3.1.1 Getting Started with Running Compliance Checks

Review these topics to get started with Oracle Autonomous Health Framework compliance checking.

Parent topic: Compliance Checking with Oracle Orachk and Oracle Exachk

3.1.1.1 Running Oracle Orachk or Oracle Exachk as a Non-Root User

You can optionally run Oracle Orachk or Oracle Exachk as a non-root user.

When you have installed AHF as root and if non-root users run Oracle Orachk or Oracle Exachk and want to change the directory to their own output location, then the non-user will not be able to browse any directory using ls -l in the path before their own output location. However, they can directly cd to the output location.
$ cd /u01/app/crsusr/oracle.ahf/data/host_name/
$ ls -ltra
ls: cannot open directory .: Permission denied
$ cd orachk

$ ls
ls: cannot open directory .: Permission denied
$ cd user_racusr
$ ls -l
total 7456
-r-xr-xr-x 1 root root 6836 Jun 1 13:37 cgrep
rw-rr- 1 root root 5481 Jun 1 13:37 cgrep.pyc
drwxr-xr-x 7 racusr oinstall 274432 Jun 1 14:05 orachk_host_name_ratcdb_060120_133414
rr---- 1 racusr oinstall 7323951 Jun 1 14:05 orachk_host_name_ratcdb_060120_133414.zip
drwx-----T 2 racusr root 4096 Jun 1 14:05 output
drwx-----T 4 racusr root 4096 Jun 1 14:05 work

Non-root users can copy the path of Oracle Orachk run result and cd directly there, or copy the result. Alternatively, they can run the ahfctl showrepo command and it will show them the correct location where their results are available. 

$ ahfctl showrepo

<<output truncated>>
orachk repository: /u01/app/crsusr/oracle.ahf/data/host_name/orachk/user_racusr/output

Related Topics

Parent topic: Getting Started with Running Compliance Checks

3.1.1.2 Non-Root Users Running Root Privileged Checks on Database Servers

Non-root user can run root privileged checks on the database servers without requiring root password or sudo.

The Oracle Trace File Analyzer daemon must be running on all database servers in cluster.
  1. As root user, grant permission to non-root users to run root privileged checks using the tfactl access grant -user user_name -role privileged-compliance-checks command.
  2. Ensure that the non-root user has been assigned to the granted role and promotion is set to n/a.
    tfactl access lsuers
.-------------------------------------------.
|            TFA Users in Node1             |
+-----------+---------+----------+----------+
| User Name | Status  | Promoted | Roles    |
+-----------+---------+----------+----------+
| dbusr     | Allowed | false    | n/a      |
| giusr     | Allowed | true     | n/a      |
| orarom    | Allowed | n/a      | platinum |
'-----------+---------+----------+----------'
Once the non-root user has been assigned to privileged-compliance-checks role, non-root user can run Oracle Orachk with the -runasroot option to run root privileged checks.

Parent topic: Getting Started with Running Compliance Checks

3.1.1.3 Automatic Compliance Checking

Use the daemon to configure automatic compliance check runs at scheduled intervals.

Installing Oracle Autonomous Health Framework as root on Linux or Solaris automatically sets up Oracle Orachk or Oracle Exachk to use the Oracle Trace File Analyzer scheduler daemon.

The daemon runs a full local Oracle Orachk check once every week at 3 AM, and a partial run of the most impactful checks at 2 AM every day through the oratier1 or exatier1 profiles. The daemon automatically purges the oratier1 or exatier1 profile run that runs daily, after a week. The daemon also automatically purges the full local run after 2 weeks. You can change the daemon settings after enabling auto start.

To remove auto start, run:
  • orachk -autostop
  • exachk -autostop
To remove all default unmodified schedulers:
  • orachk -autostop unset
  • exachk -autostop unset

Note:

  • Daemon mode is supported only on the Linux and Solaris operating systems.
  • If you have an Oracle Engineered System, then in addition to the following usage steps, follow the system-specific instructions.
  1. Set the daemon properties.

    At a minimum, set AUTORUN_SCHEDULE and NOTIFICATION_EMAIL.

