但我们还是有必要关注一些第三方的 安全工具， 这些安全工具的主要用途 包括：　漏洞扫描，风险评估，安全建议，审计等。

Secure Oracle Auditor　－　 Secure Bytes 的产品 图形化的集中式审计工具， 可以自定义审计策略； 并分析数据库风险，
产品主页： http://www.secure-bytes.com/soa.php

软件截图：

Oracle Database Encryption Wizard For Oracle  – Relational Database Consultants, Inc (RDC)的产品  主要功能是 数据加密，  支持 AES256 and DES3 Encryption加密算法  ， 在从版本7开始支持Oracle 11gR2 及HSM( Hardware Security Modules )。
产品主页：http://www.relationalwizards.com/html/ora_encyrption.html

软件截图：

DB  Protect  – AppSecInc  的产品 ， 提供企业级 的数据安全方案， 功能包括 隔离敏感数据库， 发现及修正可能存在的数据风险， 控制企业员工的数据访问权限,  监控越权行为等。
产品主页： http://www.appsecinc.com/products/dbprotect/index.shtml

软件截图：

NGS SQuirreL for Oracle -  NGS secure 的产品 ， 算是已经在国内比较知名的 oracle 风险评估漏洞扫描工具， 支持从oracle 7.3 到 11g的主要版本。
产品主页： http://www.ngssecure.com/services/information-security-software/ngs-squirrel-for-oracle.aspx

产品介绍：

Oracle数据库安全漏洞扫描工具——NGSSQuirreL for Oracle

NGSSQuirrel for Oracle是国际顶级的数据库安全漏洞扫描工具。深圳市九州安域科技有限公司是NGSSQuirrel for Oracle数据库安全漏洞扫描工具中国区授权代理。

NGSSQuirreL for Oracle支持Oracle 8i,9i和10g，并且可以检查几千个可能存在的安全威胁、补丁状况、对象和权限信息、登陆和密码机制、存储过程以及启动过程。NGSSQuirrel提供强大的密码审计功能，包括字典和暴力破解模式。

NGSSQuirrel

1.         专业数据库漏洞评估工具；

支持MSSQL Server，Oracle，Informix，DB2，MySQL ，Sybase ASE数据库

支持对数据库所有实例的特权、角色、表单、视图、存储过程等进行安全检测。

2.         用于保护基础数据库平台安全并确保数据库满足安全法规的要求；

3.         创建Lockdown脚本，用于自动修复数据库扫描中未发现的漏洞

4.         通过check selection功能，可实行具体扫描或针对目标客户的扫描。

可以为特定目标扫描存储某一定制模板

可根据具体合规性扫描选择合规性模板

5.     提供业界专业的数据库安全资讯以及安全教材。

NGS SQuirreL 数据库扫描检测内容：

1.  扫描数据库默认口令、弱口令

2.     检测触发器、存储程序、表单、包等的访问权限

3.     识别默认Object的漏洞

4.     利用密码哈希值运行密码审计

5.     审查密码策略

6.     审查数据库的版本以及补丁情况

7.     检查数据库所有安全配置以及安全审计配置

8.     针对所有发现的安全问题提供修复建议

9.     可针对单一数据库或单一实例进行扫描

NGS SQuirreL for Oracle, SQL Server, MySQL, DB2 & Informix 行业合规性审计

NGS扫描器其内置有如下所有的合规性模块：

PCI DSS(支付款行业数据安全标准V1.2或V2.2）

SOX

HIPAA

Gramm-Leach Bliley Act

FISMA

SANS Top 20

CIS Benchmark for Oracle 9i/10g Ver. 2.0

CIS Benchmark for SQL Server 2005 v1.0

CIS Benchmark for MySQL v1.0.2

Oracle 基准

NSA SQL Server 2000 V1.5 安全配置和管理指南

这些模板都会保持持续更新；NGS 审计客户将满足这些标准的要求

NGSSQuirrel for Oracle 目前在国内有 九州安域 和   XLSoft  2家代理。

软件截图：

DB Audit – SoftTree的产品    功能强大的数据库安全和审计产品， 支持Oracle, Sybase, DB2, MySQL， Microsoft SQL Server等主流数据库。  DB Audit Expert是一款专业的数据库安全评估，审计和提供解决方案的数据库管理系统。DB Audit Expert允许数据库及系统管理员，安全管理员，审计人员和操作人患跟踪和分析数据库的活动，包括对数据库的访问，使用，对象的建立，修改和删除等。 DB Audit真正独特的是它内置多个审计方式，让您灵活地选择最适合你的数据库安全性要求的审计方式。
产品主页：http://www.softtreetech.com/

