Database Security Checklist - Indico

advertisement
Lots of Stuff
Gordon D. Brown
Science & Technology Facilities Council
WLCG Service Reliability Workshop
CERN 26-30 November 2007
Overview
•
•
•
•
•
•
Database Security
Passwords
Database Security Checklist
Host Housekeeping
Grid Control
Backups Overview
• Interactive
• Any questions
WLCG Service Reliability Workshop
2
Database Security
WLCG Service Reliability Workshop
3
Database Security
• Authenticating DBA logins on host
– Operating system (o/s) authentication
– A password file
• For nonsecure remote connections
– Must be authenticated by a password file
• Connecting to database as a privileged user over a local
connection or a secure remote connection in two ways
– If have password file and have been granted the SYSDBA or
SYSOPER system privilege
– If no password file, then operating system authentication,
username of the database administrator in a special group
• OSDBA:. Users in that group are granted SYSDBA privileges
• OSOPER: Users in that group are granted SYSOPER privileges
WLCG Service Reliability Workshop
4
Database Security
• Operating System Authentication
– OSDBA and OSOPER
– The groups are created and assigned specific names as
part of the database installation process.
– If you are not a member of either of these operating
system groups and you attempt to connect as SYSDBA or
SYSOPER, the CONNECT command fails
WLCG Service Reliability Workshop
5
Database Security
• Using Password File Authentication
– To enable authentication of an administrative user using
password file authentication you must do the following:
– If not already created, create the password file using the
ORAPWD utility:
• ORAPWD FILE=filename PASSWORD=password ENTRIES=max_users
• For RAC the environment variable for each instance should
point to the same password file
• Protect password file!
WLCG Service Reliability Workshop
6
Database Security
• Operating system authentication takes precedence over
password file authentication.
• Specifically, if you are a member of the OSDBA or OSOPER group
for the operating system, and you connect as SYSDBA or
SYSOPER, you will be connected with associated administrative
privileges regardless of the username/password that you
specify. i.e.
sqlplus / as sysdba
• If you are not in the OSDBA or OSOPER groups, and you are not
in the password file, then attempting to connect as SYSDBA or
as SYSOPER fails.
WLCG Service Reliability Workshop
7
Database Security
• Setting REMOTE_LOGIN_PASSWORDFILE
– With password file, you must set the initialization parameter
REMOTE_LOGIN_PASSWORDFILE. Values:
• NONE: Database behaves as if password file does not exist.
– No privileged connections are allowed over nonsecure
connections.
• EXCLUSIVE: (default) Used with only one instance of one
database.
– Only an EXCLUSIVE file can be modified
– Enables you to add, modify, and delete users. It also enables you
to change the SYS password with the ALTER USER command.
• SHARED: Used by multiple databases running on the same
server, or multiple instances of a (RAC) database.
– Password file cannot be modified.
– This option is useful if you are administering multiple databases
or a RAC database.
WLCG Service Reliability Workshop
8
Database Security
• Login overview
WLCG Service Reliability Workshop
9
Database Security
• Viewing Password File Members
– V$PWFILE_USERS view to see the users who have been
granted SYSDBA or SYSOPER
• USERNAME: User that is recognized by the password file
• SYSDBA: If TRUE, then the user can log on with SYSDBA
• SYSOPER: if TRUE, then the user can log on with SYSOPER
WLCG Service Reliability Workshop
10
Database Security
• Ensure that internal networks are inside a firewall
• Oracle Advanced Security
– Add on
– Enables data encryption and integrity checking, enhanced
authentication, single sign-on, and support for DCE
– Combines network encryption, database encryption and
strong authentication together to help customers address
privacy and compliance requirements:
WLCG Service Reliability Workshop
11
Database Security
• Transparent Data Encryption
– Protection of stored data by transparently encrypting data
(using 3DES or AES with up to 256 bits) at the column or
tablespace level.
• Network encryption and data integrity
– Supports:
•
•
•
•
RC4 (40, 56, 128, and 256 bits)
DES (40 and 56 bits)
3DES (2 and 3 keys)
AES (128, 192, and 256 bits)
WLCG Service Reliability Workshop
12
Database Security
• Strong authentication
– Two-factor (or "strong") authentication is based on
something the user has (a smart card, token, etc.) and a
PIN or passcode. Supports:
•
•
•
•
Kerberos
RADIUS (Remote Authentication Dial-In User Service)
Secure Sockets Layer (with digital certificates)
PKI
WLCG Service Reliability Workshop
13
Database Passwords
•
•
•
•
Use strong passwords
Try against a password checker
Passwords stored as hashes in database
Cleartext passwords can be typically but not necessarily
found at the following places
–
–
–
–
–
–
–
Server
Shell History files
Unix Scripts
Log Files
Dump Files
Trace Files
Application Server
–
–
–
–
–
–
–
JDBC-Config-Files
Trace Files
DBA Client PC
Desktop-Shortcut
Batch-Files
Tool Configuration files (connections.ini)
Trace Files
WLCG Service Reliability Workshop
14
Database Passwords
• Do not email passwords around
• Where are yours written down?
• Do your machine room staff have them? In
emergency?
• Who actually knows the passwords? A list of
people?
• Who has access to the host (as root? oracle?)
• Credentials often in Grid Control
WLCG Service Reliability Workshop
15
Database Passwords
• We use “pwsafe”
–
–
–
–
Use SSH key to access
Password on pwsafe to use
File replicated across two sites
Usernames and passwords are stored using a unique name
to identify them, normally of the form group.name.
However the group name is optional.
• o/s
<machine name>.<o/s user>
• database users:
<database name>.<user name>
• application express: <apex instance>.<workspace>
WLCG Service Reliability Workshop
16
Database Passwords
• pwsafe
– Showing A Password:
• # pwsafe up <unique name>
– Adding A Password:
• # pwsafe a <unique name>
– Deleting A Password:
• # pwsafe delete <unique name>
• Can add notes too
WLCG Service Reliability Workshop
17
Machine Ports
• Check the Oracle default port list
• Changing the default ports can help to stop simple attacks
but not real portscans.
• In Oracle it is very often not possible to change the default
port because the port is hardcoded.
• At least for the Oracle database (except iasdb) it's is
recommended to change the TNS listener port from
1521/1526 to something else.
• Options include running a local firewall then using something
called SQLNet Proxy to manage the port. Otherwise we could
use Connection Manager.
