Category: Oracle

When Auditing Attacks

I had a particularly annoying problem with Oracle auditing a few days ago. I thought I would write about it here in case anybody knows a solution, or if anyone at Oracle cares to add the functionality I need. 🙂

The problem

I was asked to audit selects against tables in a particular schema when issued by several users. For the sake of this post let’s assume the following.

  • SCHEMAOWNER : The owner of the tables that are to be audited.
  • USER1, USER2, USER3 : The three users whose select statements are to be audited.

So I decided the write an audit policy.

Option 1 : Audit all selects, regardless of schema

My first thought was to do this.

create audit policy my_select_policy
actions select
when q'~ sys_context('userenv', 'session_user') in ('USER1','USER2','USER3') ~'
evaluate per session
container=current;

The problem is it produced masses of audit records, most of which were referencing selects against objects owned by other schemas. I have so many records I can’t actually purge the audit trail. I’m having to wait until the next partition is created in a month, so I can drop the current partition and shrink the data files. 🙁

Option 2 : Explicitly list all objects to be audited

So I need to make the policy more granular, which I can do by explicitly referencing all objects I want to audit, like this.

create audit policy my_select_policy
actions select on schemaowner.tab1,
        select on schemaowner.tab2,
        select on schemaowner.tab3
when q'~ sys_context('userenv', 'session_user') in ('USER1','USER2','USER3') ~'
evaluate per session
container=current;

The problem is there are loads of tables in the schema, so doing this is a pain. I could generate the statement using a script, but even then if someone adds a new table the audit policy wouldn’t pick it up.

What I really want

What I really want is to be able to limit the action to a specific schema. The specific syntax is not important. The result is what matters. Maybe something like this.

-- Use and explicit schema reference,
create audit policy my_select_policy
  actions select on schema schemaowner
when q'~ sys_context('userenv', 'session_user') in ('USER1','USER2','USER3') ~' 
evaluate per session
container=current;

Thoughts

I don’t believe the current syntax for audit policies allows them to be limited by schema, so I’m faced with generating masses of unnecessary audit records, or having to explicitly name every table. 🙁

This all sounded kind-of familiar, and when I did a bit of Googling I found this note by Pete Finnigan. So I’m not alone in finding this frustrating.

Cheers

Tim…

HP-UX and Oracle 11g : Don’t let the door hit you on ass on the way out…

We had a pretty momentous occasion recently. We finally got rid of the last of our HP-UX servers, and with it the last of our Oracle 11g databases and Oracle Forms apps.

We use VMware virtual machines running Oracle Linux for nearly all our databases. We pushed really hard over the last couple of years to get everything migrated to 19c. Despite this, there were two projects that were left behind on HP-UX and Oracle 11g. They were effectively dead projects, from the time before we moved to Oracle Cloud Apps, about 5 years ago. We couldn’t get rid of them because people wanted to look at the historical data, but there was very little appetite to do anything with them…

Finally, over the last year we’ve had an archive project running, which involved moving the databases on to Oracle Linux and upgrading to 19c. That bit was easy. The other bit of the project involved building two new APEX apps to replace a 3rd party application and an old Oracle Forms 11g app. Those went live a few months ago, but there was still a lot of reluctance to actually decommission the old systems.

Recently we finally got the approval to turn off the old systems, and decommission the old HP-UX kit. When the change went through the Change Advisory Board (CAB) it was such a relief…

The kit is now decommissioned, and I’ve just been clearing the agents out of Cloud Control, so it’s finally over. No more HP-UX. No more Oracle 11g. No more Oracle Forms…

Now all we have to do is replace a whole load of Oracle Linux 7 servers, and get ready to upgrade to the next long term release of the database… 🙂

Cheers

Tim…

Search Trends and Oracle

Please read the update before jumping to any conclusions. 🙂

I was chatting with some folks the other day and the question was raised about if we had seen a decline in our website activity. Since the vast majority of my website traffic comes from Google searches, I figured the obvious thing to do was to look at what is happening on Google Trends in terms of search terms. That way we were not focusing on the popularity of a specific site, but on searches in general. That resulted in this rather alarming graph showing a trend over the last 20 years.

I guess we all thought this decline was at the expense of another engine, so our obvious next thought was to compare against the other relational database engines. One of the guys suggested we also compare the word “database” as well, just to see. This is the resulting graph.

