Tuesday, 24 June 2014

Oracle PSU vs CPU

PSU and CPU is one of the biggest issue during audit. Auditors wants to see that you should apply the last patches.

But  the question is
Should you apply PSU or CPU ?
Actually If you apply last PSU , normally It consist of last CPU as well.

PSU and CPU 's are inclusive, A PSU consist of last PSU as well. Therefore If you apply last PSU , It means you apply all PSUs for this version.

To find PSU number ; you should check the last 5th digit. That works for   10g,11g and 12c . For these versions I strongly recommend  below metalink notes. These notes can answer all of your specific questions.


  • Patch Set Updates for Oracle Products (Doc ID 854428.1)
  • My Oracle Support Note 1618213.1
  • Oracle Announces First Patch Set Update For Oracle Database Release 10.2 (Doc ID 850471.1)

And some practical information ;

If you want to check which PSUs or CPUs are applied to your database from command shell.

$ opatch lsinventory -bugs_fixed | egrep -i 'PSU|DATABASE PATCH SET UPDATE'

14727310   14727310  Sun Mar 24 05:53:51 EET 2013   DATABASE PATCH SET UPDATE 11.2.0.3.5 (INCLUDES CPU
14275605   14275605  Sun Mar 24 05:52:28 EET 2013   DATABASE PATCH SET UPDATE 11.2.0.3.4 (INCLUDES CPU13923374   
13923374  Sun Mar 24 05:52:01 EET 2013   DATABASE PATCH SET UPDATE 11.2.0.3.3 (INCLUDES 13696216   
13696216  Sun Mar 24 05:51:07 EET 2013   DATABASE PATCH SET UPDATE 11.2.0.3.2 (INCLUDES 
13343438   13343438  Sun Mar 24 05:49:26 EET 2013   DATABASE PATCH SET UPDATE 11.2.0.3.1
For the same Database ; you can query PSU history by a sql statement.

  SELECT *
    FROM DBA_REGISTRY_HISTORY
    ORDER BY action_time DESC;





Posted by at No comments:
Labels: , , , , , , , ,

Tuesday, 17 June 2014

Finding Oracle DB Users with Critical System Priviliges


First you have to define which system privileges are critical for you.  For example the below list is enough for me. Normal App user should not have below priviliges.

  • BECOME USER
  • ALTER USER
  • DROP USER
  • CREATE ROLE
  • ALTER ANY ROLE
  • DROP ANY ROLE
  • GRANT ANY ROLE
  • CREATE PROFILE
  • ALTER PROFILE
  • DROP PROFILE
  • CREATE ANY TABLE
  • ALTER ANY TABLE
  • DROP ANY TABLE
  • INSERT ANY TABLE
  • UPDATE ANY TABLE
  • DELETE ANY TABLE
  • CREATE ANY PROCEDURE
  • ALTER ANY PROCEDURE
  • DROP ANY PROCEDURE
  • CREATE ANY TRIGGER
  • ALTER ANY TRIGGER
  • DROP ANY TRIGGER
  • CREATE TABLESPACE
  • ALTER TABLESPACE
  • DROP TABLESPACES
  • ALTER DATABASE
  • ALTER SYSTEM

Now The simplest query to find who has the system privileges. But the output of this query can be devious.
Because ; Users and Roles can be seen at the query result.


SELECT *
  FROM DBA_SYS_PRIVS
 WHERE PRIVILEGE IN
          ('BECOME USER',
           'ALTER USER',
           'DROP USER',
           'CREATE ROLE',
           'ALTER ANY ROLE',
           'DROP ANY ROLE',
           'GRANT ANY ROLE',
           'CREATE PROFILE',
           'ALTER PROFILE',
           'DROP PROFILE',
           'CREATE ANY TABLE',
           'ALTER ANY TABLE',
           'DROP ANY TABLE',
           'INSERT ANY TABLE',
           'UPDATE ANY TABLE',
           'DELETE ANY TABLE',
           'CREATE ANY PROCEDURE',
           'ALTER ANY PROCEDURE',
           'DROP ANY PROCEDURE',
           'CREATE ANY TRIGGER',
           'ALTER ANY TRIGGER',
           'DROP ANY TRIGGER',
           'CREATE TABLESPACE',
           'ALTER TABLESPACE',
           'DROP TABLESPACES',
           'ALTER DATABASE',
           'ALTER SYSTEM');
In order to report only Oracle user ; we should add a simple predicate .