WLCG Service Reliability Workshop
18
Database Security Checklist
WLCG Service Reliability Workshop
19
Database Security Checklist – Step 1
• Install only what is required
• Oracle Database Installation contains a host of options and
products in addition to the database server.
• Install additional products and options only as necessary.
• Use the custom installation option to avoid installing
unnecessary products or, perform a typical installation, and
then deinstall unrequired options and products.
• It is best practise to know what the database will be used for
so that you can apply only what Oracle products are needed.
WLCG Service Reliability Workshop
20
Database Security Checklist – Step 1
• Common components that you can install with each
database are:
–
–
–
–
–
–
–
–
–
Oracle Data Mining
Oracle Text
Oracle Olap
Oracle Spatial
Oracle Ultra Search
Oracle Label Security
Sample Schemas
Enterprise Manager Repository
Oracle database extensions for .NET
WLCG Service Reliability Workshop
21
Database Security Checklist – Step 1
• None of these are needed to get a database up and running.
They are "extras" to be added for more functionality.
• Check which of these have been installed by running DBCA
• ACTION: Use the instructions below to deinstall any options
on PRODUCTION databases that are not actually used
– Dropping Sample Schemas
– Sample Schemas script directories are located in
$ORACLE_HOME/demo/schema.
– The script xx_drop.sql, where xx is the schema abbreviation,
removes all objects from a particular schema. Run this for
HR/OE/PM/IX/SH/BI schemas.
WLCG Service Reliability Workshop
22
Database Security Checklist – Step 1
• Dropping schemas (cont)
# cd $ORACLE_HOME/demo/schemas
# sqlplus hr/pass
SQL> @human_resources/hr_drop
SQL> exit
# sqlplus oe/pass
SQL> @order_entry/oe_drop
SQL> exit
# sqlplus pm/pass
SQL> @product_media/pm_drop
SQL> exit
WLCG Service Reliability Workshop
23
Database Security Checklist – Step 1
• Dropping schemas (cont)
# sqlplus ix/pass
SQL> @info_exchange/dix_v3.sql
-- ignore any errors
SQL> exit
# sqlplus sh/pass
SQL> @sales_history/sh_drop.sql
-- ignore any errors
SQL> exit
WLCG Service Reliability Workshop
24
Database Security Checklist – Step 1
• Dropping schemas (cont)
• no script to run for BI
• Once this has been done for all the schemas, drop the
users HR/OE/PM/IX/SH/BI.
SQL> drop user <user> cascade;
• Manual de-install of Spatial
• Spatial is installed by default when using DBCA. To deinstall manually follow Metalink Note:179472.1
• Also drop the MDDATA user (the notes miss this
one)
WLCG Service Reliability Workshop
25
Database Security Checklist – Step 2
• Lock and Expire Default User Accounts
• Oracle installs a number of default database server user
accounts.
• On DBCA installation
– most default database user accounts automtically locked and
expireed .
• On MANUAL installation
– no accounts are locked
• The following two slides show a list of Oracle account and
their status that is given AFTER the database is created using
DBCA
• ACTION: Check these accounts are still expired and locked if
not being used.
WLCG Service Reliability Workshop
26
Database Security Checklist – Step 2
WLCG Service Reliability Workshop
27
Database Security Checklist – Step 2
WLCG Service Reliability Workshop
28
Database Security Checklist – Step 3
• Review all database users every 6 months (or more often)
• Contact users and check schemas are still required
– If not export and drop them
• If any further options or Oracle products e.g. Apex, Oracle
Warehouse Builder, HTTP server have been installed, check
they are still required
– If not deinstall them
• Run the Oracle Installer in
$ORACLE_HOME/oui/bin/runInstaller to check if there are any
other Oracle Homes with products in them and deinstall from
there.
• Other products like Oracle Warehouse Builder may have an
alternative de-install process. Check the documentation for
your product.
WLCG Service Reliability Workshop
29
Database Security Checklist – Step 4
• Change default User Passwords
• Unlock ONLY those accounts that need to be accessed on a
regular basis and assign a strong password to each of these
accounts.
– Minimum password of 8 alphanumeric characters.
– Make sure the passwords are different between the users
– Make sure they are also different for any counterpart account on
a production/development/test account.
• This is mandatory for all DBA accounts on the database
– sys, system, sysman, dbsnmp
WLCG Service Reliability Workshop
30
Database Security Checklist – Step 4
• Change passwords with
$ sqlplus / as sysdba
SQL> alter user system identified by ********;
User altered.
SQL>
• Basic password management rules (such as length, history,
complexity etc...) as provided by the database be applied to
all user passwords and that these passwords are changed
periodically.
• ACTION: ensure all passwords are at least 8 random
alphanumeric characters. If change of password is required to
satisfy this, make sure you advise users/arrange appropriate
downtime as an application may need to change it's settings.
WLCG Service Reliability Workshop
31
Database Security Checklist – Step 4
• ACTION: Change SYS, SYSTEM, SYSMAN (on Grid Control DB),
DBSNMP passwords every 6 months. Remember to change
preferred credentials in Grid Control, agent config and pwsafe
(or your wherever you store passwords).
• Changing DBSNMP password
– Change DBSNMP password as above. To tell the agent that the
password has changed, edit the file
$AGENT_HOME/<machine>/sysman/emd/targets.xml and edit
the database target section as follows:
Property NAME="UserName" VALUE="dbsnmp";
Property NAME="password" VALUE="newpass"
ENCRYPTED="FALSE";
• Then stop and start the agent. The password will be
encrypted again when the agent restarts.
WLCG Service Reliability Workshop
32
Database Security Checklist – Step 5
• Enable Data Dictionary Protection
• To prevent regular users that have ANY system privileges e.g.
DROP ANY TABLE being able to use these on the data
dictionary make sure the parameter is
O7_DICTIONARY_ACCESSIBILITY is set to FALSE.
• Action FALSE is the default in 10g but check it anyway
$ sqlplus / as sysdba
SQL> show parameter O7_DICTIONARY_ACCESSIBILITY
NAME
TYPE
VALUE
------------------------------- ------------ ----07_DICTIONAIRY_ACCESSIBILITY
boolean
FALSE
WLCG Service Reliability Workshop
33
Database Security Checklist – Step 5
• If a user does need to access a dictionary view for non
malicious information, they can be granted the "SELECT ANY
DICTIONARY" privilege.
