This is my third blog post about an issue that we may encounter with uprobes and the recent kernel/oracle version.
As the name of this article suggest i will show here how we can put a probe point on oracle functions using systemtap based on the workaround that i described previously.
As explained in my previous post there is some issues with uprobes and the recent kernel/oracle version.Based on the workaround that i described i will show in this short blog post how we can put a probe point on oracle function using Linux Perf. Sadly i haven’t figured out a way to do that using systemtap (Special thanks to Frank Ch. Eigler for his help)
If you are using dynamic tracing tools like systemtap/perf for user space probing (based on uprobes/uretprobes) with recent oracle/kernel version you may have hit this issue.As stated by Luca Canali Ref
“Issues with uprobes and Oracle versions: uprobes works OK for tracing Oracle 11.2. However, for Oracle 12.1 I find that uprobes works OK on RHEL7.0 (kernel 3.10.0-123) and UEK (kernel 3.8.x), but does not work for kernels that ship with RHEL 7.1,7,2 and anything higher (including UEK4). When testing the easiest is to use Oracle 11.2 or if you want to test Oracle 12.1 use UEK3 or RHEL 7.0 kernel. More investigations are needed on this topic.”
Let’s check :
In my last blog post “CREATE ANY DIRECTORY”=DBA=SYSDBA ! Ouch ! i talked about the potential threat that can represent the PREPROCESSOR feature introduced in oracle 11gr2 in a consolidated environment and how to develop a systemtap live patch to help preventing that.As Frank Pachot also stated a new parameter “PDB_OS_CREDENTIAL” was introduced in oracle 12.2.0.1 which is meant to prevent that in CDB databases:
As Kamil Stawiarski explained in some great articles :
“A lot companies consolidates databases into one appliance – like for example Oracle Exadata. So you can have a lot of different databases in one physical cluster. And what if I tell you that you can execute any OS command as an oracle user, having just access to a database user with appropriate privileges? What if I tell you that DBA=SYSDBA? And not just SYSDBA for one database but for every database in a cluster?” Ref1
This is possible using only three elements thanks to the PREPROCESSOR feature introduced in oracle 11G Ref2 :
Hatem Mahmoud's blog 