The Garante's provision on System Administrators

Let me say up front that I consider it a load of crap… and completely useless, given that logs HAVE NO EVIDENTIARY VALUE WHATSOEVER!

But since we have to comply… let's try to do it at ZERO COST!

This is how I solved it (am solving it):

Installing rsyslog with logging to file on the logserver

On a Linux CentOS 5.* server

yum install rsyslog*
vim /etc/sysconfig/rsyslog
replace
SYSLOGD_OPTIONS="-m 0"
with
SYSLOGD_OPTIONS="-m 0 -r"
vim /etc/rsyslog.conf
###################################################
$template DynAuth, "/var/log/TUTTI/%$MONTH%/%$DAY%/%FROMHOST%.log"
local1.*,user.*,auth.*,authpriv.*,kern.* ?DynAuth
$EscapeControlCharactersOnReceive off
# property option for use inside a template (replaces control characters with spaces): %msg:::space-cc%
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
local3.*                                                /var/log/varie.log
###################################################

Enabling logging on all Linux servers

On any Linux server

cat /etc/syslog.conf

auth.*;authpriv.*;local1.*          @logserver.dominio

On every server I then have to create PERSONAL users to assign to all the sysadmins (AdS):
useradd -G wheel -m -s /bin/bash username
passwd username
I add
AllowUsers username
to /etc/ssh/sshd_config
I run
visudo
and add or uncomment the following line:
%wheel  ALL=(ALL)       ALL
This way the sysadmins will have to log in with their own account and use sudo
(I recommend sudo -i or sudo -u to become root)
The advantage of using sudo is that I was able to change root's password and put it in the safe without needing to share it with all the sysadmins (since sudo lets you become root by entering your own password)
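
With personal accounts and sudo, every root session in the forwarded auth/authpriv logs can be tied to a named administrator. The script below is an added example, not part of the original post: it summarises one per-host log file on the logserver and flags direct root logins; the host, user names and addresses in the sample lines are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): summarise SSH logins and sudo
# use from a per-host file written by the DynAuth template on the logserver.

# Constructed sample lines in the traditional syslog file format.
sample_log() {
cat <<'EOF'
Mar  3 09:01:12 web01 sshd[2211]: Accepted password for mrossi from 10.0.0.15 port 50122 ssh2
Mar  3 09:01:40 web01 sudo:   mrossi : TTY=pts/0 ; PWD=/home/mrossi ; USER=root ; COMMAND=/bin/bash
Mar  3 09:30:02 web01 sshd[2290]: Failed password for invalid user oracle from 10.0.0.16 port 50200 ssh2
Mar  3 09:30:09 web01 sshd[2291]: Accepted password for lbianchi from 10.0.0.16 port 50201 ssh2
Mar  3 11:45:51 web01 sshd[2402]: Accepted password for root from 10.0.0.99 port 50311 ssh2
EOF
}

# access_report [file...]: one record per event, "KIND host user detail".
# ROOT-LOGIN marks a session opened directly as root, which should not
# happen once the root password is locked away and admins use sudo.
access_report() {
    awk '
    $5 ~ /^sshd\[/ && ($6 == "Accepted" || $6 == "Failed") {
        # The user is the word before "from", the address the word after it;
        # this also covers "Failed password for invalid user NAME from ...".
        for (i = 7; i < NF; i++)
            if ($i == "from") { user = $(i - 1); addr = $(i + 1) }
        kind = ($6 == "Failed") ? "FAILED" : (user == "root" ? "ROOT-LOGIN" : "LOGIN")
        print kind, $4, user, addr
        next
    }
    $5 == "sudo:" && match($0, /USER=[^ ]+/) {
        target = substr($0, RSTART + 5, RLENGTH - 5)
        cmd = ""
        if (match($0, /COMMAND=.*/)) cmd = substr($0, RSTART + 8)
        print "SUDO", $4, $6, target, cmd
    }
    ' "$@"
}

sample_log | access_report
```

On the logserver the function takes the per-host files as arguments, for example the files under /var/log/TUTTI for a given month and day.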

Enabling logging on Oracle 9i

mkdir /var/log/oracle/
chown -R oracle:dba /var/log/oracle/
SHOW PARAMETER audit
ALTER SYSTEM SET audit_trail=OS SCOPE=SPFILE;
ALTER SYSTEM SET audit_sys_operations=TRUE SCOPE=SPFILE;
ALTER SYSTEM SET audit_file_dest="/var/log/oracle" SCOPE=SPFILE;
AUDIT SESSION;
SHUTDOWN IMMEDIATE
startup
Then a cron job must be created on the logserver that filters only the logins/logouts and collects the results.
In version 9i it is in fact not possible to send the logs to a remote syslog

Enabling logging on Postgres

I edit
/usr/local/pgsql/data/postgresql.conf
as follows:

log_destination = 'syslog'

syslog_facility = 'LOCAL1'
syslog_ident = 'postgres'
log_connections = true
log_disconnections = true
log_duration = true
log_hostname = true

Enabling logging on MySQL

Since MySQL does not support writing logs to syslog, it can be solved as follows:

In the file
/etc/my.cnf

in the section
[mysqld]

I add
log=/var/log/mysql.log

Then at startup I run the following command:

tail -f /var/log/mysql.log | egrep 'Connect|Quit' | logger -p LOCAL1.info -t mysql &

(thanks to Stefano Coletta (http://www.mindcreations.com/) for the clarification:

egrep must be given the --line-buffered option, otherwise it does not work correctly)

tail -f /var/log/mysql.log | egrep --line-buffered 'Connect|Quit' | logger -p LOCAL1.info -t mysql &

and I save it in rc.local

and I also put it in the postrotate section of logrotate in
/etc/logrotate.d/mysql-log-rotate

Alternatively, as the good Alessandro Corbelli of www.web4web.it suggested to me, named pipes can be used:

http://www.linuxjournal.com/article/2156

http://www.linuxjournal.com/content/using-named-pipes-fifos-bash

I don't log everything to a file; instead I created a named pipe, and in inittab I added, in respawn, a script made up like this

while [ true ]; do
tail -f <namedpipe> | egrep 'Connect|Quit' | logger…
done

Performance is 'fairly' decent.
The while would even be superfluous…

One detail needs attention:

If the named pipe is used with the script in inittab, the script must NOT use tail, but cat.

So the script becomes:

while [ true ]; do
cat <namedpipe> | egrep --line-buffered 'Connect|Quit' | logger -p LOCAL1.info -t mysql
done


Enabling logging on Windows servers

On the Windows servers

I used Snare:

SnareSetup-3.1.5-MultiArch.exe

http://www.intersectalliance.com/projects/SnareWindows/index.html

As the "Destination snare server address" I entered the same IP as the log server, and 514 as the port

Enabling logging on Exchange

To enable logging on the mail server:

Exchange System Manager -> Administrative Groups -> <name>  -> Servers -> ServerName -> right-click the server -> Diagnostics Logging
-> MSExchangeIS -> Private or Mailbox -> Logons = Minimum; Access Control = Minimum (in the Italian UI: Accessi = minima; Controllo accessi = minima)

Then in Snare:
I create a new object:
Identify the high level event = Any event(s)
Event ID Search Term = 1009,1016,1013,1029
General Search Term = *
Select the User Match Type = Include
User Search Term = *admin*
Identify the event types to be captured = Success Audit + Failure Audit
Identify the event logs = Security  + Application
Select the Alert Level = Critical

Enabling logging on the file server

I create a new object:
Identify the high level event = Any event(s)
Event ID Search Term = 538,540,552,551,682,683,528
General Search Term = *
Select the User Match Type = Include
User Search Term = *admin*
Identify the event types to be captured = ALL
Identify the event logs = Security
Select the Alert Level = Critical

Log immutability

Every night, on the logserver, a cron job runs that creates an md5 of all the log files

I call it Z_calcola_md5.sh so that cron runs it last, AFTER logrotate

cat /etc/cron.daily/Z_calcola_md5.sh

########################################
#!/bin/bash
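# Month/day of yesterday, matching the %$MONTH%/%$DAY% layout of the DynAuth template
TMP=`/bin/date --date='1 days ago' +%m/%d`
# One manifest file per day
FILE_NAME="MD5-`/bin/date --date='1 days ago' +%m-%d`.md5"
DEST_DIR01="/var/log/TUTTI"
DEST_DIR="$DEST_DIR01/$TMP/"
MD5_DIR="/var/log/TUTTI/MD5/"
cd "$MD5_DIR" || exit 1
# Hash every log file received yesterday
find "$DEST_DIR" -type f -exec md5sum {} \; > "$FILE_NAME"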
#########################################

At this point I can create a tar.gz and save the logs to a DVD or make a backup of them
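
A manifest only helps if it is later compared with the files. The script below is an added example, not part of the original post: it checks one day's directory against its manifest and reports files that were modified, removed or added after the digests were taken; the HASH_CMD variable and the demo file names are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post): check one day's directory
# against the manifest written by Z_calcola_md5.sh.
# HASH_CMD is this example's own knob; md5sum matches the script above.
HASH_CMD=${HASH_CMD:-md5sum}

# verify_day <manifest> <log-dir>: prints findings, returns 1 if there are any.
verify_day() {
    manifest=$1; dir=$2; rc=0
    # 1. Every file listed in the manifest must still exist, unchanged.
    while read -r sum path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$($HASH_CMD < "$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "MODIFIED $path"; rc=1
        fi
    done < "$manifest"
    # 2. Every file now in the directory must be listed in the manifest.
    known=$(while read -r sum path; do printf '%s\n' "$path"; done < "$manifest")
    extra=$(find "$dir" -type f | while IFS= read -r f; do
        printf '%s\n' "$known" | grep -qxF -- "$f" || echo "EXTRA $f"
    done)
    if [ -n "$extra" ]; then echo "$extra"; rc=1; fi
    return $rc
}

# Constructed demo in a temporary tree laid out like /var/log/TUTTI.
demo() {
    base=$(mktemp -d); day="$base/TUTTI/03/02"
    mkdir -p "$day" "$base/MD5"
    for h in web01 db01 mail01; do
        echo "Mar  2 10:00:00 $h sshd[1]: constructed line" > "$day/$h.log"
    done
    find "$day" -type f -exec $HASH_CMD {} \; > "$base/MD5/MD5-03-02.md5"
    verify_day "$base/MD5/MD5-03-02.md5" "$day" && echo "CLEAN before changes"
    echo "edited afterwards" >> "$day/web01.log"   # content changed
    rm "$day/db01.log"                              # file removed
    echo "added afterwards" > "$day/ghost.log"     # file added
    verify_day "$base/MD5/MD5-03-02.md5" "$day" | sed "s|$day/||" | sort
    rm -rf "$base"
}

demo
```

Run the check against a copy of the manifest kept off the logserver (for instance the one saved to DVD), since anyone who can edit the logs there can also regenerate the manifest.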

Quicker Database Oracle Installs on Unbreakable Linux with the oracle-validated RPM

Source:
http://www.orablogs.com/sergio/archives/linux/index.html

In an earlier post I wrote about the Oracle channel on the Unbreakable Linux Network (ULN) and how to subscribe to it. This channel just got a great new addition in the form of the oracle-validated RPM. When you install this RPM using up2date and ULN, it will automatically install all packages required by the Oracle database installer.

[root@localhost ~]# up2date --install oracle-validated

Fetching Obsoletes list for channel: el4_i386_addons...

Fetching Obsoletes list for channel: el4_i386_oracle...

Fetching Obsoletes list for channel: el4_i386_latest...

Fetching rpm headers...
########################################

Name                                    Version        Rel
----------------------------------------------------------
oracle-validated                        1.0.0          3.el4             i386

Testing package set / solving RPM inter-dependencies...
########################################
oracle-validated-1.0.0-3.el ########################## Done.
elfutils-libelf-devel-0.97. ########################## Done.
gcc-3.4.6-3.1.0.1.i386.rpm: ########################## Done.
gcc-c++-3.4.6-3.1.0.1.i386. ########################## Done.
glibc-devel-2.3.4-2.25.i386 ########################## Done.
glibc-headers-2.3.4-2.25.i3 ########################## Done.
glibc-kernheaders-2.4-9.1.9 ########################## Done.
libstdc++-devel-3.4.6-3.1.0 ########################## Done.
sysstat-5.0.5-11.rhel4.i386 ########################## Done.
Preparing              ########################################### [100%]

Installing...
   1:libstdc++-devel        ########################################### [100%]
   2:glibc-kernheaders      ########################################### [100%]
   3:glibc-headers          ########################################### [100%]
   4:glibc-devel            ########################################### [100%]
   5:gcc                    ########################################### [100%]
   6:gcc-c++                ########################################### [100%]
   7:sysstat                ########################################### [100%]
   8:elfutils-libelf-devel  ########################################### [100%]
   9:oracle-validated       ########################################### [100%]
insmod /lib/modules/2.6.9-42.EL/kernel/drivers/net/e1000/e1000.ko
insmod /lib/modules/2.6.9-42.EL/kernel/drivers/char/hangcheck-timer.ko hangcheck_reboot=1
The following packages were added to your selection to satisfy dependencies:

Name                                    Version        Release
--------------------------------------------------------------
elfutils-libelf-devel                   0.97.1         3
gcc                                     3.4.6          3.1.0.1
gcc-c++                                 3.4.6          3.1.0.1
glibc-devel                             2.3.4          2.25
glibc-headers                           2.3.4          2.25
glibc-kernheaders                       2.4            9.1.98.EL
libstdc++-devel                         3.4.6          3.1.0.1
sysstat                                 5.0.5          11.rhel4

[root@localhost ~]#

Named after Validated Configurations, oracle-validated also creates an oracle OS user and an oinstall and dba group. Kernel parameters are also set properly, ensuring that the Oracle Universal Installer will proceed without complaints. Very nice!

--  Napoleon's principle: do not attribute to malice what can simply be explained as stupidity MaoX Blog: Problems and solutions of an IT system administrator: http://maox.blogspot.com

Installation of Oracle 9i (R2) on (Oracle) Enterprise Linux

Source:
http://ivan.kartik.sk/oracle/install_ora9_elinux.html

This paper (HOWTO) describes step-by-step installation of Oracle 9i database software on Enterprise Linux. Installation steps are valid for 32 bit (x86) and 64 bit (x86_64) architectures.

This paper covers the following steps:

Pre-Installation Tasks

1. Create oracle User Account

Log in as root and create the user oracle, which belongs to the dba group.

su -
# groupadd dba
# groupadd oinstall
# useradd -g oinstall -G dba oracle

2. Setting System parameters
Edit /etc/sysctl.conf and add the following lines:

kernel.sem = 250 32000 100 128
kernel.shmmax = 2147483648
kernel.shmmni = 128
kernel.shmall = 2097152
kernel.msgmnb = 65536
kernel.msgmni = 2878
fs.file-max = 65536
net.ipv4.ip_local_port_range = 1024 65000

Note: You need to execute "sysctl -p" or reboot the system to apply the above settings.

Edit the /etc/security/limits.conf file and add the following lines:

* - nproc 16384
* - nofile 16384

3. Setting Oracle Environment
Edit the /home/oracle/.bash_profile file and add the following lines:

Use these settings for 32bit (x86) architecture.

ORACLE_BASE=/opt/oracle
ORACLE_HOME=$ORACLE_BASE/920
ORACLE_SID=MYORACLE
LD_LIBRARY_PATH=$ORACLE_HOME/lib
LD_ASSUME_KERNEL=2.4.19
PATH=$PATH:$ORACLE_HOME/bin

export ORACLE_BASE ORACLE_HOME ORACLE_SID LD_LIBRARY_PATH LD_ASSUME_KERNEL PATH

Use these settings for 64bit (x86_64) architecture.

ORACLE_BASE=/opt/oracle
ORACLE_HOME=$ORACLE_BASE/920
ORACLE_SID=MYORACLE
LD_LIBRARY_PATH=$ORACLE_HOME/lib
LD_LIBRARY_PATH_32=$ORACLE_HOME/lib32
PATH=$PATH:$ORACLE_HOME/bin

export ORACLE_BASE ORACLE_HOME ORACLE_SID LD_LIBRARY_PATH LD_LIBRARY_PATH_32 PATH

Save the .bash_profile and execute the following commands to load the new environment:

cd /home/oracle
. .bash_profile

4. Create base directory for Oracle

Log in as root and create the base directory for Oracle ($ORACLE_BASE).

su -
# cd /opt
# mkdir oracle
# chown oracle:dba oracle

Download & Install

1. Install required .rpm packages

Some additional packages are required for successful installation of Oracle software. To check whether the required packages are installed on your operating system, use one of the following commands:

rpm -q compat-db compat-gcc-32 compat-gcc-32-c++ compat-libcom_err compat-libcwait compat-libgcc-296 compat-libstdc++-296 compat-libstdc++-33 gcc gcc-c++ glibc glibc-common glibc-devel glibc-headers glibc-kernheaders libgcc make

or

rpm -qa --qf '%{name}-%{version}-%{release}.%{arch}\n'|egrep 'compat|glibc|gcc'|sort

Required packages for 32bit (x86) architecture:

binutils-2.15.92.0.2-21
compat-db-4.1.25-9
compat-gcc-32-3.2.3-47.3
compat-gcc-32-c++-3.2.3-47.3
compat-libcom_err-1.0-5
compat-libcwait-2.1-1
compat-libgcc-296-2.96-132.7.2
compat-libstdc++-296-2.96-132.7.2
compat-libstdc++-33-3.2.3-47.3
gcc-3.4.6-3.1
gcc-c++-3.4.6-3.1
glibc-2.3.4-2.25
glibc-common-2.3.4-2.25
glibc-devel-2.3.4-2.25
glibc-headers-2.3.4-2.25
glibc-kernheaders-2.4-9.1.98.EL
libgcc-3.4.6-3.1
make-3.80-6.EL4.i386

Note: Package compat-libcwait-2.1-1.i386.rpm is not included in the Enterprise Linux installation media. You can download this package here.

Required packages for 64bit (x86_64) architecture:

binutils-2.15.92.0.2-21.x86_64
compat-db-4.1.25-9.i386
compat-db-4.1.25-9.x86_64
compat-gcc-32-3.2.3-47.3.x86_64
compat-gcc-32-c++-3.2.3-47.3.x86_64
compat-libcom_err-1.0-5.i386
compat-libcom_err-1.0-5.x86_64
compat-libgcc-296-2.96-132.7.2.i386
compat-libstdc++-296-2.96-132.7.2.i386
compat-libstdc++-33-3.2.3-47.3.i386
compat-libstdc++-33-3.2.3-47.3.x86_64
gcc-3.4.6-3.1.x86_64
gcc-c++-3.4.6-3.1.x86_64
glibc-2.3.4-2.25.i686
glibc-2.3.4-2.25.x86_64
glibc-common-2.3.4-2.25.x86_64
glibc-devel-2.3.4-2.25.i386
glibc-devel-2.3.4-2.25.x86_64
glibc-headers-2.3.4-2.25.x86_64
glibc-kernheaders-2.4-9.1.98.EL.x86_64
libgcc-3.4.6-3.1.i386
libgcc-3.4.6-3.1.x86_64
make-3.80-6.EL4.x86_64

Install the required packages using the rpm command:

# rpm -ivh <package_name>.rpm

If all required packages were installed successfully, log in as root and swap the GCC 3.4 compiler binary for the GCC 3.2 compiler binary as follows:

su -
# cd /usr/bin
# mv ./gcc ./gcc34
# mv ./gcc32 ./gcc

2. Download the Oracle 9i (9.2.0.4) software from the Oracle website for the appropriate architecture.
Direct link to Oracle Database 32bit (x86)
Direct link to Oracle Database 64bit (x86_64)

Extract the files using the following commands (for 32bit architecture):

gunzip ship_9204_linux_disk1.cpio.gz
gunzip ship_9204_linux_disk2.cpio.gz
gunzip ship_9204_linux_disk3.cpio.gz

cpio -idmv < ship_9204_linux_disk1.cpio
cpio -idmv < ship_9204_linux_disk2.cpio
cpio -idmv < ship_9204_linux_disk3.cpio

or for 64bit architecture:

gunzip amd64_db_9204_Disk1.cpio.gz
gunzip amd64_db_9204_Disk2.cpio.gz
gunzip amd64_db_9204_Disk3.cpio.gz

cpio -idmv < amd64_db_9204_Disk1.cpio
cpio -idmv < amd64_db_9204_Disk2.cpio
cpio -idmv < amd64_db_9204_Disk3.cpio

Once all archives have been extracted, you will have three directories: Disk1, Disk2 and Disk3.

3. Start the Oracle software installation process.

Now the system is prepared for Oracle software installation. To start the installation process execute the following commands (as oracle):

cd Disk1
./runInstaller

Post-Installation Tasks

1. Switch back the GCC binaries

su -
# cd /usr/bin
# mv ./gcc ./gcc32
# mv ./gcc34 ./gcc

2. (Optional) You may consider using rlwrap for comfortable work with sqlplus. The RPM package for RedHat compatible (x86) distributions can be downloaded here. The RPM for the x86_64 architecture can be downloaded here.

su -
# rpm -ivh rlwrap-0.24-rh.i386.rpm
# exit
echo "alias sqlplus='rlwrap sqlplus'" >> /home/oracle/.bash_profile
. /home/oracle/.bash_profile

Common Installation Errors

Unable to load native library: /tmp/OraInstall2006-12-20_11-11-34AM/jre/lib/i386/libjava.so: symbol __libc_wait, version GLIBC_2.0 not defined in file libc.so.6 with link time reference
Solution: Install a new JRE 1.3.1 version. Edit Disk1/install/linux/oraparam.ini and set the JRE_LOCATION variable to the path of the new JRE. For more information see the Download & Install section.

/opt/oracle/jre/1.1.8/bin/../lib/i686/native_threads/libzip.so: symbol errno, version GLIBC_2.0 not defined in file libc.so.6 with link time reference (libzip.so)
Solution: Set the LD_ASSUME_KERNEL=2.4.19

/tmp/OraInstall2006-12-20_11-38-19AM/jre/lib/i386/libawt.so: libXp.so.6: cannot open shared object file: No such file or directory
Solution: Install the xorg-x11-deprecated-libs package.

Starting Oracle Intelligent Agent…/opt/oracle/920/bin/dbsnmpwd: line 156: 10736 Segmentation fault nohup $ORACLE_HOME/bin/dbsnmp $* >>$DBSNMP_WDLOGFILE 2>&1
/opt/oracle/920/bin/dbsnmpwd: line 156: 10749 Segmentation fault nohup $ORACLE_HOME/bin/dbsnmp $* >>$DBSNMP_WDLOGFILE 2>&1
/opt/oracle/920/bin/dbsnmpwd: line 156: 10761 Segmentation fault nohup $ORACLE_HOME/bin/dbsnmp $* >>$DBSNMP_WDLOGFILE 2>&1
/opt/oracle/920/bin/dbsnmpwd: line 156: 10773 Segmentation fault nohup $ORACLE_HOME/bin/dbsnmp $* >>$DBSNMP_WDLOGFILE 2>&1

Solution: Download and apply patch nr.: 3238244 from http://metalink.oracle.com.

Exception in thread "main" java.lang.InternalError: Can't connect to X11 window server using 'localhost:0.0' as the value of the DISPLAY variable.
Solution: Execute "export DISPLAY=:0.0" (as the oracle user) and "xhost +" as the user who has opened the X session (for example, logged in to KDE, GNOME, etc.). If the value is other than 127.0.0.1 or localhost, you should run "xhost +" on the client machine. Because "xhost +" disables X access control for every host, run "xhost -" to re-enable it once the installer has finished.

Error in invoking target install of makefile /opt/oracle/920/ctx/lib/ins_ctx.mk
Error in invoking target install of makefile /opt/oracle/920/precomp/lib/ins_precomp.mk
Error in invoking target install of makefile /opt/oracle/920/plsql/lib/ins_plsql.mk
Error in invoking ntcontab.o of makfile /opt/oracle/920/network/lib/ins_net_client.mk

Solution: Some of the required packages are missing (not installed on your OS) or the GCC binaries were not switched. For more information see the Download & Install section.

