[Latest Update from 10th of April, 14:45]
mk_oracle_220-1.0.14.mkp (38.7 KB)
mk_oracle_210-1.0.14.mkp (36.9 KB)
Hi all,
we have now two mkps ready (2.2 and 2.1) which include the following fixes.
mk_oracle: Follow-up to privilege escalation fix
You might be affected by this Werk if you use mk_oracle
on a unix
system.
You might be affected by this Werk if you use oracle wallet to connect to your
database.
You are definitively affected by this Werk if you use oracle wallet to connect to your
database and used the instructions of our official documentation to setup your
configuration.
This Werk fixes connection problems introduced with 2.1.0p41, 2.2.0p24 and 2.3.0b4.
Since Werk #16232 we switch to a
unprivileged user when executing oracle binaries. This causes problems when
using an oracle wallet as the unprivileged user might not be able to access
files defining the connection details and credentials.
We introduced an additional permission check to the -t
âJust check
the connectionâ option of mk_oracle
. It should help you modifying
the permissions to continue using mk_oracle
with oracle wallet.
You can execute it with the following command:
MK_CONFDIR=/etc/check_mk/ MK_VARDIR=/var/lib/check_mk_agent /usr/lib/check_mk_agent/plugins/mk_oracle --no-spool -t
The path to mk_oracle might be different if you execute it asynchronously. For a
60 second interval the path would be /usr/lib/check_mk_agent/plugins/60/mk_oracle
The script will test permissions of the files needed to connect to the database. It boils down to the following:
mk_oracle
will switch to the owner of
$ORACLE_HOME/bin/sqlplus
before executing sqlplus
. So
this user has to have the following permissions:
- read
$TNS_ADMIN/sqlnet.ora
- read
$TNS_ADMIN/tnsnames.ora
- execute the wallet folder (
/etc/check_mk/oracle_wallet
if followed the official documentation)
- read files inside the wallet folder (
/etc/check_mk/oracle_wallet/*
if followed the official documentation)
Beside that we also fixed some bash syntax errors we introduced with
Werk #16232.
mk_oracle: Follow-up to privilege escalation fix: sqlnet.ora
You are affected by this Werk if you use mk_oracle agent plugin on unix.
mk_oracle
only works if it can find a sqlnet.ora
in your
$TNS_ADMIN
folder. In the past, mk_oracle
executed all oracle
binaries as root, so sqlnet.ora
was alwas readable. With Werk #16232 the oracle binaries are
executed with a low privileged user, so it might be the case, that
sqlnet.ora
can not be read by this user.
mk_oracle
will exit early if it can not read sqlnet.ora
. The
error message might look like:
/etc/check_mk/sqlnet.ora can not be read by user "oracle"! Either use 'sqlnet.ora permission group' bakery rule, or directly modify permissions of the file.
The error message will also be visible in the oracle_instance
check.
If you use the agent bakery to roll out mk_oracle to unix servers using
.rpm
, .deb
or Solaris .pkg
packages, you have to use
the âsqlnet.ora permission groupâ bakery rule to adapt the group of the
sqlnet.ora
file, otherwise your permission changes might be
overwritten by updating the agent.
Otherwise it is sufficient to adapt the permissions.
If you install the agent on Unix using the tgz
package, you will have
to manually adjust the permissions of the sqlnet.ora
file.
mk_oracle: report failed login
Due to fixes introduced with
Werk #16234 a failed login to the
oracle database was not reported as critical, but the services were going
stale. This is now fixed.
Please let us know if you have feedback.
Thanks