    For example, to set the tool to run at 3 AM every Sunday and email the results to some.body@example.com, run the following command:
    $ exachk –set "AUTORUN_SCHEDULE=3 * * 0 ;NOTIFICATION_EMAIL=some.body@example.com"
    $ orachk –set "AUTORUN_SCHEDULE=3 * * 0 ;NOTIFICATION_EMAIL=some.body@example.com"

    Optionally, you can specify the name of the profile. If you do not specify, then id=DEFAULT.

    For example:

    $ exachk -id dba -set "AUTORUN_SCHEDULE=3 * * 0;NOTIFICATION_EMAIL=some.body@example.com"
    $ orachk -id dba -set "AUTORUN_SCHEDULE=3 * * 0;NOTIFICATION_EMAIL=some.body@example.com"
  2. Configure the compliance check daemon as described in "Running Compliance Checks Automatically".
  3. Start the daemon as the root user.
    • orachk -autostart
    • exachk -autostart
    To start and load the default schedulers: 
    • orachk -autostart reset
    • exachk -autostart reset

    Note:

    You must log in as the root user to run the -autostart and -autostop commands. Non-root users cannot run the TFA Scheduler. 
    $ orachk -autostart
Commands -autostart and -autostop can not be run as non root user. Switch to root user and try again.
    $ orachk -autostop
Commands -autostart and -autostop can not be run as non root user. Switch to root user and try again.

Related Topics

Parent topic: Getting Started with Running Compliance Checks

3.1.1.3.1 Running Oracle Orachk or Oracle Exachk Scheduler With the Oracle Trace File Analyzer Daemon

Oracle Orachk or Oracle Exachk scheduler is run by the Oracle Trace File Analyzer daemon.

Oracle Trace File Analyzer scheduler:

  • Decides which is the master node.
  • Picks the Oracle Orachk or Oracle Exachk entries only on the master node.
  • Runs only on the master node.
  • Runs Oracle Orachk or Oracle Exachk clusterwide.
  • Consolidates all the output on the master node.
  • Enters which is the master node in the logs.
  • Notifies through email that points to the master node where the report output is stored.

Example 3-1 Default configuration of Oracle Oracle Orachk/Oracle Exachk scheduler and daemon information 

# orachk -autostatus
Master node = testserver
orachk daemon version = 221000
Install location = /opt/oracle.ahf/orachk
Started at = Wed Jun 22 20:56:51 UTC 2022
Scheduler type = TFA Scheduler
Scheduler PID:  1766980
 
------------------------------------------------------------
ID: orachk.autostart_client_oratier1
------------------------------------------------------------
AUTORUN_FLAGS  =  -usediscovery -profile oratier1 -dball -showpass -tag autostart_client_oratier1 -readenvconfig
COLLECTION_RETENTION  =  7
AUTORUN_SCHEDULE  =  3 2 * * 1,2,3,4,5,6
------------------------------------------------------------

------------------------------------------------------------
ID: orachk.autostart_client
------------------------------------------------------------
AUTORUN_FLAGS  =  -usediscovery -tag autostart_client -readenvconfig
COLLECTION_RETENTION  =  14
AUTORUN_SCHEDULE  =  3 3 * * 0
------------------------------------------------------------
 
Next auto run starts on Jun 23, 2022 02:03:00 
ID:orachk.AUTOSTART_CLIENT_ORATIER1

Related Topics

3.1.1.4 Email Notification and Report Overview

The following sections provide a brief overview about email notifications and sections of the HTML report output.

  • First Email Notification
    After completing compliance check runs, the daemon emails the assessment report as an HTML attachment to all users that you have specified in the NOTIFICATION_EMAIL list.
  • What does the Compliance Check Report Contain?
    Compliance check reports contain the health status of each system grouped under different sections of the report.
  • Subsequent Email Notifications
    For the subsequent compliance check runs after the first email notification, the daemon emails the summary of differences between the most recent runs.
  • Generating a Diff Report
    The diff report attached to the previous email notification shows a summary of differences between the most recent runs.

Parent topic: Getting Started with Running Compliance Checks

3.1.1.4.1 First Email Notification

After completing compliance check runs, the daemon emails the assessment report as an HTML attachment to all users that you have specified in the NOTIFICATION_EMAIL list.