It should be noted we tried variations on “sql server” and “postgresql”, but they didn’t affect the searches. Feel free to try for yourself. 🙂

So the decline in searches was not restricted to Oracle. You may notice this is related to “All Categories” of search, and the word “oracle” is not specific to the database, so I tried in “Computers & Electronics”, and we got a similar result.

For subsequent searches I switched back to “All Categories”.

If we switch to the last 5 years, things seem to have levelled off somewhat.

So the next question was if NoSQL databases were eating into the relational database market. A straight search looked interesting.

But what happens when we add Oracle back into the mix. Does the rise in popularity of some NoSQL databases account for the drop in searches for relational databases?

It doesn’t look like it. The gains in some NoSQL databases are insignificant compared to the reductions in searches for relational databases.

So we are left with a question. Why is there a drop off in searches for relational databases, when there doesn’t seem to be a corresponding uptick in alternatives?

Update : So what is really going on?

The graphs are not absolute search numbers, but normalised compared to the total Google searches that happened. Back in the day only geeks were Googling, so tech searches were a comparatively high percentage. Now everyone is Googling, the proportion of tech searches is much lower compared to the random stuff. Check out the FAQ about Google Trends data. So in our case, the trend over time of an individual term is not so important as the comparison between two search terms over time, as both should be affected in a similar way by the normalisation…

What we can see is over time the searches for different relational engines have got closer. If we are using the number of searches as a proxy for popularity, then it seems it’s a much closer game now than before.

Cheers

Tim…

PS. Thanks to the folks that pointed me in the right direction about Google Trends.

PPS. I noticed the switch from 12c to 19c searches over recent years.

The Oracle ACE Program : My 18 Year Anniversary

It’s April 1st, which means it’s my 18th year anniversary of being an Oracle ACE.

As usual I’ll mention some of the other anniversaries that will happen throughout this year.

  • 29 years working with Oracle technology in August. (August 1995)
  • 24 years doing my website in July. (Original name: 03 July 2000 or current name: 31 August 2001)
  • 19 years blogging in June. (15 June 2005)
  • 18 years on the Oracle ACE Program. (01 April 2006)
  • 9 years doing videos on my YouTube channel, with some breaks of course.

Fingers crossed for next year…

Cheers

Tim…

APEX : Keeping up to date is so easy…

Over the years I’ve extolled the virtues of Oracle Application Express (APEX) because of the ease of development. I think low code tools are a massive boon to productivity. Of course there are some tasks that need alternative tools, but for many scenarios low code tools are awesome.

Something else I find really appealing about APEX is the ease of upgrades. I’m not talking about how easy it is to apply the upgrade itself, because updating Java and Tomcat versions on a server is really easy too. I mean how simple it is from a wider perspective.

I was the first person in my company to use APEX. I used it to write some utility type applications, when it was still “forbidden”. Some of these applications were written over a decade ago, and they are still working fine. In that time we’ve had regular APEX upgrades, and they’ve just kept going. No refactoring. No drama.

Of course, they aren’t using all of the new features that were added in subsequent releases, but the important thing is all that development investment was not impacted by staying on the latest APEX release and patch set. In comparison, updating some of our other platforms and frameworks is a nightmare, requiring substantial development effort and testing.

So it’s not just about improving productivity during the development phase. It’s also about the reduction in the total cost of ownership (from a development perspective) over the lifespan of the application.

Just thought I would share that thought, as I upgrade & patch some production systems… 🙂

Cheers

Tim…

Oracle VirtualBox 7.0.14

VirtualBox 7.0.14 has been released.

The downloads and changelog are in the usual places.

I’ve installed it on my Windows 10 and 11 machines with no drama.

Vagrant 2.4.0

Vagrant 2.4.0 is still the current release, so no change there.

If you are new to Vagrant and want to learn, you might find this useful.

Once you understand that, I found the best way of learning more was to look at builds done by other people. You can see all my Vagrant builds here.

I’ve updated my Vagrant builds to include the latest Oracle patches, along with GraalVM, ORDS, SQLcl and Tomcat.

Packer 1.10.0

I use Packer to rebuild my Vagrant boxes (Oracle Linux 7, 8 and 9) so they have the latest guest additions. The current set of boxes were built using Packer 1.10.0. The new version of the boxes can be seen here.

If you are interested in creating your own Packer builds, you might take inspiration from mine, available here.