SELECT *
  FROM DBA_SYS_PRIVS
 WHERE     PRIVILEGE IN
              ('BECOME USER',
               'ALTER USER',
               'DROP USER',
               'CREATE ROLE',
               'ALTER ANY ROLE',
               'DROP ANY ROLE',
               'GRANT ANY ROLE',
               'CREATE PROFILE',
               'ALTER PROFILE',
               'DROP PROFILE',
               'CREATE ANY TABLE',
               'ALTER ANY TABLE',
               'DROP ANY TABLE',
               'INSERT ANY TABLE',
               'UPDATE ANY TABLE',
               'DELETE ANY TABLE',
               'CREATE ANY PROCEDURE',
               'ALTER ANY PROCEDURE',
               'DROP ANY PROCEDURE',
               'CREATE ANY TRIGGER',
               'ALTER ANY TRIGGER',
               'DROP ANY TRIGGER',
               'CREATE TABLESPACE',
               'ALTER TABLESPACE',
               'DROP TABLESPACES',
               'ALTER DATABASE',
               'ALTER SYSTEM')
       AND grantee IN (SELECT username FROM dba_users);

Now the point is ; some Oracle users normally have SYSTEM PRIVILEGES; therefore  SYSTEM , SYS and some oracle users should not be on the query output.

 SELECT *
  FROM DBA_SYS_PRIVS
 WHERE     PRIVILEGE IN
              ('BECOME USER',
               'ALTER USER',
               'DROP USER',
               'CREATE ROLE',
               'ALTER ANY ROLE',
               'DROP ANY ROLE',
               'GRANT ANY ROLE',
               'CREATE PROFILE',
               'ALTER PROFILE',
               'DROP PROFILE',
               'CREATE ANY TABLE',
               'ALTER ANY TABLE',
               'DROP ANY TABLE',
               'INSERT ANY TABLE',
               'UPDATE ANY TABLE',
               'DELETE ANY TABLE',
               'CREATE ANY PROCEDURE',
               'ALTER ANY PROCEDURE',
               'DROP ANY PROCEDURE',
               'CREATE ANY TRIGGER',
               'ALTER ANY TRIGGER',
               'DROP ANY TRIGGER',
               'CREATE TABLESPACE',
               'ALTER TABLESPACE',
               'DROP TABLESPACES',
               'ALTER DATABASE',
               'ALTER SYSTEM')
       AND grantee IN
              (SELECT username
                 FROM dba_users
                WHERE username NOT IN
                         ('PGAADMIN',
                          'WMSYS',
                          'LBACSYS',
                          'SYS',
                          'SYSTEM',
                          'SGYON_KEY_USR',
                          'EXFSYS',
                          'DVOWNER',
                          'DVACCTMNGR',
                          'DVSYS',
                          'DWOWNER',
                          'RMAN', 'GGATE'));



Now we can list the Oracle users who have the critical system privileges. Is that enough ? It is not enough ;
because we can create a role and we assign this role to any user. After that we can create another role and we can grant this role the previous create role and at the end we can grant a critical system privilege to this role . If you run this query you can't list this user. Because the nature of recursive roles hides this information.
To solve this problem we should use hierarchical query START WITH and CONNECT BY clauses.

And the result ;


    SELECT DISTINCT c "User Names"
      FROM (    /* THE PRIVILEGES */
            SELECT NULL p, name c
              FROM system_privilege_map
             WHERE name IN
                      ('BECOME USER',
                       'ALTER USER',
                       'DROP USER',
                       'CREATE ROLE',
                       'ALTER ANY ROLE',
                       'DROP ANY ROLE',
                       'GRANT ANY ROLE',
                       'CREATE PROFILE',
                       'ALTER PROFILE',
                       'DROP PROFILE',
                       'CREATE ANY TABLE',
                       'ALTER ANY TABLE',
                       'DROP ANY TABLE',
                       'INSERT ANY TABLE',
                       'UPDATE ANY TABLE',
                       'DELETE ANY TABLE',
                       'CREATE ANY PROCEDURE',
                       'ALTER ANY PROCEDURE',
                       'DROP ANY PROCEDURE',
                       'CREATE ANY TRIGGER',
                       'ALTER ANY TRIGGER',
                       'DROP ANY TRIGGER',
                       'CREATE TABLESPACE',
                       'ALTER TABLESPACE',
                       'DROP TABLESPACES',
                       'ALTER DATABASE',
                       'ALTER SYSTEM')
            /*  ROLE RELATIONS */
            UNION
            SELECT granted_role p, grantee c FROM dba_role_privs
            /* PRIVILEGE RELATIONS */
            UNION
            SELECT privilege p, grantee c FROM dba_sys_privs)
     WHERE c IN
              (SELECT username
                 FROM dba_users
                WHERE username NOT IN
                         ('PGAADMIN',
                          'WMSYS',
                          'LBACSYS',
                          'SYS',
                          'SYSTEM',
                          'SGYON_KEY_USR',
                          'EXFSYS',
                          'DVOWNER',
                          'DVACCTMNGR',
                          'DVSYS',
                          'DWOWNER',
                          'RMAN',
                          'GGATE'))
START WITH p IS NULL
CONNECT BY p = PRIOR c;
Posted by at No comments:
Labels: , , , , , , , , ,
Location: Türkiye
Subscribe to: Posts (Atom)