Parent topic: Email Notification and Report Overview

3.1.1.4.2 What does the Compliance Check Report Contain?

Compliance check reports contain the health status of each system grouped under different sections of the report.

The HTML report output contains the following:

  • Health score
  • Summary of compliance check runs
  • Table of contents
  • Controls for report features
  • Findings
  • Recommendations

Details of the report output are different on each system. The report is dynamic, and therefore the tools display certain sections only if applicable.

System Health Score and Summary

System Health Score and Summary report provide:

  • A high-level health score based on the number of passed or failed checks
  • A summary of compliance check run includes:
    • Name, for example, Cluster Name
    • Version of the operating system kernel
    • Path, version, name of homes, for example, CRS, DB, and EM Agent
    • Version of the component checked, for example, Exadata
    • Number of nodes checked, for example, database server, storage servers, InfiniBand switches
    • Version of Oracle Orachk and Oracle Exachk
    • Name of the collection output
    • Date and time of collection
    • Duration of the check
    • Name of the user who ran the check, for example, root
    • How long the check is valid

Table of Contents and Report Feature

The Table of Contents section provides links to major sections in the report:

  • Database Server
  • Storage Server
  • InfiniBand Switch
  • Cluster Wide
  • Maximum Availability Architecture (MAA) Scorecard
  • Infrastructure Software and Configuration Summary
  • Findings needing further review
  • Platinum Certification
  • System-wide Automatic Service Request (ASR) compliance check
  • Skipped Checks
  • Top 10 Time Consuming Checks

The Report Feature section enables you to:

  • Filter checks based on their statuses
  • Select the regions
  • Expand or collapse all checks
  • View check IDs
  • Remove findings from the report
  • Get a printable view

Report Findings

The Report Findings section displays the result of each compliance check grouped by technology components, such as Database Server, Storage Server, InfiniBand Switch, and Cluster Wide.

Each section shows:

  • Check status (FAIL, WARNING, INFO, or PASS)
  • Type of check
  • Check message
  • Where the check was run
  • Link to expand details for further findings and recommendation

Click View for more information about the compliance check results and the recommendations.

  • What to do to solve the problem
  • Where the recommendation applies
  • Where the problem does not apply
  • Links to relevant documentation or My Oracle Support notes
  • Example of data on which the recommendation is based

Maximum Availability Architecture (MAA) Score Card

Maximum Availability Architecture (MAA) Score Card displays the recommendations for the software installed on your system.

The details include:

  • Outage Type
  • Status of the check
  • Description of the problem
  • Components found
  • Host location
  • Version of the components compared to the recommended version
  • Status based on comparing the version found to the recommended version

Related Topics

Parent topic: Email Notification and Report Overview

3.1.1.4.3 Subsequent Email Notifications

For the subsequent compliance check runs after the first email notification, the daemon emails the summary of differences between the most recent runs.

Specify a list of comma-delimited email addresses in the NOTIFICATION_EMAIL option.

The email notification contains:

  • System Health Score of this run compared to the previous run

  • Summary of number of checks that were run and the differences between runs

  • Most recent report result as attachment

  • Previous report result as attachment

  • Diff report as attachment

Parent topic: Email Notification and Report Overview

3.1.1.4.4 Generating a Diff Report

The diff report attached to the previous email notification shows a summary of differences between the most recent runs.

To identify the changes since the last run:

  1. Run the following command:
    $ orachk –diff report_1 report_2

    Review the diff report to see a baseline comparison of the two reports and then a list of differences.

Related Topics

Parent topic: Email Notification and Report Overview

3.1.1.5 Recommended On-Demand Usage

This section summarizes the scenarios that Oracle recommends running compliance checks on-demand.

Apart from scheduled compliance check runs, run compliance checks on-demand by running the following commands:
$ orachk

$ exachk

Oracle recommends that you run compliance checks in the following on-demand scenarios:

  • Pre- or post-upgrades

  • Machine relocations from one subnet to another

  • Hardware failure or repair

  • Problem troubleshooting

  • In addition to go-live testing

While running pre- or post-upgrade checks, Oracle Autonomous Health Framework automatically detects the databases that are registered with Oracle Clusterware and presents the list of databases to check.

