2.1 Getting Started with Running Compliance Checks

Review these topics to get started with Oracle Autonomous Health Framework compliance checking.

2.1.1 Running Oracle ORAchk or Oracle EXAchk as a Non-Root User

You can optionally run Oracle ORAchk or Oracle EXAchk as a non-root user.

When you have installed AHF as root and if non-root users run Oracle ORAchk or Oracle EXAchk and want to change the directory to their own output location, then the non-user will not be able to browse any directory using ls -l in the path before their own output location. However, they can directly cd to the output location.
$ cd /u01/app/crsusr/oracle.ahf/data/host_name/
$ ls -ltra
ls: cannot open directory .: Permission denied
$ cd orachk
$ ls
ls: cannot open directory .: Permission denied
$ cd user_racusr
$ ls -l
total 7456
-r-xr-xr-x 1 root root 6836 Jun 1 13:37 cgrep
rw-rr- 1 root root 5481 Jun 1 13:37 cgrep.pyc
drwxr-xr-x 7 racusr oinstall 274432 Jun 1 14:05 orachk_host_name_ratcdb_060120_133414
rr---- 1 racusr oinstall 7323951 Jun 1 14:05 orachk_host_name_ratcdb_060120_133414.zip
drwx-----T 2 racusr root 4096 Jun 1 14:05 output
drwx-----T 4 racusr root 4096 Jun 1 14:05 work

Non-root users can copy the path of Oracle ORAchk run result and cd directly there, or copy the result. Alternatively, they can run the tfactl showrepo command and it will show them the correct location where their results are available.

$ tfactl showrepo

<<output truncated>>
orachk repository: /u01/app/crsusr/oracle.ahf/data/host_name/orachk/user_racusr/output

2.1.2 Non-Root Users Running Root Privileged Checks on Database Servers

Non-root user can run root privileged checks on the database servers without requiring root password or sudo.

The Oracle Trace File Analyzer daemon must be running on all database servers in cluster.
  1. As root user, grant permission to non-root users to run root privileged checks using the tfactl access promote -user user_name command.
  2. Ensure that the non-root user has been promoted by querying tfactl access lsusers and promoted is true.
    +-----------+---------+----------+
    | User Name | Status | Promoted |
    +-----------+---------+----------+
    | crsusr | Allowed | false |
    | orarom | Allowed | false |
    | racusr | Allowed | true |
    '-----------+---------+----------'
Once the non-root user has been promoted, non-root user can run Oracle ORAchk with the -runasroot option to run root privileged checks.

2.1.3 Automatic Compliance Checking

Use the daemon to configure automatic compliance check runs at scheduled intervals.

Installing Oracle Autonomous Health Framework as root on Linux or Solaris automatically sets up and runs the Oracle ORAchk or Oracle EXAchk daemon.

The daemon restarts at 1 AM every day to discover any environment changes. The daemon runs a full local Oracle ORAchk check once every week at 3 AM, and a partial run of the most impactful checks at 2 AM every day through the oratier1 or exatier1 profiles. The daemon automatically purges the oratier1 or exatier1 profile run that runs daily, after a week. The daemon also automatically purges the full local run after 2 weeks. You can change the daemon settings after enabling auto start. To remove auto start:
orachk -autostop

Note:

Daemon mode is supported only on the Linux and Solaris operating systems.

Note:

If you have an Oracle Engineered System, then in addition to the following usage steps, follow the system-specific instructions.

  1. Set the daemon properties.

    At a minimum, set AUTORUN_SCHEDULE and NOTIFICATION_EMAIL.

    For example, to set the tool to run at 3 AM every Sunday and email the results to some.body@example.com, run the following command:
    $ orachk –set "AUTORUN_SCHEDULE=3 * * 0 ;NOTIFICATION_EMAIL=some.body@example.com"
    
    $ exachk –set "AUTORUN_SCHEDULE=3 * * 0 ;NOTIFICATION_EMAIL=some.body@example.com"
    Optionally, you can specify the name of the profile. If you do not specify, then id=DEFAULT. For example:
    $ orachk -id dba -set "AUTORUN_SCHEDULE=3 * * 0;NOTIFICATION_EMAIL=some.body@example.com"
    
    $ exachk -id dba -set "AUTORUN_SCHEDULE=3 * * 0;NOTIFICATION_EMAIL=some.body@example.com"
  2. Configure the compliance check daemon as described in "Automated Daemon Mode Operation".
  3. Start the daemon as root (recommended) or as the Oracle Database or Oracle Grid Infrastructure home owner.
    $ orachk –d start
    
    $ exachk –d start
  4. Answer the questions prompted during startup.