Packer has been warning about using built in plugins for some time. This version doesn’t use built in plugins at all, so I had to do the following (in bold) to load the plugins, so I could perform a build.

set PATH=%USERPROFILE%\u01\software\hashicorp\packer_1.10.0_windows_amd64;%PATH%
packer plugins install github.com/hashicorp/vagrant
packer plugins install github.com/hashicorp/virtualbox

cd \git\oraclebase\vagrant\packer\ol9

packer build -only virtualbox-iso ol9.json

How did it all go?

The new versions of VirtualBox and Packer worked fine. 🙂

What about the VirtualBox GUI?

Just a quick warning. I do everything using Vagrant, so I rarely look at the VirtualBox GUI. Remember, when I say everything worked fine, I mean for what I use.

Cheers

Tim…

Oracle Database 19c on Oracle Linux 9 (OL9): Installation Articles and Vagrant Builds

Earlier this year I wrote a rant about the lack of product certifications on Oracle Linux 9 (OL9).

One of the points I made was we are having to replace OL7 servers, but were forced to go to OL8 because Oracle 19c was not certified on OL9, and Oracle 23c on-prem is not available.

This blog post by Mike DieTrich changed all that because now 19c is certified on OL9, provided you are on patch 19.19 or above, and are on the correct version of UEK or the RHEL kernel. See Mike’s post for details.

Installation Articles

Of course, this triggered some installation articles.

Vagrant Builds

There are database, RAC and Data Guard vagrant builds here.

Odd Occurrence

I noticed something a little odd when doing these builds using the 19.21 RU patches.

For the database and Data Guard builds I used the DB RU and OJVM combo patch, and I was still forced to fake the distribution using the CV_ASSUME_DISTID environment variable. For the RAC build I used the GI RU and OJVM combo patch, and I didn’t need to fake the distribution.

I went back to the DB build, and instead used the GI RU and OJVM combo patch, and I no longer needed to fake the distribution. So it looks like there is something different about the database patches between these two types of RUs that slightly affect the installation process. It’s no big deal, but it might catch you out.

Oracle 19c is old. Why do you care?

We are in the process of replacing a load of VMs that are currently running OL7, and we want to go to OL9. Prior to this announcement were were going to have to do one of two things.

  • Migrate to 19c on OL8, which would be OK for 23c when it drops, but not ideal as building an OL8 box now seems like a fail.
  • Wait for 23c on-prem to drop and move to 23c on OL9. The problem here is we could run out of time waiting for 23c to come.

This announcement gives us a new option.

  • Migrate to 19c on OL9, then upgrade to 23c when the on-prem version drops.

This third option is way better for us!

Remember

There are a couple of things to remember.

  • You need to be on 19c to upgrade to 23c, so getting your 19c database on an OS that is supported for 23c is important. We’ve had confirmation that 23c will be available for OL8 and OL9 on release.
  • The extended support waiver for 19c was increased from 1 year to 2 years. Mike also wrote about this here. That means you get free extended support for 19c until April 30, 2026.

Conclusion

This is massive for us. I’m very happy!

Cheers

Tim…

Oracle VirtualBox 7.0.12, Vagrant 2.4.0 and Packer 1.9.4

Oracle VirtualBox 7.0.12

VirtualBox 7.0.12 has been released.

The downloads and changelog are in the usual places.

I’ve installed it on my Windows 10 and 11 machines with no drama.

Vagrant 2.4.0

Releases of VirtualBox prompt me to check for new versions of Vagrant. The current version is Vagrant 2.4.0. All my test systems are built with Vagrant, so I installed it as well.

If you are new to Vagrant and want to learn, you might find this useful.

Once you understand that, I found the best way of learning more was to look at builds done by other people. You can see all my Vagrant builds here.

I’ll be doing some updates to my Oracle builds over the coming days, so this will get a lot of testing.

Packer 1.9.4

I use Packer to rebuild my Vagrant boxes (Oracle Linux 7, 8 and 9) so they have the latest guest additions. The current set of boxes were built using Packer 1.9.4. The new version of the boxes can be seen here.

If you are interested in creating your own Packer builds, you might take inspiration from mine, available here.

How did it all go?

The new versions of VirtualBox, Packer and Vagrant all did their jobs fine. 🙂

What about the VirtualBox GUI?

Just a quick warning. I do everything using Vagrant, so I rarely look at the VirtualBox GUI. Remember, when I say everything worked fine, I mean for what I use.

Cheers

Tim…

Joel Kallman Day 2023 : Announcement

Since 2016 we’ve had an Oracle community day where we push out content on the same day to try and get a bit of a community buzz. The name has changed over the years, but in 2021 it was renamed to the “Joel Kallman Day”. Joel was big on community, and it seems like a fitting tribute to him.

