_trace_files_public hidden parameter

The " _trace_files_public" parameter is a hidden parameter whose default value is false and once it's set to true that will allow all users accessing the server where the oracle database is hosted will be able to read the trace files. 

Trace files in an oracle database are generated when there is an issue or we have deliberately enabled it to debug some scenario and the oracle process based on version also creates multiple trace files. These files may have some sensitive information and if you want only the owner of your oracle software and users belonging to the same group can only read them we must keep the "_trace_files_public" parameter to its default value false. This is also a CIS recommendation for oracle database security.

Since this is a hidden parameter and your query its current setting following X$ tables need to be queried:


     select A.ksppinm, B.ksppstvl

     from sys.x$ksppi a,sys.x$ksppcv b

     where A.indx=B.indx

     and A.ksppinm like '\_%trace_files_public' escape '\';


File will look like as below when this parameter is set to false:


     -rw-r----- 1 oracle oinstall   925 May 17 06:21 TESTDB_ora_934343.trc


In case when it's true it will look like:


     -rw-r--r-- 1 oracle oinstall   925 May 17 06:21 TESTDB_ora_934343.trc


To change the value of this parameter, it will need a database bounce after running:


     alter system set "_trace_files_public" = TRUE scope=spfile;


It is not recommended to make this parameter TRUE and only provided in the blog for informational purposes.

Those who want to scan their database for CIS compliance through non-sys users will not be able to run the above-mentioned query on X$ tables. If you want to use a non-sys user to query this, this would need to create views in sys schema and then grant select on these views to other non-sys users. Running scans with sys user also not recommended and creating custom views in sys schema also not accepted as best practices. Let us still discuss about this for informational purpose:


     create view sys.x_$ksppi as select * from sys.x$ksppi;

     create view sys.x_$ksppcv as select * from sys.x$ksppcv;

     grant select on sys.x$ksppi to <role_name>;

     grant select on sys.x$ksppcv to <role_name>;

     grant <role_name> to <non sys scan user>;


Now query to be referencing views in place of tables:


     select A.ksppinm, B.ksppstvl

     from sys.x_$ksppi a,sys.x_$ksppcv b

     where A.indx=B.indx

     and A.ksppinm like '\_%trace_files_public' escape '\';


Speaker Name: Arpit Agrawal

Speaker Profile: Groundbreaker Ambassadors, Oracle ACEs, and Java Champion Details



Comments

Post a Comment

Popular posts from this blog

How to Solve - "WAIT FOR EMON PROCESS NTFNS"

Event Monitor Process in short called as EMON is generally used by oracle to send notification. Often applications uses Database Change Notification process also called as DBCN to be aware of changes in the database, based on these notifications they take further actions. Often clients subscribe to the database and notifications are send as callback to them. In some cases you will notice database sessions are showing wait event "WAIT FOR EMON PROCESS NTFNS" and it can even make your database un-responsive. One observation can be these processes are taking more CPU (may not in be in all cases). As stated EMON process deals with database notification and it's spawn and gets down itself and Administrators have no control on theses processes. Anyone can go through oracle documents to read more EMON functioning process.  EMON uses oracle advanced queues and database queue notifications into them and EMON process these notifications to clients based on their subscriptions. In s
Read more

Query Regression - "OR" Transformation Oracle 19c

Recently while upgrading Oracle Database from version 12.1 to 19.10 found there were couple of queries which was running slow post upgrade. Usually these type of behavior is seen while upgrading to newer version and oracle provide various ways to fix them. The difference between good and bad plan was an introduction of  "MERGE JOIN CARTESIAN" (aka MJC) and that's in where regressed query in 19c taking most of the time. MJC sometimes works for queries but in this case it was clearly not helping.  We had following options here:     1. Copy the profile from 12c to 19c database and it worked, but the problem was not just to specific query but with many similar query. This means profile option is not very attractive in this case.     2. We also tried running query with OFE 12.1 to use the same optimizer features as previous version and query behaves well. Though this option can't be placed as we need to use 19c OFE and can be placed only for testing purpose.           alte
Read more

ORA - 12537: TNS: connection closed

Often when active clone to be done to create a new environment, we land up into couple of issues. I will discuss about one issues during this process. Action : Create a new database on different machine from a source. Error : ORA - 12537: TNS: connection closed In order to duplicate the environment was using below rman log /tmp/duplicate.log connect target sys/<password>@<source tns alias> connect auxiliary sys/<password>@<target tns alias> run{ allocate channel ch1 device type disk; allocate channel ch2 device type disk; allocate channel ch3 device type disk; allocate channel ch4 device type disk; allocate auxiliary channel ax1 device type disk; allocate auxiliary channel ax2 device type disk; allocate auxiliary channel ax3 device type disk; allocate auxiliary channel ax4 device type disk; DUPLICATE TARGET DATABASE TO <TARGET_DBNAME> FROM ACTIVE DATABASE NOFILENAMECHECK; } While making connection to Auxiliary database received mentioned error ORA - 12537:
Read more