topic Re: Security hardening hpux 11.23 itanium in Operating System - HP-UX

Security hardening hpux 11.23 itanium

Donald Thaler — Mon, 25 May 2009 01:45:24 GMT

their is an oracle process genlcntsh which creates a file called libclntsh.so.10.1. this file is critical to the linking process for the oracle binaries. when i run the process as root it works, when i run it as oracle i get an error 'Failed to link libclntsh.so.10.1'..
oracle says this points in the direction of 'security hardening', evidently some module has the wrong read/write/access permission.

i have a second server (backup server) where this linking process works as the user oracle.

how does one go about comparing the access rights on the files between two servers ??

Re: Security hardening hpux 11.23 itanium

Steven Schweda — Mon, 25 May 2009 04:14:28 GMT

"ls -l"?
"lsacl"?

Re: Security hardening hpux 11.23 itanium

Dennis Handly — Mon, 25 May 2009 04:29:46 GMT

>how does one go about comparing the access rights on the files between two servers?

You could use my scripts in the following thread and then compare the generated output script.
http://forums.itrc.hp.com/service/forums/questionanswer.do?threadId=1215123

Re: Security hardening hpux 11.23 itanium

Donald Thaler — Mon, 25 May 2009 16:16:35 GMT

swverify -F\* returns illegal option -- * ??

Re: Security hardening hpux 11.23 itanium

Steven E. Protter — Mon, 25 May 2009 17:50:18 GMT

Shalom,

swverify \*

Not what you wrote.

/sbin/init.d/swagentd -r

Try again.

Compare permissions of the libclntsh.so.10.1. library on the good system to the bad and make corrections and try again.

Look at the oracle install logs for other issues.

Check the environment of the install user on both systems for variations.

SEP

Re: Security hardening hpux 11.23 itanium

Dennis Handly — Mon, 25 May 2009 23:39:46 GMT

>swverify -F\* returns illegal option -- *

You need a space between -F and \*.
(You might want to leave out the -F first as SEP suggests.)

Re: Security hardening hpux 11.23 itanium

Donald Thaler — Tue, 26 May 2009 11:45:19 GMT

dennis... i noticed your chown_script_B.ksh only deals with symbolic links (chown -h), whats the downside (if any) of changing the script to do all files in a particular directory

Re: Security hardening hpux 11.23 itanium

Donald Thaler — Tue, 26 May 2009 12:04:22 GMT

what exactly does swverify -F \* do ??

Re: Security hardening hpux 11.23 itanium

Steven E. Protter — Tue, 26 May 2009 12:07:22 GMT

Shalom,

No impact to changing ownership on soft links.

Like to see that script.

Try the swverify both ways, my way first then Dennis. If the results are not too verbose post them.

SEP

Re: Security hardening hpux 11.23 itanium

Donald Thaler — Tue, 26 May 2009 12:12:53 GMT

steven to see dennis's script go to:
http://forums.itrc.hp.com/service/forums/questionanswer.do?threadId=1215123

what does the swverify -F \* verify the ownership and permissions against ???

Re: Security hardening hpux 11.23 itanium

TTr — Tue, 26 May 2009 12:31:41 GMT

> when i run the process as root it works, when i run it as oracle i get an error 'Failed to link libclntsh.so.10.1'..

If you ran this as root, it probably has created the library file(s) in the oracle directory tree that are owned by root. So if you run this process again as the oracle user, it will fail because it can not write over any files that are owned by root.

Check the owner and permissions of
$ORACLE_HOME/lib/libclntsh*
$ORACLE_HOME/lib32/libclntsh*
or use a find command to find root owned files in the entire oracle installation directory.

Check in the oracle directory tree for any files that are owned by root and have a date stamp from the time you ran this process as root.

> i have a second server (backup server) where this linking process works as the user oracle

If you did not run this process as root on this second server, my above claim makes even more sense. (Don't run it as root)

Re: Security hardening hpux 11.23 itanium

James R. Ferguson — Tue, 26 May 2009 12:50:37 GMT

Hi Donald:

> what does the swverify -F \* verify the ownership and permissions against ???