2.1.3.1 Running Oracle ORAchk or Oracle EXAchk Scheduler Without the Oracle Trace File Analyzer Daemon

By default, Oracle ORAchk or Oracle EXAchk scheduler is run by the Oracle Trace File Analyzer daemon.
Oracle Trace File Analyzer scheduler:
  • Decides which is the master node.
  • Picks the Oracle ORAchk or Oracle EXAchk entries only on the master node.
  • Runs only on the master node.
  • Runs Oracle ORAchk or Oracle EXAchk clusterwide.
  • Consolidates all the output on the master node.
  • Enters which is the master node in the logs.
  • Notifies through email that points to the master node where the report output is stored.
  1. To run the Oracle ORAchk or Oracle EXAchk scheduler without the Oracle Trace File Analyzer daemon:
    orachk -use_legacy_scheduler 
    
    exachk -use_legacy_scheduler

    Oracle ORAchk or Oracle EXAchk falls back to the legacy mechanism for setting up the daemon:

    • If you have installed Oracle Trace File Analyzer as root and if the Oracle Trace File Analyzer scheduler is down or not running.
    • If you have installed Oracle Trace File Analyzer as a non-root user, so the Oracle Trace File Analyzer scheduler is not available.

    In both the cases, you need not use the orachk –d start | stop commands to start or stop the Oracle ORAchk or Oracle EXAchk daemon, or the initsetup command to set up the daemon for automatic restart and the initrmsetup command to remove automatic restart configuration.

Example 2-1 Oracle ORAchk/Oracle EXAchk scheduler vs Oracle Trace File Analyzer scheduler

orachk -d status
If Oracle ORAchk is using the Oracle Trace File Analyzer scheduler, then Oracle ORAchk displays the message as follows:
orachk is using TFA Scheduler. TFA PID: 19557
If Oracle ORAchk is using the old mechanism, then Oracle ORAchk displays the message as follows:
orachk daemon is running. Daemon PID:20056
exachk -d status
If Oracle EXAchk is using the Oracle Trace File Analyzer scheduler, then Oracle EXAchk displays the message as follows:
exachk is using TFA Scheduler. TFA PID: 19557
If Oracle EXAchk is using the old mechanism, then Oracle EXAchk displays the message as follows:
exachk daemon is running. Daemon PID:20056
orachk -d info
If Oracle ORAchk is using the Oracle Trace File Analyzer scheduler:
------------------------------------------------------------
orachk daemon information
------------------------------------------------------------
Install node = testserver
orachk daemon version = 20.1.0(BETA)
Install location = /opt/oracle.ahf/orachk
Started at = date-and-time
Scheduler type = TFA Scheduler
Service type = TFA Service
If Oracle ORAchk is using the old mechanism:
------------------------------------------------------------
orachk daemon information
------------------------------------------------------------
Install node = testserver
orachk daemon version = 20.1.0(BETA)
Install location = /opt/oracle.ahf/orachk
Started at = date-and-time
Scheduler type = orachk Scheduler
Service type = orachk Service
exachk -d info
If Oracle EXAchk is using the Oracle Trace File Analyzer scheduler:
------------------------------------------------------------
exachk daemon information
------------------------------------------------------------
Install node = testserver
exachk daemon version = 20.1.0(BETA)
Install location = /opt/oracle.ahf/exachk
Started at = date-and-time
Scheduler type = TFA Scheduler
Service type = TFA Service
If Oracle EXAchk is using the old mechanism:
------------------------------------------------------------
exachk daemon information
------------------------------------------------------------
Install node = testserver
exachk daemon version = 20.1.0(BETA)
Install location = /opt/oracle.ahf/exachk
Started at = date-and-time
Scheduler type = exachk Scheduler
Service type = exachk Service
orachk -d nextautorun
Output is same for Oracle Trace File Analyzer scheduler and non-Oracle Trace File Analyzer scheduler as shown below:
ID:orachk.DAEMON_AUTOSTART
Next auto run starts on date-and-time
exachk –d nextautorun
Output is same for Oracle Trace File Analyzer scheduler and non-Oracle Trace File Analyzer scheduler as shown below:
ID:exachk.DAEMON_AUTOSTART
Next auto run starts on date-and-time

2.1.4 Email Notification and Report Overview

The following sections provide a brief overview about email notifications and sections of the HTML report output.

