Oracle startup/security question
I am new to Oracle and am being tasked with a security lockdown. One of the questions I am being asked is if this:
The DBMS opens data files and reads configuration files at system startup. If the DBMS does
not verify the trustworthiness of the files at startup, it is vulnerable to malicious alterations of its
configuration or unauthorized replacement of data.
I have searched around and cannot find anything about this. Does anyone know if there is an integrity check or other procedure that Oracle does (or can be configured to do) at startup to make sure the files are as expected?
Thanks
Jim
In my opinion, if Oracle DB opens, then files are intact & can be trusted.
Similar Messages
-
HA Oracle startup/shutdown question
Environment:
2 Sunfire V890's running solaris 2.9 and SC3.1U4
Hello All,
I am having a problem with oracle startup and shutdown in my cluster. In order to get oracle to startup after a failover, shutdown what have you, I need to implement the following procedure as a pre/post oracle startup operation/script. Can anyone tell me if there is a place or hook in the HAOracle agent where I can add my own operation? I would rather avoid having to write a GDS agent in order to do this, if it is at all possilble.
Thanks,
George Cebulka
PS
Please Note: (This is a DBA thing, not mine!)
************** Begin *********************
After a failover or startup we need following to avoid the �authentication error�
1. remove the sqlnet.ora soft link from $ORACLE_HOME/network/admin
1. rm /global/oracle/oracledb/oraclev10201/network/admin/sqlnet.ora
2. Create a new soft link to sqlnet.ora in $ORACLE_HOME/network/admin as following
1. ln �s /global/pitt/dba/network/net8/sqlnet.ora /global/oracle/oracledb/oraclev10201/network/admin/sqlnet.ora
3. startup the database and listeners (using cluster database).
4. Now database is up and running and we need to turn on radius authentication for which we need this post stuff
5. Remove the sqlnet.ora link
1. rm /global/oracle/oracledb/oraclev10201/network/admin/sqlnet.ora
6. Create a new soft link to replace sqlnet.ora with radius sqlnet.ora
1. ln �s /global/pitt/dba/network/net8/sqlnet.ora.radius /global/oracle/oracledb/oraclev10201/network/admin/sqlnet.ora
*************** End ******************You could also try the following:
Create two GDS agents, where you need to include the steps to disable the pmf action script, which I describe in a blog at
http://blogs.sun.com/TF/entry/disabling_pmf_action_script_with .
This is needed since your scripts will not leave a process running for PMF.
1. GDS resource (for this example I call it ora-prestart-rs):
Start_command: It will do the steps to implement the original sqlnet.ora file + the steps from the blog
Probe_command: /bin/true
Stop_command: not needed
2. GDS resource (for this example I call it ora-poststart-rs):
Start_command: It will do the steps to setup the link for the radius sqlnet.ora file + the steps from the blog
Probe_command: /bin/true
Stop_command: It will do the steps to re-implement the original sqlnet.ora file
Then you create the following resource dependencies (here I assume the name for the SUNW.oracle_server resource is ora-rs):
scrgadm -c -j ora-rs -y Resource_dependencies=ora-prestart-rs
scrgadm -c -j ora-poststart-rs -y Resource_dependencies=server-dwdd-rs
Maybe you need to setup the same dependencies to include the SUNW.oracle_listerner resource. You did not mention which of those is facing problems.
Of course, I never tried this. But this would enable you to use the HA Oracle agent unchanged.
Greets
Thorsten
PS: I forgot to also mention that you need to set the Restart_type extension property for the SUNW.oracle_server resource to RESOURCE_GROUP_RESTART:
scrgadm -c -j ora-rs -y Restart_type=RESOURCE_GROUP_RESTART
That way a triggered restart by ora-rs will allways force the RG to go through stop/start - and only then the link will get set back to the sqlnet.ora the SUNW.oracle_server needs to work correctly.
Note again - this is theory and needs proper testing.
Message was edited by:
Thorsten.Frueauf -
Filevault encryption: no security questions, no recovery code; how to revert?
Running the latest Yosemite (10.10.2) on an iMac (upgraded from Mavericks) ...
