Archive for the ‘Oracle Enterprise Manager’ Category

ORA-04063

April 3, 2012

Error: ORA-04063

OEM Error when assigning an email id to SYS user:

Internal error. ORA-04063: package body "SYSMAN.EMD_NOTIFICATION" has errors
ORA-06508: PL/SQL: could not find program unit being called: "SYSMAN.EMD_NOTIFICATION"
ORA-06512: at "SYSMAN.MGMT_PREFERENCES", line 1536
ORA-06512: at line 1

Cause:

Oracle policy recommends revoking the EXECUTE privilege on UTL_SMTP from PUBLIC. Doing so takes the privilege away from SYSMAN as well, and SYSMAN needs EXECUTE on UTL_SMTP and UTL_TCP to send notifications.

Workaround:

1. Log into the repository database as sys:

grant execute on sys.utl_smtp to sysman;
grant execute on sys.utl_tcp to sysman;

2. Compile:

alter package sysman.emd_notification compile;
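
SYSMAN is not necessarily the only schema that relies on the PUBLIC grant. The queries below are an added example, not part of the original post: they find other schemas that would break in the same way, using the package list from the OEM findings on this page and assuming a session with access to the DBA_* dictionary views.

```sql
-- Added example. Run as SYS or any user that can read the DBA_* views.

-- 1. Flagged packages that PUBLIC can still execute.
SELECT owner, table_name AS package_name, privilege
FROM   dba_tab_privs
WHERE  grantee    = 'PUBLIC'
AND    privilege  = 'EXECUTE'
AND    owner      = 'SYS'
AND    table_name IN ('UTL_FILE', 'UTL_SMTP', 'UTL_TCP',
                      'UTL_HTTP', 'DBMS_RANDOM')
ORDER  BY table_name;

-- 2. Schemas whose stored code references a flagged package but has
--    no direct EXECUTE grant on it. Stored PL/SQL does not use
--    privileges received through roles, so only direct grants count.
--    Each row is a schema that needs its own grant before the revoke.
SELECT DISTINCT d.owner, d.referenced_name AS package_name
FROM   dba_dependencies d
WHERE  d.referenced_name  IN ('UTL_FILE', 'UTL_SMTP', 'UTL_TCP',
                              'UTL_HTTP', 'DBMS_RANDOM')
AND    d.referenced_owner IN ('SYS', 'PUBLIC')
AND    d.owner NOT IN ('SYS', 'PUBLIC')
AND    NOT EXISTS (
         SELECT 1
         FROM   dba_tab_privs p
         WHERE  p.grantee    = d.owner
         AND    p.owner      = 'SYS'
         AND    p.table_name = d.referenced_name
         AND    p.privilege  = 'EXECUTE')
ORDER  BY 1, 2;

-- 3. After the revoke: objects left invalid, to recompile once the
--    direct grants from step 2 are in place.
SELECT owner, object_name, object_type
FROM   dba_objects
WHERE  status = 'INVALID'
ORDER  BY owner, object_type, object_name;
```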


Security Policy Violations in OEM

April 3, 2012

Found these four policy violations under the ‘Security’ category in OEM:

1. EXECUTE UTL_FILE privileges to PUBLIC

Recommendation: Oracle recommends that you revoke EXECUTE privileges on powerful packages from PUBLIC

Violation Count: 1 Details: Package UTL_FILE

Solution:

REVOKE EXECUTE ON UTL_FILE FROM PUBLIC;

Anyone that happens to get any userid and password on your database will be able to use UTL_FILE.

This may be legitimate, or it may be malicious – and you have absolutely no control over it if the package is granted to public.

For example, person A legitimately dumps confidential data (or has a comma-delimited spreadsheet with payroll info) in the UTL_FILE directory. Person B, a casual employee who is unhappy and about to be fired, happens to get access to the database because the demo user SCOTT is unlocked with password TIGER. Person B can now access the confidential data.

Oracle uses the ‘least privilege’ security principle. That means Oracle recommends that EXECUTE on several packages, such as UTL_FILE, be granted on a need-to-use basis instead of simply being granted to PUBLIC.

2. Excessive PUBLIC EXECUTE privileges

Recommendation: Oracle recommends that you revoke EXECUTE privileges on powerful packages from PUBLIC

Violation Count: 4 Details: Package UTL_SMTP, DBMS_RANDOM, UTL_TCP, UTL_HTTP

Solution:

REVOKE EXECUTE ON UTL_SMTP FROM PUBLIC;
REVOKE EXECUTE ON DBMS_RANDOM FROM PUBLIC;
REVOKE EXECUTE ON UTL_TCP FROM PUBLIC;
REVOKE EXECUTE ON UTL_HTTP FROM PUBLIC;

3. Well-known accounts Security

Recommendation: Oracle recommends that you expire and lock well-known accounts

Violation Count: 1 Details: Account OUTLN (open)

4. Default passwords Security

Recommendation: Oracle recommends that all default passwords be changed

Violation Count: 1 Details: Account OUTLN
