Symantec Enterprise Security Manager Modules for Oracle Release Notes

Release 5.0 for Symantec ESM 9.0 and 10.0

For Red Hat Enterprise Linux, HP-UX, AIX, Solaris, and Windows
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version: 5.0

Legal Notice

Copyright 2011 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, ActiveAdmin, BindView, bv-control, and LiveUpdate are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party ("Third Party Programs"). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation 350 Ellis Street Mountain View, CA 94043 http://www.symantec.com
Technical Support

Contacting Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's support offerings include the following:

- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
- Upgrade assurance that delivers software upgrades
- Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
- Premium service offerings that include Account Management Services

For information about Symantec's support offerings, you can visit our Web site at the following URL: www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Customers with a current support agreement may access Technical Support information at the following URL: www.symantec.com/business/support/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:

- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description:
  - Error messages and log files
  - Troubleshooting that was performed before contacting Symantec
  - Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL: www.symantec.com/business/support/

Customer Service is available to assist with non-technical questions, such as the following types of issues:

- Questions regarding product licensing or serialization
- Product registration updates, such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade assurance and support contracts
- Information about the Symantec Buying Programs
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs or manuals

Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:

- Asia-Pacific and Japan: customercare_apac@symantec.com
- Europe, Middle-East, and Africa: semea@symantec.com
- North America and Latin America: supportsolutions@symantec.com
What's new

This document includes the following topics:

- What's new
- New support
- About uninstalling the ESM Oracle Application module
- New logging functionality
- New options added for esmorasetup
- New parameter added in the oraenv.dat file
- New checks
- New messages
- New templates
- Modified templates
- Enhancements
- Resolved issues

What's new

This release includes the following features and enhancements:

- New platform support
- Real Application Cluster (RAC) support
- Uninstallation of the Oracle Application module
- New logging functionality
- Three new options in the esmorasetup
- One new parameter added in the oraenv.dat file
- One new check in the Oracle Auditing module (Windows and UNIX)
- Two new checks in the Oracle Roles module (Windows and UNIX)
- One new check in the Oracle Profiles module (Windows and UNIX)
- One new check in the Oracle Patches module (Windows and UNIX)
- One new template in the Oracle Auditing module (Windows and UNIX)
- One new template in the Oracle Patches module (Windows and UNIX)
- Two new templates in the Oracle Roles module (Windows and UNIX)
- Two new messages in the Oracle SID Discovery module (Windows and UNIX)
- One new message in the Oracle Profile module (Windows and UNIX)

New support

This release of Symantec ESM Modules for Oracle database supports the following:

New Platform support:

- AIX 7.1 PPC64 (64-bit)
- Red Hat Enterprise Linux x86_64 (5.x)

Real Application Cluster (RAC) support:

- AIX 6.1 PPC64 (64-bit) with Oracle 10.2.0.x
- AIX 7.1 PPC64 (64-bit) with Oracle 11.2.0.1

About uninstalling the ESM Oracle Application module

This release of Symantec ESM Modules for Oracle database includes uninstallation of the Oracle Application module. Using this feature, you can uninstall all the components of the ESM Oracle Application module that are installed on the ESM agent computer. You can uninstall the ESM Oracle Application module using the module executables.
Note: If you install the ESM Oracle Application Module 5.0 by using the esmora.tpi, the uninstallation process completes successfully. However, if you install the ESM Oracle Application Module 5.0 by using LiveUpdate, the uninstallation process may abort. This is because, to uninstall the ESM Oracle Application module, the program looks for a specific or a later version of the register binary. The version of the register binary gets automatically updated if the installation is through the esmora.tpi.

New logging functionality

This release of Symantec ESM Modules for Oracle database introduces a new logging feature that enables ESM to log the information, such as errors and exceptions, that a module generates at run time. This feature is currently enabled for the Windows and UNIX Oracle Accounts, Oracle Auditing, Oracle Network, and Oracle Configuration modules. For the Oracle Profiles and Oracle Roles modules, this feature is only available on the new checks that are being shipped with Oracle 5.0.

New options added for esmorasetup

The following options have been added for the esmorasetup:

-eof
    Specify the file name that gets created with the encrypted credentials.

-eif
    Specify the file name that contains the encrypted credentials.

-N
    Specify this option during the SID configuration, if you do not want to verify the SID name in the oratab file. You must specify one in the Check SID process only text box if you want to run the Oracle SID Discovery module after you have updated the configuration file using the -N option. The default value of the text box is zero. If the text box is set to zero, then the module reports the instance as a retired instance.
    Note: This option is only applicable on UNIX.

New parameter added in the oraenv.dat file

This release of Symantec ESM Modules for Oracle database adds the following new parameter in the oraenv.dat file:
MANAGEORAUSERPASSWORD

You can use this parameter to enable the password management for the pre-created accounts. By default, this parameter is set to 0. To enable, set the parameter to 1. When enabled, the ESM Oracle modules for Oracle database manage the passwords for the pre-created accounts that are explicitly configured with the respective Oracle databases.

New checks

This release of Symantec ESM Modules for Oracle database adds the following new checks in the Oracle modules:

Table 1-1 gives a list of the new checks that are added to the Oracle modules.

Table 1-1 Module name, check name, and description

Module name: Oracle Auditing
Check name: Audit settings
Description: This check reports the audit settings that do not match the settings that are specified in the template file. Use the name list to enable or disable the template files.

Module name: Oracle Roles
Check name: Granted privileges
Description: This check reports the privileges and the associated users and roles that violate the conditions that you specify in the template. Use the name list to enable or disable the template file.

Module name: Oracle Roles
Check name: Granted roles
Description: This check reports the users and the roles that violate the conditions that you specify in the template. Use the name list to enable or disable the template file.
Table 1-1 Module name, check name, and description (continued)

Module name: Oracle Profiles
Check name: Profile settings
Description: This check reports the profile settings that do not match the settings that are specified in the template file. Use the name list to enable or disable the template files.

Module name: Oracle Patches
Check name: SID info
Description: This check adds the relevant SIDs to the patch messages that are reported from the Patch information and Installed patches checks.

New messages

This release of Symantec ESM Modules for Oracle database adds the new messages in the following modules:

- Oracle SID Discovery (Windows and UNIX)
- Oracle Profile (Windows and UNIX)

Oracle SID Discovery (Windows and UNIX)

New messages have been added to the following checks in the SID Discovery module.

Table 1-2 shows the checks with their new messages.

Table 1-2 Checks with their new messages

Checks: Detect Retired Instances and Automatically Delete Retired Instances
New messages: Oracle instance process is not running

Checks: Detect New Instance
New messages: Oracle instance process is not running; This instance is skipped from Configuration

The messages are reported if the checks do not find the SID service in the running state although the SID entry is present in the oracle.dat file.
Oracle Profile module (Windows and UNIX)

A new message has been added to the Password reuse max and Password reuse time checks in the Oracle Profile module. The checks report this message if the reuse settings are found to be weaker than the values that you specify in the check. This message is reported only when you have enabled both the checks.

Table 1-3 shows the new message for the Oracle Profile module.

Table 1-3 New message for the Oracle Profile module

Message String ID: ORA_PROFILE_PASS_REUSE_WEAK
Message Title: Password reuse settings weaker than expected
Message Severity: yellow-1

New templates

This release of Symantec ESM Modules for Oracle database adds new templates across various modules.

Table 1-4 gives a list of the new templates that are added to the Oracle modules.

Table 1-4 Module name, template name, description

Module name: Oracle Auditing (Windows and UNIX)
Template name: Oracle Auditing
Description: The Auditing Setting check uses the Oracle Auditing template to report the audit settings that do not match the settings that are specified in the template.
Table 1-4 Module name, template name, description (continued)

Module name: Oracle Patches (Windows and UNIX)
Template name: Oracle Patch
Description: A new template, ora_cpu_psu.orp, has been added to the Patch Information check. The default extension of the template is .orp. By using this template, the check reports information on the critical patch updates (CPU) and patch set updates (PSU). You can create and use this template like you create and use the Oracle Patch template. However, the ora_cpu_psu.orp and orapatch.orp are separate templates and should not be run together. If you enable the templates at the same time, the check may report false positives.
Note: The ora_cpu_psu.orp template includes the latest critical patch updates and patch set updates from January 2011.

Module name: Oracle Profiles (Windows and UNIX)
Template name: Profile settings
Description: The Profile settings check uses the Oracle Profiles template to report on the roles that you specify in the template.

Module name: Oracle Roles (Windows and UNIX)
Template name: Oracle System Privileges
Description: The Granted privileges check uses the Oracle System Privileges template to report on the system privileges that you specify in the template.

Module name: Oracle Roles (Windows and UNIX)
Template name: Oracle Roles
Description: The Granted roles check uses the Oracle Role template to report on the roles that you specify in the template.
Modified templates

This release of Symantec ESM Modules for Oracle database modifies the following templates:

- Oracle Configuration Watch
- Oracle Object Privileges

Oracle Configuration Watch

The Oracle Configuration Watch template has been enhanced to report on the SEC_CASE_SENSITIVE_LOGON setting that enables or disables the password case sensitivity in the database. The Oracle configuration watch check verifies whether this setting is enabled or disabled in the database.

Oracle Object Privileges

The Oracle Object Privileges template has been enhanced with a new Exclude List sublist. The following new columns are added to the Exclude List sublist:

Exclude
    Specify the following that you want to exclude:
    - Object Name
    - Owner
    - Object Privilege
    - Grantor
    - Grantee

Name
    Specify the name that you want to exclude.

The Exclude field works with the Name field. For example, if you want to exclude a grantee name from reporting, select Grantee from the Exclude drop-down list and enter the name of the grantee (DBA) in the Name field.

Updates on the Oracle Patch template

From this release onwards, the following changes are made to the existing Oracle Patch template:

- The template only includes the patches that are critical, legislative, recommended, and are related to security.
- The template only includes the patch entries that are present on the Oracle site.
- The template that is being shipped with Oracle 5.0 release overwrites the earlier template.

Note: The changes are made to keep alignment with the changes that are made on the Oracle site.

Enhancements

This release enhances the following modules:

All Oracle modules (UNIX)
    Earlier, while configuring the Oracle database by using the esmorasetup or SID Discovery module, ESM reported error messages for Physical Standby databases. The messages have now been changed to: The database is configured as a backup database. Run the setup again when the database becomes active.
    All other Oracle modules have also been enhanced to report the specified message when they are run on the Physical Standby databases.

Oracle Objects (Windows and UNIX)
    A default template, Oracle Object Privileges, is now available with the Object Privileges check. The Oracle Object Privileges template has a default .oop extension.

Oracle Auditing (UNIX)
    A new name list, Users/Roles, has been added to the Audit trail protection check. Use the name list to include or exclude either the users or the roles or both for the check to report on.

Oracle Objects (Windows and UNIX)
    The following message has been removed from the Object Privileges check: ORA_OBJ_NOT_FOUND
    The check reported this message if the selected object was not present in the database or the information for the selected object was incorrect in the template.

Oracle SID Discovery (UNIX)
    A new text box, Check SID process only, is added to the Detect Retired Instance check. If you specify zero in the text box, the check verifies the state of the Oracle instance if its entry is present in the oratab file. If you specify one in the text box, the check reports the retired Oracle instance irrespective of its presence in the oratab file.
Oracle SID Discovery (Windows and UNIX)
    The descriptions of the following checks have been updated:

    Automatically Deleted Retired Instance (Windows and UNIX)
        This check works with the Detect Retired Instance check and automatically deletes the corresponding retired server records from the configuration file. You can use this check to automate the module, to detect the uninstalled database instances or to detect the instances that are unavailable, and then to delete the corresponding entries from the oracle.dat file.

    Detect New Instance (UNIX)
        This check reports the instances that are newly discovered on the ESM agent computers and which are not configured in the ESM Oracle configuration file. These instances should be present in the oratab file and the corresponding Oracle service of the instances should also be available. Use the name list to include or exclude the Oracle SIDs from the configuration file.

    Detect New Instance (Windows)
        This check reports the instances that are newly discovered on the ESM agent computers and which are not configured in the ESM Oracle configuration file. The corresponding Oracle service of the instances should also be available in running state.

    Detect Retired Instance (Windows)
        This check reports all the instances that are present in the ESM Oracle configuration file, but the Oracle service is unavailable.

    Note: The Check SID process only text box is only applicable for the UNIX platforms.

Resolved issues

This release resolves the following issues:
Installation and configuration (AIX-PPC64)
    Earlier during configuration, the ESM 32-bit Oracle Application module on Oracle 64-bit database reported an error message because the 32-bit libraries could not be found in ORACLE_HOME/lib32. As a result, the ESM Oracle Application module could not be configured. This issue has now been resolved. On AIX-PPC64, ESM Oracle Application module is now 64-bit and only supports Oracle 64-bit database.

Installation and configuration (Windows)
    Earlier during configuration, the ESM 64-bit Oracle Application module on Oracle 32-bit database reported an error message and, as a result, the ESM Oracle Application module could not be configured. This issue has now been resolved. On a 64-bit agent, if Oracle 32-bit database is installed, then to report on the Oracle database, you must also install a 64-bit Oracle client in a folder that is at the same level as the Oracle Home, and name the folder client_1.

Oracle SID Discovery (UNIX)
    The Detect Retired Instances and Automatically Delete Retired Instances checks have now been enhanced to do the following:
    - Report or delete those instances that are present in the oratab file, but are not found in a running state.
    - Do not report or delete those instances that are not present in the oratab file, but are found in a running state.

Oracle SID Discovery (UNIX)
    The module has been enhanced to first verify whether the SID is active and primary. Depending on the output, the check reports the following message: The database is configured as a backup database. Run the setup again when the database becomes active.

Oracle Network (Solaris)
    Earlier, the Oracle net configuration watch check could not compare the parameter names and their values that were found in the listener.ora file with the values that were present in the template if the parameters in the listener.ora file were greater than 30. This issue has now been resolved.
Oracle Network (RedHat)
    Earlier on Oracle cluster, the module referred to Oracle DB home/network/admin for the listener.ora file instead of GRID_HOME/network/admin. This issue has now been resolved. You can now add the GRID_HOME option to the oraenv.dat file as:

    config GRID_HOME /u01/app/grid

    On a non-cluster database or if the file does not exist, the module falls back on ORACLE_HOME/network/admin/listener.ora.
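
The listener.ora lookup order described above, as an added shell example that is not part of the release notes or of the ESM module: given an oraenv.dat path and an ORACLE_HOME, it prints the listener.ora that this order selects, so an auditor can confirm that the file being checked on a cluster is the one under GRID_HOME. The function names, the argument order, and the demo directory tree are assumptions; only the `config GRID_HOME <path>` line format and the two file locations come from the text.

```shell
#!/bin/sh
# Added example (not ESM code): reproduce the listener.ora lookup order from
# the release note so the audited file can be confirmed on a given host.
# Assumptions: oraenv.dat holds lines of the form "config GRID_HOME <path>"
# (the form shown above) and the path contains no whitespace.

# Print the GRID_HOME value configured in oraenv.dat; fail if there is none.
grid_home_from_oraenv() {
    oraenv_file=$1
    [ -r "$oraenv_file" ] || return 1
    awk '$1 == "config" && $2 == "GRID_HOME" && NF >= 3 { v = $3 }
         END { if (v == "") exit 1; print v }' "$oraenv_file"
}

# Print which home supplies listener.ora: GRID_HOME or ORACLE_HOME.
# GRID_HOME is used only when it is configured and the file exists there.
listener_ora_source() {
    if grid_home=$(grid_home_from_oraenv "$1") &&
       [ -f "$grid_home/network/admin/listener.ora" ]; then
        echo GRID_HOME
    else
        echo ORACLE_HOME
    fi
}

# Print the listener.ora path selected for (oraenv.dat, ORACLE_HOME).
resolve_listener_ora() {
    oracle_home=$2
    if [ "$(listener_ora_source "$1")" = GRID_HOME ]; then
        printf '%s\n' "$(grid_home_from_oraenv "$1")/network/admin/listener.ora"
    else
        printf '%s\n' "$oracle_home/network/admin/listener.ora"
    fi
}

# Constructed demo tree: a cluster layout where both homes hold a listener.ora.
make_demo_tree() {
    root=$1
    mkdir -p "$root/grid/network/admin" "$root/db/network/admin"
    : > "$root/grid/network/admin/listener.ora"
    : > "$root/db/network/admin/listener.ora"
    printf 'config GRID_HOME %s\n' "$root/grid" > "$root/oraenv.dat"
}

demo_root=$(mktemp -d)
make_demo_tree "$demo_root"
echo "source: $(listener_ora_source "$demo_root/oraenv.dat")"
echo "file:   $(resolve_listener_ora "$demo_root/oraenv.dat" "$demo_root/db")"
rm -rf "$demo_root"
```
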