WLCG Service Reliability Workshop
34
Database Security Checklist – Step 6
• Practise the principle of least privilege
• Do not provide users with any more priviliges than are strictly
necessary
• Restrict the following as much as possible:
– The number of SYSTEM and OBJECT privileges granted to
database users
– 2) The number of people who are allowed to make SYS-privileged
connections to the database.
• ACTION: Review the SYSTEM privs (Note most regular users
should only have CREATE SESSION privilege or CONNECT role
assigned (although check CONNECT role only contains
"CREATE SESSION" privilege in DBA_SYS_PRIVS).
WLCG Service Reliability Workshop
35
Database Security Checklist – Step 6
• ACTION: The RESOURCE role (allows creation of tables etc)
should only be assigned on creation of the schema and for
schema changes and then dropped again on production
databases). Drop RESOURCE role from regular users (see
DBA_SYS_PRIVS). Review the contents of the RESOURCE role
in DBA_ROLE_PRIVS.
• ACTION: Also "ANY" privileges should not be assigned as they
allow this user access to objects in all other schemas. Change
ANY system privileges to object privileges e.g. drop SELECT
ANY TABLE and assign ....
WLCG Service Reliability Workshop
36
Database Security Checklist – Step 6
• To check currently assigned system privs
SELECT * from DBA_SYS_PRIVS
WHERE GRANTEE NOT IN ('DBA', 'SYS', 'SYSTEM',
'OEM_MONITOR', 'OEM_ADVISOR', 'IMP_FULL_DATABASE',
'EXP_FULL_DATABASE', 'ORDSYS', 'ORDPLUGINS',
'JAVADEBUGPRIV', 'OUTLN', 'FLOWS_020200', 'FLOWS_030000',
'AQ_ADMINISTRATOR_ROLE', 'CTXSYS', 'EXFSYS', 'XDB',
'APEX_PUBLIC_USER', 'CONNECT', 'RESOURCE', 'DIP',
'SCHEDULER_ADMIN', 'DBSNMP', 'ANONYMOUS', 'WMSYS',
'RECOVERY_CATALOG_OWNER')
ORDER BY GRANTEE, PRIVILEGE;
WLCG Service Reliability Workshop
37
Database Security Checklist – Step 6
• Review and revoke unneccessary privs
– GRANT CONNECT TO <user>;
– REVOKE CREATE PROCEDURE FROM <user>;
– REVOKE RESOURCE FROM <user>;
• To see roles assigned to users
– SELECT * FROM dba_role_privs WHERE USER = 'ADAM';
• ACTION: Review object privs for each regular user and revoke as
necessary
– select * from dba_tab_privs where grantee ='SSO';
• ACTION: Check that only SYS has DBA role
WLCG Service Reliability Workshop
38
Database Security Checklist – Step 6
• Additionally, review the privileges grants to the PUBLIC role as you
may wish to restrict what access this will give to all users.
• Oracle provides execution rights to four packages on the PUBLIC
role that should be removed after installation:
• ACTION: Revoke the execution privilege on PUBLIC to the
packages:
–
–
–
–
UTL_SMTP [EMAIL]
UTL_TCP [Network Connections]
UTL_HTTP [request/retrieve information from HTTP server]
UTL_FILE [access to files outside the DB]
WLCG Service Reliability Workshop
39
Database Security Checklist – Step 6
• Remove with
# sqlplus / as sysdba
SQL> REVOKE EXECUTE ON sys.utl_smtp FROM "PUBLIC";
Revoke succeeded.
SQL> REVOKE EXECUTE ON sys.utl_tcp FROM "PUBLIC";
Revoke succeeded.
SQL> REVOKE EXECUTE ON sys.utl_http FROM "PUBLIC";
Revoke succeeded.
SQL> REVOKE EXECUTE ON sys.utl_file FROM "PUBLIC";
Revoke succeeded.
WLCG Service Reliability Workshop
40
Database Security Checklist – Step 7
• Enforce access controls effectively and authenticate
clients stringently
• Setting the initialization parameter REMOTE_OS_AUTHENT =
FALSE, creates a more secure configuration that enforces
proper, server-based authentication of clients connecting to
an Oracle database.
• You should not alter the default setting of the
REMOTE_OS_AUTHENT initialization parameter, which is FALSE.
Setting this parameter to FALSE does not mean that users
cannot connect remotely. It simply means that the database
will not trust that the client has been already authenticated,
and will therefore apply its standard authentication processes.
WLCG Service Reliability Workshop
41
Database Security Checklist – Step 7
• ACTION: Check parameter REMOTE_OS_AUTHENT is FALSE on
each database instance (all on RAC):
$ sqlplus / as sysdba
SQL> show parameter remote_os_authent
NAME
---------------------remote_os_authent
TYPE
VALUE
--------------------- ----boolean
FALSE
WLCG Service Reliability Workshop
42
Database Security Checklist – Step 8
• Restrict Operating System Access
• Limit the number of operating system users.
• Limit the privileges of the operating system accounts
(administrative, root-privileged or DBA) on the host (physical
machine) to the least privileges needed for the user's tasks.
• ACTION: Check with System Administrator that only default
users have been created and any unused default ones are
locked. Ask them to remove any old users.
• ACTION: Check with System Administrator that the privileges
of OS accounts have the least privileges necessary.
WLCG Service Reliability Workshop
43
Database Security Checklist – Step 8
• ACTION: Check that any database developers have their own
O/S id and are in the osinstall group but not the dba group.
This allows them to access sqlplus but not to log on as
SYSDBA.
• Restricting the ability to modify the default file and directory
permissions for the Oracle Database home (installation)
directory or its contents. Even privileged operating system
users and the Oracle owner should not modify these
permissions, unless instructed otherwise by Oracle.
WLCG Service Reliability Workshop
44
Database Security Checklist – Step 8
• ACTION: Check with System Administrator that no O/S users
can change file/directory permissions of the Oracle Home
• Restricting symbolic links. Ensure that when providing a path
or file to the database, neither the file nor any part of the
path is modifiable by an untrusted user.
• The file and all components of the path should be owned by
the DBA or some trusted account, such as root. This
recommendation applies to all types of files: data files, log
files, trace files, external tables, bfiles, and so on.
• ACTION: Check no symbolic links against data files, log files,
trace files, external tables, bfiles etc
WLCG Service Reliability Workshop
45
Database Security Checklist – Step 9
• Restrict Network Access
• Use a firewall
• Oracle Listener (9i)
– An Oracle Listener running without an established password may be
probed for critical details about the databases on which it is
listening such as trace and logging information, banner information
and database descriptors and service names.
