Security hardening hpux 11.23 itanium

 
SOLVED
Donald Thaler
Super Advisor

Security hardening hpux 11.23 itanium

There is an Oracle process, genclntsh, which creates a file called libclntsh.so.10.1. This file is critical to the linking process for the Oracle binaries. When I run the process as root it works; when I run it as oracle I get an error 'Failed to link libclntsh.so.10.1'.
Oracle says this points in the direction of 'security hardening'; evidently some module has the wrong read/write/access permission.

I have a second server (backup server) where this linking process works as the user oracle.

How does one go about comparing the access rights on the files between two servers?
27 REPLIES
Steven Schweda
Honored Contributor

Re: Security hardening hpux 11.23 itanium

"ls -l"?
"lsacl"?
Dennis Handly
Acclaimed Contributor
Solution

Re: Security hardening hpux 11.23 itanium

>how does one go about comparing the access rights on the files between two servers?

You could use my scripts in the following thread and then compare the generated output script.
http://forums.itrc.hp.com/service/forums/questionanswer.do?threadId=1215123
Donald Thaler
Super Advisor

Re: Security hardening hpux 11.23 itanium

swverify -F\* returns 'illegal option -- *'?
Steven E. Protter
Exalted Contributor

Re: Security hardening hpux 11.23 itanium

Shalom,

swverify \*

Not what you wrote.

/sbin/init.d/swagentd -r

Try again.

Compare permissions of the libclntsh.so.10.1 library on the good system to the bad, make corrections and try again.

Look at the oracle install logs for other issues.

Check the environment of the install user on both systems for variations.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Dennis Handly
Acclaimed Contributor

Re: Security hardening hpux 11.23 itanium

>swverify -F\* returns illegal option -- *

You need a space between -F and \*.
(You might want to leave out the -F first as SEP suggests.)
Donald Thaler
Super Advisor

Re: Security hardening hpux 11.23 itanium

Dennis... I noticed your chown_script_B.ksh only deals with symbolic links (chown -h). What's the downside (if any) of changing the script to do all files in a particular directory?
Donald Thaler
Super Advisor

Re: Security hardening hpux 11.23 itanium

What exactly does swverify -F \* do?
Steven E. Protter
Exalted Contributor

Re: Security hardening hpux 11.23 itanium

Shalom,

There is no impact from changing ownership on soft links.

I'd like to see that script.

Try swverify both ways, my way first, then Dennis's. If the results are not too verbose, post them.



SEP
Donald Thaler
Super Advisor

Re: Security hardening hpux 11.23 itanium

Steven, to see Dennis's script go to:
http://forums.itrc.hp.com/service/forums/questionanswer.do?threadId=1215123

What does swverify -F \* verify the ownership and permissions against?
TTr
Honored Contributor

Re: Security hardening hpux 11.23 itanium

> when i run the process as root it works, when i run it as oracle i get an error 'Failed to link libclntsh.so.10.1'..

If you ran this as root, it probably has created the library file(s) in the oracle directory tree that are owned by root. So if you run this process again as the oracle user, it will fail because it cannot write over any files that are owned by root.

Check the owner and permissions of
$ORACLE_HOME/lib/libclntsh*
$ORACLE_HOME/lib32/libclntsh*
or use a find command to find root owned files in the entire oracle installation directory.

Check in the oracle directory tree for any files that are owned by root and have a date stamp from the time you ran this process as root.

> i have a second server (backup server) where this linking process works as the user oracle

If you did not run this process as root on this second server, my above claim makes even more sense. (Don't run it as root)
James R. Ferguson
Acclaimed Contributor

Re: Security hardening hpux 11.23 itanium

Hi Donald:

> what does the swverify -F \* verify the ownership and permissions against ???

It examines the IPD (Installed Product Database) or the contents of the '/var/adm/sw/products' directory. Therein are 'INFO' files (deeper down) that specify the modes, ownership and mtime attributes associated with the installed files. It is this information that 'swverify' uses to make its comparisons to the actual file attributes.

Regards!

...JRF...
Dennis Handly
Acclaimed Contributor

Re: Security hardening hpux 11.23 itanium

>I noticed your chown_script_B.ksh only deals with symbolic links (chown -h), whats the downside (if any) of changing the script to do all files in a particular directory

You don't run the generated script, you just compare the scripts. It should do all of the files, including symlinks.

>what does the swverify -F \* verify the ownership and permissions against?

The IPD, which will probably be useless for problems with Oracle. Note that -F will "fix" the permission issues.
Donald Thaler
Super Advisor

Re: Security hardening hpux 11.23 itanium

I ran this process:

chown_script_A.sh /etc | chown_script_B.sh > chown.sh

and the only entries in chown.sh are chown -h entries... I assumed from looking at chown_script_B.sh (print "chown -h") that it only picked up symbolic links.
Dennis Handly
Acclaimed Contributor

Re: Security hardening hpux 11.23 itanium

>the only entries in chown.sh are
chown -h entries...

Yes, you then do this on the other system and compare the chown.sh files. You may have to sort these first:
chown_script_A.sh /etc | chown_script_B.sh | sort -k4,4 > chown.txt

>I assumed from looking at chown_script_B.sh (print "chown -h") that it only picked up symbolic links

No, it gets every "file". You also need to use:
chown_script_A.sh /etc | chmod_script_C.sh | sort -k3,3 > chmod.txt

And then compare those.
In your case, you probably need to look at the oracle filesystem, not /etc.
Sunny123_1
Esteemed Contributor

Re: Security hardening hpux 11.23 itanium

Hi

The script is OK. Follow Dennis Handly's procedure.

Regards
Sunny
Donald Thaler
Super Advisor

Re: Security hardening hpux 11.23 itanium

I'm running this script:
./chown_script_A.ksh /u01/app/oracle/product/10.2.0.4 | ./chmod_apollo.ksh | sort -k4,4 >chmod_oracle_apollo.txt

I must have the syntax wrong, because it displays all the files it can't change because they don't exist, but nothing is in chmod_oracle_apollo.txt?
Donald Thaler
Super Advisor

Re: Security hardening hpux 11.23 itanium

I just realized that all the files are being rejected as not found... If I run the chmod commands individually I don't get errors?
Dennis Handly
Acclaimed Contributor

Re: Security hardening hpux 11.23 itanium

>I must have the syntax wrong because it displays all the files it can't change because they don't exist but nothing is in chmod_oracle_apollo.txt?
>if I run the chmod commands individually

To make it clear, the scripts were originally developed to copy the ownership and permissions from one machine to another.

I'm hijacking the scripts to enable you to do a difference between files on two systems. To do that, you compare the output file chmod_oracle_apollo.txt with one from the other system.

Or you can toss those scripts and just compare this:
find $* -xdev -exec ll -d {} + | awk '{ print $9, $1, $3, $4 }' | sort

>but nothing is in chmod_oracle_apollo.txt?

If there is nothing in that file, then we need to debug the pipeline in stages. Does "chown_script_A.sh /u01/app/oracle/product/10.2.0.4" produce anything?
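A portable version of the comparison Dennis describes (find the files, list mode/owner/group, sort, then diff the two listings), plus the root-owned-file hunt TTr suggests earlier in the thread, as an added example; this is not code from the thread, from HP or from Oracle. It uses only find, ls, sort, diff and awk so the same script runs on HP-UX 11.23 and on Linux (ls -ld replaces the HP-UX ll alias). The sample tree built by make_sample_home is constructed here to stand in for $ORACLE_HOME, and the planted difference (only the mode of libclntsh.so.10.1) is an assumption for the demo; the expected owner and group passed to wrong_owner are parameters, oracle:oinstall on a real system.

```shell
#!/bin/sh
# Added example: compare ownership/permissions of two directory trees and
# list entries not owned by the expected user/group.

# Print "relative-path mode owner group" for every entry under $1, sorted.
# The path is made relative to $1 so manifests taken on two servers with
# the same ORACLE_HOME diff cleanly.
perm_manifest() {
    root=$1
    # -xdev stays on one filesystem, as in Dennis's find command
    find "$root" -xdev -print | sort | while IFS= read -r path; do
        # ls -ld describes the entry itself, not a symlink's target; fields
        # 1, 3 and 4 are mode, owner and group on every ls -l variant
        set -- $(ls -ld "$path")
        rel=${path#"$root"}
        [ -n "$rel" ] || rel=/
        printf '%s %s %s %s\n' "$rel" "$1" "$3" "$4"
    done
}

# Print only the manifest lines that differ ("<" first file, ">" second).
# Nothing printed means the two trees carry identical mode/owner/group.
manifest_diff() {
    diff "$1" "$2" | grep '^[<>]' || true
}

# Entries under $1 not owned by user $2 or not in group $3 (names or
# numeric ids): what a root run of the link step leaves behind in an
# Oracle home that should be oracle:oinstall throughout.
wrong_owner() {
    find "$1" -xdev \( ! -user "$2" -o ! -group "$3" \) -print
}

# Constructed sample tree standing in for $ORACLE_HOME; $2 is the mode
# given to libclntsh.so.10.1 (the only planted difference, an assumption).
make_sample_home() {
    mkdir -p "$1/lib" "$1/bin"
    : > "$1/lib/libclntsh.so.10.1"
    chmod "$2" "$1/lib/libclntsh.so.10.1"
    ln -s libclntsh.so.10.1 "$1/lib/libclntsh.so"
    : > "$1/bin/oracle"
    chmod 755 "$1/bin/oracle"
}

# Demo: "good" backup server versus a "bad" one whose library lost its
# execute and write bits; prints the two differing manifest lines.
demo() {
    good=$(mktemp -d) && bad=$(mktemp -d)
    make_sample_home "$good" 755
    make_sample_home "$bad" 444
    perm_manifest "$good" > "$good.txt"
    perm_manifest "$bad" > "$bad.txt"
    manifest_diff "$good.txt" "$bad.txt"
    rm -rf "$good" "$bad" "$good.txt" "$bad.txt"
}

demo
```

On the two servers run perm_manifest /u01/app/oracle/product/10.2.0.4 on each, copy one listing across and feed both to manifest_diff; identical lines are suppressed, so the output stays short even for an Oracle home with tens of thousands of files. wrong_owner DIR oracle oinstall gives the list of root-owned (or wrong-group) files TTr describes, without having to eyeball timestamps.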
Steven E. Protter
Exalted Contributor

Re: Security hardening hpux 11.23 itanium

The script might be altering the PATH causing the commands not to be found.

SEP
Donald Thaler
Super Advisor

Re: Security hardening hpux 11.23 itanium

After I was able to run genclntsh successfully as root I had to go in and change the owner of the files to oracle:oinstall... How do I go about finding all the symbolic links in a directory/subdirectory, and if that's not possible, what would the script look like to find all the files owned by root in a given directory/subdirectories?
Donald Thaler
Super Advisor

Re: Security hardening hpux 11.23 itanium

I created a new user oracle1 and I was able to create a new Oracle home without any problems (the genclntsh process worked). How would I compare the users oracle and oracle1 to see what the differences are?
Suraj K Sankari
Honored Contributor

Re: Security hardening hpux 11.23 itanium

Hi,
>>how would i compare the users oracle and oracle1 to see what the differences are

What are the things you want to compare?

You can run these commands to see the differences:

#finger oracle oracle1

Log in as oracle and run
env
set

Do the same for oracle1, take the output into a file, then run the diff or comm command.

Compare .profile for both users.

Suraj
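An added example, not code from the thread, for the env/set/.profile comparison Suraj outlines: capture what a login actually hands to the linking process (identity and groups, umask, resource limits, environment) as sorted KEY=VALUE lines, one file per user, then reduce the two captures to the keys whose values differ instead of reading two 200-line env dumps side by side. The two snapshot files written by make_sample_snapshots are constructed for the demo; the umask and SHLIB_PATH differences they contain are illustrative assumptions, not findings from the thread.

```shell
#!/bin/sh
# Added example: per-user login snapshots and a key-level diff of them.
# Run user_snapshot once as each user (via the same login path the real
# linking run uses, so .profile is processed the same way), e.g.
#   su - oracle  -c 'sh snapshot.sh' > /tmp/snap.oracle
#   su - oracle1 -c 'sh snapshot.sh' > /tmp/snap.oracle1
user_snapshot() {
    {
        echo "ID=$(id)"
        echo "UMASK=$(umask)"
        echo "ULIMIT_NOFILE=$(ulimit -n 2>/dev/null)"
        echo "ULIMIT_DATA=$(ulimit -d 2>/dev/null)"
        # drop per-session noise that differs between any two logins
        env | grep -v -E '^(PWD|OLDPWD|SHLVL|_|TERM|LINES|COLUMNS)='
    } | sort
}

# Print "KEY: [left] vs [right]" for every key present on only one side or
# with a different value; $1 and $2 are snapshot files (first must not be
# empty, a limit of the NR==FNR idiom). No output means the two logins look
# identical to the process being launched.
snapshot_diff() {
    awk -F= '
        NR == FNR { left[$1] = substr($0, length($1) + 2); next }
                  { right[$1] = substr($0, length($1) + 2) }
        END {
            for (k in left)
                if (!(k in right) || left[k] != right[k])
                    printf "%s: [%s] vs [%s]\n", k, left[k], ((k in right) ? right[k] : "(unset)")
            for (k in right)
                if (!(k in left))
                    printf "%s: [(unset)] vs [%s]\n", k, right[k]
        }' "$1" "$2" | sort
}

# Constructed sample snapshots (not real captures): both users share
# ORACLE_HOME and PATH but differ in umask and in whether .profile sets
# SHLIB_PATH, the HP-UX shared-library search path variable.
make_sample_snapshots() {
    printf '%s\n' \
        'HOME=/home/oracle' \
        'ID=uid=501(oracle) gid=500(dba) groups=500(dba)' \
        'ORACLE_HOME=/u01/app/oracle/product/10.2.0.4' \
        'PATH=/usr/bin:/bin:/u01/app/oracle/product/10.2.0.4/bin' \
        'UMASK=0077' | sort > "$1/snap.oracle"
    printf '%s\n' \
        'HOME=/home/oracle1' \
        'ID=uid=502(oracle1) gid=500(dba) groups=500(dba)' \
        'ORACLE_HOME=/u01/app/oracle/product/10.2.0.4' \
        'PATH=/usr/bin:/bin:/u01/app/oracle/product/10.2.0.4/bin' \
        'SHLIB_PATH=/u01/app/oracle/product/10.2.0.4/lib' \
        'UMASK=0022' | sort > "$1/snap.oracle1"
}

# Demo on the constructed snapshots: prints four differing keys
# (HOME, ID, SHLIB_PATH, UMASK) and nothing for the shared ones.
demo() {
    dir=$(mktemp -d)
    make_sample_snapshots "$dir"
    snapshot_diff "$dir/snap.oracle" "$dir/snap.oracle1"
    rm -rf "$dir"
}

demo
```

Keys that are expected to differ (HOME, the uid in ID) can be ignored; anything else in the output, in particular group membership, umask, limits and library-path variables, is a concrete difference between the two logins that the linking run would see.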
Dennis Handly
Acclaimed Contributor

Re: Security hardening hpux 11.23 itanium

>how do I go about finding all the symbolic links in a directory/subdirectory

find $* -type l

>find all the files owned by root in a given directory/subdirectories.

find $* -user root
Donald Thaler
Super Advisor

Re: Security hardening hpux 11.23 itanium

The problem previously mentioned was an inability to run the Oracle linking process. We discovered that if we create a new oracle user, oracle1, and run the linking process as that user, it works... Are there any other variables, other than the 'env' variables, that we could compare against to see why one oracle user is different from the other one?