Run the pre-upgrade checks during the upgrade planning phase. Oracle Autonomous Health Framework prompts you for the version to which you are planning to upgrade:
$ orachk –u –o pre

$ exachk –u –o pre
After upgrading, run the post-upgrade checks:
$ orachk –u –o post

$ exachk –u –o post

Related Topics

Parent topic: Getting Started with Running Compliance Checks

3.1.1.6 Running Compliance Checks on a Remote Node

Run compliance checks on remote nodes using RSA/DSA SSH private and public keys.

  1. Generate RSA/DSA SSH private and public keys on each of the remote nodes as root user.
  2. Add the content of the above generated public key to the authorized_keys file for each of the remote nodes.
    For example:
    cat $HOME/.ssh/id_dsa.pub >> $HOME/.ssh/authorized_keys
  3. Copy the private keys of all the remote nodes where you want to run the checks, for example, in the PRIVATEKEYDIR directory.
  4. Rename each of the private keys as id_encryption.remote_hostname.remote_user.
    Where:
    • remote_user is the Linux user who created the key
    • encryption can be RSA/DSA
    • remote_host is the hostname (not FQDN) of the remote node
    For example:
    id_dsa.node1.root
    id_rsa.node2.oradb

Ensure that passwordless SSH between the local node and remote node is present. ssh –i id_encryption.remote_host.remote_user remote_user@remote_host must be able to log in to the remote_host without any password.

Parent topic: Getting Started with Running Compliance Checks

3.1.1.6.1 Synchronous Remote Run

This is a blocking-call. Outputs the stdout of the remote run. User gets the prompt or control only when the remote run is completed. Once completed, the collection will be available at the working directory. 

# orachk –remotehost remote_host remote_args -remoteuser remote_user -remotedestdir remote_dest_dir -identitydir PRIVATEKEYDIR
# exachk –remotehost remote_host remote_args -remoteuser remote_user -remotedestdir remote_dest_dir -identitydir PRIVATEKEYDIR
For example:
orachk -remotehost node2 -profile asm -remoteuser root -remotedestdir /scratch/user/ -identitydir /scratch/user/privatekeys/
exachk -remotehost node1 -localonly -c X4-2,MAA -remoteuser oracle -remotedestdir /scratch/user/ -identitydir /scratch/user/privatekeys/
$ orachk -remotehost node2 -profile asm -remoteuser root -remotedestdir /scratch/user1/ -identitydir .privatekeys/
 
Starting orachk run on node2. For more detail about run check /scratch/user1/orachkremote/orachk_node2_112818_040034_run.log
 
Clusterware stack is running from /scratch/app/11.2.0.4/grid. Is this the correct Clusterware Home?[y/n][y]
 
Checking ssh user equivalency settings on all nodes in cluster for root

Parent topic: Running Compliance Checks on a Remote Node

3.1.1.6.2 Asynchronous Remote Run

This is a non-blocking-call. Oracle Orachk and Oracle Exachk initiate the remote run, display a _run.log file, and give control to the user. Check the _run.log file to ensure the completion of the remote run. Once completed, the collection will be available at the working directory 

# orachk –remotehost remote_host remote_args -remoteuser remote_user -remotedestdir remote_dest_dir  -identitydir PRIVATEKEYDIR -asynch
# exachk –remotehost remote_host remote_args -remoteuser remote_user -remotedestdir remote_dest_dir -identitydir PRIVATEKEYDIR -asynch
Where:
  • remote_host is the host name of the remote node.
  • remote_args are the arguments that needs to be passed to the Oracle Orachk and Oracle Exachk run in the remote node.
  • remote_user is the remote user who runs Oracle Orachk and Oracle Exachk.
  • remote_dest_dir is the remote directory where orachk.zip or exachk.zip is extracted.
  • PRIVATEKEYDIR is the directory contains the private keys of the remote nodes in the specified format.