– Restrict the privileges of the listener, so that it cannot read or write
files in the database or the Oracle server address space. This
restriction prevents external procedure agents spawned by the
listener (or procedures executed by such an agent) from inheriting
the ability to do such reads or writes.
WLCG Service Reliability Workshop
46
Database Security Checklist – Step 9
• Oracle Listener
– Prevent online administration by requiring the administrator to have
write privileges on the LISTENER.ORA file
– Use the parameter ADMIN_RESTRICTIONS_listener_name to restrict
runtime administration of the listener. The parameter is useful if the
listener is not password-protected.
– Setting ADMIN_RESTRICTIONS_listener_name=on disables the
runtime modification of parameters in listener.ora. That is, the
listener will refuse to accept SET commands that alter its
parameters.
– To change any of the parameters in listener.ora, including
ADMIN_RESTRICTIONS_listener_name itself, modify the listener.ora
file manually and reload its parameters (with the RELOAD command)
for the new changes to take effect without explicitly stopping and
restarting the listener.
WLCG Service Reliability Workshop
47
Database Security Checklist – Step 9
• ACTION: Add or alter this line in the LISTENER.ORA file
– ADMIN_RESTRICTIONS_LISTENER=ON
Then RELOAD the configuration.
• If you are administering the listener remotely over an insecure
network and require maximum security, configure the listener
with a secure protocol address that uses the TCP/IP with SSL
protocol. If the listener has multiple protocol addresses, ensure
that the TCP/IP with SSL protocol address is listed first in the
listener.ora file.
WLCG Service Reliability Workshop
48
Database Security Checklist – Step 9
• ACTION: Use SSL when administering the listener, by making the
TCPS protocol the first entry in the address list as follows:
LISTENER=
(DESCRIPTION=
(ADDRESS_LIST=
(ADDRESS=
(PROTOCOL=tcps)
(HOST = ed-pdsun1.us.oracle.com)
(PORT = 8281)))
WLCG Service Reliability Workshop
49
Database Security Checklist – Step 9
• For Oracle Database 10g Release 1 and higher the default
authentication mode is local O/S authentication which requires
administrator to be a member of the local dba group.
• Setting a password for the TNS listener in Oracle Database 10g
Release 1 and higher simplifies administration.
• However, setting a password requires good password management
to prevent unauthorized users from guessing the password and
potentially gaining access to privileged listener operations.
• Customers may wish to consider not setting a password for the
TNS listener starting with Oracle Database 10g Release 1.
• ACTION: No need to set a listener password for release 10.1 or
higher but ensure that only the oracle O/S user (or equivalent) is a
member of the dba O/S group (or equivalent)
WLCG Service Reliability Workshop
50
Database Security Checklist – Step 9
• ACTION: Remove the external procedure configuration from the
listener.ora file if you do not intend to use such procedures.
Remove the following
EXTPROC_LISTENER=
(DESCRIPTION=
(ADDRESS=
(PROTOCOL=ipc)(KEY=extproc)))
WLCG Service Reliability Workshop
51
Database Security Checklist – Step 9
• Monitor listener activity
• Authenticating client computers over the Internet is problematic.
Do user authentication instead, which avoids client system issues
that include falsified IP addresses, hacked operating systems or
applications, and falsified or stolen client system identities.
• Configure the connection to use SSL. Using SSL (Secure Sockets
Layer) communication makes eavesdropping unfruitful and enables
the use of certificates for user and server authentication. (requires
OAS??)
WLCG Service Reliability Workshop
52
Database Security Checklist – Step 9
• Consider setting up certificate authentication for clients and
servers such that:
– The organization is identified by unit and certificate issuer and the
user is identified by distinguished name and certificate issuer.
– Applications test for expired certificates.
– Certificate revocation lists are audited
WLCG Service Reliability Workshop
53
Database Security Checklist – Step 9
• ACTION: Check network IP addresses
– Use the Oracle Net valid node checking security feature to allow or
deny access to Oracle server processes from network clients with
specified IP addresses. To use this feature, set the following
protocol.ora (Oracle Net configuration file) parameters:
tcp.validnode_checking = YES
tcp.excluded_nodes = {list of IP addresses}
tcp.invited_nodes = {list of IP addresses}
– The first parameter turns on the feature whereas the latter parameters
respectively deny and allow specific client IP addresses from making
connections to the Oracle listener (This helps in preventing potential
Denial of Service attacks).
WLCG Service Reliability Workshop
54
Database Security Checklist – Step 9
• Encrypt network traffic
– If possible, use Oracle Advanced Security to encrypt network traffic
between clients, databases, and application servers.
• Harden the operating system
– disabling all unnecessary operating system services.
– Both UNIX and Windows platforms provide a variety of operating
system services, most of which are not necessary for most
deployments. Such services include FTP, TFTP, TELNET, and so forth.
– Be sure to close both the UDP and TCP ports for each service that is
being disabled. Disabling one type of port and not the other does not
make the operating system more secure.
– See your friendly local system administrator
WLCG Service Reliability Workshop
55
Database Security Checklist – Step 10
• Apply all security patches
• Always apply all relevant and current security patches for both
the operating system on which Oracle Database resides and
Oracle Database itself, and for all installed Oracle Database
options and components.
• Periodically check the security site on Oracle Technology
Network for details on security alerts released by Oracle
Corporation at
http://www.oracle.com/technology/deploy/security/alerts.htm
WLCG Service Reliability Workshop
56
Database Security Checklist – Step 10
• Also check Oracle Worldwide Support Service site, Metalink,
for details on available and upcoming security-related patches
at http://metalink.oracle.com
• ACTION: Check with System Administrator re outstanding OS
security patches and apply
• ACTION: Install Oracle Critical Patch updates as soon as
possible after release
WLCG Service Reliability Workshop
57
Database Security Checklist – Step 11
• Contact Oracle Security products if you come across a
vulnerability in Oracle Database
• If you believe that you have found a security vulnerability in
Oracle Database, then submit a Service Request to Oracle
Worldwide Support Services using Metalink, or e-mail a
complete description of the problem, including product
version and platform, together with any exploit scripts and
examples to the following address: secalert_us@oracle.com
WLCG Service Reliability Workshop
58
Database Security Checklist – Other Steps
• Policies in Enterprise Manager
– Each target should be checked to make sure it complies with all
security polices for host, database and cluster instances, listener
and other targets where appropriate.