When is it?

The date is Wednesday October 11th. That’s just over a week away from today!

How do I get involved?

Here is the way it works.

  • Write a blog post. The title should be in the format “<insert-the-title-here> #JoelKallmanDay“.
  • The content can be pretty much anything. See the section below.
  • Tweet/X out the blog post using the hashtag #JoelKallmanDay.
  • Publishing the posts on the same day allows us to generate a buzz. In previous years loads of people were on twitter retweeting, making it even bigger. The community is spread around the world, so the posts will be released over a 24 hour period.
  • Oracle employees are welcome to join in. This is a community day about anything to do with the Oracle community.

Like previous years, it would be really nice if we could get a bunch of first-timers involved, but it’s also an opportunity to see existing folks blog for the first time in ages! 

The following day I write a summary post that includes links to all the posts that were pushed out through the day. You can see examples here.

What Should I Write About?

Whatever you want to write about. Here are some suggestions that might help you.

  • My favourite feature of {the Oracle-related tech you work on}.
  • What is the next thing on your list to learn.
  • Horror stories. My biggest screw up, and how I fixed it.
  • How the cloud has affected my job.
  • What I get out of the Oracle Community.
  • What feature I would love to see added to {the Oracle-related tech you work on}.
  • The project I worked on that I’m the most proud of. (Related to Oracle tech of course)

It’s not limited to these. You can literally write about anything Oracle-related. The posts can be short, which makes it easy for new people to get involved. If you do want to write about something technical, that’s fine. You can also write a simple overview post and link to more detailed posts on a subject if you like. In the previous years the posts I enjoyed the most were those that showed the human side of things, but that’s just me. Do whatever you like. 

Do I have to write in English?

No! It’s great to see people contributing to their own community. Google Translate does a pretty good job of translating them, so we can still read them.

Do I need to write about Joel or APEX?

I’m sure people would be happy to read stories about Joel, or content about APEX, but you don’t have to write about that. You can write about whatever you want, so long as it has an Oracle and/or community spin…

So you have a little over a week to get something ready!

Cheers

Tim…

Oracle Database 23c Generally Available – Sort Of

Oracle Cloud World is happening, which typically means lots of announcements. One of the welcome announcement was the release of Oracle 23c on OCI Oracle Base Database Service, so there is a production version generally available… Sort of… Why do I say “sort of”?

OCI Oracle Base Database Service

This is a single cloud service, and it’s not available on the free tier, so it’s only available for paying customers that want to use this particular service.

At the time of writing there is no Autonomous Database service for this version, and there is still no full on-prem release.

I thought it was unavailable in my data centre, but Jeff Smith told me 23c GA is only available for Intel shapes at the moment. Once I switched from the default AMD shape to an Intel shape and 23c release was in the database version list. Happy days.

Oracle Database 23c Free

In addition to the OCI Oracle Base Database Service, the announcement post mentions a new version of Oracle Database 23c Free. It is now a “Developer Release”, not a “Developer Preview”. You can get hold of it here.

The slightly confusing thing is there is no difference in the file name, so my immediate impression was it had not actually been released yet. I downloaded the file and did an installation, and sure enough it was version 23.3. It would have been nice if there was an indication of the update on the page, or a version number in the file name…

For those that previously used Oracle XE, Oracle Database 23c Free is now the natural replacement, so go crazy with it. 🙂

Here’s how you can get started.

  • Install documentation here.
  • My installation article here.
  • My Vagrant build here.
  • VirtualBox appliance from Oracle here.
  • Docker image from Oracle here.

Documentation

The documentation links we’ve been using for 23c Free are no longer marked as “Free”. It is the normal GA documentation now.

My 23c Articles

You can see all my 23c articles here. There are still some I can’t publish until the on-prem GA release happens…

On-Prem Release

As mentioned previously, there is no full on-prem release for Oracle 23c, so you can’t start planning your upgrades from 19c yet. It’s really good to have an updated version of Oracle Database 23c Free so quickly for home use, but from a work perspective 23c won’t really exist for me until there is an on-prem release.

I’m hoping that won’t be long, but time will tell.

Cheers

Tim…

Update: Someone pointed me to Release Schedule of Current Database Releases (Doc ID 742060.1), which has now been updated to include 23c. It says the on-prem releases for 23c will start appearing during 1H CY2024, which is the first half of 2024.

Exit mobile version