Note:

If you use DSA keys, then set the RAT_SSH_ENCR environment variable to dsa before running the Oracle Orachk and Oracle Exachk remote run commands.
For example:
orachk -remotehost node2 -remoteuser oradb -remotedestdir /scratch/user/ -identitydir /scratch/user/privatekeys/ -asynch
exachk -remotehost node1 -cells node1 -c X4-2,MAA -remoteuser root -remotedestdir /scratch/user/ -identitydir /scratch/user/privatekeys/ -asynch
$ orachk -remotehost node2 -localonly -remoteuser root -identitydir .privatekeys/ -asynch

Starting orachk run on node2. For more detail about run check /scratch/user1/orachkremote/orachk_node2_112818_041037_run.log
Private key files
$ ls PRIVATEKEYDIR/
id_dsa.node1.oracle    id_dsa.node4.root    id_dsa.node6.oracle    id_dsa.node8.root    id_dsa.node11.oracle
id_dsa.node2.root      id_dsa.node5.oracle  id_dsa.node6.root      id_dsa.node9.root
id_dsa.node3.root      id_dsa.node5.root    id_dsa.node7.root      id_dsa.node10.oracle

Parent topic: Running Compliance Checks on a Remote Node

3.1.1.7 Creating, Modifying, and Deleting User-Defined Profiles

Specify a comma-delimited list of check IDs to create and modify custom profiles.

Specify valid check IDs and descriptive unique profile name.
  1. To create a profile:
    orachk -createprofile profile_name check_ids 

    exachk -createprofile profile_name check_ids
    orachk -createprofile customprofile1 E94AC6ACDA502F3BE04312C0E50A290A,
F01E3FEDBD2B243EE04312C0E50A4DC5, 
F02293F7261D1BCAE04312C0E50A4118,
F9370B4F5707076DE04312C0E50A78AE

Validating checks...

Profile customprofile1 created successfully...

    Oracle Orachk and Oracle Exachk validate profile names and check IDs before creating the profile and print appropriate messages if any discrepancies found. Oracle Orachk and Oracle Exachk create the profiles only if the profile names are unique and check IDs are valid.

  2. To modify a profile:
    orachk -modifyprofile profile_name check_ids 

    exachk -modifyprofile profile_name check_ids
    exachk -modifyprofile customprofile1 21B57D4065DDEA3DE0530D98EB0A8205,
39128FBB540C098AE0530D98EB0AFB1A,
9AD8AF3966FB3027E040E50A1EC0308F,
019F5085951978CAE05313C0E50A4FCB

Validating checks...

Modifying profile customprofile1...

Profile customprofile1 modified successfully...


Added Checks:
21B57D4065DDEA3DE0530D98EB0A8205
9AD8AF3966FB3027E040E50A1EC0308F
019F5085951978CAE05313C0E50A4FCB
--------------------------------
Removed Checks:
39128FBB540C098AE0530D98EB0AFB1A
    You cannot modify the profile name. You can only add to or remove check IDs form the profile.

    If the check IDs are in the profile, then Oracle Orachk and Oracle Exachk remove them from the profile.

    If the check IDs are not in the profile, then Oracle Orachk and Oracle Exachk add them to the profile.

  3. To delete a profile:
    orachk -deleteprofile profile_name 

    exachk -deleteprofile profile_name
    orachk -deleteprofile customprofile1

Deleting profile customprofile1...

Profile customprofile1 deleted successfully...

    Oracle Orachk and Oracle Exachk delete the profile by removing the profile entry ID from the profiles.dat file, and deleting the corresponding profiles.prf file.

Parent topic: Getting Started with Running Compliance Checks

3.1.1.8 Sanitizing Sensitive Information in the Diagnostic Collections

Oracle Autonomous Health Framework uses Adaptive Classification and Redaction (ACR) to sanitize sensitive data.

Note:

The -sanitize parameter has been deprecated and removed in 23.3. Oracle recommends using the ahfctl redact command instead.

After collecting copies of diagnostic data, Oracle Orachk and Oracle Exachk use Adaptive Classification and Redaction (ACR) to sanitize sensitive data in the collections. ACR uses a machine learning based engine to redact a pre-defined set of entity types in a given set of files. ACR also sanitizes or masks entities that occur in path names.

