Risk Assessment in Practice: Checking Remote Oracle Policy Configuration from a Linux Terminal

The previous article covered how to check a remote host's policy configuration from a Linux terminal; this one continues with how to check a remote Oracle database's policy configuration from a Linux terminal.

The check environment is the same as the one described in the previous article, so let's get straight to the subject.

First, look at a record of one of my checks; there are a few tricks to pick up from it.

[root@byhis01 ~]# su - oracle
oracle@byhis01:~$ sqlplus /nolog

SQL*Plus: Release 10.2.0.1.0 - Production on Sat Oct 12 16:56:34 2013

Copyright (c) 1982, 2005, Oracle. All rights reserved.

SQL> conn / as sysdba;
ERROR:
ORA-12545: Connect failed because target host or object does not exist

The log shows that I switched from root to the oracle user and ran sqlplus without trouble, but `conn / as sysdba` failed. If you are not familiar with the message, the first reaction is that the database has disabled OS authentication, so that logging in requires a database username and password. Let's first verify whether OS authentication really is disabled.

The contents of $ORACLE_HOME/network/admin/sqlnet.ora are:

-bash-3.2$ more $ORACLE_HOME/network/admin/sqlnet.ora
SQLNET.INBOUND_CONNECT_TIMEOUT=0
NAMES.DIRECTORY_PATH=(TNSNAMES)
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES=(192.168.1.43,192.168.1.7,192.168.1.2,192.168.1.3,192.168.1.4
# TCP.EXCLUDED_NODES= ()

As shown above, sqlnet.ora contains no SQLNET.AUTHENTICATION_SERVICES entry, the setting that controls OS authentication, so the database has not disabled OS authentication. (On Linux, `/ as sysdba` additionally requires the OS user to belong to the OSDBA group, usually `dba`; keep that in mind when the connection fails for an account other than the installation owner.)

If OS authentication is not disabled, why does the login fail? The error text gives it away: the connection failed because the target host or object does not exist. ORA-12545 is an Oracle Net (TNS) error raised before any credentials are examined. With `conn / as sysdba` and no connect string, sqlplus makes a local bequeath connection using the ORACLE_HOME and ORACLE_SID of the current shell, so if the oracle account's environment does not match the running instance the connection cannot even be established. That points to the other possible cause: oracle is not the user that installed and started the database. We can confirm this from the process list:

oracle@his01:~$ ps -ef|grep ora_
orasrv 2717 1 0 Sep17 ? 00:06:14 ora_pz99_orcl1
orasrv 6243 1 0 Sep17 ? 00:13:56 ora_j000_orcl1
oracle 6269 4909 0 16:57 pts/9 00:00:00 grep ora_
orasrv 7128 1 0 Sep04 ? 00:46:14 ora_pmon_orcl1
orasrv 7132 1 0 Sep04 ? 00:00:39 ora_diag_orcl1
orasrv 7143 1 0 Sep04 ? 00:00:06 ora_psp0_orcl1
orasrv 7149 1 0 Sep04 ? 00:20:13 ora_lmon_orcl1
orasrv 7155 1 0 Sep04 ? 00:26:36 ora_lmd0_orcl1
orasrv 7157 1 0 Sep04 ? 01:10:43 ora_lms0_orcl1
orasrv 7173 1 0 Sep04 ? 00:00:13 ora_mman_orcl1
orasrv 7191 1 0 Sep04 ? 00:42:22 ora_dbw0_orcl1
orasrv 7195 1 0 Sep04 ? 00:41:33 ora_dbw1_orcl1
orasrv 7197 1 0 Sep04 ? 00:49:17 ora_lgwr_orcl1
orasrv 7199 1 0 Sep04 ? 00:11:13 ora_ckpt_orcl1
orasrv 7201 1 0 Sep04 ? 00:04:17 ora_smon_orcl1
orasrv 7203 1 0 Sep04 ? 00:00:01 ora_reco_orcl1
orasrv 7206 1 0 Sep04 ? 00:11:18 ora_cjq0_orcl1
orasrv 7208 1 0 Sep04 ? 00:00:24 ora_mmon_orcl1

The listing shows that the Oracle background processes are owned not by oracle but by orasrv. The instance name is orcl1, and the lmon/lmd0/lms0 processes show it is a RAC instance.

The account list in /etc/passwd already hints at this:

[sysroot@his01 ~]$ more /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
nfsnobody:x:65534:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
oracle:x:100:101::/usr/local/oracle:/bin/bash
orasrv:x:116:101:orasrv:/df8003/rdbm/orasrv:/bin/bash
sysroot:x:500:500::/home/sysroot:/bin/bash

So there are two database-related accounts, oracle and orasrv. Both have primary GID 101 (presumably the OSDBA group), so group membership is not what blocks oracle; its environment is. When connecting as oracle fails, the natural next step is to check whether orasrv is the account that actually matters.

Here is another trick. At this point I only know the root password, not oracle's or orasrv's. How do I get from oracle to orasrv? Run `su - root` from oracle and enter the root password, then `su - orasrv`: switching from root to a less privileged user asks for no password.

oracle@byhis01:~$ su - root
Password:
[root@byhis01 ~]# su - orasrv
-bash-3.2$

After that, OS authentication goes through and I can log in with the sysdba role without knowing the sys password. Note that the sqlplus banner now reads 10.2.0.4.0 rather than the 10.2.0.1.0 seen under oracle: the two accounts point at different Oracle homes, and the instance runs from orasrv's.

-bash-3.2$ sqlplus /nolog

SQL*Plus: Release 10.2.0.4.0 - Production on Sat Oct 12 16:58:22 2013

Copyright (c) 1982, 2007, Oracle. All Rights Reserved.

SQL> conn / as sysdba;
Connected.
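The discovery steps above, as an added example that is not part of the original post: shell functions that read the instance owner and SID from the ora_pmon_<SID> process instead of assuming an account called oracle, pull ORACLE_HOME/ORACLE_SID out of a process environment (the root cause of the ORA-12545 above), test whether sqlnet.ora disables OS authentication, and list the accounts sharing the owner's primary GID. The sample inputs are constructed, abridged from the output shown above, the ORACLE_HOME path in the environ sample is made up, and the function names are mine.

```shell
#!/bin/sh
# Constructed samples (abridged from the kind of output shown on the page),
# so the functions can be exercised without a live Oracle host.
SAMPLE_PS='orasrv 7128 1 0 Sep04 ? 00:46:14 ora_pmon_orcl1
orasrv 7197 1 0 Sep04 ? 00:49:17 ora_lgwr_orcl1
oracle 6269 4909 0 16:57 pts/9 00:00:00 grep ora_'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
oracle:x:100:101::/usr/local/oracle:/bin/bash
orasrv:x:116:101:orasrv:/df8003/rdbm/orasrv:/bin/bash
sysroot:x:500:500::/home/sysroot:/bin/bash'

SAMPLE_SQLNET_OPEN='NAMES.DIRECTORY_PATH=(TNSNAMES)
TCP.VALIDNODE_CHECKING = YES'

SAMPLE_SQLNET_CLOSED='NAMES.DIRECTORY_PATH=(TNSNAMES)
SQLNET.AUTHENTICATION_SERVICES = (NONE)   # disables OS authentication'

# Print "<os-user> <SID>" for every running instance, taken from the
# ora_pmon_<SID> background process (ps -ef output on stdin).
oracle_owner_from_ps() {
    awk '$NF ~ /^ora_pmon_/ { sub(/^ora_pmon_/, "", $NF); print $1, $NF }'
}

# Print the ORACLE_HOME and ORACLE_SID lines of a NUL-separated process
# environment on stdin (e.g. /proc/<pmon pid>/environ, readable by root).
oracle_env_from_environ() {
    tr '\000' '\n' | grep -E '^ORACLE_(HOME|SID)='
}

# Exit 0 if sqlnet.ora on stdin disables OS authentication, i.e. contains
# SQLNET.AUTHENTICATION_SERVICES with NONE; comments and spacing are ignored.
os_auth_disabled() {
    sed 's/#.*//' | tr -d ' \t' | tr 'a-z' 'A-Z' |
        grep -q '^SQLNET\.AUTHENTICATION_SERVICES=(.*NONE'
}

# Primary GID of a user, from passwd content on stdin.
gid_of() {
    awk -F: -v user="$1" '$1 == user { print $4 }'
}

# Accounts whose primary GID is the given one (the OSDBA group when it is the
# instance owner's): each can connect "/ as sysdba" once its environment is right.
accounts_in_gid() {
    awk -F: -v gid="$1" '$4 == gid { print $1 }'
}

# Live use on the target host, as root:
#   ps -ef | oracle_owner_from_ps
#   oracle_env_from_environ < /proc/<pmon pid>/environ
#   os_auth_disabled < "$ORACLE_HOME/network/admin/sqlnet.ora" && echo "OS auth disabled"
#   accounts_in_gid "$(gid_of orasrv < /etc/passwd)" < /etc/passwd
```

Running the first two lines of the usage comment as root tells you which account to `su` to and which ORACLE_HOME/ORACLE_SID that account must have set before `conn / as sysdba` can work.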

Now to the main topic: checking the Oracle database policy configuration from a Linux terminal.

Contents of oraclescript.txt (run it as the instance owner with `sqlplus "/ as sysdba" @oraclescript.txt`):

set echo on
spool oracle.txt
set linesize 512
set pagesize 1024
-- Database identity and archiving mode
select * from global_name;
archive log list;
-- Accounts, their profiles and the DEFAULT profile's password policy
select username,profile from dba_users;
select username,account_status from dba_users;
select * from dba_profiles where profile='DEFAULT';
-- Control files, redo logs and archived logs
select name,status from v$controlfile;
select group#,status,member from v$logfile;
select name from v$archived_log;
-- Password hashes from SYS.USER$: the spool file is sensitive from here on
select name,password from user$;
-- Tablespace sizing
select tablespace_name,sum(bytes)/1024/1024 from dba_data_files group by tablespace_name;
select tablespace_name,sum(bytes)/1024/1024 from dba_free_space group by tablespace_name;
-- Security-relevant initialisation parameters (show parameter matches substrings,
-- so os_auth lists both OS_AUTHENT_PREFIX and REMOTE_OS_AUTHENT)
show parameter
show parameter audit
show parameter os_auth
show parameter remote_login_passwordfile
show parameter o7_dictionary_accessibility
-- Roles and system privileges, including anything granted to PUBLIC
select granted_role from dba_role_privs where grantee='PUBLIC';
select grantee,privilege,admin_option from dba_sys_privs;
select grantee,granted_role,default_role from dba_role_privs;
select grantee||' '||owner||'.'||table_name from dba_tab_privs where grantee='PUBLIC' and table_name like 'UTL\_%' escape '\';
select grantee||' '||owner||'.'||table_name from dba_tab_privs where grantee='PUBLIC' and table_name like 'DBMS\_%' escape '\';
select username,account_status,default_tablespace,temporary_tablespace,profile from dba_users order by username;
select profile,resource_name,resource_type,limit from dba_profiles order by profile;
select tablespace_name,sum(bytes)/1024/1024 as FreeSize from dba_free_space group by tablespace_name order by tablespace_name;
select tablespace_name,status,contents,logging from dba_tablespaces order by tablespace_name;
select status||' '||name from v$controlfile;
select group#,status from v$log;
select group#||' '||status||' '||member from v$logfile order by group#;
select name||' '||value from v$parameter where name like '%archive%';
select stamp||' '||name from v$archived_log order by stamp;
-- Current sessions and wait statistics
select sid||':'||serial#||':'||username||':'||command||':'||status||':'||program from v$session;
select event||' '||sum(seconds_in_wait) from v$session_wait group by event order by sum(seconds_in_wait) desc;
select wait_class||' '||sum(total_waits)||' '||sum(time_waited) as timeWaited from v$system_wait_class group by wait_class order by wait_class;
spool off


Key points about this script:

1. The first command, set echo on, is essential: without it the spool file contains only the query results and not the commands that produced them, which makes the output hard to read.

2. spool oracle.txt writes oracle.txt to the directory sqlplus was started from, not to $ORACLE_HOME; give an absolute path if you want to be sure where it lands. The file contains the password hashes from user$, so treat it as sensitive and remove it from the host once you have copied it out.

3. Always finish with spool off to stop the capture.

4. The parameter is O7_DICTIONARY_ACCESSIBILITY with the letter O; written with a zero, show parameter silently returns nothing.
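An added example, not part of the original post: a shell/awk checker that reads the spooled output of the script above and flags the weak settings a risk assessment looks for. It assumes the row shapes the script's own queries produce (DEFAULT profile rows as PROFILE RESOURCE_NAME RESOURCE_TYPE LIMIT, show parameter rows as NAME TYPE VALUE, PUBLIC grants as PUBLIC OWNER.OBJECT); SAMPLE_SPOOL is a constructed excerpt, not real assessment data, and the function names are mine.

```shell
#!/bin/sh
# Constructed excerpt in the shape of what "spool oracle.txt" captures
# (column headers and dashed separators left out); not real assessment data.
SAMPLE_SPOOL='DEFAULT FAILED_LOGIN_ATTEMPTS PASSWORD 10
DEFAULT PASSWORD_LIFE_TIME PASSWORD UNLIMITED
DEFAULT PASSWORD_REUSE_MAX PASSWORD UNLIMITED
DEFAULT PASSWORD_LOCK_TIME PASSWORD UNLIMITED
DEFAULT PASSWORD_VERIFY_FUNCTION PASSWORD NULL
audit_trail string NONE
o7_dictionary_accessibility boolean TRUE
os_authent_prefix string ops$
remote_login_passwordfile string EXCLUSIVE
remote_os_authent boolean TRUE
PUBLIC SYS.UTL_FILE
PUBLIC SYS.UTL_HTTP
PUBLIC SYS.DBMS_RANDOM'

# Read spool text on stdin and print one "FINDING: ..." line per weak setting.
audit_findings() {
    awk '
    # dba_profiles rows for the DEFAULT profile: PROFILE RESOURCE_NAME RESOURCE_TYPE LIMIT
    $1 == "DEFAULT" && $3 == "PASSWORD" {
        if ($2 == "PASSWORD_LIFE_TIME" && $4 == "UNLIMITED")
            print "FINDING: DEFAULT profile: passwords never expire (PASSWORD_LIFE_TIME UNLIMITED)"
        if ($2 == "FAILED_LOGIN_ATTEMPTS" && $4 == "UNLIMITED")
            print "FINDING: DEFAULT profile: no lockout after failed logins"
        if ($2 == "PASSWORD_REUSE_MAX" && $4 == "UNLIMITED")
            print "FINDING: DEFAULT profile: password reuse unrestricted"
        if ($2 == "PASSWORD_VERIFY_FUNCTION" && $4 == "NULL")
            print "FINDING: DEFAULT profile: no complexity function (utlpwdmg.sql not applied)"
    }
    # show parameter rows: NAME TYPE VALUE
    $1 == "remote_os_authent" && toupper($3) == "TRUE" {
        print "FINDING: REMOTE_OS_AUTHENT=TRUE: a remote client can assert any OS user name"
    }
    $1 == "o7_dictionary_accessibility" && toupper($3) == "TRUE" {
        print "FINDING: O7_DICTIONARY_ACCESSIBILITY=TRUE: ANY privileges reach SYS objects"
    }
    $1 == "audit_trail" && toupper($3) == "NONE" {
        print "FINDING: AUDIT_TRAIL=NONE: database auditing is off"
    }
    # PUBLIC object grants, printed by the script as "PUBLIC OWNER.OBJECT"
    $1 == "PUBLIC" && $2 ~ /^SYS\.(UTL_FILE|UTL_HTTP|UTL_TCP|UTL_SMTP|UTL_INADDR|DBMS_JAVA|DBMS_SCHEDULER)$/ {
        print "FINDING: " $2 " is granted to PUBLIC"
    }'
}

# Number of findings, usable as a summary or a pass/fail threshold.
finding_count() {
    audit_findings | wc -l | tr -d ' '
}

# Usage:  audit_findings < oracle.txt
#    or:  printf '%s\n' "$SAMPLE_SPOOL" | audit_findings
```

Because set echo on puts the SQL text itself into the spool file, the patterns key on the first field of each line (DEFAULT, a parameter name, PUBLIC), so echoed statements and column headers are not mistaken for results.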


Then check a few database configuration files:

cat $ORACLE_HOME/rdbms/admin/utlpwdmg.sql
cat $ORACLE_HOME/network/admin/sqlnet.ora
cat $ORACLE_HOME/network/admin/listener.ora

utlpwdmg.sql is Oracle's sample password-verification function together with DEFAULT profile limits; it takes effect only once someone has run it, which the PASSWORD_VERIFY_FUNCTION limit in the dba_profiles output tells you. In sqlnet.ora look at SQLNET.AUTHENTICATION_SERVICES and the TCP.VALIDNODE_CHECKING, TCP.INVITED_NODES and TCP.EXCLUDED_NODES settings; in listener.ora look for a listener password and ADMIN_RESTRICTIONS_<listener>=ON.


Finally, copy the Oracle alert log off the host with scp and analyse the errors it records. On 10g it is alert_<SID>.log under the directory given by `show parameter background_dump_dest`.


This article has listed the command script used for the Oracle check in a risk assessment. I hope it is useful.