It examines the IPD (Installed Product Database) or the contents of the '/var/adm/sw/products' directory. Therein are 'INFO' files (deeper down) that specify the modes, ownership and mtime attributes associated with the installed files. It is this information that 'swverify' uses to make its comparisons to the actual file attributes.

Regards!

...JRF...

Re: Security hardening hpux 11.23 itanium

Dennis Handly — Tue, 26 May 2009 15:21:13 GMT

>I noticed your chown_script_B.ksh only deals with symbolic links (chown -h), whats the downside (if any) of changing the script to do all files in a particular directory

You don't run the generated script, you just compare the scripts. It should do all of the files, including symlinks.

>what does the swverify -F \* verify the ownership and permissions against?

The IPD. Which probably be useless in problems with Oracle. Note the -F will "fix" the permission issues.

Re: Security hardening hpux 11.23 itanium

Donald Thaler — Tue, 26 May 2009 17:31:46 GMT

i ran this process:

chown_script_A.sh /etc | chown_script_B.sh > chown.sh

and the only entries in chown.sh are

chown -h entries...i assumed from looking at

chown_script_B.sh (print "chown -h") that it only picked up symbolic links ..

Re: Security hardening hpux 11.23 itanium

Dennis Handly — Wed, 27 May 2009 08:20:19 GMT

>the only entries in chown.sh are
chown -h entries...

Yes, you then do this on the other system and compare the chown.sh files. You may have to sort these first:
chown_script_A.sh /etc | chown_script_B.sh | sort -k4,4 > chown.txt

>I assumed from looking at chown_script_B.sh (print "chown -h") that it only picked up symbolic links

No it gets every "file". You also need to use:
chown_script_A.sh /etc | chmod_script_C.sh | sort -k3,3 > chmod.txt

And then compare those.
In your case, you probably need to look at the oracle filesystem, not /etc.

Re: Security hardening hpux 11.23 itanium

Sunny123_1 — Wed, 27 May 2009 08:27:26 GMT

Hi

The script is OK.Follow Dennis Handly's procedure.

Regards
Sunny

Re: Security hardening hpux 11.23 itanium

Donald Thaler — Wed, 27 May 2009 15:18:00 GMT

i'm running this script:
./chown_script_A.ksh /u01/app/oracle/product/10.2.0.4 | ./chmod_apollo.ksh | sort -k4,4 >chmod_oracle_apollo.txt

i must have the syntax wrong because it displays all the files it can't change because they don't exist but nothing is in chmod_oracle_apollo.txt ???

Re: Security hardening hpux 11.23 itanium

Donald Thaler — Wed, 27 May 2009 16:24:41 GMT

i just realized that all the files are being rejected as not found... if i run the chmod commands individually i don't get errors ??

Re: Security hardening hpux 11.23 itanium

Dennis Handly — Thu, 28 May 2009 06:11:26 GMT

>I must have the syntax wrong because it displays all the files it can't change because they don't exist but nothing is in chmod_oracle_apollo.txt?
>if I run the chmod commands individually

To make it clear, the scripts were originally developed to copy the ownership and permissions from one machine to another.

I'm hijacking the scripts to enable you to do a difference between files on two systems. To do that, you compare the output file chmod_oracle_apollo.txt with one from the other system.

Or you can toss those scripts and just compare this:
find $* -xdev -exec ll -d {} + | awk '{ print $9, $1, $3, $4 }' | sort

>but nothing is in chmod_oracle_apollo.txt?

If there is nothing in that file, then we need to debug the pipeline in stages. Does "chown_script_A.sh /u01/app/oracle/product/10.2.0.4" produce anything?

Re: Security hardening hpux 11.23 itanium

Steven E. Protter — Thu, 28 May 2009 08:13:15 GMT

The script might be altering the PATH causing the commands not to be found.

SEP