Pete Finnigan's Oracle Security Weblog

I just got an email from Tim to let me know that he has updated his excellent fileprobe.sh script. I have a link to this script and also Tim's other Oracle security shell scripts on my Oracle security tools page which I have just updated to note this change or you can get them on Tim's site.

This script is used to audit operating system files related to the Oracle installation for security issues. It is a shell script so therefore supports Unix / Linux operating systems. It is also a Korn Shell script so if you are on Linux and do not have KSH installed then either install it or use bash instead. You are on your own to run it under bash but it should either work or have simple issues to fix ( I have not tried it myself with bash). The script reports any issues found and also generates a shell script that can be used to fix the issues. As Tim states in the file header:

"# IT IS CRUCIAL THAT THE GENERATED SCRIPT BE CONSIDERED
# ONLY AS A REPORT OF SUGGESTIONS, AND THAT IT BE REVIEWED
# CAREFULLY BEFORE BEING CONSIDERED FOR USE.
#
# All commands in the script are commented out for this reason.
# To actually use the generated shell script, you must first
# edit it to "uncomment" the generated commands, thereby
# taking full responsibility for their use."

Tim has made a few alterations to this script - rather than paraphrase them I will quote the section from the header :

"# Modifications:
# 15apr05 TGorman - added exceptions on SETUID and SETGID checks for
# "$ORACLE_HOME/bin/oracle", "$ORACLE_HOME/bin/dbsnmp",
# and "$ORACLE_HOME/dbs/orapw$ORACLE_SID" files,
# because these files are supposed to have these
# permissions...
# - added exceptions on "owner" and "group" checks for
# "lost+found" directories, which are supposed to be
# owned by "root", not the Oracle software owner...
# - added more disclaimers against running the generated
# shell script without carefully reviewing and
# understanding what the generated commands are intended
# for...
# 27apr05 TGorman - added restriction on check for files/dirs not
# belonging to "dba" group to check only files
# belonging to "oracle" user; intent is to prevent
# unnecessary double-reporting...
# - added more-graceful error handling when SQL*Plus
# errors are encountered (such as Oracle instance
# not running)...
# - added additional check for files and directories
# that are not writable by the Oracle software owner,
# thus potentially causing problems during patching..."

This is an excellent script and if you have been making use of it previously, I suggest that you go on over to Tim's site and download the updated version.