I decided I wanted to encrypt the boot drive on our iMac, so I clicked to turn on Filevault. Here's what happened:
I was NOT offered a recovery key. (As this point, I didn't know when the key is normally offered.)
I DID get a window that asked if I wanted Apple to save my key, and I clicked on the radio button to do so. Then I clicked on CONTINUE.
I did NOT get any security questions to answer, just a RESTART button. I thought, maybe the security questions come after the restart.
I clicked on RESTART and the iMac restarted and encrypted the drive (17 hours).
Concerned that I didn't have a recovery key, I read up on the forums. Sounded like if I simply used my user password, I could turn off Filevault to decrypt the drive, and I'd be back to where I started. I did so, and watched as it decrypted the drive (6 hours). Filevault indicates that is is "now off."
I thought I'd try again, so I clicked to turn on Filevault. This time, I did NOT get a recovery key (same as before) and I did NOT get the window asking if I wanted Apple to save my key — only an immediate RESTART button. I canceled.
I restarted the iMac, noting that the startup graphics were different — the iMac now starts immediately with an all-white screen, something that one forum participant said is evidence that your boot drive IS encrypted regardless of what Filevault says.
This concerned me because it now seemed like the drive might be encrypted and I had no recovery key and hadn't been asked any security questions.
I thought if I turned on Filevault I could generate a fresh recovery key that would supplant anything Apple was storing for me — and give me a chance to answer security questions.
I turned on Filevault and was, for the third time, NOT offered a recovery key but this time I DID get the window that asked if I wanted Apple to save my key. Apparently the restart at least added this screen. I cancelled.
So while Filevault says it is off, the immediate white start-up screen suggests the drive may be encrypted. Regardless, Filevault is not offering a recovery key or security questions.
I have sketchy ideas about how to rectify things:
I could start up from an external backup (unencrypted) of the boot drive, erase the boot drive, and clone the backup to the boot drive. Will that create a bootable (non-encrypted) startup drive? I don't think so ...
I could start up from the external backup (unencrypted) of the boot drive, erase the boot drive, then do a clean install of Yosemite on the boot drive. Would that clear any existing encryption? I don't know ...
Or I read about using Terminal to un-encrypt a drive?
Any advice would be much appreciated.
Thanks,
BradleyClick here for information. If you can't get the answers emailed to you for some reason, contact the iTunes Store staff via the link in that article.
(80111) -
Whenever I want to download a free app, it asks me for 3 security questions. I answer them. Then it says "session has timed out". Then the whole process starts over. How can I get around this?
Hey everyone in Apple world!
I figured out how to fix the flashing yellow screen problem that I've been having on my MBP! Yessssss!!!
I found this super handy website with the golden answer: http://support.apple.com/kb/HT1379
I followed the instructions on this page and here's what I did:
Resetting NVRAM / PRAM
Shut down your Mac.
Locate the following keys on the keyboard: Command (⌘), Option, P, and R. You will need to hold these keys down simultaneously in step 4.
Turn on the computer.
Press and hold the Command-Option-P-R keys before the gray screen appears.
Hold the keys down until the computer restarts and you hear the startup sound for the second time.
Release the keys.
I went through the 6 steps above twice, just to make sure I got rid of whatever stuff was holding up my bootup process. Since I did that, my MBP boots up just like normal. No flashing yellow screen anymore!!
(Note that I arrived at this solution when I first saw this page: http://support.apple.com/kb/TS2570?viewlocale=en_US)
Let me know if this works for you!
Elaine -
Where to find the doc for Oracle server security
I am preparing for Oracle 9i upgrade OCP and looking for
the document which talks about Oracle server security
which includes Application context, Security Role and etc.
Thankshi,
this is the portal content management forum. for your database question please use the database forums:
http://forums.oracle.com/forums/index.jsp?cat=18
thanks,
christian -
Is there any guide lines how you can secure windows 7 gpo enable system services startup security settings?
For example like many do with Forefront Client Security Anti-Malware service, and there is lots of other service that you would like to have control over to get an secure and stable Windows 7.
/SaiTechHi,
Since there is no response from you, we considered that you have gotten what you want in previous post.
For further question, please don't hesitate to come back here and let's discuss again.