• ACTION: Go to Grid Control, click on Compliance | Policy
Violations. Correct any security violations for your system
including Host, Cluster Database, Database Instance and
Listener targets.
WLCG Service Reliability Workshop
59
Database Security Checklist – Other Steps
• Personal Data (from HBI audit)
– If the database schema contains Personal data it must comply to
the Data Protection Act.
– Define Personal Data - what are the rules of compliance?
• Sensitive Data (from HBI audit)
– If the database schema contains Sensitive data it must comply to
the Data Protection Act.
– Define Sensitive Data - what are the rules of compliance?
WLCG Service Reliability Workshop
60
Database Auditing
• Audit any object
NAME
---------------audit_file_dest
audit_sys_operations
audit_trail
VALUE
-----/opt/oracle/app/oracle/admin/ngsdb/adump
FALSE
DB
• See dba_audit_* tables
• There is an AUDIT privilege
• Logins/logouts stored in dba_audit_session
WLCG Service Reliability Workshop
61
Database Auditing
• Check logins
SET LINESIZE 120;
COL username FORMAT a15
COL terminal FORMAT a15
COL logon_time FORMAT a25
COL logoff_time FORMAT a25
COL action_name FORMAT a20
COL returncode FORMAT 9999
SELECT username,
terminal,
action_name,
TO_CHAR(timestamp,'DD-MON-YYYY HH24:MI:SS') logon_time,
TO_CHAR(logoff_time,'DD-MON-YYYY HH24:MI:SS') logoff_time,
returncode
FROM
dba_audit_session
WHERE ROWNUM < 16
ORDER BY logoff_time DESC;
WLCG Service Reliability Workshop
62
Database Auditing
• Check logins
WLCG Service Reliability Workshop
63
Database Auditing
• O/S logins monitored in ora_<pid>.aud files
Audit file /opt/oracle/app/oracle/admin/<host>/adump/ora_22155.aud
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Production
With the Partitioning, Real Application Clusters, OLAP and Data Mining options
ORACLE_HOME = /opt/oracle/app/oracle/product/10.2.0
System name:
Linux
Node name: <hostname>
Release:
2.6.9-55.0.2.ELsmp
Version:
#1 SMP Tue Jun 12 17:59:08 EDT 2007
Machine:
i686
Instance name: <instance name>
Redo thread mounted by this instance: 1
Oracle process number: 76
Unix process pid: 22155, image: oracle@<hostname> (TNS V1-V3)
Wed Nov 28 20:54:00 2007
ACTION : 'CONNECT'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/0
STATUS: 0
WLCG Service Reliability Workshop
64
Host Security
• Use ssh key pairs
– Update /etc/ssh/sshd_config where you can say that you do
not want to allow password authentication
PasswordAuthentication yes
to
PasswordAuthentication no
then restart the ssh daemon
/etc/init.d/sshd restart
– After that change you need to have your public ssh key in the
~/.ssh/authorized_keys file for any user that you would like
to log in as.
WLCG Service Reliability Workshop
65
Other Security
• Do not leave host names or database names in presentations
etc
• Google your hosts (or will that then go in their cache?)
• Lock your computer when you’re away
• Don’t leave putty or “screen” sessions open
• Speak to your security officer if in any doubt
• Arrange a security audit
WLCG Service Reliability Workshop
66
Host Housekeeping
Managing Your Environment
WLCG Service Reliability Workshop
67
Host Housekeeping
• Log files can grow to large sizes and be difficult to view or
take up too much space
• We have developed script to purge them
– Runs through Grid Control
• Make sure files are backed up first if you need them
• Balance between history and space
WLCG Service Reliability Workshop
68
Host Housekeeping
function rmfiles {
DIR=$1
DESC=$2
DAYS=$3
if [ -d $DIR ]
then
echo ` `
echo "Checking ${DESC}: ${DIR}"
echo "Removing files/directories older than: $DAYS days"
# The * stops find deleting the directory itself
echo `find ${DIR}/* -mtime +$DAYS | wc -l` files or directories
# This lists the files/dirs to delete
find ${DIR}/* -mtime +$DAYS
# then deletes them
find ${DIR}/* -mtime +$DAYS -exec rm -rf {} \;
else
echo "Directory $DIR does not exist on this server"
fi
}
WLCG Service Reliability Workshop
69
Host Housekeeping
echo "Housekeeping files"
date +\%d\%m\%y_\%H\%M\%S
echo `date`
OBASE=/opt/oracle/ora01/app/oracle
OHOME=$OBASE/OracleHomes/10.2.0/db_1
AGHOME=/opt/oracle/ora01/app/oracle/OracleHomes/oms10g/agent10g
# For RAC
CRSHOME=/opt/oracle/crs/oracle/product/10/app
# For HTTP server installations
HTTPHOME=/opt/oracle/ora01/app/oracle/OracleHomes/oms10g/oms10g
# For Grid Control installations
OMSHOME=/opt/oracle/ora01/app/oracle/OracleHomes/oms10g/oms10g
WLCG Service Reliability Workshop
70
Host Housekeeping
rmfiles "$OBASE/admin/$ORACLE_SID/bdump" "BACKGROUND dump destination" 120
rmfiles "$OBASE/admin/$ORACLE_SID/cdump" "CORE dump destination" 31
rmfiles "$OBASE/admin/$ORACLE_SID/dpdump" "DATA PUMP destination" 31
rmfiles "$OBASE/admin/$ORACLE_SID/udump" "USER dump destination" 31
rmfiles "$OBASE/admin/$ORACLE_SID/adump" "AUDIT destination" 31
rmfiles "$OBASE/admin/$ORACLE_SID/hdump" "HIGH AVAILABILITY tracefile
destination" 31
rmfiles "$OHOME/admin/+ASM/bdump" "ASM BACKGROUND dump destination" 31
rmfiles "$CRSHOME/log/`hostname -s`/client" "CRS client logs" 31
rmfiles "$AGHOME/`hostname`/sysman/log" "AGENT logs" 31
rmfiles "$AGHOME/sysman/log" "AGENT logs" 31
rmfiles "$HTTPHOME/Apache/Apache/logs" "HTTP SERVER logs" 31
rmfiles "$OMSHOME/opmn/logs" "OMS opmn logs" 31
rmfiles "$OMSHOME/sysman/log" "OMS sysman logs" 31
WLCG Service Reliability Workshop
71
Host Housekeeping
Housekeeping files 291107_074653 Thu Nov 29 07:46:53 GMT 2007
Checking BACKGROUND dump destination:
/opt/oracle/ora01/app/oracle/admin/mercury/bdump
Removing files/directories older than: 120 days
1 files or directories
/opt/oracle/ora01/app/oracle/admin/mercury/bdump/alert_mercury.log.200
70731
Checking CORE dump destination:
/opt/oracle/ora01/app/oracle/admin/mercury/cdump
Removing files/directories older than: 31 days
find: /opt/oracle/ora01/app/oracle/admin/mercury/cdump/*: No such file
or directory 0 files or directories
.
