
Re: Security hardening hpux 11.23 itanium

TTr
Honored Contributor

Re: Security hardening hpux 11.23 itanium

> when I run the process as root it works, when I run it as oracle I get an error 'Failed to link libclntsh.so.10.1'..

If you ran this as root, it has probably created the library file(s) in the oracle directory tree that are owned by root. So if you run this process again as the oracle user, it will fail because it cannot write over any files that are owned by root.

Check the owner and permissions of
$ORACLE_HOME/lib/libclntsh*
$ORACLE_HOME/lib32/libclntsh*
or use a find command to find root owned files in the entire oracle installation directory.

Check in the oracle directory tree for any files that are owned by root and have a date stamp from the time you ran this process as root.

> I have a second server (backup server) where this linking process works as the user oracle

If you did not run this process as root on this second server, my above claim makes even more sense. (Don't run it as root)
James R. Ferguson
Acclaimed Contributor

Re: Security hardening hpux 11.23 itanium

Hi Donald:

> what does the swverify -F \* verify the ownership and permissions against?

It examines the IPD (Installed Product Database) or the contents of the '/var/adm/sw/products' directory. Therein are 'INFO' files (deeper down) that specify the modes, ownership and mtime attributes associated with the installed files. It is this information that 'swverify' uses to make its comparisons to the actual file attributes.

Regards!

...JRF...
Dennis Handly
Acclaimed Contributor

Re: Security hardening hpux 11.23 itanium

>I noticed your chown_script_B.ksh only deals with symbolic links (chown -h), what's the downside (if any) of changing the script to do all files in a particular directory?

You don't run the generated script, you just compare the scripts. It should do all of the files, including symlinks.

>what does the swverify -F \* verify the ownership and permissions against?

The IPD, which will probably be useless in problems with Oracle. Note the -F will "fix" the permission issues.
Donald Thaler
Super Advisor

Re: Security hardening hpux 11.23 itanium

I ran this process:

chown_script_A.sh /etc | chown_script_B.sh > chown.sh

and the only entries in chown.sh are chown -h entries... I assumed from looking at chown_script_B.sh (print "chown -h") that it only picked up symbolic links.
Dennis Handly
Acclaimed Contributor

Re: Security hardening hpux 11.23 itanium

>the only entries in chown.sh are chown -h entries...

Yes, you then do this on the other system and compare the chown.sh files. You may have to sort these first:
chown_script_A.sh /etc | chown_script_B.sh | sort -k4,4 > chown.txt

>I assumed from looking at chown_script_B.sh (print "chown -h") that it only picked up symbolic links

No it gets every "file". You also need to use:
chown_script_A.sh /etc | chmod_script_C.sh | sort -k3,3 > chmod.txt

And then compare those.
In your case, you probably need to look at the oracle filesystem, not /etc.
Sunny123_1
Esteemed Contributor

Re: Security hardening hpux 11.23 itanium

Hi

The script is OK. Follow Dennis Handly's procedure.

Regards
Sunny
Donald Thaler
Super Advisor

Re: Security hardening hpux 11.23 itanium

I'm running this script:
./chown_script_A.ksh /u01/app/oracle/product/10.2.0.4 | ./chmod_apollo.ksh | sort -k4,4 >chmod_oracle_apollo.txt

I must have the syntax wrong because it displays all the files it can't change because they don't exist, but nothing is in chmod_oracle_apollo.txt?
Donald Thaler
Super Advisor

Re: Security hardening hpux 11.23 itanium

I just realized that all the files are being rejected as not found... if I run the chmod commands individually I don't get errors?
Dennis Handly
Acclaimed Contributor

Re: Security hardening hpux 11.23 itanium

>I must have the syntax wrong because it displays all the files it can't change because they don't exist but nothing is in chmod_oracle_apollo.txt?
>if I run the chmod commands individually

To make it clear, the scripts were originally developed to copy the ownership and permissions from one machine to another.

I'm hijacking the scripts to enable you to do a difference between files on two systems. To do that, you compare the output file chmod_oracle_apollo.txt with one from the other system.

Or you can toss those scripts and just compare this:
find $* -xdev -exec ll -d {} + | awk '{ print $9, $1, $3, $4 }' | sort

>but nothing is in chmod_oracle_apollo.txt?

If there is nothing in that file, then we need to debug the pipeline in stages. Does "chown_script_A.sh /u01/app/oracle/product/10.2.0.4" produce anything?
Steven E. Protter
Exalted Contributor

Re: Security hardening hpux 11.23 itanium

The script might be altering the PATH causing the commands not to be found.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com