If you have any feedback on our support, please click here
Kate Li
TechNet Community Support -
Trying to use Oracle Label Security with a XMLType
Hi everybody.
I'm trying to apply some of the Oracle Label Security functionalities to a table created from the annotations of a XML Schema
(Below I show part of this XML Schema:
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xdb="http://xmlns.oracle.com/xdb"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified"
attributeFormDefault="unqualified">
<xs:element name="FILE_INFO" xdb:SQLType="FILE_INFO" xdb:defaultTable="TABLE_FILE_INFO">
<xs:complexType>
<xs:choice>
<xs:element name="FILE_INFO_DICOM"
type="FILE_INFO_DICOM_TYPE" />
<xs:element name="FILE_INFO_ANALYZE"
type="FILE_INFO_ANALYZE_TYPE" />
</xs:choice>
</xs:complexType>
</xs:element>
<xs:complexType name="FILE_INFO_DICOM_TYPE" xdb:SQLType="FILE_INFO_DICOM_TYPE">
<xs:sequence>
<xs:element name="ELEMENT_INFO_DICOM"
type="ELEMENT_INFO_DICOM_TYPE"
minOccurs="0"
maxOccurs="unbounded"
xdb:defaultTable="TABLE_ELEMENT_INFO_DICOM"
xdb:SQLInline ="false"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="ELEMENT_INFO_DICOM_TYPE" xdb:SQLType="ELEMENT_INFO_DICOM_TYPE">
<xs:all>
<xs:element name="Description" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="GroupTag" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="ElementTag" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="VR" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Value" type="xs:string" minOccurs="0" maxOccurs="1"/>
</xs:all>
</xs:complexType>
................etc
I've created a security policy that I have tested on relational tables (not based on any object type) and works correctly.
BEGIN
SA_POLICY_ADMIN.APPLY_TABLE_POLICY(policy_name => 'policy1',
schema_name => 'oe',
table_name => 'TABLE_FILE_INFO',
table_options => 'LABEL_DEFAULT, READ_CONTROL, WRITE_CONTROL',
label_function => NULL,
predicate => NULL);
END;
When I try to apply this policy to the XMLSchema-created table (TABLE_FILE_INFO) I get next error messages:
ORA-22856: cannot add columns to object tables
ORA-00604 error occurred at recursive SQL level 1
ORA-12445: cannot change HIDDEN property of column.
ORA-06512: in "LBACSYS.LBAC_POLICY_ADMIN", line 257
ORA-06512: in line 2
I suppose that the main problem is that the apply_plicy procedure is trying to add an extra column to a table created from a defined type.
So my questions are: It's that true? Is it possible to apply a policy to the content of XML documents, I mean, if I want to restrict that some users see some subset of a XML document based on a specific policy, is there anything similar to Oracle Label security for XML? (as defined with the annotations in the XML Schema, some elements will be mapped to rows of a XMLType-based table when a XML document is inserted into the XMLDB repository (marked to follow the previous XML Schema of course)
Hope someone can help to solve my doubts...
Thanks,
Marcos.Have you ever answered this question? If not, have you tried to use the "HIDE" property on your table_options?
-
Every time I try to download an app it tells me I need to update my security questions, but once I click to make the questions the box goes white. So I'm not sure how to fix it
The new questions show on your account on http://appleid.apple.com ? If they do then try logging out and back into your account on your phone (assuming that is where you are trying to purchase from) and see if the new questions then show on it.
-
For some reason, an old iD is stuck on my phone. My iPhone 4s is nearly filled with documents and data, to the point where I cannot take pictures, and I can't reset it without using this old iD. I don't know why this is now popping up instead of the one I am registered with. I gained access to the old email the iD is under, but none of the iTunes emails are coming in so I assume it is set up under a different email. For the security question of birthdays, I tried every household member's birthday, and none worked. I have tried the password we used on that account when it was active, along with every other possiblility. I don't know what to do anymore and I have very limited use of my phone if I don't get this sorted out and deleted from my phone.
Thank you for any help!Not without password.
-
My old email account is disabled and I can't remember my itunes password - how can I reset my password or move $ to a new itunes/email account? It seems I must have mis-typed my account information because I can't answer the security questions correctly...