.
Completed Thu Nov 29 07:46:55 GMT 2007
WLCG Service Reliability Workshop
72
WLCG Service Reliability Workshop
73
WLCG Service Reliability Workshop
74
WLCG Service Reliability Workshop
75
WLCG Service Reliability Workshop
76
WLCG Service Reliability Workshop
77
WLCG Service Reliability Workshop
78
Alert Log Maintenance
• Script keeps alert log to a managable size
• Allows file to be emailed daily
#!/bin/bash
BDUMP=/opt/oracle/app/oracle/admin/ogma/bdump
# This script will move and rename the current alert.log by
adding the date as the extension
# GDB 08-OCT-2004
# Email the log
cat $BDUMP/alert_ogma1.log | mail -s "Oracle: ogma1 alert log
for `date`" db_admins
# Rename the log
CURRDATE=`date '+%Y%m%d'`
cp $BDUMP/alert_ogma1.log $BDUMP/alert_ogma1.log.$CURRDATE
cat /dev/null > $BDUMP/alert_ogma1.log
WLCG Service Reliability Workshop
79
Alert Log Maintenance
• Run daily from cron
0 8 * * * /home/oracle/mercury/alert.sh >/dev/null 2>&1
• Emailed to group
– Details in /home/oracle/.mailrc file
alias db_admins databaseservices@rl.ac.uk
WLCG Service Reliability Workshop
80
Alert Log Maintenance
• Keeps alert logs small and easy to find
-rw-r-----rw-r-----rw-r-----rw-r-----rw-r-----rw-r-----rw-r-----rw-r-----rw-r-----rw-r-----
1
1
1
1
1
1
1
1
1
1
oinstall
oinstall
oinstall
oinstall
oinstall
oinstall
oinstall
oinstall
oinstall
oinstall
35347
35449
35654
35974
36269
36539
34669
35014
35465
0
Nov
Nov
Nov
Nov
Nov
Nov
Nov
Nov
Nov
Nov
20
21
22
23
24
25
26
27
28
28
08:00
08:00
08:00
08:00
08:00
08:00
08:00
08:00
08:00
08:00
alert_ogma1.log.20071120
alert_ogma1.log.20071121
alert_ogma1.log.20071122
alert_ogma1.log.20071123
alert_ogma1.log.20071124
alert_ogma1.log.20071125
alert_ogma1.log.20071126
alert_ogma1.log.20071127
alert_ogma1.log.20071128
alert_ogma1.log
WLCG Service Reliability Workshop
81
Host Housekeeping
• Directory Structure
–
–
–
–
–
–
–
–
–
–
/opt/oracle/product/10.2.0/db_1 # oracle database home
/opt/oracle/product/10.2.0/client_1 # oracle client home
/opt/oracle/product/10.2.0/agent_1 # oracle agent home
/opt/oracle/product/10.2.0/crs # oracle clusterware home
/opt/oracle/oraInventory # oracle inventory
/opt/oracle/archive/<sid> # archives if not using ASM
/opt/oracle/backup/<sid> # backups
/opt/oracle/oradata/<sid> # data if not using ASM
/opt/oracle/admin/<sid> # logs and alerts
/opt/oracle/flash_recovery_area/<sid> # flash recovery area if
used
WLCG Service Reliability Workshop
82
Host Housekeeping
• All database, environment and schema scripts should be kept
under /home/oracle
• The /home/oracle directory should be the home directory for
the unix user oracle
• In /home/oracle the following scripts should be available:
– ora10<database name>.sh # Script to set database SID
– ora10asm.sh # Script to set ASM SID
– ora10common.sh # Script to set common environment variables
• Scripts should use LOGIN_PATH and LOGIN_LD_LIBRARY_PATH
environment variables so that ora10 scripts can be run more
than once in a session and the variables PATH and
LD_LIBRARY_PATH to not grow to big by adding themselves to
their new definition
WLCG Service Reliability Workshop
83
Host Housekeeping
• Summary of environment files
[oracle@lcgdb01 ~]$ l ora*
-rwxrwxrwx 1 oinstall
43
-rwxrwxrwx 1 oinstall 302
-rwxrwxrwx 1 oinstall 5114
-rwxrwxrwx 1 oinstall 552
-rwxrwxrwx 1 oinstall
55
-rwxrwxrwx 1 oinstall 298
May
May
Mar
May
Aug
Sep
18 2006 ora10asm.sh
22 2006 ora10agent_cern.sh
29 2007 orahousekeep.sh
22 2007 ora10common.sh
8 10:00 ora10ogma.sh
12 15:32 ora10agent_cclrc.sh
WLCG Service Reliability Workshop
84
Host Housekeeping
• ora10common.sh
# clusterware
export CRS_HOME=/opt/oracle/crs/oracle/product/10/app
# oracle
export ORACLE_BASE=/opt/oracle/app/oracle
export ORACLE_HOME=$ORACLE_BASE/product/10.2.0
export
PATH=$PATH:$ORACLE_HOME/bin:$ORACLE_HOME/OPatch:$ORACLE_HOME/jdk/bi
n:$CRS_HOME/bin
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib
# sqlplus
export EDITOR=vi
export ORA_NLS10=$ORACLE_HOME/nls/data
export NLS_LANG="english_united kingdom.AL32UTF8"
export NLS_DATE_FORMAT="DD-MON-YYYY HH24:MI:SS"
export RMAN="$ORACLE_HOME/bin/rman target / catalog
rman/<password>@rcat"
WLCG Service Reliability Workshop
85
Host Housekeeping
• ora10ogma.sh
/home/oracle/ora10common.sh
export ORACLE_SID=ogma1
WLCG Service Reliability Workshop
86
Host Housekeeping
• ora10asm.sh
/home/oracle/ora10common.sh
export ORACLE_SID=+ASM1
WLCG Service Reliability Workshop
87
Host Housekeeping
• Agent environment script: ora10agent_cclrc.sh
export ORACLE_BASE=/opt/oracle/app/oracle
export ORACLE_HOME=$ORACLE_BASE/agent10g
export AGENT_HOME=$ORACLE_BASE/agent10g
unset ORACLE_SID
export
PATH=$PATH:$ORACLE_HOME/lcgdb01.gridpp.rl.ac.uk/bin:$OR
ACLE_HOME/OPatch:$ORACLE_HOME/jdk/bin
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib
WLCG Service Reliability Workshop
88
Host Housekeeping
• Agent environment script: ora10agent_cern.sh
export ORACLE_BASE=/opt/oracle/app/oracle
export ORACLE_HOME=$ORACLE_BASE/agent10g_CERN/agent10g
export AGENT_HOME=$ORACLE_BASE/agent10g_CERN/agent10g
unset ORACLE_SID
export
PATH=$PATH:$ORACLE_HOME/bin:$ORACLE_HOME/OPatch:$ORACLE
_HOME/jdk/bin
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib
WLCG Service Reliability Workshop
89
Host Housekeeping
• Agent environment scripts
– Check you are using the right emctl
– which emctl
• Check status with emctl status agent
• Check files are uploading
• Automatically start on host boot
WLCG Service Reliability Workshop
90
Documentation
• System documentation
– versions, hosts, databases, users, patch versions
• wiki
– Who can access?