产品介绍

   DB Audit Expert是一款专业的数据库安全评估，审计和提供解决方案的数据库管理系统。DB Audit Expert允许数据库及系统管理员，安全管理员，审计人员和操作人患跟踪和分析数据库的活动，包括对数据库的访问，使用，对象的建立，修改和删除等。DB Audit真正独特的是它内置多个审计方式，让您灵活地选择最适合你的数据库安全性要求的审计方式。

主要优势：

提高系统的安全性并确保系统问责制。
捕获常规和“后门”访问被审计的数据库系统。
从易于管理的单一位置，集中了安全和审计控制多个数据库系统的功能，
统一审计的图形界面功能，缩短了学习曲线，很容易使用。
提供分析报告，全面总结概括，减少审核大量数据从而使轻松地识别各种数据库的安全性侵犯。
提供分析报告，以确定哪些进程和用户占用系统资源。
提供本地数据库审计不可用的审计线索的细节。
当敏感数据发生变化时，提供能够生成对关键人员生成电子邮件警报。
解放了DBA，不再需要创建和管理用于数据更改审计目的精心调校的数据库触发器。
支持灵活的审计配置，使安全人员可以选择必须监督和审计跟踪记录的数据库操作和数据修改的特定类型。
对现有的应用程序提供完全透明的系统级和数据更改审计，无需任何修改这些应用。
完全兼容所有主机操作系统可以运行支持的数据库，包括但不限于Windows NT，UNIX和Linux，虚拟机，OS/390，z/OS。

DB Audit 在多种平台，多种数据库上都有完整的解决方案：
安全性预防管理
侦测和安全配置分析
审计与监控
弱点及渗入测试
校正

多种数据库统一管理，操作简便学习周期短，方便使用。通过左侧数据库树型目录可以方便管理各种数据库；右侧大块的工作区域中，将所有的审计按功能分类，可清晰地完成所有的配置。

DB Audit 可以出色的工作在多种平台，多数据库的复杂环境中，通过警告中心服务器收集、存储和分析各种数据库的审计警告，并按照管理中心所配置将审计报表或警告发送到不同的部门及用户。

DB Audit客户：
DB Audit拥有众多大客户，例如，M＆T银行,道琼斯公司，富士银行(Fuji Bank)，亨廷顿银行(Huntington Bank)，Wells Fargo银行，北方信托公司, （The Reserve Funds）储备基金，第一资本金融公司（Capital One Financial Corp.）,3M公司，AT＆T公司，IBM公司，戴尔公司，JP摩根大通，惠普，壳牌，索尼，美国军队，美国航空航天局等。

软件截图：

DB Audit 目前在国内有一家授权代理  北京铸锐数码科技。

Audit DB – LuMigent 公司的产品 ， 功能包括 数据库活动监控、审计、 用户权限监控、变更复核、访问监控等。
产品主页： http://www.lumigent.com/products/audit-db

软件截图：

DBCoffer – 难得一见的国产数据库安全产品。 相关介绍： 国内首款主动预防型 数据库安全加固产品，存储层、数据访问层、应用访问层全方位防止数据泄密。
产品主页：　http://www.schina.cn/a/fangan/shujukubaoxianxiang/about.html

目前找不到该款产品的软件截图 www.oracledatabase12g.com Here

© 2012, www.oracledatabase12g.com. 版权所有.文章允许转载,但必须以链接方式注明源地址,否则追究法律责任.

Related posts:

1. Driving Security Revenue With Oracle Database 11g
2. MySQL Training Solutions
3. Know about Oracle Network Security
4. Oracle Protected Enterprise: Upsell Security and Identity Management into your Oracle Deals
5. 如何清理审计基表SYS.AUD$
6. Oracle Database 11g: Security Student Guide
7. Migrate from MySQL to Oracle

--- listspfiles.sql
--- Purpose: Sample script to list spfiles kept in ASM instance
--- Usage: This should be run against an ASM instance,
--- not a database instance.
---
--- cut here --%<----%<----%<----%<----%<----%<--

--list all spfiles

set lines 120
col full_path for a110
SELECT full_path, dir, sys
FROM
(SELECT
CONCAT('+'||gname,SYS_CONNECT_BY_PATH(aname,'/')) full_path,
dir, sys FROM
(SELECT g.name gname,
a.parent_index pindex, a.name aname,
a.reference_index rindex, a.ALIAS_DIRECTORY dir,
a.SYSTEM_CREATED sys
FROM v$asm_alias a, v$asm_diskgroup g
WHERE a.group_number = g.group_number)
START WITH (MOD(pindex, POWER(2, 24))) = 0
CONNECT BY PRIOR rindex = pindex
ORDER BY dir desc, full_path asc)
WHERE UPPER(full_path) LIKE '%SPFILE%'
/