➡ https://iforgot.apple.com/
-
I set up an email account with " @me.com". I get a wrong password message when I try to log in. When I try to change my password I get an INcorrect answer message to the security question I'm asked my birth date so I know I have it right, unless I did a typo when I set up the account. When I choose email me the reset password lnk I cannot retrieve the email because it won't accept the password. I wanted to justemail Apple for instructions but cannot find an email address for that. Any help would be appreciated.
I tried that without any luck. I was hoping I could get Apple to reset it for me or delete the account so I could recreate it or at least tell me what is listed as my birth date, the security question answer.
-
Help.. I've had this issue for over a month, i have over five dollars on my iTunes account and i want to buy music and games but Itunes continuously requests for my Itunes security questions. Is there any possible way i can CHANGE then without having to make a new itunes account?
You need to contact Apple to get the questions reset, which can be done by clicking here and picking a method for your country, or if that's not an option, by filling out and submitting this form.
(95930) -
How can you change your security question for I tunes?
How can you change your security question for I tunes?
If you have a rescue email address (which is not the same thing as an alternate email address) set up on your account then the steps half-way down this page give you a reset link on your account : http://support.apple.com/kb/HT5312
If you don't have a rescue email address (you won't be able to add one until you can answer 2 of your questions) then you will need to contact iTunes Support / Apple to get the questions reset.
Contacting Apple about account security : http://support.apple.com/kb/HT5699
When they've been reset (and if you don't already have a rescue email address) you can then use the steps half-way down the HT5312 link above to add a rescue email address for potential future use -
Please help!! I can't remember any of the answers to my security questions (I made them approximately four years ago and don't know what I was thinking).
How can I change my questions without answering my security questions that I don't know?!??You need to ask Apple to reset your security questions; this can be done by phoning AppleCare and asking for the Account Security team, or clicking here and picking a method, or if your country isn't listed in either article, filling out and submitting this form.
They wouldn't be security questions if they could be bypassed without Apple verifying your identity.
(105971) -
I have bought a new iphone 5s a week ago. Today I wanted to purchase an app. And the security system asked me for an answer for my security questions. But I don't remember them. What should I do?
Frequently asked questions about Apple ID - http://support.apple.com/kb/HE37 --> Can I change the answers to the security questions for my Apple ID? --> Yes. You can change the answers to the security questions provided when you originally signed up for your Apple ID. Go to My Apple ID (http://appleid.apple.com/) and click Manage your account.
Some Solutions for Resetting Forgotten Security Questions - https://discussions.apple.com/docs/DOC-4551
Rescue email address and how to reset Apple ID security questions - http://support.apple.com/kb/ht5312 - "If you can't recall your Apple ID security questions and answers, the optional rescue email provides a way to reset them. Additionally, all future security-related emails for your Apple ID will be sent to the rescue email address."
Jan 2014 post about contacting Apple to reset security questions - https://discussions.apple.com/message/24543247 and https://discussions.apple.com/message/24671039
If you can't remember them over the space of a week you had better write them down.
Maybe you are looking for
-
After the update to Android 5.0.1 on my Galaxy Note 4, my Galaxy Gear S will not install apps, I get an error message that says "Installation Failed. Try Later. (WO:WO:-1002). I am glad it was a free app I was trying to install (I tried a couple of d
-
Is there a size limit on Zip files.
Hi, I'm trying to archive a large amount of files. For example one folder is over 5GB. Is is it safe to zip a 5GB folder? Is there a limit to zip file sizes?
-
Itunes could not connect to the itunes music store.
I have been reading the posts and though this issue has been reported repeatedly, I cannot seem to find an answer of how to solve the problem. I am using a Gateway desktop computer (550GR) Windows XP Home Edition, iTunes (latest edition) and unfortun
-
Subscription not active although I paid
hi i have a problem i bought 400 min to call iran but i can't see it in my account i sent you on your facebook page as a message but i didn't get any reply can you please check that for me ??
-
I have an HP G60 Notebook PC, Product # NW144UA#ABA The computer got a virus and couldnt open Microsoft Office applications so I wanted to restore it to the original factory settings. I created my own set of recovery disks (used 3 DVD-Rs). I started