• Disaster Recovery
• Contacts
• Standard Operating Procedures
– startups, shutdown, user alerts
• Do you know who to ring/email in an emergency?
• Do you know what to without power/telephones?
WLCG Service Reliability Workshop
91
Grid Control
WLCG Service Reliability Workshop
92
WLCG Service Reliability Workshop
93
Grid Control
• Secure agent upload
• The agents as to be secured against the OMS before they can
be upgrade via grid control.
– ./emctl secure agent
• To secure the agent you need a registration password from
the OMS. Which you can obtain or add one to use for a one off registration
• Go to Grid Vontrol setup page and then click-on registration
password link.
WLCG Service Reliability Workshop
94
Always set Target Properties
target properties
WLCG Service Reliability Workshop
95
Target Properties found in Target Home
WLCG Service Reliability Workshop
96
There is workaround for missing button!
WLCG Service Reliability Workshop
97
Check alerts - Critical
WLCG Service Reliability Workshop
98
Check alerts - Warning
WLCG Service Reliability Workshop
99
Check alerts - Errors
WLCG Service Reliability Workshop
100
Set Credentials
WLCG Service Reliability Workshop
101
Setup Email Alerts
email alerts
WLCG Service Reliability Workshop
102
Setup Templates
WLCG Service Reliability Workshop
103
Setup Metric Thresholds
WLCG Service Reliability Workshop
104
Backups
WLCG Service Reliability Workshop
105
Backups
•
•
•
•
•
Backup details stored centrally
Common scripts
One connection from all machines
Version has to be newest
Setup at RAL:
– Dedicated server
– Cold backups
WLCG Service Reliability Workshop
106
Backups – RMAN Catalog
• Jobs in crontab on each database
# RMAN
30 1 *
30 1 *
30 3 *
Schedules follow here
* 1 /home/oracle/rmanfulback.sh mars rman <password> rcat >/dev/null 2>&1
* 2-7 /home/oracle/rmanincback.sh mars rman <password> rcat >/dev/null 2>&1
* * /home/oracle/rmanvalidate.sh mars rman <password> rcat >/dev/null 2>&1
WLCG Service Reliability Workshop
107
Backups – Full Backup Script (1)
#!/bin/ksh
#
####################################################################
#
# THE INPUT PARAMETERS ARE :
#
# $1
- Target DB
# $2
- RMAN owner
# $3
- RMAN password
# $4
- RMAN DB
#
# Script to backup archived redo log files
#
####################################################################
#
# Check arguments
#
if [[ $# -ne 4 ]]
then
echo "$0 Error on $HOST: \nUsage: $0 TARGET_DB RMAN_OWNER RMAN_PWD RMAN_DB"
exit 1
fi
WLCG Service Reliability Workshop
108
Backups – Full Backup Script (2)
###################
# RMAN variables #
###################
#
export SID=$1
export RMAN_OWNER=$2
export RMAN_PWD=$3
export RMAN_DB=$4
export LOGIN_PATH=$PATH
export LOGIN_LD_LIBRARY_PATH=$LD_LIBRARY_PATH
. /home/oracle/ora10$SID.sh
export HBlog=/home/oracle/$SID/rmanlogs/fulback${SID}.`date +%d%m%y%H%M%S`.log
echo $HBlog
export emailsub=$HOSTNAME.$ORACLE_SID..Backup.Failure
WLCG Service Reliability Workshop
109
Backups – Full Backup Script (3)
rman target / catalog ${RMAN_OWNER}/${RMAN_PWD}@${RMAN_DB} log \"${HBlog}\" << SQL
show all;
run {
backup incremental level 0 database plus archivelog delete input;
}
report obsolete;
delete noprompt obsolete;
list backup;
Exit
SQL
oraerror=`cat $HBlog | grep "ORA-"`
rmanerror=`cat $HBlog | grep "RMAN-"`
echo $oraerror
echo $rmanerror
if [ -z "$oraerror" -a -z "$rmanerror" ]
then
echo "No Errors"
else
echo "Errors Found !!!!"
cat $HBlog |mailx -s $emailsub databaseservices@stfc.ac.uk
fi
WLCG Service Reliability Workshop
110
Backups – Level 1 Backup Script
show all;
run {
backup incremental level 1 database plus archivelog
delete input;
}
report obsolete;
delete noprompt obsolete;
list backup;
exit
WLCG Service Reliability Workshop
111
Backups – Archive Logs Backup Script
show all;
run {
backup archivelog all delete input;
}
report obsolete;
delete noprompt obsolete;
list backup;
exit
WLCG Service Reliability Workshop
112
Backups – RMAN Sync Script
• Run through OEM
show all;
run {
resync catalog;
}
list backup;
exit
WLCG Service Reliability Workshop
113
Backups – Restore Validate Script
show all;
run {
restore validate database archivelog all;
}
list backup;
exit
WLCG Service Reliability Workshop
114
Backup Job in Grid Control
WLCG Service Reliability Workshop
115
Backups – Backup Report by Email (1)
Latest Database Backup Times
Database
-----------------------ATLASDLF
ATLSTAGE
CASTORP
CASTORT
CMSDLF
.
