Comments on: Do you check your script library? http://coskan.wordpress.com/2009/11/30/do-you-check-your-scripts-library/ What I learned about Oracle Tue, 18 Jun 2013 17:42:56 +0000 hourly 1 http://wordpress.com/ By: Neil Johnson http://coskan.wordpress.com/2009/11/30/do-you-check-your-scripts-library/#comment-3863 Sat, 05 Dec 2009 20:35:59 +0000 http://coskan.wordpress.com/?p=688#comment-3863 If you have grid control you could put your scripts on there. SQL*Plus can execute scripts available via http. See the link below for an example.

http://blog.tanelpoder.com/2007/08/31/sqlplus-is-my-second-home-part2/

Assuming your grid control server is secure then I guess you can sleep easy knowing your scripts are safe :)

]]> By: coskan http://coskan.wordpress.com/2009/11/30/do-you-check-your-scripts-library/#comment-3861 Fri, 04 Dec 2009 15:47:16 +0000 http://coskan.wordpress.com/?p=688#comment-3861 I wish there is a wallet like solution for sql scripts as well. When I login I need to open the wallet. When I go and edit files in directory I need to open the wallet first etc. etc.

]]> By: coskan http://coskan.wordpress.com/2009/11/30/do-you-check-your-scripts-library/#comment-3860 Fri, 04 Dec 2009 15:45:21 +0000 http://coskan.wordpress.com/?p=688#comment-3860 Thank you for your comments and your time Eugene but my main problem is that my workstation is windows and I am calling scripts inside the sqlplus.

your solution is very good for the maintenance scripts we run on the server. I will try your way as soon as I can.

]]> By: Eugene http://coskan.wordpress.com/2009/11/30/do-you-check-your-scripts-library/#comment-3854 Wed, 02 Dec 2009 18:04:18 +0000 http://coskan.wordpress.com/?p=688#comment-3854 Hello Coskan,
Here is my idea how to solve security problem with sql repository:

1)First we need to encrypt file with openssl:
= = = = = = = = = = = = = = = = = = = = = = = =
cd ~/sql_rep && openssl enc -aes-128-cbc -in check_db_status.sql -out check_db_status.enc
once prompted, please enter password for yuor file it can be the same for all sqls.

enter aes-128-cbc encryption password:
or you can specify password via additional option

cd ~/sql_rep && openssl enc -aes-128-cbc -in check_db_status.sql -out check_db_status.sql.enc -pass pass:tezzt && rm -f check_db_status.sql

check_db_status.sql
~~~~
spool /tmp/teztingz.lst
select NAME,OPEN_MODE,FORCE_LOGGING,FLASHBACK_ON from gv$database;
spool off
exit
~~~~

NOw you have only encrypted version of your sql in your repository.

2)Decrypt your sql and run:
= = = = = = = = = = = = = = = = = = = = = = = =
Just run this command to decrypt file and run sql, upon completion it will delete an *sql and will leave *enc only:

cd ~/sql_rep && \
cd ~/sql_rep && openssl enc -d -aes-128-cbc -in check_db_status.sql.enc -out check_db_status.sql && \
sqlplus “/as sysdba” @check_db_status.sql && rm -f check_db_status.sql

this one will prompt password.


cd ~/sql_rep && \
openssl enc -d -aes-128-cbc -in check_db_status.sql.enc -out check_db_status.sql -pass pass:tezzt && \
sqlplus “/as sysdba” @check_db_status.sql && rm -f check_db_status.sql

And this one already have password as an option.

3)To simplify execution you can create an alias:
= = = = = = = = = = = = = = = = = = = = = = = =
function dbstf {
cd ~/sql_rep && \
openssl enc -d -aes-128-cbc -in check_db_status.sql.enc -out check_db_status.sql -pass pass:tezzt && \
sqlplus “/as sysdba” @check_db_status.sql && rm -f check_db_status.sql
}
alias dbst=dbstf

So just run dbst from command prompt and you will run decrypted sql and than it will be deleted:

[oracle@xxxx sql_rep]$ XXX_db_1st >>dbst
~~~~~~~
dbst

SQL*Plus: Release 11.1.0.6.0 – Production on Mon Nov 23 08:35:33 2009

Copyright (c) 1982, 2007, Oracle. All rights reserved.

XXX11G READ WRITE NO NO
Disconnected from Oracle Database 11g Enterprise Edition Release 11.1.0.6.0 – Production
~~~~~~~

I think use of openssl is very simple and it installed on every unix machine.

I hope this solution will be applicable for you.

Thanks and best regards Eugene

]]> By: Fidelinho http://coskan.wordpress.com/2009/11/30/do-you-check-your-scripts-library/#comment-3853 Wed, 02 Dec 2009 09:23:15 +0000 http://coskan.wordpress.com/?p=688#comment-3853 What do we have is the scripts in a share folder where only two persons can write.
If someone wants to add a file or a modification he/she has to contact those persons.
What “I” am looking for is a “code” organizer (like The Guide) with password protection.
I still have not found exactly what I’m looking for :(

]]> By: coskan http://coskan.wordpress.com/2009/11/30/do-you-check-your-scripts-library/#comment-3852 Tue, 01 Dec 2009 15:49:39 +0000 http://coskan.wordpress.com/?p=688#comment-3852 Thank you for your comments Hemant,

I was thinking about going fully DBA v2 but it is not that easy to leave command lines simplicity. Scary. I wonder if Oracle Security experts check this issue when they do auditing at sites and if they are I wonder what is their advice.

Maybe Pete Finnegan can leave a comment on this issue

]]> By: Hemant K Chitale http://coskan.wordpress.com/2009/11/30/do-you-check-your-scripts-library/#comment-3851 Tue, 01 Dec 2009 15:23:53 +0000 http://coskan.wordpress.com/?p=688#comment-3851 Yes, I do worry about my “scripts” !

It is a scary thought that someone, with malicious intent, could have modified a “standard” script. This would be much easier to do than to modify application code (in whichever language it is written !).

Occassionally, I check a script before executing it. Or at least look at timestamps.
But I don’t think that it is validation enough.

Possibly, this is a reason to go to OEM and have OEM manage all alerts and report ?

Hemant

]]>