Sample output:

FULL_PATH                                                                                                      D S
-------------------------------------------------------------------------------------------------------------- - -
+DATA/Aspfile.ora                                                                                              N N
+DATA/VPROD/PARAMETERFILE/spfile.273.766620265                                                                 N Y
+DATA/VPROD/PARAMETERFILE/spfile.365.773976489                                                                 N Y
+DATA/VPROD/spfileVPROD.ora                                                                                    N N

© 2012, www.oracledatabase12g.com. 版权所有.文章允许转载,但必须以链接方式注明源地址,否则追究法律责任.

Related posts:

1. Script:收集ASM诊断信息
2. Script:利用外部表实现SQL查询Oracle告警日志Alert.log
3. Script:收集Exadata诊断信息
4. Script:列出数据库中5%以上链式行的表
5. Script:列出没有主键或唯一索引的表
6. Script:Generate A DDL Script For A Table
7. Script:when transaction will finish rollback
8. Script:List NLS Parameters and Timezone
9. Script:列出失效索引或索引分区
10. Script:收集数据库安全风险评估信息

[oracle@nas ~]$ oerr ora 10235
10235, 00000, "check memory manager internal structures"
// *Cause:
// *Action:

List of Levels for Event 10235
Level 1: Check heap before heap is freed.
Level 2: Level 1 + fill allocation and frees with 0xff.
Level 3: level 2 + checks to make sure chunk belongs to heap prior to operation (free, grow, make chunk as
freeable with mark). Scan of extents, could get expensive
Level 4: level 3 + allocates permanent chunks as freeable chunks. This accomplishes two things:
all permanent allocations are in their own chunks and the comments for the permanent chunks appear in a heap dump.
The following levels should be OR'ed in together. For example, in order to use levels 2, 8 and 16,
event 10235 needs to be set to level 26.
Level 8: Check heap on every operation to the heap.
Level 16: Level 8 + check top PGA heap and SGA heap.
Level 32: Level 16 + check all heaps in the top pga heap, recursively; check SGA heap.
Level 64: Level 32 + check SGA heap if started up in single_process=true.
Level 256: align chunks at the bottom of a page and page protect the page that follows the chunk,
to catch writes off the end of a chunk, for all heaps.
Level 512: Like level 256, except for all heaps in the pga heap; so this event is useful for detecting
corruption in the pga heap and pga subheaps. This can also be enabled on specific heaps or chunks with
specific comments.
Level 65536: Enable CPM(Commented PerManent chunk) Keep comment for permanent allocation. It's useful for
detecting memory growth/overrun in permanent space. If you need to investigate the allocations for "library cache",
The combination of event 10049 level 10100 and this event will help to have more descriptive information.

注意只有当 怀疑oracle实例存在内存讹误(memory corruption)或者深入研究KGH堆管理内部原理的时候才有必要使用该10235事件，不要在生产库设置该诊断事件！！ 不推荐在session会话级别设置该event 可能引起问题，具体的设置方法如下：

alter system set event=' 10235 trace name context forever,level 512 ' scope=spfile;
restart instance;

实际上绝大多数情况下我们不会用到10235 event， 即便是提交有关内存泄露(memory leak)或者内存讹误(memory corruption)的SR后 oracle Support 要求你上传一些heapdump的trace信息， 直接做heapdump转储也已经足够了， 具体用法如下：

alter session set event 'trace name immediate heapdump level <n>';

level 级别列表如下：

 1:          pga heap,  1025:            pga heap w/ contents
 2:          sga heap,  2050:            sga heap w/ contents
 4:          uga heap,  5000:            uga heap w/ contents
 8:          current call heap,  8200: current call heap w/ contents
16:         user call heap, 16400:     user call heap w/ contents
32:         large alloc heap, 32800:  large alloc heap w/ contents

若希望dump转储某个特定的subheap ，则先要知道该heap descriptor 的address地址

alter session set event 'trace name immediate headump_addr level <addr>';

© 2012, www.oracledatabase12g.com. 版权所有.文章允许转载,但必须以链接方式注明源地址,否则追究法律责任.

