How to check a remote Oracle policy configuration from a Linux terminal

Published: 2019-Mar-22
The previous post, "How to check a remote host's policy configuration from a Linux terminal", covered checking a remote host's policy configuration from a Linux terminal. This post continues with how to check a remote Oracle policy configuration from a Linux terminal. The environment is the same as described in the previous post, so let's get to the point.

First, here is a record from one of my checks; a few small tricks can be found in it.

    [root@byhis01 ~]# su - oracle
    oracle@byhis01:~$ sqlplus /nolog
    SQL*Plus: Release 10.2.0.1.0 - Production on Sat Oct 12 16:56:34 2013
    Copyright (c) 1982, 2005, Oracle. All rights reserved.
    SQL> conn / as sysdba;
    ERROR:
    ORA-12545: Connect failed because target host or object does not exist

The log above shows that I switched from root to the oracle user and ran sqlplus without trouble, but the conn / as sysdba command failed. If you are not familiar with the error message, the first reaction is that the database has OS authentication disabled, so a database username and password are required to log in. Next we verify whether the database has OS authentication disabled. The $ORACLE_HOME/network/admin/sqlnet.ora configuration is as follows:

    -bash-3.2$ more $ORACLE_HOME/network/admin/sqlnet.ora
    SQLNET.INBOUND_CONNECT_TIMEOUT=0
    NAMES.DIRECTORY_PATH=(TNSNAMES)
    TCP.VALIDNODE_CHECKING = YES
    TCP.INVITED_NODES=(192.168.1.43,192.168.1.7,192.168.1.2,192.168.1.3,192.168.1.4)
    # TCP.EXCLUDED_NODES= ()

As shown above, the sqlnet.ora file does not contain SQLNET.AUTHENTICATION_SERVICES, the setting related to OS authentication, so the database has not disabled OS authentication. Since OS authentication is not disabled, why did the login fail? The error message in fact tells us that the connection failed because the target host or object does not exist. That points to another cause: oracle is not the user that installed and started the database. We can determine this by looking at the system's processes. The log is as follows:

    oracle@his01:~$ ps -ef|grep ora_
    orasrv 2717 1 0 Sep17 ? 00:06:14 ora_pz99_orcl1
    orasrv 6243 1 0 Sep17 ? 00:13:56 ora_j000_orcl1
    oracle 6269 4909 0 16:57 pts/9 00:00:00 grep ora_
    orasrv 7128 1 0 Sep04 ? 00:46:14 ora_pmon_orcl1
    orasrv 7132 1 0 Sep04 ? 00:00:39 ora_diag_orcl1
    orasrv 7143 1 0 Sep04 ? 00:00:06 ora_psp0_orcl1
    orasrv 7149 1 0 Sep04 ? 00:20:13 ora_lmon_orcl1
    orasrv 7155 1 0 Sep04 ? 00:26:36 ora_lmd0_orcl1
    orasrv 7157 1 0 Sep04 ? 01:10:43 ora_lms0_orcl1
    orasrv 7173 1 0 Sep04 ? 00:00:13 ora_mman_orcl1
    orasrv 7191 1 0 Sep04 ? 00:42:22 ora_dbw0_orcl1
    orasrv 7195 1 0 Sep04 ? 00:41:33 ora_dbw1_orcl1
    orasrv 7197 1 0 Sep04 ? 00:49:17 ora_lgwr_orcl1
    orasrv 7199 1 0 Sep04 ? 00:11:13 ora_ckpt_orcl1
    orasrv 7201 1 0 Sep04 ? 00:04:17 ora_smon_orcl1
    orasrv 7203 1 0 Sep04 ? 00:00:01 ora_reco_orcl1
    orasrv 7206 1 0 Sep04 ? 00:11:18 ora_cjq0_orcl1
    orasrv 7208 1 0 Sep04 ? 00:00:24 ora_mmon_orcl1

The log shows that the user running the current Oracle processes is not oracle but orasrv. In fact, the system information also gives some hints.

    [sysroot@his01 ~]$ more /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:/sbin/nologin
    daemon:x:2:2:daemon:/sbin:/sbin/nologin
    adm:x:3:4:adm:/var/adm:/sbin/nologin
    lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
    sync:x:5:0:sync:/sbin:/bin/sync
    shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
    nfsnobody:x:65534:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
    sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
    sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
    oracle:x:100:101::/usr/local/oracle:/bin/bash
    orasrv:x:116:101:orasrv:/df8003/rdbm/orasrv:/bin/bash
    sysroot:x:500:500::/home/sysroot:/bin/bash

From the above, there are currently two database users, oracle and orasrv. So when something goes wrong under the oracle user, it is natural to ask whether it has to do with the orasrv user.

Now another small trick. At this point only the root password is known; the passwords of oracle and orasrv are not. How do you switch from the oracle user to the orasrv user? The answer is to su from oracle to root first, entering the password, and then su to orasrv. Because going from root to orasrv is a switch from a higher-privileged user to a lower-privileged one, no password is needed. As shown below:

    oracle@byhis01:~$ su - root
    Password:
    [root@byhis01 ~]# su - orasrv
    -bash-3.2$

After that, OS authentication succeeds, and you can log in to the database in the sysdba role without the sys user's password.

    -bash-3.2$ sqlplus /nolog
    SQL*Plus: Release 10.2.0.4.0 - Production on Sat Oct 12 16:58:22 2013
    Copyright (c) 1982, 2007, Oracle. All Rights Reserved.
    SQL> conn / as sysdba;
    Connected.

Now to the main topic: how to check the Oracle database policy configuration from a Linux terminal.

oraclescript.txt

    set echo on;
    spool oracle.txt
    set linesize 512;
    set pagesize 1024;
    -- database identity and archive mode
    select * from global_name;
    archive log list;
    -- accounts, account status and the DEFAULT profile (password policy)
    select username,profile from dba_users;
    select username,account_status from dba_users;
    select * from dba_profiles where profile='DEFAULT';
    -- control files, redo logs and archived logs
    select name,status from v$controlfile;
    select group#,status,member from v$logfile;
    select name from v$archived_log;
    -- account names and password hashes from the data dictionary
    select name,password from user$;
    select tablespace_name,sum(bytes)/1024/1024 from dba_data_files group by tablespace_name;
    select tablespace_name,sum(bytes)/1024/1024 from dba_free_space group by tablespace_name;
    -- initialization parameters relevant to auditing and authentication
    show parameter;
    show parameter audit;
    show parameter os_auth;
    show parameter remote_login_passwordfile;
    -- the parameter name starts with the letter O, not the digit 0
    show parameter O7_DICTIONARY_ACCESSIBILITY;
    -- roles and privileges, including what is granted to PUBLIC
    select granted_role from dba_role_privs where grantee='PUBLIC';
    select grantee,privilege,admin_option from dba_sys_privs;
    select grantee,granted_role,default_role from dba_role_privs;
    select grantee||' '||owner||'.'||table_name from dba_tab_privs where grantee='PUBLIC' and table_name like 'UTL_%';
    select grantee||' '||owner||'.'||table_name from dba_tab_privs where grantee='PUBLIC' and table_name like 'DBMS_%';
    select username,account_status,default_tablespace,temporary_tablespace,profile from dba_users order by username;
    select profile,resource_name,resource_type,limit from dba_profiles order by profile;
    -- storage
    select tablespace_name,sum(bytes)/1024/1024 as FreeSize from dba_free_space group by tablespace_name order by tablespace_name;
    select tablespace_name,status,contents,logging from dba_tablespaces order by tablespace_name;
    select status||' '||name from v$controlfile;
    select group#,status from v$log;
    select group#||' '||status||' '||member from v$logfile order by group#;
    select name||' '|| value from v$parameter where name like '%archive%';
    select stamp ||' '||name from v$archived_log order by stamp;
    -- sessions and wait events
    select sid||':'||serial#||':'||username||':'||command||':'||status||':'||program from v$session;
    select event||' '||sum(seconds_in_wait) from v$session_wait group by event order by sum(seconds_in_wait) desc;
    select wait_class||' '||sum(total_waits) ||' '||sum(time_waited) as timeWaited from v$system_wait_class group by wait_class order by wait_class;
    spool off

The key points of this script are:

1. The first command, set echo on, is essential: without it, the final check results contain only the output of the commands and not the commands that were run, which gets very confusing.
2. The oracle.txt file named in spool oracle.txt is stored under the $ORACLE_HOME directory by default.
3. Always remember to finish with spool off to end spool's recording.

Then check some of the database configuration files:

    cat $ORACLE_HOME/rdbms/admin/utlpwdmg.sql
    cat $ORACLE_HOME/network/admin/sqlnet.ora
    cat $ORACLE_HOME/network/admin/listener.ora

Finally, copy out Oracle's alert log with scp and analyze the Oracle error messages.

This article has listed the command script for Oracle checks used in risk assessment. I hope it is useful to everyone.
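The two manual checks from the troubleshooting part above (is SQLNET.AUTHENTICATION_SERVICES set in sqlnet.ora, and which OS user owns the running instance) can be scripted. This is an added example, not part of the original post; the function names, result strings and sample data are constructed, and the decision order follows the post's reasoning.

```sh
#!/bin/sh
# Added example, not from the original post. Function names, result strings
# and sample data are constructed for illustration.

# Value of SQLNET.AUTHENTICATION_SERVICES in sqlnet.ora text on stdin,
# upper-cased without parentheses; "unset" if absent or commented out.
sqlnet_auth_services() {
    awk -F= '
        /^[ \t]*#/ { next }   # ignore commented-out settings
        toupper($1) ~ /^[ \t]*SQLNET\.AUTHENTICATION_SERVICES[ \t]*$/ {
            v = $2; gsub(/[ \t()]/, "", v); found = toupper(v)
        }
        END { print (found == "" ? "unset" : found) }'
}

# OS user owning the instance PMON process, from `ps -ef` output on stdin.
pmon_owner() {
    awk '$NF ~ /^ora_pmon_/ { print $1; exit }'
}

# diagnose <current_user> <sqlnet.ora text> <ps -ef text>
# The body runs in a subshell "( )" so auth/owner stay local.
diagnose() (
    auth=$(printf '%s\n' "$2" | sqlnet_auth_services)
    owner=$(printf '%s\n' "$3" | pmon_owner)
    if [ "$auth" = "NONE" ]; then echo "os-auth-disabled"
    elif [ -z "$owner" ]; then echo "no-instance-running"
    elif [ "$owner" != "$1" ]; then echo "wrong-os-user:$owner"
    else echo "ok"
    fi
)

# Constructed sample input modelled on the listings in the post.
SAMPLE_SQLNET='SQLNET.INBOUND_CONNECT_TIMEOUT=0
NAMES.DIRECTORY_PATH=(TNSNAMES)
# SQLNET.AUTHENTICATION_SERVICES=(NONE)'
SAMPLE_PS='orasrv 7128 1 0 Sep04 ? 00:46:14 ora_pmon_orcl1
oracle 6269 4909 0 16:57 pts/9 00:00:00 grep ora_'

diagnose oracle "$SAMPLE_SQLNET" "$SAMPLE_PS"
diagnose orasrv "$SAMPLE_SQLNET" "$SAMPLE_PS"
```

On a live host the same function can be fed real data: `diagnose "$(id -un)" "$(cat "$ORACLE_HOME/network/admin/sqlnet.ora")" "$(ps -ef)"`.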

