Proof of installed security patches

EXPERT RESPONSE FROM: Maria Anderson

QUESTION POSED ON: 21 July 2005
We are being audited by our internal security group and I have to prove that I have installed Oracle security patches from Alert #68. How do I prove that these patches were installed on Unix and Windows servers?



If the Alert #68 patch was installed against a set of Oracle8i binaries, it may be difficult to prove that the patch was, in fact, installed. What I typically like to do is copy the patch into a patches subdirectory under the relevant $ORACLE_HOME. This way, when I need to go back and verify that a patch was applied, I can tell right away.

If a patch's subdirectory was created under the 8i ORACLE_HOME and the patch was installed from there, you should see a file called undo_pre3821967_8.1.7.4.0.sh which is created by the patch for backout purposes (on UNIX). If, on the other hand, the patch was applied from a central location across all servers, it might be more difficult to prove that the patch was applied.

With Oracle9i, however, the patch would have been installed with the opatch utility. You can use the opatch utility to list the installed patches. Set your environment to a 9i database on the server, navigate to where the opatch utility is installed (or include it in your path) and type:

opatch lsinventory

This will read the inventory and list any patches that were installed. If security alert #68 was installed, you should see lines similar to this in the output (this example is from Solaris):

Installed Patch List:  
=====================  
1) Patch 3811887 applied on Thu Oct 14 12:43:51 MDT 2004      
[ Base Bug(s): 3828166 3811887  ]

Also, with Oracle9i, you can look in $ORACLE_HOME/.patch_storage for log files. If this hidden directory (.patch_storage) was created prior to applying the patch, opatch would have sent all log files to this subdirectory by default.
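
The three evidence sources described in the answer above (the opatch inventory, the .patch_storage directory and the 8i backout script) can be gathered into one audit report. The script below is an added example, not part of the original answer or of Oracle's tooling; the function names, the report format, the sample inventory text and the undo_pre*.sh filename pattern are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample of `opatch lsinventory` output (same shape as the lines quoted above).
SAMPLE_INVENTORY='Installed Patch List:
=====================
1) Patch 3811887 applied on Thu Oct 14 12:43:51 MDT 2004
[ Base Bug(s): 3828166 3811887  ]'

# patch_applied_on PATCH_ID  (hypothetical helper)
# Reads lsinventory text on stdin and prints the "applied on" timestamp.
# Only "N) Patch <id> applied on ..." lines count: a number that appears
# solely in a "Base Bug(s)" line is a bug id, not an installed patch.
patch_applied_on() {
    awk -v id="$1" '
        $2 == "Patch" && $3 == id && $4 == "applied" && $5 == "on" {
            sub(/^.*applied on[ \t]*/, "")
            sub(/[ \t\r]+$/, "")
            print
            found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# evidence_report ORACLE_HOME PATCH_ID [SAVED_LSINVENTORY_FILE]  (hypothetical helper)
# Prints one line per evidence source named in the answer. Without a saved
# file it runs `opatch lsinventory` itself (opatch must be on PATH).
evidence_report() {
    home=$1; id=$2; saved=${3:-}
    if [ -n "$saved" ]; then inv=$(cat "$saved"); else inv=$(opatch lsinventory 2>/dev/null) || inv=; fi
    if when=$(printf '%s\n' "$inv" | patch_applied_on "$id"); then
        echo "inventory: patch $id applied on $when"
    else
        echo "inventory: patch $id NOT listed"
    fi
    if [ -d "$home/.patch_storage" ]; then
        echo "patch_storage: present"
    else
        echo "patch_storage: absent"
    fi
    # Backout scripts such as undo_pre3821967_8.1.7.4.0.sh (8i, UNIX).
    # The undo_pre*.sh pattern is an assumption generalised from that one name.
    find "$home" -type f -name 'undo_pre*.sh' 2>/dev/null | sed 's/^/undo_script: /'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_INVENTORY" | patch_applied_on 3811887
```

Matching on the "Patch <id> applied on" line rather than searching for the bare number keeps a base-bug id from being reported as an installed patch, which matters when the report is handed to an auditor.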