  • Sanitization replaces a sensitive value with random characters.
  • Masking replaces a sensitive value with a series of asterisks ("*").

ACR currently sanitizes the following entity types:

  • Host names
  • IP addresses
  • MAC addresses
  • Oracle Database names
  • Tablespace names
  • Service names
  • Ports
  • Operating system user names

ACR also masks Personally Identifiable Information (PII), that is, user data from the database appearing in block and redo dumps. There is no separate command for it.

To sanitize sensitive information: 

orachk -sanitize comma_delimited_list_of_collection_IDs

or

exachk -sanitize comma_delimited_list_of_collection_IDs
Block dumps before redaction:
14A533F40 00000000 00000000 00000000 002C0000 [..............,.]
14A533F50 35360C02 30352E30 31322E37 380C3938 [..650.507.2189.8]
14A533F60 31203433 37203332 2C303133 360C0200 [34 123 7310,...6]
Block dumps after redaction:
14A533F40 ******** ******** ******** ******** [****************]
14A533F50 ******** ******** ******** ******** [****************]
14A533F60 ******** ******** ******** ******** [****************]
Redo dumps before redaction:
col 74: [ 1] 80
col 75: [ 5] c4 0b 19 01 1f
col 76: [ 7] 78 77 06 16 0c 2f 26
Redo dumps after redaction:
col 74: [ 1] **
col 75: [ 5] ** ** ** ** **
col 76: [ 7] ** ** ** ** ** ** **

To print the reverse map of sanitized elements:

orachk -rmap all|comma_delimited_list_of_element_IDs

or

exachk -rmap all|comma_delimited_list_of_element_IDs

Parent topic: Getting Started with Running Compliance Checks

3.1.1.8.1 Sanitizing Sensitive Information in Oracle Orachk or Oracle Exachk Output

Note:

The -sanitize parameter has been deprecated and removed in 23.3. Oracle recommends using the ahfctl redact command instead.

  1. If you specify a file name that does not follow the naming convention:
    For example:
    $ orachk -sanitize orachk_invalid.html
/scratch/testuser/may31/orachk_invalid.html is not a valid orachk collection
  2. If you specify a file that does not exist:
    For example:
    $ orachk -sanitize /tmp/orachk_invalid.html
/tmp/orachk_invalid.html does not exist
  3. If you sanitize a file that exists with valid Oracle Autonomous Health Framework naming convention, but the file is not generated by Oracle Autonomous Health Framework:
    For example:
    $ orachk -sanitize orachk_invalidcollection.zip
orachk is sanitizing /scratch/testuser/may31/orachk_invalidcollection.zip. Please
wait...
ACR error occurred while sanitizing orachk collection
  4. To sanitize a file with relative path:
    For example:
    $ orachk -sanitize new/orachk_node061919_053119_001343.zip 
orachk is sanitizing
/scratch/testuser/may31/new/orachk_node061919_053119_001343.zip. Please wait...

Sanitized collection is:
/scratch/testuser/may31/orachk_aydv061919_053119_001343.zip
    $ orachk -sanitize .orachk_node061919_053119_001343.zip 
orachk is sanitizing
/scratch/testuser/may31/.orachk_node061919_053119_001343.zip. Please wait...

Sanitized collection is:
/scratch/testuser/may31/orachk_aydv061919_053119_001343.zip
  5. To sanitize Oracle Autonomous Health Framework debug log:
    For example:
    $ orachk -sanitize new/orachk_debug_053119_023653.log
orachk is sanitizing /scratch/testuser/may31/new/orachk_debug_053119_023653.log.
Please wait...

Sanitized collection is: /scratch/testuser/may31/orachk_debug_053119_023653.log
  6. To run full sanity check:
    For example:
    $ orachk -localonly -profile asm -sanitize -silentforce

Detailed report (html) - 
/scratch/testuser/may31/orachk_node061919_053119_04448/orachk_node061919_053119_04448.html

orachk is sanitizing /scratch/testuser/may31/orachk_node061919_053119_04448.
Please wait...

