
EM12c R4 SSL Security Checkup v1.11

a guest Dec 4th, 2015 422 Never
  1. #!/bin/bash
  2. #
  3. # This script should examine your EM12c R4 environment, identify the ports
  4. # each component uses, and check for SSLv2/SSLv3 usage, as well as make
  5. # sure that weak cipher suites get rejected.  It also contains a patch
  6. # check currently comparing against the latest recommended patches
  7. # and flags the use of self-signed certificates.  Further checks include
  8. # EM12c Java JDK version.
  9. #
  10. # Added in v1.0:   Repository database patch check
  11. # Added in v1.1:   EM12c Java JDK version check
  12. # Change in v1.2:  Removed patch 19948000 recommendation for OHS.
  13. # Change in v1.3:  Update for 30 Apr 2015 patches, add EM-OH plugin home
  14. #                  restored GDFA/16420963 for WLS
  15. #                  added 20114054 for Agent - only applicable for Linux x86-64
  16. # Change in v1.4:  Add datestamp/hostname to output header
  17. #                  Update for 31 May 2015 patches, add EM-DB-DISC plugin home
  18. # Change in v1.5:  Add repo DB check for SSL_VERSION and SSL_CIPHER_SUITES
  19. #                  Add VERBOSE_CHECKSEC variable:
  20. #                   Set to 0 for quiet run.
  21. #                   Set to 1 to see failed check summary after run.
  22. #                   Set to 2 for failed check summary and patch details.
  23. # Change in v1.6:  Add PSU4 for EM12cR4, complete VERBOSE_CHECKSEC work
  24. #                  Add 14 July 2015 patches
  25. # Change in v1.7:  Update for 31 Jul 2015 patches
  26. # Change in v1.8:  Update for 31 Aug 2015 patches
  27. # Change in v1.9:  Add 17714229 for OMS home
  28. #                  Add 21068288 CVE-2015-4742 for oracle_common home
  29. #                  Add check for usage of demonstration SSL certificates
  30. # Change in v1.10: Update for 1 Oct 2015 patches, PSU5, CPUOCT2015
  31. #                  Added 18502187 for OMS home
  32. # Change in v1.11: Update for 30 Nov 2015 patches
  33. #
  34. # From: @BrianPardy on Twitter
  35. #
  36. # Known functional on Linux x86-64, Solaris, AIX.
  37. #
  38. # Run this script as the Oracle EM12c software owner, with your environment
  39. # fully up and running.
  40. #
  41. # Thanks to Dave Corsar, who tested on Solaris and let me know the
  42. # changes needed to make an earlier version work on Solaris.
  43. #
  44. # Thanks to opa tropa who confirmed AIX functionality and noted the
  45. # use of GNU extensions to grep, which I have since removed.
  46. #
  47. # Dedicated to our two Lhasa Apsos:
  48. #   Lucy (6/13/1998 - 3/13/2015)
  49. #   Ethel (6/13/1998 - 7/31/2015)
  50. #
  51. #
  52.  
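# --- Script identity and run-wide state --------------------------------------
SCRIPTNAME=$(basename "$0")
PATCHDATE="30 Nov 2015"         # baseline date printed in the patch-level section header
OMSHOST=$(hostname -f)
VERSION="1.11"
FAIL_COUNT=0                    # incremented by every check that reports FAILED
FAIL_TESTS=""                   # literal "\n"-separated descriptions of the failed checks

RUN_DB_CHECK=0                  # set to 1 further down when a supported local repository DB is found
VERBOSE_CHECKSEC=2              # 0 = quiet, 1 = failed check summary, 2 = summary plus patch details

HOST_OS=$(uname -s)
HOST_ARCH=$(uname -m)

ORAGCHOMELIST="/etc/oragchomelist"
ORATAB="/etc/oratab"

# Fall back to the Solaris locations when the default files are not readable.
if [[ ! -r "$ORAGCHOMELIST" ]]; then
        ORAGCHOMELIST="/var/opt/oracle/oragchomelist"
fi

if [[ ! -r "$ORATAB" ]]; then
        ORATAB="/var/opt/oracle/oratab"
fi

# Prefer gegrep where it is installed; otherwise resolve grep from PATH.
# command -v is a shell builtin, so the lookup does not depend on how the
# platform's `which` behaves or what it prints when nothing is found.
if [[ -x "/usr/sfw/bin/gegrep" ]]; then
        GREP=/usr/sfw/bin/gegrep
else
        GREP=$(command -v grep)
fi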
  82.  
  83. OMS_HOME=`$GREP -i oms $ORAGCHOMELIST | xargs ls -d 2>/dev/null`
  84.  
  85. OPATCH="$OMS_HOME/OPatch/opatch"
  86. OPATCHAUTO="$OMS_HOME/OPatch/opatchauto"
  87. OMSORAINST="$OMS_HOME/oraInst.loc"
  88. ORAINVENTORY=`head -n 1 $OMSORAINST | awk -F= '{print $2}'`
  89.  
  90. MW_HOME=`dirname $OMS_HOME`
  91. BIP_HOME=`$GREP -vi REMOVED $ORAINVENTORY/ContentsXML/inventory.xml | $GREP "HOME NAME=\"Oracle_BI" | awk '{print $3}' | sed -e 's/LOC=\"//' | sed -e 's/"//'`
  92. COMMON_HOME=`$GREP -vi REMOVED $ORAINVENTORY/ContentsXML/inventory.xml | $GREP "HOME NAME=\"common" | awk '{print $3}' | sed -e 's/LOC=\"//' | sed -e 's/"//'`
  93. WEBTIER_HOME=`$GREP -vi REMOVED $ORAINVENTORY/ContentsXML/inventory.xml | $GREP "HOME NAME=\"webtier" | awk '{print $3}' | sed -e 's/LOC=\"//' | sed -e 's/"//'`
  94. AGENT_HOME=`$GREP -vi REMOVED $ORAINVENTORY/ContentsXML/inventory.xml | $GREP "HOME NAME=\"agent12c" | awk '{print $3}' | sed -e 's/LOC=\"//' | sed -e 's/"//'`
  95. AGENT_DB_PLUGIN_HOME="$AGENT_HOME/../../plugins/oracle.sysman.db.agent.plugin_12.1.0.7.0"
  96. AGENT_DB_PLUGIN_DISC_HOME="$AGENT_HOME/../../plugins/oracle.sysman.db.discovery.plugin_12.1.0.7.0"
  97. AGENT_FMW_PLUGIN_HOME="$AGENT_HOME/../../plugins/oracle.sysman.emas.agent.plugin_12.1.0.7.0"
  98. AGENT_FMW_PLUGIN_DISC_HOME="$AGENT_HOME/../../plugins/oracle.sysman.emas.discovery.plugin_12.1.0.7.0"
  99. AGENT_BEACON_PLUGIN_HOME="$AGENT_HOME/../../plugins/oracle.sysman.beacon.agent.plugin_12.1.0.4.0"
  100. AGENT_OH_PLUGIN_HOME="$AGENT_HOME/../../plugins/oracle.sysman.oh.agent.plugin_12.1.0.4.0"
  101.  
  102. EM_INSTANCE_BASE=`$GREP GCDomain $MW_HOME/domain-registry.xml | sed -e 's/.*=//' | sed -e 's/\/user_projects.*$//' | sed -e 's/"//'`
  103. WL_HOME=`$GREP wlserver $MW_HOME/domain-registry.xml | sed -e 's/.*=//' | sed -e 's/\/samples.*$//' | sed -e 's/"//' | uniq`
  104.  
  105. EMGC_PROPS="$EM_INSTANCE_BASE/em/EMGC_OMS1/emgc.properties"
  106. EMBIP_PROPS="$EM_INSTANCE_BASE/em/EMGC_OMS1/embip.properties"
  107. OPMN_PROPS="$EM_INSTANCE_BASE/WebTierIH1/config/OPMN/opmn/ports.prop"
  108. OHS_ADMIN_CONF="$EM_INSTANCE_BASE/WebTierIH1/config/OHS/ohs1/admin.conf"
  109.  
  110. PORT_UPL=`$GREP EM_UPLOAD_HTTPS_PORT $EMGC_PROPS | awk -F= '{print $2}'`
  111. PORT_OMS=`$GREP EM_CONSOLE_HTTPS_PORT $EMGC_PROPS | awk -F= '{print $2}'`
  112. PORT_OMS_JAVA=`$GREP MS_HTTPS_PORT $EMGC_PROPS | awk -F= '{print $2}'`
  113. PORT_NODEMANAGER=`$GREP EM_NODEMGR_PORT $EMGC_PROPS | awk -F= '{print $2}'`
  114. PORT_BIP=`$GREP BIP_HTTPS_PORT $EMBIP_PROPS | awk -F= '{print $2}'`
  115. PORT_ADMINSERVER=`$GREP AS_HTTPS_PORT $EMGC_PROPS | awk -F= '{print $2}'`
  116. PORT_OPMN=`$GREP '/opmn/remote_port' $OPMN_PROPS | awk -F= '{print $2}'`
  117. PORT_OHS_ADMIN=`$GREP Listen $OHS_ADMIN_CONF | awk '{print $2}'`
  118. PORT_AGENT=`$AGENT_HOME/bin/emctl status agent | $GREP 'Agent URL' | sed -e 's/\/emd\/main\///' | sed -e 's/^.*://' | uniq`
  119.  
  120. REPOS_DB_CONNDESC=`$GREP EM_REPOS_CONNECTDESCRIPTOR $EMGC_PROPS | sed -e 's/EM_REPOS_CONNECTDESCRIPTOR=//' | sed -e 's/\\\\//g'`
  121. REPOS_DB_HOST=`echo $REPOS_DB_CONNDESC | sed -e 's/^.*HOST=//' | sed -e 's/).*$//'`
  122. REPOS_DB_SID=`echo $REPOS_DB_CONNDESC | sed -e 's/^.*SID=//' | sed -e 's/).*$//'`
  123.  
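# Decide whether the repository database can be patch-checked from this host.
# That is only attempted when the repository runs on the OMS host itself and
# reports one of the two versions this script carries patch lists for.
if [[ "$REPOS_DB_HOST" == "$OMSHOST" ]]; then
        # Anchor the SID at the start of the line and take the first hit only:
        # an unanchored match also picks up commented-out oratab entries and
        # any SID that merely ends in the same characters, which would leave
        # several homes in REPOS_DB_HOME.
        REPOS_DB_HOME=$("$GREP" "^${REPOS_DB_SID}:" "$ORATAB" | head -n 1 | awk -F: '{print $2}')

        # Only run opatch when the home resolved to something executable.
        if [[ -x "$REPOS_DB_HOME/OPatch/opatch" ]]; then
                REPOS_DB_VERSION=$("$REPOS_DB_HOME/OPatch/opatch" lsinventory -oh "$REPOS_DB_HOME" | "$GREP" 'Oracle Database' | awk '{print $4}')
        fi

        case "$REPOS_DB_VERSION" in
                11.2.0.4.0|12.1.0.2.0)
                        RUN_DB_CHECK=1
                        ;;
        esac

        if [[ "$RUN_DB_CHECK" -eq 0 ]]; then
                echo -e "\tSkipping local repository DB patch check, only 11.2.0.4 or 12.1.0.2 supported by this script for now"
        fi
fi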
  140.  
  141.  
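#######################################
# Probe one endpoint with a single SSL/TLS protocol version and record the
# verdict.
# Globals:   GREP (read), FAIL_COUNT / FAIL_TESTS (updated on failure),
#            OPENSSL_CHECK_* and OPENSSL_RETURN (written)
# Arguments: $1 - component label used in the report
#            $2 - host, $3 - port
#            $4 - openssl s_client protocol flag without the dash:
#                 tls1 must connect, ssl2 / ssl3 must be refused
# Outputs:   one report line ending in OK or FAILED
#######################################
sslcheck () {
        OPENSSL_CHECK_COMPONENT=$1
        OPENSSL_CHECK_HOST=$2
        OPENSSL_CHECK_PORT=$3
        OPENSSL_CHECK_PROTO=$4

        # Keep the "Cipher" lines of the session summary. A refused handshake
        # shows up there as cipher 0000, which is what OPENSSL_RETURN counts.
        local cipher_lines verdict
        cipher_lines=$(echo Q | openssl s_client -prexit -connect "$OPENSSL_CHECK_HOST:$OPENSSL_CHECK_PORT" "-$OPENSSL_CHECK_PROTO" 2>&1 | "${GREP:-grep}" Cipher)
        OPENSSL_RETURN=$(printf '%s\n' "$cipher_lines" | "${GREP:-grep}" -c 0000)

        # No Cipher line at all means openssl never produced a session summary
        # (for example the local build does not accept the protocol flag, or
        # openssl is not on PATH). That is neither "connected" nor "refused":
        # without this branch the tls1 probe would report OK and the ssl2/ssl3
        # probes would report a successful connection that never took place.
        # NOTE(review): tls1 is the only protocol treated as required here;
        # TLS 1.1 / 1.2 are not probed by this function.
        case "$OPENSSL_CHECK_PROTO" in
        tls1)
                echo -en "\tConfirming $OPENSSL_CHECK_PROTO available for $OPENSSL_CHECK_COMPONENT at $OPENSSL_CHECK_HOST:$OPENSSL_CHECK_PORT... "
                if [[ -z "$cipher_lines" ]]; then
                        verdict="protocol could not be tested (no handshake result from openssl)"
                elif [[ $OPENSSL_RETURN -eq 0 ]]; then
                        verdict=""
                else
                        verdict="protocol connection failed"
                fi
                ;;
        ssl2|ssl3)
                echo -en "\tConfirming $OPENSSL_CHECK_PROTO disabled for $OPENSSL_CHECK_COMPONENT at $OPENSSL_CHECK_HOST:$OPENSSL_CHECK_PORT... "
                if [[ -z "$cipher_lines" ]]; then
                        verdict="protocol could not be tested (no handshake result from openssl)"
                elif [[ $OPENSSL_RETURN -ne 0 ]]; then
                        verdict=""
                else
                        verdict="protocol connection succeeded"
                fi
                ;;
        *)
                # Any other protocol name is probed but not judged.
                return 0
                ;;
        esac

        if [[ -z "$verdict" ]]; then
                echo OK
        elif [[ -z "$cipher_lines" ]]; then
                echo "FAILED - no handshake result from openssl"
                FAIL_COUNT=$((FAIL_COUNT+1))
                FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$OPENSSL_CHECK_COMPONENT @ $OPENSSL_CHECK_HOST:${OPENSSL_CHECK_PORT}:$OPENSSL_CHECK_PROTO $verdict"
        else
                echo FAILED
                FAIL_COUNT=$((FAIL_COUNT+1))
                FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$OPENSSL_CHECK_COMPONENT @ $OPENSSL_CHECK_HOST:${OPENSSL_CHECK_PORT}:$OPENSSL_CHECK_PROTO $verdict"
        fi
}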
  174.  
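#######################################
# Check that a patch number appears in an Oracle home's opatch inventory.
# Globals:   OPATCH (read), GREP (read), VERBOSE_CHECKSEC (read),
#            FAIL_COUNT / FAIL_TESTS (updated on failure),
#            OPATCH_CHECK_* and OPATCH_RET (written)
# Arguments: $1 - component label; "ReposDBHome" selects the opatch binary
#                 inside the home being checked instead of $OPATCH
#            $2 - Oracle home to inspect
#            $3 - patch number to look for
# Outputs:   OK or FAILED, plus the matching inventory lines when
#            VERBOSE_CHECKSEC is 2 or more
#######################################
opatchcheck () {
        OPATCH_CHECK_COMPONENT=$1
        OPATCH_CHECK_OH=$2
        OPATCH_CHECK_PATCH=$3

        local opatch_bin=$OPATCH
        if [[ "$OPATCH_CHECK_COMPONENT" == "ReposDBHome" ]]; then
                opatch_bin="$OPATCH_CHECK_OH/OPatch/opatch"
        fi

        # Quoted so a home path with spaces stays one argument.
        # NOTE(review): this is a substring match on the whole inventory
        # listing, so the number also matches wherever else it appears in the
        # output - confirm that is the intended meaning of "patch present".
        OPATCH_RET=$("$opatch_bin" lsinv -oh "$OPATCH_CHECK_OH" | "${GREP:-grep}" "$OPATCH_CHECK_PATCH")

        if [[ -z "$OPATCH_RET" ]]; then
                echo FAILED
                FAIL_COUNT=$((FAIL_COUNT+1))
                FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$OPATCH_CHECK_COMPONENT @ ${OPATCH_CHECK_OH}:Patch $OPATCH_CHECK_PATCH not found"
        else
                echo OK
        fi

        # Print the evidence verbatim: an unquoted echo would run the tool
        # output through word splitting and filename expansion.
        if [[ "${VERBOSE_CHECKSEC:-0}" -ge 2 ]]; then
                printf '%s\n' "$OPATCH_RET"
        fi
}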
  197.  
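#######################################
# Check that a patch number appears in the opatchauto patch listing of a home.
# Globals:   OPATCHAUTO (read), GREP (read), VERBOSE_CHECKSEC (read),
#            FAIL_COUNT / FAIL_TESTS (updated on failure),
#            OPATCHAUTO_CHECK_* and OPATCHAUTO_RET (written)
# Arguments: $1 - component label used in the failure summary
#            $2 - Oracle home to inspect
#            $3 - patch number to look for
# Outputs:   OK or FAILED, plus the matching lines when VERBOSE_CHECKSEC is 2
#            or more
#######################################
opatchautocheck () {
        OPATCHAUTO_CHECK_COMPONENT=$1
        OPATCHAUTO_CHECK_OH=$2
        OPATCHAUTO_CHECK_PATCH=$3

        # Quoted so a home path with spaces stays one argument.
        OPATCHAUTO_RET=$("$OPATCHAUTO" lspatches -oh "$OPATCHAUTO_CHECK_OH" | "${GREP:-grep}" "$OPATCHAUTO_CHECK_PATCH")

        if [[ -z "$OPATCHAUTO_RET" ]]; then
                echo FAILED
                FAIL_COUNT=$((FAIL_COUNT+1))
                FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$OPATCHAUTO_CHECK_COMPONENT @ ${OPATCHAUTO_CHECK_OH}:Patch $OPATCHAUTO_CHECK_PATCH not found"
        else
                echo OK
        fi

        # Print the evidence verbatim: an unquoted echo would run the tool
        # output through word splitting and filename expansion.
        if [[ "${VERBOSE_CHECKSEC:-0}" -ge 2 ]]; then
                printf '%s\n' "$OPATCHAUTO_RET"
        fi
}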
  216.  
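#######################################
# Flag an endpoint whose certificate openssl reports as self-signed.
# Globals:   GREP (read), FAIL_COUNT / FAIL_TESTS (updated on failure),
#            CERTCHECK_CHECK_* and OPENSSL_SELFSIGNED_COUNT (written)
# Arguments: $1 - component label, $2 - host, $3 - port
# Outputs:   one report line ending in OK or FAILED
#######################################
certcheck () {
        CERTCHECK_CHECK_COMPONENT=$1
        CERTCHECK_CHECK_HOST=$2
        CERTCHECK_CHECK_PORT=$3

        echo -ne "\tChecking certificate at $CERTCHECK_CHECK_COMPONENT ($CERTCHECK_CHECK_HOST:$CERTCHECK_CHECK_PORT)... "

        # Accept both spellings of the verify error: OpenSSL 3.x prints
        # "self-signed certificate", earlier releases "self signed certificate".
        # Matching only the older wording makes the check pass silently on a
        # newer client.
        # NOTE(review): OK here only means the phrase was absent from the
        # output; a connection that never came up is also reported as OK.
        OPENSSL_SELFSIGNED_COUNT=$(echo Q | openssl s_client -prexit -connect "$CERTCHECK_CHECK_HOST:$CERTCHECK_CHECK_PORT" 2>&1 | "${GREP:-grep}" -ci "self[- ]signed certificate")

        if [[ $OPENSSL_SELFSIGNED_COUNT -eq 0 ]]; then
                echo OK
        else
                echo FAILED - Found self-signed certificate
                FAIL_COUNT=$((FAIL_COUNT+1))
                FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$CERTCHECK_CHECK_COMPONENT @ ${CERTCHECK_CHECK_HOST}:${CERTCHECK_CHECK_PORT} found self-signed certificate"
        fi
}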
  234.  
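#######################################
# Flag an endpoint that presents a certificate issued by the demonstration
# CA (issuer OU "FOR TESTING ONLY", CN "CertGenCAB").
# Globals:   GREP (read), FAIL_COUNT / FAIL_TESTS (updated on failure),
#            DEMOCERTCHECK_CHECK_* and OPENSSL_DEMO_COUNT (written)
# Arguments: $1 - component label, $2 - host, $3 - port
# Outputs:   one report line ending in OK or FAILED
#######################################
democertcheck () {
        DEMOCERTCHECK_CHECK_COMPONENT=$1
        DEMOCERTCHECK_CHECK_HOST=$2
        DEMOCERTCHECK_CHECK_PORT=$3

        echo -ne "\tChecking certificate at $DEMOCERTCHECK_CHECK_COMPONENT ($DEMOCERTCHECK_CHECK_HOST:$DEMOCERTCHECK_CHECK_PORT)... "

        # Match on the two identifying issuer fields rather than on one exact
        # rendering of the whole DN. Older openssl prints the issuer as
        # "/OU=FOR TESTING ONLY/CN=CertGenCAB"; newer releases print
        # "OU = FOR TESTING ONLY, CN = CertGenCAB", which the exact
        # slash-separated string never matches, so the check would pass
        # silently there.
        OPENSSL_DEMO_COUNT=$(echo Q | openssl s_client -prexit -connect "$DEMOCERTCHECK_CHECK_HOST:$DEMOCERTCHECK_CHECK_PORT" 2>&1 | "${GREP:-grep}" -ci "issuer=.*OU *= *FOR TESTING ONLY.*CN *= *CertGenCAB")

        if [[ $OPENSSL_DEMO_COUNT -eq 0 ]]; then
                echo OK
        else
                echo FAILED - Found demonstration certificate
                FAIL_COUNT=$((FAIL_COUNT+1))
                FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$DEMOCERTCHECK_CHECK_COMPONENT @ ${DEMOCERTCHECK_CHECK_HOST}:${DEMOCERTCHECK_CHECK_PORT} found demonstration certificate"
        fi
}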
  252.  
  253.  
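#######################################
# Probe one endpoint with the openssl LOW, MEDIUM and HIGH cipher classes
# over TLSv1. LOW and MEDIUM must be refused, HIGH must connect.
# Globals:   GREP (read), FAIL_COUNT / FAIL_TESTS (updated on failure),
#            OPENSSL_CHECK_* and OPENSSL_{LOW,MEDIUM,HIGH}_RETURN (written)
# Arguments: $1 - component label, $2 - host, $3 - port
# Outputs:   one report line per cipher class, then a blank line
#######################################
ciphercheck () {
        OPENSSL_CHECK_COMPONENT=$1
        OPENSSL_CHECK_HOST=$2
        OPENSSL_CHECK_PORT=$3

        local level cipher_lines zero_count failure
        for level in LOW MEDIUM HIGH; do
                echo -ne "\tChecking $level strength ciphers on $OPENSSL_CHECK_COMPONENT ($OPENSSL_CHECK_HOST:$OPENSSL_CHECK_PORT)..."

                # A refused handshake is reported as cipher 0000 in the
                # session summary; zero_count is the number of such lines.
                cipher_lines=$(echo Q | openssl s_client -prexit -connect "$OPENSSL_CHECK_HOST:$OPENSSL_CHECK_PORT" -tls1 -cipher "$level" 2>&1 | "${GREP:-grep}" Cipher | uniq)
                zero_count=$(printf '%s\n' "$cipher_lines" | "${GREP:-grep}" -c 0000)
                printf -v "OPENSSL_${level}_RETURN" '%s' "$zero_count"

                failure=""
                if [[ -z "$cipher_lines" ]]; then
                        # No session summary at all (e.g. the local openssl
                        # rejected the cipher class). Treating that as
                        # "connected" would report HIGH as OK and LOW/MEDIUM
                        # as permitted without any handshake having happened.
                        echo -e "\tFAILED - NO HANDSHAKE RESULT FROM OPENSSL"
                        failure="$level cipher probe produced no handshake result"
                elif [[ "$level" == "HIGH" ]]; then
                        if [[ $zero_count -eq 0 ]]; then
                                echo -e "\tOK"
                        else
                                echo -e "\tFAILED - CANNOT CONNECT WITH HIGH STRENGTH CIPHER"
                                failure="Rejects HIGH strength ciphers"
                        fi
                elif [[ $zero_count -eq 0 ]]; then
                        echo -e "\tFAILED - PERMITS $level STRENGTH CIPHER CONNECTIONS"
                        failure="Permits $level strength ciphers"
                else
                        echo -e "\tOK"
                fi

                if [[ -n "$failure" ]]; then
                        FAIL_COUNT=$((FAIL_COUNT+1))
                        FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$OPENSSL_CHECK_COMPONENT @ $OPENSSL_CHECK_HOST:${OPENSSL_CHECK_PORT}:$failure"
                fi
        done
        echo
}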
  299.  
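#######################################
# Check that a patch identifier appears in the bsu.sh -report output.
# Globals:   MW_HOME (read), GREP (read), VERBOSE_CHECKSEC (read),
#            FAIL_COUNT / FAIL_TESTS (updated on failure),
#            WLSDIR, WLSPATCH, WLSCHECK_RETURN, WLSCHECK_COUNT (written)
# Arguments: $1 - WebLogic home, used only as a label in the failure summary
#            $2 - identifier to look for in the report
# Outputs:   OK or FAILED, plus the matching report lines when
#            VERBOSE_CHECKSEC is 2 or more
#######################################
wlspatchcheck () {
        WLSDIR=$1
        WLSPATCH=$2

        # bsu.sh is started from its own directory, in a subshell so the
        # caller's working directory is untouched.
        WLSCHECK_RETURN=$( ( cd "$MW_HOME/utils/bsu" && "$MW_HOME/utils/bsu/bsu.sh" -report ) | "${GREP:-grep}" "$WLSPATCH")

        # Count the matching lines themselves. Piping `echo $var` into wc -l
        # yields 1 even when nothing matched, because echo always writes a
        # newline - which made this check report OK for every patch.
        WLSCHECK_COUNT=$(printf '%s' "$WLSCHECK_RETURN" | "${GREP:-grep}" -c .)

        if [[ $WLSCHECK_COUNT -ge 1 ]]; then
                echo -e "\tOK"
        else
                echo -e "\tFAILED - PATCH NOT FOUND"
                FAIL_COUNT=$((FAIL_COUNT+1))
                FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$WLSDIR:Patch $WLSPATCH not found"
        fi

        # Print the evidence verbatim rather than through an unquoted echo.
        if [[ "${VERBOSE_CHECKSEC:-0}" -ge 2 ]]; then
                printf '%s\n' "$WLSCHECK_RETURN"
        fi
}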
  318.  
# Compare the version reported by $2/bin/java with the single version this
# script accepts (1.6.0_95) and record a failure on any other value.
#   $1 - label for the JDK being checked (used in the failure summary)
#   $2 - JDK directory; bin/java below it is executed with -version
# Updates FAIL_COUNT / FAIL_TESTS on mismatch; with VERBOSE_CHECKSEC >= 2 the
# detected version string is printed after the verdict.
javacheck () {
        WHICH_JAVA=$1
        JAVA_DIR=$2

        # Third field of the "version" line, with the surrounding quotes removed.
        JAVACHECK_RETURN=$($JAVA_DIR/bin/java -version 2>&1 | $GREP version | awk '{print $3}' | sed -e 's/"//g')

        if [[ "$JAVACHECK_RETURN" != "1.6.0_95" ]]; then
                # The detected version is reported through FAIL_TESTS, not here.
                echo -e "\tFAILED"
                FAIL_COUNT=$((FAIL_COUNT + 1))
                FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$WHICH_JAVA Java in ${JAVA_DIR}:Found incorrect version $JAVACHECK_RETURN"
        else
                echo -e "\tOK"
        fi

        test $VERBOSE_CHECKSEC -ge 2 && echo $JAVACHECK_RETURN
}
  335.  
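#######################################
# Compare an SSL parameter in a network/admin file with the value this script
# expects.
# Globals:   GREP (read), VERBOSE_CHECKSEC (read),
#            FAIL_COUNT / FAIL_TESTS (updated on failure),
#            WHICH_PARAM, WHICH_ORACLE_HOME, WHICH_FILE, PARAMCHECK_RETURN
#            (written)
# Arguments: $1 - parameter name; only SSL_VERSION and SSL_CIPHER_SUITES are
#                 judged, any other name is read but not reported
#            $2 - Oracle home
#            $3 - file name below $2/network/admin
# Outputs:   OK or FAILED, plus the value found when VERBOSE_CHECKSEC is 2 or
#            more
#######################################
paramcheck () {
        WHICH_PARAM=$1
        WHICH_ORACLE_HOME=$2
        WHICH_FILE=$3

        # Expected values are fixed in this script version.
        local expected
        case "$WHICH_PARAM" in
        SSL_VERSION)
                expected="1.0"
                ;;
        SSL_CIPHER_SUITES)
                expected="(SSL_RSA_WITH_AES128_CBC_SHA,SSL_RSA_WITH_AES256_CBC_SHA)"
                ;;
        *)
                expected=""
                ;;
        esac

        # Drop comment lines first: a commented-out "#SSL_VERSION = 1.0" is not
        # in effect and must not satisfy the check. Whitespace is stripped
        # with the POSIX class because \s is a GNU sed extension.
        PARAMCHECK_RETURN=$("${GREP:-grep}" -v '^[[:space:]]*#' "$WHICH_ORACLE_HOME/network/admin/$WHICH_FILE" | "${GREP:-grep}" "$WHICH_PARAM" | awk -F= '{print $2}' | sed -e 's/[[:space:]]//g')

        if [[ -z "$expected" ]]; then
                return 0
        fi

        if [[ "$PARAMCHECK_RETURN" == "$expected" ]]; then
                echo -e "OK"
        else
                echo -e "FAILED - Found $WHICH_PARAM = $PARAMCHECK_RETURN"
                FAIL_COUNT=$((FAIL_COUNT+1))
                FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$WHICH_PARAM in $WHICH_FILE for home ${WHICH_ORACLE_HOME}:incorrect parameter value"
        fi

        if [[ "${VERBOSE_CHECKSEC:-0}" -ge 2 ]]; then
                printf '%s\n' "$PARAMCHECK_RETURN"
        fi
}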
  364.  
  365.  
  366. ### MAIN SCRIPT HERE
  367.  
  368.  
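# Report header: what is being checked, which files the ports came from, and
# the endpoints that were discovered.
echo -e "Performing EM12cR4 security checkup version $VERSION on $OMSHOST at $(date).\n"

echo "Using port definitions from configuration files "
# Print the home list actually in use; it is not always /etc/oragchomelist
# (the script falls back to /var/opt/oracle/oragchomelist when that file is
# not readable).
echo -e "\t$ORAGCHOMELIST"
echo -e "\t$EMGC_PROPS"
echo -e "\t$EMBIP_PROPS"
echo -e "\t$OPMN_PROPS"
echo -e "\t$OHS_ADMIN_CONF"
echo
echo -e "\tAgent port found at $OMSHOST:$PORT_AGENT"
echo -e "\tBIPublisher port found at $OMSHOST:$PORT_BIP"
echo -e "\tNodeManager port found at $OMSHOST:$PORT_NODEMANAGER"
echo -e "\tOHSadmin port found at $OMSHOST:$PORT_OHS_ADMIN"
echo -e "\tOMSconsole port found at $OMSHOST:$PORT_OMS"
echo -e "\tOMSproxy port found at $OMSHOST:$PORT_OMS_JAVA"
echo -e "\tOMSupload port found at $OMSHOST:$PORT_UPL"
echo -e "\tOPMN port found at $OMSHOST:$PORT_OPMN"
echo -e "\tWLSadmin found at $OMSHOST:$PORT_ADMINSERVER"
echo
echo -e "\tRepository DB version=$REPOS_DB_VERSION SID=$REPOS_DB_SID host=$REPOS_DB_HOST"

if [[ $RUN_DB_CHECK -eq "1" ]]; then
        echo -e "\tRepository DB on OMS server, will check patches/parameters in $REPOS_DB_HOME"
fi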
  393.  
  394.  
  395. echo -e "\n(1) Checking SSL/TLS configuration (see notes 1602983.1, 1477287.1, 1905314.1)"
  396.  
  397. echo -e "\n\t(1a) Forbid SSLv2 connections"
  398. sslcheck Agent $OMSHOST $PORT_AGENT ssl2
  399. sslcheck BIPublisher $OMSHOST $PORT_BIP ssl2
  400. sslcheck NodeManager $OMSHOST $PORT_NODEMANAGER ssl2
  401. sslcheck OHSadmin $OMSHOST $PORT_OHS_ADMIN ssl2
  402. sslcheck OMSconsole $OMSHOST $PORT_OMS ssl2
  403. sslcheck OMSproxy $OMSHOST $PORT_OMS_JAVA ssl2
  404. sslcheck OMSupload $OMSHOST $PORT_UPL ssl2
  405. sslcheck OPMN $OMSHOST $PORT_OPMN ssl2
  406. sslcheck WLSadmin $OMSHOST $PORT_ADMINSERVER ssl2
  407.  
  408. echo -e "\n\t(1b) Forbid SSLv3 connections"
  409. sslcheck Agent $OMSHOST $PORT_AGENT ssl3
  410. sslcheck BIPublisher $OMSHOST $PORT_BIP ssl3
  411. sslcheck NodeManager $OMSHOST $PORT_NODEMANAGER ssl3
  412. sslcheck OHSadmin $OMSHOST $PORT_OHS_ADMIN ssl3
  413. sslcheck OMSconsole $OMSHOST $PORT_OMS ssl3
  414. sslcheck OMSproxy $OMSHOST $PORT_OMS_JAVA ssl3
  415. sslcheck OMSupload $OMSHOST $PORT_UPL ssl3
  416. sslcheck OPMN $OMSHOST $PORT_OPMN ssl3
  417. sslcheck WLSadmin $OMSHOST $PORT_ADMINSERVER ssl3
  418.  
  419. echo -e "\n\t(1c) Permit TLSv1 connections"
  420. sslcheck Agent $OMSHOST $PORT_AGENT tls1
  421. sslcheck BIPublisher $OMSHOST $PORT_BIP tls1
  422. sslcheck NodeManager $OMSHOST $PORT_NODEMANAGER tls1
  423. sslcheck OHSadmin $OMSHOST $PORT_OHS_ADMIN tls1
  424. sslcheck OMSconsole $OMSHOST $PORT_OMS tls1
  425. sslcheck OMSproxy $OMSHOST $PORT_OMS_JAVA tls1
  426. sslcheck OMSupload $OMSHOST $PORT_UPL tls1
  427. sslcheck OPMN $OMSHOST $PORT_OPMN tls1
  428. sslcheck WLSadmin $OMSHOST $PORT_ADMINSERVER tls1
  429.  
  430. echo -e "\n(2) Checking supported ciphers at SSL/TLS endpoints (see notes 1477287.1, 1905314.1, 1067411.1)"
  431. ciphercheck Agent $OMSHOST $PORT_AGENT
  432. ciphercheck BIPublisher $OMSHOST $PORT_BIP
  433. ciphercheck NodeManager $OMSHOST $PORT_NODEMANAGER
  434. ciphercheck OHSadmin $OMSHOST $PORT_OHS_ADMIN
  435. ciphercheck OMSconsole $OMSHOST $PORT_OMS
  436. ciphercheck OMSproxy $OMSHOST $PORT_OMS_JAVA
  437. ciphercheck OMSupload $OMSHOST $PORT_UPL
  438. ciphercheck OPMN $OMSHOST $PORT_OPMN
  439. ciphercheck WLSadmin $OMSHOST $PORT_ADMINSERVER
  440.  
  441. echo -e "\n(3) Checking self-signed and demonstration certificates at SSL/TLS endpoints (see notes 1367988.1, 1399293.1, 1593183.1, 1527874.1, 123033.1, 1937457.1)"
  442. certcheck Agent $OMSHOST $PORT_AGENT
  443. democertcheck Agent $OMSHOST $PORT_AGENT
  444. certcheck BIPublisher $OMSHOST $PORT_BIP
  445. democertcheck BIPublisher $OMSHOST $PORT_BIP
  446. certcheck NodeManager $OMSHOST $PORT_NODEMANAGER
  447. democertcheck NodeManager $OMSHOST $PORT_NODEMANAGER
  448. certcheck OHSadmin $OMSHOST $PORT_OHS_ADMIN
  449. democertcheck OHSadmin $OMSHOST $PORT_OHS_ADMIN
  450. certcheck OMSconsole $OMSHOST $PORT_OMS
  451. democertcheck OMSconsole $OMSHOST $PORT_OMS
  452. certcheck OMSproxy $OMSHOST $PORT_OMS_JAVA
  453. democertcheck OMSproxy $OMSHOST $PORT_OMS_JAVA
  454. certcheck OMSupload $OMSHOST $PORT_UPL
  455. democertcheck OMSupload $OMSHOST $PORT_UPL
  456. certcheck OPMN $OMSHOST $PORT_OPMN
  457. democertcheck OPMN $OMSHOST $PORT_OPMN
  458. certcheck WLSadmin $OMSHOST $PORT_ADMINSERVER
  459. democertcheck WLSadmin $OMSHOST $PORT_ADMINSERVER
  460.  
  461.  
  462. echo -e "\n(4) Checking EM12c Oracle home patch levels against $PATCHDATE baseline (see notes 1664074.1, 1900943.1, 822485.1, 1470197.1, 1967243.1)"
  463.  
  464. #echo -ne "\n\t(4a) OMS ($OMS_HOME) PSU2 Patch 19830994... "
  465. #opatchcheck OMS $OMS_HOME 19830994
  466.  
  467. #echo -ne "\n\t(4a) OMS ($OMS_HOME) ENTERPRISE MANAGER BASE PLATFORM - OMS 12.1.0.4.3 PSU Patch (20392036)... "
  468. #opatchcheck OMS $OMS_HOME 20392036
  469.  
  470. #echo -ne "\n\t(4a) OMS ($OMS_HOME) ENTERPRISE MANAGER BASE PLATFORM - OMS 12.1.0.4.4 PSU Patch (20870437)... "
  471. #opatchcheck OMS $OMS_HOME 20870437
  472.  
  473. echo -ne "\n\t(4a) OMS ($OMS_HOME) ENTERPRISE MANAGER BASE PLATFORM - OMS 12.1.0.4.5 PSU Patch (21462217)... "
  474. opatchcheck OMS $OMS_HOME 21462217
  475.  
  476. echo -ne "\n\t(4a) OMS HOME ($AGENT_HOME) JDBC Merge Patch (18502187)... "
  477. opatchcheck OMS $OMS_HOME 18502187
  478.  
  479. #echo -ne "\n\t(4a) OMS ($OMS_HOME) DO NOT CREATE INCIDENT WHEN A COMMAND IS OVER RUN IN JOB WORKER (17714229)... "
  480. #opatchcheck OMS $OMS_HOME 17714229
  481.  
  482. echo -ne "\n\t(4b) BI Publisher ($BIP_HOME) CPUJAN2015 Patch (19822893)... "
  483. opatchcheck BIP $BIP_HOME 19822893
  484.  
  485. echo -ne "\n\t(4b) BI Publisher ($BIP_HOME) Merge Patch (20444447)... "
  486. opatchcheck BIP $BIP_HOME 20444447
  487.  
  488. #echo -ne "\n\t(4b) BI Publisher ($BIP_HOME) ORACLE BI PUBLISHER PATCH BUG FOR PRIVATE EMCC PS3 MANDATORY INSTALL PATCH (17888172)... "
  489. #opatchcheck BIP $BIP_HOME 17888172
  490.  
  491. echo -ne "\n\t(4c) AS Common ($COMMON_HOME) CVE-2015-0426 Oracle Help Patch (20075252)... "
  492. opatchcheck COMMON $COMMON_HOME 20075252
  493.  
  494. #echo -ne "\n\t(4c) AS Common ($COMMON_HOME) ADF MERGE REQUEST ON TOP OF 11.1.1.7.1 FOR BUGS 20465665 18820382 20645397 (20747356)... "
  495. #opatchcheck COMMON $COMMON_HOME 20747356
  496.  
  497. echo -ne "\n\t(4c) AS Common ($COMMON_HOME) WEBCENTER PORTAL BUNDLE PATCH 11.1.1.7.1 (16761779)... "
  498. opatchcheck COMMON $COMMON_HOME 16761779
  499.  
  500. # Replaced 20747356, commented out above
  501. echo -ne "\n\t(4c) AS Common ($COMMON_HOME) CVE-2015-4742 MERGE REQUEST ON TOP OF 11.1.1.7.1 FOR BUGS 20747356 18274008 (21068288)... "
  502. opatchcheck COMMON $COMMON_HOME 21068288
  503.  
  504.  
  505. #echo -ne "\n\t(4d) WebLogic Server ($WL_HOME) 10.3.6.0.10 12UV Patch (19637463)... "
  506. #wlspatchcheck $WL_HOME 19637463
  507.  
  508. #echo -ne "\n\t(4d) WebLogic Server ($WL_HOME) 10.3.6.0.11 YUIS Patch (20181997)... "
  509. #wlspatchcheck $WL_HOME 20181997
  510.  
  511. echo -ne "\n\t(4d) WebLogic Server ($WL_HOME) 10.3.6.0.12 EJUW Patch (20780171)... "
  512. wlspatchcheck $WL_HOME 20780171
  513.  
  514. echo -ne "\n\t(4d) WebLogic Server ($WL_HOME) SU Patch [GDFA]: WEBLOGIC.STORE.PERSISTENTSTOREEXCEPTION: [STORE:280040] OCCURS EASILEY (16420963)... "
  515. wlspatchcheck $WL_HOME 16420963
  516.  
  517. # Commented this patch out 4/17/2015, as Oracle no longer recommends it for EM12c installations.
  518. # This patch still appears in note 1664074.1 for EM12c.
  519. # Per personal communication w/Oracle I do NOT recommend using it.
  520. #echo -ne "\n\t(4e) WebTier ($WEBTIER_HOME) CPUJAN2015 Patch (19948000)... "
  521. #opatchcheck WebTier $WEBTIER_HOME 19948000
  522.  
  523. echo -ne "\n\t(4e) WebTier ($WEBTIER_HOME) OHS SECURITY PATCH UPDATE 11.1.1.7.0 CPUOCT2015 Patch (21640624)... "
  524. opatchcheck WebTier $WEBTIER_HOME 21640624
  525.  
  526. echo -ne "\n\t(4e) WebTier ($WEBTIER_HOME) CVE-2014-4212 OPMN Patch (19345576)... "
  527. opatchcheck WebTier $WEBTIER_HOME 19345576
  528.  
  529. #echo -ne "\n\t(4e) WebTier ($WEBTIER_HOME) CVE-2013-3836 PLACEHOLDER FOR SECURITY PATCH FOR WEBCACHE 11.1.1.7.0 WITH OCT2013 CPU (17306880)... "
  530. #opatchcheck WebTier $WEBTIER_HOME 17306880
  531.  
  532. echo -ne "\n\t(4e) WebTier ($WEBTIER_HOME) CVE 2015-2658 MERGE REQUEST ON TOP OF 11.1.1.7.0 FOR BUGS 16370190 20310323 20715657 (20807683)... "
  533. opatchcheck WebTier $WEBTIER_HOME 20807683
  534.  
  535. echo -ne "\n\t(4e) WebTier ($WEBTIER_HOME) CVE-2013-0169,CVE-2011-3389 OSS SECURITY PATCH UPDATE 11.1.1.7.0 CPUOCT2013 (17337741)... "
  536. opatchcheck WebTier $WEBTIER_HOME 17337741
  537.  
  538. echo -ne "\n\t(4e) WebTier ($WEBTIER_HOME) WLSPLUGINS (OHS) SECURITY PATCH UPDATE 11.1.1.7.0 CPUJUL2014 (18423831)... "
  539. opatchcheck WebTier $WEBTIER_HOME 18423831
  540.  
  541. #echo -ne "\n\t(4f) OMS ($OMS_HOME) DB PLUGIN BUNDLE 12.1.0.7.2 (20613714)... "
  542. #opatchautocheck OMS $OMS_HOME 20613714
  543.  
  544. #echo -ne "\n\t(4f) OMS ($OMS_HOME) DB PLUGIN BUNDLE PATCH 12.1.0.7.3 (20804122)... "
  545. #opatchautocheck OMS $OMS_HOME 20804122
  546.  
  547. #echo -ne "\n\t(4f) OMS ($OMS_HOME) DB PLUGIN BUNDLE PATCH 12.1.0.7.4 (20950048)... "
  548. #opatchautocheck OMS $OMS_HOME 20950048
  549.  
  550. #echo -ne "\n\t(4f) OMS ($OMS_HOME) DB PLUGIN BUNDLE PATCH 12.1.0.7.5 (21167937)... "
  551. #opatchautocheck OMS $OMS_HOME 21167937
  552.  
  553. #echo -ne "\n\t(4f) OMS ($OMS_HOME) DB PLUGIN BUNDLE PATCH 12.1.0.7.6 (21324654)... "
  554. #opatchautocheck OMS $OMS_HOME 21324654
  555.  
  556. #echo -ne "\n\t(4f) OMS ($OMS_HOME) DB PLUGIN BUNDLE PATCH 12.1.0.7.7 (21506301)... "
  557. #opatchautocheck OMS $OMS_HOME 21506301
  558.  
  559. #echo -ne "\n\t(4f) OMS ($OMS_HOME) DB PLUGIN BUNDLE PATCH 12.1.0.7.8 (21744938)... "
  560. #opatchautocheck OMS $OMS_HOME 21744938
  561.  
  562. echo -ne "\n\t(4f) *UPDATED* OMS ($OMS_HOME) DB PLUGIN BUNDLE PATCH 12.1.0.7.10 (22062307)... "
  563. opatchautocheck OMS $OMS_HOME 22062307
  564.  
  565. #echo -ne "\n\t(4g) OMS ($OMS_HOME) FMW PLUGIN BUNDLE 12.1.0.7.2 (20613870)... "
  566. #opatchautocheck OMS $OMS_HOME 20613870
  567.  
  568. #echo -ne "\n\t(4g) OMS ($OMS_HOME) FMW PLUGIN BUNDLE PATCH 12.1.0.7.3 (20804213)... "
  569. #opatchautocheck OMS $OMS_HOME 20804213
  570.  
  571. #echo -ne "\n\t(4g) OMS ($OMS_HOME) FMW PLUGIN BUNDLE PATCH 12.1.0.7.4 (20950040)... "
  572. #opatchautocheck OMS $OMS_HOME 20950040
  573.  
  574. #echo -ne "\n\t(4g) OMS ($OMS_HOME) FMW PLUGIN BUNDLE PATCH 12.1.0.7.5 (21167980)... "
  575. #opatchautocheck OMS $OMS_HOME 21167980
  576.  
  577. #echo -ne "\n\t(4g) OMS ($OMS_HOME) FMW PLUGIN BUNDLE PATCH 12.1.0.7.6 (21324861)... "
  578. #opatchautocheck OMS $OMS_HOME 21324861
  579.  
  580. #echo -ne "\n\t(4g) OMS ($OMS_HOME) FMW PLUGIN BUNDLE PATCH 12.1.0.7.7 (21506335)... "
  581. #opatchautocheck OMS $OMS_HOME 21506335
  582.  
  583. #echo -ne "\n\t(4g) OMS ($OMS_HOME) FMW PLUGIN BUNDLE PATCH 12.1.0.7.8 (21744989)... "
  584. #opatchautocheck OMS $OMS_HOME 21744989
  585.  
  586. echo -ne "\n\t(4g) *UPDATED* OMS ($OMS_HOME) FMW PLUGIN BUNDLE PATCH 12.1.0.7.10 (22062375)... "
  587. opatchautocheck OMS $OMS_HOME 22062375
  588.  
  589. #echo -ne "\n\t(4h) OMS ($OMS_HOME) MOS PLUGIN BUNDLE PATCH 12.1.0.6.4 (20613886)... "
  590. #opatchautocheck OMS $OMS_HOME 20613886
  591.  
  592. #echo -ne "\n\t(4h) OMS ($OMS_HOME) MOS PLUGIN BUNDLE PATCH 12.1.0.6.5 (20822914)... "
  593. #opatchautocheck OMS $OMS_HOME 20822914
  594.  
  595. #echo -ne "\n\t(4h) OMS ($OMS_HOME) MOS PLUGIN BUNDLE PATCH 12.1.0.6.6 (21167991)... "
  596. #opatchautocheck OMS $OMS_HOME 21167991
  597.  
  598. #echo -ne "\n\t(4h) OMS ($OMS_HOME) MOS PLUGIN BUNDLE PATCH 12.1.0.6.7 (21506428)... "
  599. #opatchautocheck OMS $OMS_HOME 21506428
  600.  
  601. echo -ne "\n\t(4h) OMS ($OMS_HOME) MOS PLUGIN BUNDLE PATCH 12.1.0.6.8 (21745018)... "
  602. opatchautocheck OMS $OMS_HOME 21745018
  603.  
  604. #echo -ne "\n\t(4i) OMS ($OMS_HOME) EXADATA PLUGIN BUNDLE 12.1.0.6.6 (20613853)... "
  605. #opatchautocheck OMS $OMS_HOME 20613853
  606.  
  607. #echo -ne "\n\t(4i) OMS ($OMS_HOME) EXADATA PLUGIN BUNDLE PATCH 12.1.0.6.7 (20822866)... "
  608. #opatchautocheck OMS $OMS_HOME 20822866
  609.  
  610. #echo -ne "\n\t(4i) OMS ($OMS_HOME) EXADATA PLUGIN BUNDLE PATCH 12.1.0.6.8 (20962507)... "
  611. #opatchautocheck OMS $OMS_HOME 20962507
  612.  
  613. #echo -ne "\n\t(4i) OMS ($OMS_HOME) EXADATA PLUGIN BUNDLE PATCH 12.1.0.6.9 (21167953)... "
  614. #opatchautocheck OMS $OMS_HOME 21167953
  615.  
  616. #echo -ne "\n\t(4i) OMS ($OMS_HOME) EXADATA PLUGIN BUNDLE PATCH 12.1.0.6.10 (21324852)... "
  617. #opatchautocheck OMS $OMS_HOME 21324852
  618.  
  619. echo -ne "\n\t(4i) *UPDATED* OMS ($OMS_HOME) EXADATA PLUGIN BUNDLE PATCH 12.1.0.6.11 (21744966)... "
  620. opatchautocheck OMS $OMS_HOME 21744966
  621.  
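  # (4j) OMS CFW plugin bundle.
  # Superseded checks, kept for history (version / patch ID):
  #   CFW plugin bundle 12.1.0.2.1 (20385040), 12.1.0.2.2 (21167573),
  #   12.1.0.2.3 (21324632)
  #   EM-AGENT bundle 12.1.0.4.7 (20613931), formerly labelled (4j) and
  #   checked with opatchcheck against $AGENT_HOME
  # The home path is quoted so an empty or space-containing $OMS_HOME cannot
  # shift the patch ID into the wrong argument position.
  printf '\n\t(4j) *UPDATED* OMS (%s) CFW PLUGIN BUNDLE PATCH 12.1.0.2.4 (21972104)... ' "$OMS_HOME"
  opatchautocheck OMS "$OMS_HOME" 21972104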
  636.  
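  # (4k) OMS chained agent home: EM-AGENT bundle plus standalone security patches.
  # Superseded EM-AGENT bundle checks, kept for history (version / patch ID):
  #   12.1.0.4.9 (20950034), 12.1.0.4.10 (21168025), 12.1.0.4.11 (21325110),
  #   12.1.0.4.12 (21506284), 12.1.0.4.13 (21759280)
  # $AGENT_HOME is quoted throughout so an empty or space-containing path
  # cannot shift the patch ID into the wrong argument position.
  printf '\n\t(4k) *UPDATED* OMS CHAINED AGENT HOME (%s) EM-AGENT BUNDLE PATCH 12.1.0.4.14 (21913823)... ' "$AGENT_HOME"
  opatchcheck Agent "$AGENT_HOME" 21913823

  printf '\n\t(4k) OMS CHAINED AGENT HOME (%s) Merge Patch (18502187)... ' "$AGENT_HOME"
  opatchcheck Agent "$AGENT_HOME" 18502187

  printf '\n\t(4k) OMS CHAINED AGENT HOME (%s) JDBC Security Patch (18721761)... ' "$AGENT_HOME"
  opatchcheck Agent "$AGENT_HOME" 18721761

  # Patch 20114054 is checked on Linux x86_64 only, so on every other
  # platform this run prints nothing about CVE 2012-3137 for the agent.
  if [[ "$HOST_OS" == "Linux" && "$HOST_ARCH" == "x86_64" ]]; then
    printf '\n\t(4k) OMS CHAINED AGENT HOME (%s) CVE 2012-3137 EM Agent only: Instant Client Security Patch (20114054)... ' "$AGENT_HOME"
    opatchcheck Agent "$AGENT_HOME" 20114054
  fi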
  665.  
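  # (4l) OMS chained agent DB plugin: agent-side monitoring and discovery bundles.
  # Superseded agent-side monitoring checks, kept for history (version / patch ID):
  #   12.1.0.7.2 (20676926, formerly labelled 4k), 12.1.0.7.4 (21065223),
  #   12.1.0.7.5 (21229731), 12.1.0.7.6 (21415075), 12.1.0.7.7 (21603371),
  #   12.1.0.7.8 (21806804)
  # Plugin home paths are quoted: if a plugin home variable is empty, the
  # unquoted form would drop the argument and hand the patch ID to
  # opatchcheck in the home-path position.
  printf '\n\t(4l) *UPDATED* OMS CHAINED AGENT DB PLUGIN (%s) DB PLUGIN BUNDLE 12.1.0.7.10 AGENT-SIDE MONITORING (22140476)... ' "$AGENT_DB_PLUGIN_HOME"
  opatchcheck AgentDBPlugin "$AGENT_DB_PLUGIN_HOME" 22140476

  printf '\n\t(4l) OMS CHAINED AGENT DB PLUGIN (%s) DB PLUGIN BUNDLE 12.1.0.7.4 AGENT-SIDE DISCOVERY (21065239)... ' "$AGENT_DB_PLUGIN_DISC_HOME"
  opatchcheck AgentDBPlugin "$AGENT_DB_PLUGIN_DISC_HOME" 21065239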
  689.  
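  # (4m) OMS chained agent FMW plugin: agent-side monitoring and discovery bundles.
  # Superseded agent-side monitoring checks, kept for history (version / patch ID):
  #   12.1.0.7.2 (20677020, formerly labelled 4l), 12.1.0.7.4 (21065760),
  #   12.1.0.7.5 (21229821), 12.1.0.7.6 (21415166), 12.1.0.7.7 (21603497),
  #   12.1.0.7.8 (21806984)
  # Superseded agent-side discovery checks:
  #   12.1.0.7.2 (20677038), 12.1.0.7.5 (21229841)
  # Plugin home paths are quoted: if a plugin home variable is empty, the
  # unquoted form would drop the argument and hand the patch ID to
  # opatchcheck in the home-path position.
  printf '\n\t(4m) *UPDATED* OMS CHAINED AGENT FMW PLUGIN (%s) FMW PLUGIN BUNDLE 12.1.0.7.9 AGENT-SIDE MONITORING (21941290)... ' "$AGENT_FMW_PLUGIN_HOME"
  opatchcheck AgentFMWPlugin "$AGENT_FMW_PLUGIN_HOME" 21941290

  printf '\n\t(4m) OMS CHAINED AGENT FMW PLUGIN (%s) FMW PLUGIN BUNDLE 12.1.0.7.7 AGENT-SIDE DISCOVERY (21611921)... ' "$AGENT_FMW_PLUGIN_DISC_HOME"
  opatchcheck AgentFMWPlugin "$AGENT_FMW_PLUGIN_DISC_HOME" 21611921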
  722.  
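  # (4n) OMS chained agent beacon plugin and (4o) EM-OH plugin bundles.
  # Superseded beacon check, kept for history: EM-BEACON bundle 12.1.0.4.1 (20466772).
  # Plugin home paths are quoted: if a plugin home variable is empty, the
  # unquoted form would drop the argument and hand the patch ID to
  # opatchcheck in the home-path position.
  printf '\n\t(4n) *UPDATED* OMS CHAINED AGENT BEACON PLUGIN (%s) EM-BEACON BUNDLE PATCH 12.1.0.4.2 (21928148)... ' "$AGENT_BEACON_PLUGIN_HOME"
  opatchcheck AgentBeaconPlugin "$AGENT_BEACON_PLUGIN_HOME" 21928148

  # Unlike the other entries, the (4o) banner does not print the home it inspects.
  printf '\n\t(4o) OMS CHAINED AGENT EM-OH BUNDLE PATCH 12.1.0.4.1 (20855134)... '
  opatchcheck AgentOHPlugin "$AGENT_OH_PLUGIN_HOME" 20855134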
  731.  
  732.  
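  # (4p)/(4q) Repository database checks, run only when RUN_DB_CHECK is 1.
  #
  # NOTE(review): a patch baseline exists only for repository versions
  # 11.2.0.4.0 and 12.1.0.2.0. Any other REPOS_DB_VERSION gets no patch check
  # and no message, so a clean run says nothing about the patch level of such
  # a database home.
  #
  # $REPOS_DB_HOME is quoted throughout so an empty or space-containing path
  # cannot shift the remaining arguments of opatchcheck/paramcheck.
  if [[ $RUN_DB_CHECK -eq 1 ]]; then

    case "$REPOS_DB_VERSION" in
      11.2.0.4.0)
        # Superseded 11.2.0.4 checks, kept for history:
        #   PSU 11.2.0.4.5 (19769489), JavaVM 11.2.0.4.2 PSU JAN2015 (19877440),
        #   PSU 11.2.0.4.6 APR2015 (20299013), JavaVM 11.2.0.4.3 PSU APR2015 (20406239)
        printf '\n\t(4p) OMS REPOSITORY DATABASE HOME (%s) PSU 11.2.0.4.8 (OCT2015) (21352635)... ' "$REPOS_DB_HOME"
        opatchcheck ReposDBHome "$REPOS_DB_HOME" 21352635

        printf '\n\t(4p) OMS REPOSITORY DATABASE HOME (%s) ORACLE JAVAVM COMPONENT 11.2.0.4.5 DATABASE PSU (OCT2015) (21555791)... ' "$REPOS_DB_HOME"
        opatchcheck ReposDBHome "$REPOS_DB_HOME" 21555791
        ;;
      12.1.0.2.0)
        # Superseded 12.1.0.2 checks, kept for history:
        #   PSU 12.1.0.2.2 (19769480), JavaVM 12.1.0.2.2 PSU JAN2015 (19877336),
        #   PSU 12.1.0.2.3 APR2015 (20299023), JavaVM 12.1.0.2.3 PSU APR2015 (20415564)
        printf '\n\t(4p) OMS REPOSITORY DATABASE HOME (%s) Required Patch (20243268)... ' "$REPOS_DB_HOME"
        opatchcheck ReposDBHome "$REPOS_DB_HOME" 20243268

        printf '\n\t(4p) OMS REPOSITORY DATABASE HOME (%s) PSU 12.1.0.2.5 (OCT2015) (21359755)... ' "$REPOS_DB_HOME"
        opatchcheck ReposDBHome "$REPOS_DB_HOME" 21359755

        printf '\n\t(4p) OMS REPOSITORY DATABASE HOME (%s) ORACLE JAVAVM COMPONENT 12.1.0.2.5 DATABASE PSU (OCT2015) (21555660)... ' "$REPOS_DB_HOME"
        opatchcheck ReposDBHome "$REPOS_DB_HOME" 21555660
        ;;
    esac

    # (4q) SSL_VERSION and SSL_CIPHER_SUITES in sqlnet.ora and listener.ora
    # (note 1545816.1). What paramcheck accepts as a pass is defined elsewhere
    # in the script; these calls only select the parameter, home and file.
    printf '\n\t(4q) OMS REPOSITORY DATABASE HOME (%s) sqlnet.ora SSL_VERSION parameter (1545816.1)... ' "$REPOS_DB_HOME"
    paramcheck SSL_VERSION "$REPOS_DB_HOME" sqlnet.ora

    printf '\n\t(4q) OMS REPOSITORY DATABASE HOME (%s) sqlnet.ora SSL_CIPHER_SUITES parameter (1545816.1)... ' "$REPOS_DB_HOME"
    paramcheck SSL_CIPHER_SUITES "$REPOS_DB_HOME" sqlnet.ora

    printf '\n\t(4q) OMS REPOSITORY DATABASE HOME (%s) listener.ora SSL_VERSION parameter (1545816.1)... ' "$REPOS_DB_HOME"
    paramcheck SSL_VERSION "$REPOS_DB_HOME" listener.ora

    printf '\n\t(4q) OMS REPOSITORY DATABASE HOME (%s) listener.ora SSL_CIPHER_SUITES parameter (1545816.1)... ' "$REPOS_DB_HOME"
    paramcheck SSL_CIPHER_SUITES "$REPOS_DB_HOME" listener.ora
  fi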
  797.  
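  printf '\n'

  # (5) Java version checks for the middleware and WebTier JDKs.
  # The expected version (1.6.0_95) is hard-coded in this version of the
  # script; how javacheck compares it with the installed JDK is defined
  # elsewhere. A pass only reflects this baseline, so confirm it against the
  # notes cited in the banner before relying on the result.
  printf '\n(5) Checking EM12c Java versions against baseline (see notes 1506916.1, 1492980.1)\n'

  # JDK paths are quoted so a space-containing home cannot split into
  # several arguments and displace the expected version string.
  printf '\n\t(5a) MW (%s) Java version 1.6.0_95 (9553040)... ' "$MW_HOME/jdk16/jdk"
  javacheck MW "$MW_HOME/jdk16/jdk" 1.6.0_95

  printf '\n\t(5b) WebTier (%s) Java version 1.6.0_95 (9553040)... ' "$WEBTIER_HOME/jdk"
  javacheck WebTier "$WEBTIER_HOME/jdk" 1.6.0_95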
  807.  
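  printf '\n'

  # Final summary. FAIL_COUNT, FAIL_TESTS and VERBOSE_CHECKSEC are set earlier
  # in the script (outside this section). The :-0 defaults keep the numeric
  # tests well-formed if a variable is unset; an unset VERBOSE_CHECKSEC is
  # treated as quiet instead of producing a "test" usage error.
  if [[ ${FAIL_COUNT:-0} -gt 0 ]]; then
    echo "Failed test count: $FAIL_COUNT - Review output"
    if [[ ${VERBOSE_CHECKSEC:-0} -ge 1 ]]; then
      # Quoted so the accumulated text is printed as stored, without
      # word-splitting or filename expansion of any '*' it contains.
      echo -e "$FAIL_TESTS"
    fi
  else
    echo "All tests succeeded."
  fi

  echo
  echo "Visit https://pardydba.wordpress.com/2015/03/09/em12c-r4-ssl-security-checkup-script/ for the latest version."
  echo

  # NOTE(review): a bare "exit" returns the status of the preceding echo, so
  # the script exits 0 even when FAIL_COUNT is non-zero. A scheduler or
  # monitoring wrapper has to parse the output for "Failed test count" and
  # cannot rely on the exit status to detect failed checks.
  exit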