.
MINERVA
STAGERDB
VENUS
WARHORSE
WARHORSE
DBID
---------4091293823
819435209
2263675954
2415163970
1227029095
Latest Backup
Bytes Processed Seconds Taken
----------------------------- --------------- ------------26-NOV-2007 23:44:39
6021971968
3850
27-NOV-2007 00:54:13
85770240
56
27-NOV-2007 00:31:40
12722176
26
16-NOV-2007 00:31:39
23625728
28
26-NOV-2007 21:11:42
3530555392
2098
Backup Type
--------------------DB INCR
DB INCR
DB INCR
DB INCR
DB INCR
402814294
1089287619
2579470848
780645177
792067278
26-NOV-2007
26-NOV-2007
26-NOV-2007
26-NOV-2007
27-NOV-2007
DB
DB
DB
DB
DB
22:24:11
22:31:57
22:17:14
18:47:06
00:46:17
6494879744
164298752
3631218688
127975424
7471104
4843
91
2679
82
9
INCR
INCR
INCR
INCR
INCR
23 rows selected.
--------------------------------------------------------------------------------------------------------------------The Following Databases have not been backed up in the last 24 hours
DB_NAME
-----------------------CASTORT
WLCG Service Reliability Workshop
116
Backups – Backup Report by Email (2)
Latest Restore Validate Runs
Database
-----------------------VENUS
ATLASDLF
LHCBSTAG
MERCURY
.
.
WARHORSE
SETH
CASTORP
HEKATE
CMSDLF
CASTORT
MARS
LHCBDLF
DBID
---------2579470848
4091293823
3505332007
344759533
Latest Restore Validate
----------------------------27-NOV-2007 01:11:22
27-NOV-2007 04:38:24
27-NOV-2007 02:50:41
27-NOV-2007 06:42:30
792067278
2382003523
2263675954
3791789259
1227029095
2418831922
1068316094
2704015590
27-NOV-2007
27-NOV-2007
27-NOV-2007
27-NOV-2007
27-NOV-2007
27-NOV-2007
27-NOV-2007
27-NOV-2007
02:46:54
02:07:17
03:32:05
00:04:33
00:19:53
02:34:26
04:48:05
03:06:59
24 rows selected.
-------------------------------------------------------------------------------------------------------The Following Databases have not had a Validate in the last 24 hours
no rows selected
WLCG Service Reliability Workshop
117
Backups – Email Script
####################################################################
#
# This script Produces Backup Reports to be sent to the DBAs
#
# Amendments :
#
AJW - 15/05/2007 initial construction
#
####################################################################
# set the rcat environment
. /home/oracle/ora10rcat.sh
sqlplus / as sysdba <<-!!
@/home/oracle/rmanrep1.sql
exit
!!
export emailsub=Backup.Report.`date +%d%m%y%H%M%S`
echo $emailsub
cat /home/oracle/rmanrep1.txt |mailx -s $emailsub databaseservices@stfc.ac.uk
WLCG Service Reliability Workshop
118
Backups – Email SQL
spool /home/oracle/rmanrep1.txt;
set line 120
set pagesize 999
/* get list of latest database backup times */
select a.db_name "Database",
db.dbid "DBID",
a.end_time "Latest Backup",
a.output_bytes "Bytes Processed",
(end_time - start_time) * 60 * 60 * 24 "Seconds Taken"
from rman.rc_rman_status a, rman.rc_database db
where object_type in ('DB FULL','DB INCR')
and status = 'COMPLETED'
and operation = 'BACKUP'
and end_time = (select max(end_time) from rman.rc_rman_status b
where b.db_name = a.db_name
and b.db_key = a.db_key
and object_type in ('DB FULL','DB INCR')
and status = 'COMPLETED'
and operation = 'BACKUP')
and db.db_key = a.db_key
order by end_time ;
WLCG Service Reliability Workshop
119
Backups – Catalog Backup Script
${ORACLE_HOME}/bin/rman target / nocatalog log \"${HBlog}\" <<
SQL
show all;
shutdown immediate
startup mount;
backup database;
startup;
report obsolete;
delete noprompt obsolete;
list backup;
exit
WLCG Service Reliability Workshop
120
Backups – RMAN Configuration
RMAN> show all;
RMAN configuration parameters are:
CONFIGURE RETENTION POLICY TO REDUNDANCY 2;
CONFIGURE BACKUP OPTIMIZATION ON;
CONFIGURE DEFAULT DEVICE TYPE TO DISK;
CONFIGURE CONTROLFILE AUTOBACKUP ON;
CONFIGURE CONTROLFILE AUTOBACKUP FORMAT FOR DEVICE TYPE DISK TO
'/opt/oracle/backup/mars/%F.bak';
CONFIGURE DEVICE TYPE DISK BACKUP TYPE TO COMPRESSED BACKUPSET PARALLELISM 1;
CONFIGURE DATAFILE BACKUP COPIES FOR DEVICE TYPE DISK TO 1;
CONFIGURE ARCHIVELOG BACKUP COPIES FOR DEVICE TYPE DISK TO 1;
CONFIGURE CHANNEL DEVICE TYPE DISK MAXPIECESIZE 100 M FORMAT
'/opt/oracle/backup/mars/mars_%U.bak';
CONFIGURE MAXSETSIZE TO UNLIMITED;
CONFIGURE ENCRYPTION FOR DATABASE OFF;
CONFIGURE ENCRYPTION ALGORITHM 'AES128';
CONFIGURE ARCHIVELOG DELETION POLICY TO NONE;
CONFIGURE SNAPSHOT CONTROLFILE NAME TO
'/opt/oracle/app/oracle/product/10.2.0/dbs/snapcf_mars1.f';
WLCG Service Reliability Workshop
121
Backups - Summary
• We run backup jobs through crontab
• Resync and Email job through OEM
• Archive Logs backup job could be run automatically as oem
job when area 70% full (for example)
• Keep it simple, keep it documented
WLCG Service Reliability Workshop
122
Questions & (hopefully) Answers
g.d.brown@rl.ac.uk
WLCG Service Reliability Workshop
123
Download