Related posts:

1. EVENT 10235:”check memory manager internal structures”
2. Oracle Internal Research深入研究Oracle内部原理
3. FAQ Memory Corruption
4. Oracle Internal Event:10200 Consistent Read诊断事件
5. Oracle Internal Event:10201 consistent read undo application诊断事件
6. Setting an Oracle event:The structure of the trace syntax
7. Oracle Event 10357 and 10351
8. EVENT:10210 check data block integrity
9. EVENT:10211 check index block integrity
10. opatch java.lang.OutOfMemoryError:Java heap space错误一例

这里总结了一下ASMLIB的诊断思路， 如下脚本：

cat /etc/sysconfig/oracleasm

1) uname -a
2) rpm -qa | grep ^oracleasm
3) rpm -V oracleasmlib
4) multipath -ll

1) output of command line

# rpm -V oracleasm-support

# /etc/init.d/oracleasm scandisks

# /etc/init.d/oracleasm listdisks

# ls -l -R /dev/oracleasm/

# ls -l /etc/sysconfig/oracleasm

# cat /etc/sysconfig/oracleasm

# mount

2) oracleasm log file

/var/log/oracleasm

3) sosreport

By default the "sos" package should be installed into EL4u6 or later.
(If not, please download the sos package from ULN https://linux.oracle.com)

You just need type command "sosreport" as root user, and press "Enter" or "yes" for all the questions.

The sosreport will run for several minutes, according to different system, the running time might be more longer.
Once completed, "sosreport" will generate a compressed sosreport-xx-xx.bz2 file under /tmp. 

[summary]
- confirm system build asm disk on muoltipath devices
- modify /etc/udev/rules.d.90-dm.rules
- currently both nodes could find the asm disk from scandisks and listdisks
- sharon.honor will try installer again, if necessary need get help from application(RAC) team

1. Reboot the box.

2. Run the following commands
#fdisk -l
#multipath -ll
#blkid
#cat /etc/sysconfig/oracleasm
#cat /etc/sysconfig/oracleasm-_dev_oracleasm

#uptime
#/etc/init.d/oracleasm start
#/etc/init.d/oracleasm listdisks

#uptime
#/etc/init.d/oracleasm scandisk

Please also modify the /etc/sysconfig/oracleasm-_dev_oracleasm with below.
ORACLEASM_SCANORDER="dm"
ORACLEASM_SCANEXCLUDE="sd"

The devices that asmlib will scan is controlled in the /etc/sysconfig/oracleasm file
with the "scanorder" and "scanexclude" parameters.

© 2012, www.oracledatabase12g.com. 版权所有.文章允许转载,但必须以链接方式注明源地址,否则追究法律责任.

Related posts:

1. oracleasm failed to createdisk on raw device

# CHECK FIREWALL, WINDOWS FIREWALL , ANTI-Virus Software First !
ping hostname
tnsping TNS
trcroute TNS
telnet  <hostname> <port>  

tracert hostname

client side
sqlplus scott/tiger@TNS

&
server side
sqlplus scott/tiger@TNS

cat /etc/hosts
cat /etc/resolv.conf
cat /etc/nsswitch.conf
ipconfig -a
ping 127.0.0.1

$ORACLE_HOME/network/admin/sqlnet.ora
$ORACLE_HOME/network/admin/tnsnames.ora
$ORACLE_HOME/network/admin/listener.ora
$ORACLE_HOME/network/admin/endpoints_listener.ora
$ORACLE_HOME/network/log/*
sqlnet.log listener.log
/var/log/messages
/var/adm/messages
errpt -a

ls -ld $ORACLE_HOME
netstat -rn
ps -ef | grep -i tns
lsnrctl status {listener_name}
lsnrvtl services {listener_name}

ulimit -a

1. Complete database alert log.

2. If the database was not restarted from the time of last occurance of the
issue,

select * from v$resource_limit

3. RAM and SWAP configured on the server.

4. ulimit settings for oracle user:

ulimit -aS
ulimit -aH

5. Kernel parameter settings:

/etc/sysctl.conf

dblogin

show parameter cluster_database

show parameter listener

$srvctl config vip -n {nodename}

$lsnrctl status listener

agent.log and the crsd.log ..

crsd agent log and the crsd.log
$crsctl getperm resource ora.LISTENER.lsnr

sql net client trace , Client side tracing is done by adding the following syntax to the client’s sqlnet.ora file:

We will need a timestamped matching set of client/listener sqlnet traces while error is reproduced in order to find the root cause of the issue.

++ Enable client sqlnet tracing.
=======================

To do this add the following to client sqlnet.ora:

TRACE_LEVEL_CLIENT=16
TRACE_UNIQUE_CLIENT=TRUE
TRACE_DIRECTORY_CLIENT=path
TRACE_FILE_CLIENT=client
TRACE_TIMESTAMP_CLIENT=ON

replace path with a local directory for the trace files. (for example c:\temp)
Do a test connection from the problematic client and check if the trace files are created.
Upload the traces containing the error to me on metalink.

