2.2 Running Compliance Checks Automatically

Oracle recommends that you use the daemon process to schedule recurring compliance checks at regular intervals.

Note:

Daemon mode is supported only on the Linux and Solaris operating systems.

Configure the daemon to:

  • Schedule recurring compliance checks at regular intervals

  • Send email notifications when the compliance check runs complete, clearly showing any differences since the last run

  • Purge collection results after a pre-determined period

  • Check and send email notification about stale passwords

  • Store multiple profiles for automated compliance check runs

  • Restart automatically if the server or node where it is running restarts

Note:

While running, the daemon answers all the prompts required by subsequent on-demand compliance checks.

To run on-demand compliance checks, do not use the daemon process started by others. Run on-demand compliance checks within the same directory where you have started the daemon.

If you change the system configuration such as adding or removing servers or nodes, then restart the daemon.

2.2.1 Setting and Getting Options for the Daemon

Set the daemon options before you start the daemon. Reset the daemon options anytime after starting the daemon.

To set the daemon options:

  1. Set the daemon options using the -set option.
    Set an option as follows:
    $ orachk -set "option_1=option_1_value"
    $ exachk -set "option_1=option_1_value"
    Set multiple options using the name=value format separated by semicolons as follows:
    $ orachk -set "option_1=option_1_value;option_2=option_2_value;option_n=option_n_value"
    $ exachk -set "option_1=option_1_value;option_2=option_2_value;option_n=option_n_value"

2.2.1.1 AUTORUN_SCHEDULE

Schedule recurring compliance check runs using the AUTORUN_SCHEDULE daemon option.

To schedule recurring compliance check runs:

  1. Set the AUTORUN_SCHEDULE option, as follows:
    AUTORUN_SCHEDULE=minute hour day month day_of_week
    Where:
    • minute is 0-59 (Optional. If omitted, then 0 is used)

    • hour is 0–23

    • day is 1–31

    • month is 1–12

    • day_of_week is 0–6, where 0=Sunday and 6=Saturday

    Use the asterisk (*) as a wildcard. To specify multiple values, separate them with commas.

    Table 2-1 AUTORUN_SCHEDULE

    Example                                      Result
    "AUTORUN_SCHEDULE=0,15,30,45 * * * *"        Runs every 15 minutes.
    "AUTORUN_SCHEDULE=* * * *"                   Runs every hour.
    "AUTORUN_SCHEDULE=3 * * 0"                   Runs at 3 AM every Sunday.
    "AUTORUN_SCHEDULE=2 * * 1, 3, 5"             Runs at 2 AM on Monday, Wednesday, and Friday.
    "AUTORUN_SCHEDULE=4 1 * *"                   Runs at 4 AM on the first day of every month.
    "AUTORUN_SCHEDULE=8,20 * * 1, 2, 3, 4, 5"    Runs at 8 AM and 8 PM every Monday, Tuesday, Wednesday, Thursday, and Friday.

For example:
$ orachk -set "AUTORUN_SCHEDULE=3 * * 0"
$ exachk -set "AUTORUN_SCHEDULE=3 * * 0"

Optionally, you can specify the name of the profile. If you do not specify, then id=DEFAULT.

For example:
$ orachk -id dba -set "AUTORUN_SCHEDULE=3 * * 0"
$ exachk -id dba -set "AUTORUN_SCHEDULE=3 * * 0"
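
The field ranges and the optional minute described above can be checked before a value is passed to -set. The following is an added example, not Oracle code: a POSIX shell function (normalize_autorun_schedule is a hypothetical name) that validates a schedule string, accepts the four-field form with the minute omitted, and prints the equivalent five-field form. Treating "1, 3, 5" the same as "1,3,5" is an assumption based on the examples in Table 2-1.

```shell
# Added example (not Oracle code): validate an AUTORUN_SCHEDULE value using the
# field ranges documented above and print it in explicit five-field form.
# normalize_autorun_schedule is a hypothetical helper name.
normalize_autorun_schedule() {
    printf '%s\n' "$1" | awk '
    function fail(msg) {
        print "invalid AUTORUN_SCHEDULE: " msg > "/dev/stderr"
        exit 1
    }
    # A field is either "*" or a comma-separated list of integers in [lo, hi].
    function check(val, name, lo, hi,    n, i, part) {
        if (val == "*") return
        n = split(val, part, ",")
        for (i = 1; i <= n; i++) {
            if (part[i] !~ /^[0-9]+$/)
                fail(name " has a non-numeric entry \"" part[i] "\"")
            if (part[i] + 0 < lo || part[i] + 0 > hi)
                fail(name " value " part[i] " is outside " lo "-" hi)
        }
    }
    {
        # Table 2-1 writes lists both as "1,3,5" and "1, 3, 5"; treat them
        # alike (assumption) so a list is not mistaken for extra fields.
        gsub(/,[ \t]+/, ",")
        if (NF == 4) $0 = "0 " $0          # minute omitted, so 0 is used
        if (NF != 5) fail("expected 4 or 5 fields, found " NF)
        check($1, "minute", 0, 59)
        check($2, "hour", 0, 23)
        check($3, "day", 1, 31)
        check($4, "month", 1, 12)
        check($5, "day_of_week", 0, 6)
        $1 = $1                            # collapse runs of whitespace
        print
    }'
}

# Constructed sample values: the first is valid, the second has hour 25.
for schedule in '3 * * 0' '25 * * 0'; do
    if normalized=$(normalize_autorun_schedule "$schedule" 2>/dev/null); then
        echo "ok:       \"$schedule\" -> \"$normalized\""
    else
        echo "rejected: \"$schedule\""
    fi
done
```

A rejected value exits non-zero, so the function can gate a wrapper script before it calls orachk or exachk.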

2.2.1.2 AUTORUN_FLAGS

The AUTORUN_FLAGS daemon option determines how compliance checks are run.

To configure how compliance checks should run:

  1. Set the AUTORUN_FLAGS option as follows:
    AUTORUN_FLAGS=flags
    Where:
    • flags can be any combination of valid command-line flags.

    Table 2-2 AUTORUN_FLAGS

    Example                                            Result
    "AUTORUN_FLAGS=-profile dba"                       Runs only the dba profile checks.
    "AUTORUN_FLAGS=-profile sysadmin -tag sysadmin"    Runs only the sysadmin profile checks and tags the output with the value sysadmin.
    "AUTORUN_FLAGS=-excludeprofile ebs"                Runs all checks except the checks in the ebs profile.

For example:
$ orachk -set "AUTORUN_FLAGS=-profile sysadmin -tag sysadmin"
$ exachk -set "AUTORUN_FLAGS=-profile sysadmin -tag sysadmin"

2.2.1.3 NOTIFICATION_EMAIL

Set the NOTIFICATION_EMAIL daemon option to send email notifications to the recipients you specify.

The daemon notifies the recipients each time a health check run completes or when the daemon experiences a problem.

To configure email notifications:

  1. Specify a comma-delimited list of email addresses, as follows:

    $ orachk -set "NOTIFICATION_EMAIL=some.person@acompany.com,another.person@acompany.com"
    $ exachk -set "NOTIFICATION_EMAIL=some.person@acompany.com,another.person@acompany.com"

    Optionally, you can specify the name of the profile. If you do not specify, then id=DEFAULT.

    For example:
    $ orachk -id dba -set "NOTIFICATION_EMAIL=some.person@acompany.com,another.person@acompany.com"
    $ exachk -id dba -set "NOTIFICATION_EMAIL=some.person@acompany.com,another.person@acompany.com"
  2. Test the email notification configuration using the -testemail option, as follows:
    $ orachk -testemail all
    $ exachk -testemail all

After the first health check run, the daemon notifies the recipients with report output attached.

For the subsequent health check runs after the first email notification, the daemon emails the summary of differences between the most recent runs to all recipients specified in the NOTIFICATION_EMAIL list.

2.2.1.4 collection_retention

Set the collection_retention daemon option to purge health check collection results that are older than a specified number of days.

To configure collection retention period:

  1. Set the collection_retention option, as follows:
    collection_retention=number_of_days

    If you do not set this option, then the daemon does not purge the stale collection.

  2. Set the collection_retention option to an appropriate number of days based on:
    • Frequency of your scheduled collections

    • Size of the collection results

    • Available disk space

For example:
$ orachk -set "collection_retention=60"
$ exachk -set "collection_retention=60"

2.2.1.4.1 To Control Collection Retention Using Size

Set the size in MB using the environment variable RAT_PURGE_SIZE. When the health check collections consume the specified size, Oracle ORAchk starts purging the old collections and retains the space specified using RAT_PURGE_SIZE.

For example:
$ export RAT_PURGE_SIZE=4096

2.2.1.5 PASSWORD_CHECK_INTERVAL

The PASSWORD_CHECK_INTERVAL daemon option defines the frequency, in hours, for the daemon to validate the passwords entered when the daemon was started the first time.

If an invalid password is found due to a password change, then the daemon stops, makes an entry in the daemon log, and then sends an email notification message to the recipients specified in the NOTIFICATION_EMAIL option.

To configure password validation frequency:

  1. Set the PASSWORD_CHECK_INTERVAL option, as follows:
    PASSWORD_CHECK_INTERVAL=number_of_hours

    If you do not set the PASSWORD_CHECK_INTERVAL option, then the daemon cannot actively check password validity and fails the next time the daemon tries to run after a password change. Using the PASSWORD_CHECK_INTERVAL option enables you to take corrective action and restart the daemon with the correct password rather than having failed collections.

  2. Set the PASSWORD_CHECK_INTERVAL option to an appropriate number of hours based on:
    • Frequency of your scheduled collections

    • Password change policies

For example:
$ orachk -set "PASSWORD_CHECK_INTERVAL=1"
$ exachk -set "PASSWORD_CHECK_INTERVAL=1"

2.2.1.6 Setting Multiple Option Profiles for the Daemon

Use only one daemon process for each server. Do not start a single daemon on multiple databases in a cluster, or multiple daemons on the same database.

The daemon does not start if it detects another Oracle Autonomous Health Framework daemon process running locally.

Define multiple different run profiles using the same daemon. Defining multiple different run profiles enables you to run multiple different compliance checks with different daemon options, such as different schedules, email notifications, and automatic run flags. The daemon manages all profiles.

Define daemon option profiles using the -id id option before the -set option, where id is the name of the profile.

$ orachk -id id -set "option=value"
$ exachk -id id -set "option=value"

To set multiple option profiles for the daemon:

For example, if the database administrator wants to run checks within the dba profile and the system administrator wants to run checks in the sysadmin profile, then configure the daemon using the profiles option.

  1. Define the database administrator profile as follows:
    $ orachk -id dba -set "NOTIFICATION_EMAIL=dba@example.com;\
       AUTORUN_SCHEDULE=4,8,12,16,20 * * *;AUTORUN_FLAGS=-profile dba -tag dba;\
       collection_retention=30"

    Created notification_email for ID[dba]
    Created autorun_schedule for ID[dba]
    Created autorun_flags for ID[dba]
    Created collection_retention for ID[dba]

    $ exachk -id dba -set "NOTIFICATION_EMAIL=dba@example.com;\
       AUTORUN_SCHEDULE=4,8,12,16,20 * * *; AUTORUN_FLAGS=-profile dba -tag dba;\
       collection_retention=30"

    Created notification_email for ID[dba]
    Created autorun_schedule for ID[dba]
    Created autorun_flags for ID[dba]
    Created collection_retention for ID[dba]
  2. Define the system administrator profile as follows:
    $ orachk -id sysadmin -set "NOTIFICATION_EMAIL=sysadmin@example.com;\
       AUTORUN_SCHEDULE=3 * * 1,3,5; AUTORUN_FLAGS=-profile sysadmin -tag sysadmin;\
       collection_retention=60"

    Created notification_email for ID[sysadmin]
    Created autorun_schedule for ID[sysadmin]
    Created autorun_flags for ID[sysadmin]
    Created collection_retention for ID[sysadmin]

    $ exachk -id sysadmin -set "NOTIFICATION_EMAIL=sysadmin@example.com;\
       AUTORUN_SCHEDULE=3 * * 1,3,5; AUTORUN_FLAGS=-profile sysadmin -tag sysadmin;\
       collection_retention=60"

    Created notification_email for ID[sysadmin]
    Created autorun_schedule for ID[sysadmin]
    Created autorun_flags for ID[sysadmin]
    Created collection_retention for ID[sysadmin]

2.2.1.7 Getting Existing Options for the Daemon

Query the values that you set for the daemon options.

To query the values, use [-id ID] -get option | all.

Where:
  • ID is a daemon option profile.
  • option is a specific daemon option you want to retrieve.
  • all returns values of all options.

To get existing options for the daemon:

  1. To get a specific daemon option: -get option
    $ orachk -get NOTIFICATION_EMAIL

    ID: orachk.default
    ------------------------------------------
    notification_email = some.body@example.com

    $ exachk -get NOTIFICATION_EMAIL

    ID: exachk.default
    ------------------------------------------
    notification_email = some.body@example.com
  2. To query multiple daemon option profiles: -get option
    $ orachk -get NOTIFICATION_EMAIL

    ID: orachk.default
    ------------------------------------------
    notification_email = some.body@example.com

    ID: dba
    ------------------------------------------
    notification_email = dba@example.com

    ID: sysadmin
    ------------------------------------------
    notification_email = sysadmin@example.com

    $ exachk -get NOTIFICATION_EMAIL

    ID: exachk.default
    ------------------------------------------
    notification_email = some.person@example.com

    ID: dba
    ------------------------------------------
    notification_email = dba@example.com

    ID: sysadmin
    ------------------------------------------
    notification_email = sysadmin@example.com
  3. To limit the request to a specific daemon option profile: -id ID -get option
    To get the NOTIFICATION_EMAIL for a daemon profile called dba:
    $ orachk -id dba -get NOTIFICATION_EMAIL

    ID: dba
    ------------------------------------------
    notification_email = dba@example.com

    $ exachk -id dba -get NOTIFICATION_EMAIL

    ID: dba
    ------------------------------------------
    notification_email = dba@example.com
  4. To get all options set: -get all
    $ orachk -get all

    ID: orachk.default
    ------------------------------------------
    notification_email = some.body@example.com
    autorun_schedule = 3 * * 0
    collection_retention = 30
    password_check_interval = 1

    $ exachk -get all

    ID: exachk.default
    ------------------------------------------
    notification_email = some.body@example.com
    autorun_schedule = 3 * * 0
    collection_retention = 30
    password_check_interval = 1
  5. To query all daemon option profiles: -get all
    $ orachk -get all

    ID: orachk.default
    ------------------------------------------
    notification_email = some.body@example.com
    autorun_schedule = 3 * * 0
    collection_retention = 30
    password_check_interval = 12

    ID: dba
    ------------------------------------------
    notification_email = dba@example.com
    autorun_schedule = 4,8,12,16,20 * * *
    autorun_flags = -profile dba -tag dba
    collection_retention = 30
    password_check_interval = 1

    ID: sysadmin
    ------------------------------------------
    notification_email = sysadmin@example.com
    autorun_schedule = 3 * * 1,3,5
    autorun_flags = -profile sysadmin -tag sysadmin
    collection_retension = 60
    password_check_interval = 1

    $ exachk -get all

    ID: exachk.default
    ------------------------------------------
    notification_email = some.body@example.com
    autorun_schedule = 3 * * 0
    collection_retention = 30
    password_check_interval = 1

    ID: dba
    ------------------------------------------
    notification_email = dba@example.com
    autorun_schedule = 4,8,12,16,20 * * *
    autorun_flags = -profile dba -tag dba
    collection_retention = 30
    password_check_interval = 1

    ID: sysadmin
    ------------------------------------------
    notification_email = sysadmin@example.com
    autorun_schedule = 3 * * 1,3,5
    autorun_flags = -profile sysadmin -tag sysadmin
    collection_retension = 60
    password_check_interval = 1
  6. To limit the request to a specific daemon option profile: -id ID -get all

    To get all the options set for a daemon profile called dba:

    $ orachk -id dba -get all

    ID: dba
    ------------------------------------------
    notification_email = dba@example.com
    autorun_schedule = 4,8,12,16,20 * * *
    autorun_flags = -profile dba -tag dba
    collection_retention = 30
    password_check_interval = 1

    $ exachk -id dba -get all

    ID: dba
    ------------------------------------------
    notification_email = dba@example.com
    autorun_schedule = 4,8,12,16,20 * * *
    autorun_flags = -profile dba -tag dba
    collection_retention = 30
    password_check_interval = 1
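
As an added example (not Oracle code), the script below parses the -get all output format shown in this section and lists any profile that has no value for notification_email, password_check_interval or collection_retention, the options behind failure notices, stale-password detection and purging. The function names, the list of required options and the sample input are assumptions constructed for illustration.

```shell
# Added example (not Oracle code): read "-get all" output on stdin and list
# profiles with no value for an option this audit expects (hypothetical list).
REQUIRED="notification_email password_check_interval collection_retention"

audit_daemon_profiles() {
    awk -v required="$REQUIRED" '
    # Print one line for the current profile if it lacks a required option.
    function report(   i, n, want, miss) {
        if (id == "") return
        n = split(required, want, " ")
        for (i = 1; i <= n; i++)
            if (!((id, want[i]) in seen))
                miss = miss (miss == "" ? "" : ",") want[i]
        if (miss != "") { print id ": missing " miss; gaps = 1 }
    }
    /^[ \t]*ID:/ {                       # start of a new profile section
        report()
        id = $0; sub(/^[ \t]*ID:[ \t]*/, "", id); sub(/[ \t]+$/, "", id)
        next
    }
    /^[ \t]*[a-z_]+[ \t]*=/ {            # "name = value" line
        key = $0; sub(/^[ \t]*/, "", key); sub(/[ \t]*=.*/, "", key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val)
        # The sample output on this page spells this key both ways.
        if (key == "collection_retension") key = "collection_retention"
        if (val != "") seen[id, key] = 1
    }
    END { report(); exit gaps + 0 }'
}

# Constructed sample in the format shown above; dba lacks password_check_interval.
sample_get_all_output() {
    cat <<'EOF'
ID: orachk.default
------------------------------------------
notification_email = some.body@example.com
collection_retention = 30
password_check_interval = 1

ID: dba
------------------------------------------
notification_email = dba@example.com
autorun_schedule = 4,8,12,16,20 * * *
collection_retention = 30

ID: sysadmin
------------------------------------------
notification_email = sysadmin@example.com
collection_retension = 60
password_check_interval = 1
EOF
}

sample_get_all_output | audit_daemon_profiles || echo "profiles need attention"
```

On a host with the tool installed, pipe the real output into the function instead of the sample, for example orachk -get all | audit_daemon_profiles.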

2.2.2 Starting and Stopping the Daemon

Start and stop the daemon and force the daemon to stop a compliance check run.

To start and stop the daemon:

  1. To start the daemon:
    $ orachk -d start
    $ exachk -d start

    The tools prompt you to provide required information during startup.

  2. To stop the daemon:
    $ orachk -d stop
    $ exachk -d stop

    If a compliance check run is in progress when you run the stop command, then the daemon indicates so and continues running.

  3. To force the daemon to stop a compliance check run:
    $ orachk -d stop_client
    $ exachk -d stop_client

    The daemon stops the compliance check run and then confirms when it is done. If necessary, then stop the daemon using the -d stop option.

2.2.3 Querying the Status and Next Planned Daemon Run

Query the status and next automatic run schedule of the running daemon.

-d status|info|nextautorun
Where:
  • -d status: Checks if the daemon is running.
  • -d info: Displays information about the running daemon.
  • -d nextautorun [-id ID]: Displays the next automatic run time.

To query the status and next planned daemon run:

  1. To check if the daemon is running:
    $ orachk -d status
    $ exachk -d status

    If the daemon is running, then the daemon confirms and displays the PID.

  2. To query more detailed information about the daemon:
    $ orachk -d info
    $ exachk -d info

    The daemon responds with the following information:

    • Node on which the daemon is installed

    • Version

    • Install location

    • Time when the daemon was started

  3. To query the next scheduled compliance check run:
    $ orachk -d nextautorun
    $ exachk -d nextautorun

    The daemon responds with details of the schedule.

    If you have configured multiple daemon option profiles, then the output shows whichever is scheduled to run next.

    If you have configured multiple daemon option profiles, then query the next scheduled compliance check run of a specific profile using -id ID -d nextautorun:
    $ orachk -id ID -d nextautorun
    $ exachk -id ID -d nextautorun

    The daemon responds with details of the schedule for the daemon options profile ID you have specified.

2.2.4 Configuring the Daemon for Automatic Start

Installing Oracle Autonomous Health Framework as root on Linux or Solaris automatically sets up and runs the Oracle ORAchk or Oracle EXAchk daemon.

To configure the daemon to stop or start automatically:

Run these commands as root.

  1. To remove auto start configuration:
    $ orachk -autostop
    $ exachk -autostop
  2. To configure the daemon to start automatically:
    $ orachk -autostart
    $ exachk -autostart

    The daemon restarts at 1 am every day to discover any environment changes. The daemon runs a full local Oracle ORAchk check once every week at 3 am, and a partial run of the most impactful checks at 2 am every day through the oratier1 or exatier1 profiles. The daemon automatically purges the oratier1 or exatier1 profile run that runs daily, after a week. The daemon also automatically purges the full local run after 2 weeks. You can change the daemon settings after enabling auto start.

2.2.5 Configuring the Daemon for Automatic Restart

By default, you must manually restart the daemon if you restart the server or node on which the daemon is running.

However, if you use the automatic restart option, the daemon restarts automatically after the server or node reboot.

Configure the daemons to auto restart as root.

To configure the daemon to restart automatically:

  1. To configure the daemon to restart automatically:
    $ orachk -initsetup
    $ exachk -initsetup

    The tool prompts you to provide the required information during startup.

    Note:

    Stop the daemon before running -initsetup, if the daemon is already running.
  2. To query automatic restart status of the daemon:
    $ orachk -initcheck
    $ exachk -initcheck
  3. To remove automatic restart configuration:
    $ orachk -initrmsetup
    $ exachk -initrmsetup