Sanitized collection is: /scratch/testuser/may31/orachk_aydv061919_053119_04448

UPLOAD [if required] - /scratch/testuser/may31/orachk_node061919_053119_04448.zip
  7. To print the reverse map of sanitized elements:
    For example:
    orachk -rmap pu406jKxg,kEvGFDT
________________________________________________________________________________
| Entity Type | Substituted Entity Name | Original Entity Name |
________________________________________________________________________________
| dbname      | XTT_MANUR               | ASM_POWER            |
| dbname      | fcb63u2                 | rac12c2              |
________________________________________________________________________________
    orachk -rmap all

3.1.1.8.2 Setting up Staging Server for Adaptive Classification and Redaction (ACR)

Adaptive Classification and Redaction (ACR) is a CPU intensive task as it examines data in each file to redact sensitive entities. ACR spawns multiple processes to redact the files across these processes. Whenever an ACR process is scheduled on a CPU, it may utilise the CPU fully (can reach ~100% CPU utilisation). But, since ACR does not run at an elevated priority, it does not starve other processes on the system. However, since ACR is sharing the resources with other processes running on the production environment, it can affect those processes. Hence, to not affect the processes and applications on the production environment, it is recommended to set up a staging server dedicated for redacting the collections using ACR.

For more information about setting up staging server for Adaptive Classification and Redaction (ACR), see My Oracle Support note 2882798.1.

Related Topics

3.1.1.9 Problem Repair Automation Options

Starting in release 19.3, Oracle Orachk and Oracle Exachk have the capability to automatically fix problems when found.

Certain checks have a repair command associated with them. To see what the repair command actually does, run the -showrepair command.
orachk -showrepair check_id

exachk -showrepair check_id
To run the repair commands include one of the following options:
orachk -repair all

orachk -repair check_id,[check_id,check_id...]
orachk -repair file
exachk -repair all

exachk -repair check_id,[check_id,check_id...]

exachk -repair file
  • check_id: Refers to specific checks that you want to repair. Specify a check ID or a list of comma-delimited list of check IDs.
  • file: A text file that contains a list of check IDs. Add one check ID per line.
    For example:
    
check ID1
check ID2
check IDn

Parent topic: Getting Started with Running Compliance Checks

3.1.1.10 Integration of Oracle DBSAT into Oracle Autonomous Health Framework

DBSAT is a lightweight utility that will not impair system performance in a measurable way.

The Oracle Database Security Assessment Tool (Oracle DBSAT):
  • Analyzes database configurations
  • Users and their entitlements
  • Security policies
  • Identifies where sensitive data resides to uncover security risks (not executed in Oracle Autonomous Health Framework)
  • Improves the security posture of Oracle Databases within your organization

Oracle Autonomous Health Framework always includes the latest DBSAT and runs DBSAT on all databases if you use the -security profile. For example, orachk -profile security.

To generate an AHF best practice report including security recommendations, you can also run:
ahfctl compliance -profile security
You can use Oracle DBSAT report findings to:
  • Fix immediate short-term risks
  • Implement a comprehensive security strategy
  • Support your regulatory compliance program
  • Promote security best practices

Figure 3-1 Oracle Database Security Assessment Report

Description of Figure 3-1 follows
Description of "Figure 3-1 Oracle Database Security Assessment Report"

For more information, see Oracle Database Security Assessment Report.

Related Topics

Parent topic: Getting Started with Running Compliance Checks

3.1.1.11 Integration of AutoUpgrade utility into Oracle Autonomous Health Framework

The AutoUpgrade utility identifies issues before upgrades, performs pre- and postupgrade actions, deploys upgrades, performs postupgrade actions, and starts the upgraded Oracle Database.

Before the upgrade, in Analyze mode, the AutoUpgrade utility performs read-only analysis of databases before upgrade, so that it can identify issues that require fixing.

When you run Oracle Orachk in pre-upgrade mode, Oracle Orachk in turn runs the AutoUpgrade utility to check if each database is ready to upgrade or not.

Figure 3-2 Database AutoUpgrade Result

Description of Figure 3-2 follows
Description of "Figure 3-2 Database AutoUpgrade Result"

For more information, see Using AutoUpgrade for Oracle Database Upgrades.

Related Topics

Parent topic: Getting Started with Running Compliance Checks