23aifree), so in any case we have to set a password of our own explicitly. After that, nothing stands in our way of using the new ARM-based Oracle 23ai container on a MacBook Pro.

docker exec 23aifree /opt/oracle/setPassword.sh <PASSWORD>

Keep in mind that a password passed on the command line like this ends up in the shell history of the host; clear it afterwards, or change the password from a SQL*Plus session with ALTER USER instead.

Conclusion

In this blog post, I showed how to quickly build and run an Oracle 23ai Free Edition container on ARM64 using Docker and Docker Compose. We went through the entire process, from downloading the RPM packages and using the official build scripts, to handling bugs and missing packages, to simplifying the operation of the container with docker-compose.

While this guide provides a solution to get Oracle 23ai Free running on ARM64 systems out of the box, it is important to note that Oracle plans to adapt its build scripts in the GitHub repository oracle/docker-images to officially support Oracle 23ai on ARM64. This means that in the future you can use the official scripts directly without the need for manual changes.

This guide is intended to help Oracle DBAs and developers who want to run Oracle 23ai Free on ARM64 platforms, especially on MacBook Pros. If you are working with similar configurations or have any questions, please feel free to contact me or browse my Docker resources on GitHub oehrlis/docker.

Just One more Thing…
… the ARM64 packages also run on a Raspberry Pi 5 with enough memory. I will test this as soon as I get my hands on a Pi 5.