++ Enable listener sqlnet tracing.
==========================
To do this edit the listener.ora and add,

TRACE_LEVEL_{listener name}=16
TRACE_TIMESTAMP_{listener name}=TRUE
TRACE_DIRECTORY_{listener name}=/tmp {– this can be any directory other than a top level directory like / or c:\

Replace {listener name} with the name of the listener. For example if your listener was called LISTENER then TRACE_LEVEL_LISTENER=16

You need to restrict the amount of disk space used by the tracing then you must also set,

TRACE_FILELEN_{listener name}=500000 {– size of the files in K
TRACE_FILENO_{listener name}=10 {– number of files

This will limit the traces to 10 files of around 500Mb, so 5000Mb in total. When the 10th file is full it will reuse file number one.
You will need to stop/start the listener for this to take effect.
When the problem reproduces please can you upload the listener trace and the listener log.

Trace_level_client=16
Trace_directory_client={path_to_the_trace_directory} # use the full path to the trace directory
Trace_unique_client=on
Trace_timestamp_client=on
Diag_adr_enabled=off

trace Local listener or SCAN listeners
TRACE_LEVEL_{listener_name}= 16
TRACE_TIMESTAMP_{listener_name}=on
TRACE_DIRECTORY_{listener_name}={path_to_the_trace_directory}

truss -o /tmp/lisener.out -fae lsnrctl start {listener_name}

Some Useful Note:

Note.444705.1 TroubleShooting Guide For ORA-12514 TNS listener could not resolve SERVICE_NAME given in connect descriptor
Note.761740.1 Technicians Unable To Receive Orders While MWM Components Display ODBC Errors And Are Connected
Note.119007.1 ORA-12560: Administering the Listener on UNIX – Troubleshooting
Note 276812.1 TNS-12542 Error When Executing Batch Jobs or in High Transaction Environment
Note.219208.1 Ext/Pub Client Connection via Connect Manager Fails with TNS-12564
Note.393941.1 Ext/Mod ORA-12564 Reported When Using 10g Connection Manager
Note.1116960.1 ORA-609 TNS-12537 and TNS-12547 in 11g Alert.log
Note.550859.1 Abstract TROUBLESHOOTING GUIDE TNS-12518 TNS listener could not hand off client connection.
Note.207303.1 Client / Server / Interoperability Support Between Different Oracle Versions
Note.119706.1 Troubleshooting Guide TNS-12535 or ORA-12535 or ORA-12170 Errors

For database links between different Oracle versions connections must be supported in BOTH directions in the matrix found in Note 207303.1
eg: As 9.2 -} 7.3.4 is not supported then database links between these version
are not supported in either direction.
You are trying to connect two versions (client-server) that are not certified (as confirmed by Note 207303.1) and between which exist many technical incompatibilities.

CLIENT — LISTENER — SERVER RESULT

8 11.1 8 OK
9 11.1 9 OK
10 11.1 10 OK
11 11.1 11 OK

8 11.2 8 FAILS
9 11.2 9 OK
10 11.2 10 OK
11 11.2 11 OK

9 11.1 8 OK
10 11.1 8 OK
11 11.1 8 OK

9 11.2 8 FAILS
10 11.2 8 FAILS
11 11.2 8 FAILS

The relevant relationship that appears to be at issue is LISTENER and DATABASE. Client version is not a factor.

But if the ultimate outcome is that the 11.2 (11gR2) LISTENER is indicated (though I still haven’t seen documentation of this) as not compatible with use on a ORACLE 8i (8.1.7.0) DATABASE, then we’ll capture that here and move on. I would, however, like to see some evidence of this, if it is available. I can find notes in the KB about 10gR2′s listener not supporting 8i database, and I can find notes about 11gR1 having resolved that regression. But I can find nothing regarding listener/database compatibility that mentions 11gR2, that would explain our results.
Clients should be complied with Servers , For Sever 11.2 the only supported clients are 11.2.0 , 11.1.0 , 10.2.0 : 10g end MUST be at 10.2.0.2 (or higher) respectively in order to use PLSQL between those versions. See Note:4511371.8 for more details and finally 10.1.0.5 only with extended support .

On the other Side in order to connect from listener to DB server in a supported way , Listener version should be greater than or equal to the server version .

Note 207303.1 should still be followed.

© 2012, www.oracledatabase12g.com. 版权所有.文章允许转载,但必须以链接方式注明源地址,否则追究法律责任.

Related posts:

1. Connection pool,sqlnet,listener related issues/questions
2. 如何跟踪Oracle动态服务注册