2.1.4.1 First Email Notification

After completing compliance check runs, the daemon emails the assessment report as an HTML attachment to all users that you have specified in the NOTIFICATION_EMAIL list.

2.1.4.2 What does the Compliance Check Report Contain?

Compliance check reports contain the health status of each system grouped under different sections of the report.

The HTML report output contains the following:

  • Health score

  • Summary of compliance check runs

  • Table of contents

  • Controls for report features

  • Findings

  • Recommendations

Details of the report output are different on each system. The report is dynamic, and therefore the tools display certain sections only if applicable.

System Health Score and Summary

System Health Score and Summary report provide:

  • A high-level health score based on the number of passed or failed checks

  • A summary of compliance check run includes:
    • Name, for example, Cluster Name

    • Version of the operating system kernel

    • Path, version, name of homes, for example, CRS, DB, and EM Agent

    • Version of the component checked, for example, Exadata

    • Number of nodes checked, for example, database server, storage servers, InfiniBand switches

    • Version of Oracle ORAchk and Oracle EXAchk

    • Name of the collection output

    • Date and time of collection

    • Duration of the check

    • Name of the user who ran the check, for example, root

    • How long the check is valid

Table of Contents and Report Feature

The Table of Contents section provides links to major sections in the report:

  • Database Server

  • Storage Server

  • InfiniBand Switch

  • Cluster Wide

  • Maximum Availability Architecture (MAA) Scorecard

  • Infrastructure Software and Configuration Summary

  • Findings needing further review

  • Platinum Certification

  • System-wide Automatic Service Request (ASR) compliance check

  • Skipped Checks

  • Top 10 Time Consuming Checks

The Report Feature section enables you to:

  • Filter checks based on their statuses

  • Select the regions

  • Expand or collapse all checks

  • View check IDs

  • Remove findings from the report

  • Get a printable view

Report Findings

The Report Findings section displays the result of each compliance check grouped by technology components, such as Database Server, Storage Server, InfiniBand Switch, and Cluster Wide.

Each section shows:

  • Check status (FAIL, WARNING, INFO, or PASS)

  • Type of check

  • Check message

  • Where the check was run

  • Link to expand details for further findings and recommendation

Click View for more information about the compliance check results and the recommendations.

  • What to do to solve the problem

  • Where the recommendation applies

  • Where the problem does not apply

  • Links to relevant documentation or My Oracle Support notes

  • Example of data on which the recommendation is based

Maximum Availability Architecture (MAA) Score Card

Maximum Availability Architecture (MAA) Score Card displays the recommendations for the software installed on your system.

The details include:

  • Outage Type

  • Status of the check

  • Description of the problem

  • Components found

  • Host location

  • Version of the components compared to the recommended version

  • Status based on comparing the version found to the recommended version

2.1.4.3 Subsequent Email Notifications

For the subsequent compliance check runs after the first email notification, the daemon emails the summary of differences between the most recent runs.

Specify a list of comma-delimited email addresses in the NOTIFICATION_EMAIL option.

The email notification contains:

  • System Health Score of this run compared to the previous run

  • Summary of number of checks that were run and the differences between runs

  • Most recent report result as attachment

  • Previous report result as attachment

  • Diff report as attachment

2.1.4.4 Generating a Diff Report

The diff report attached to the previous email notification shows a summary of differences between the most recent runs.

To identify the changes since the last run:

  1. Run the following command:
    $ orachk –diff report_1 report_2

    Review the diff report to see a baseline comparison of the two reports and then a list of differences.

2.1.5 Recommended On-Demand Usage

This section summarizes the scenarios that Oracle recommends running compliance checks on-demand.

Apart from scheduled compliance check runs, run compliance checks on-demand by running the following commands:
$ orachk
$ exachk

Oracle recommends that you run compliance checks in the following on-demand scenarios:

  • Pre- or post-upgrades

  • Machine relocations from one subnet to another

  • Hardware failure or repair

  • Problem troubleshooting

  • In addition to go-live testing

While running pre- or post-upgrade checks, Oracle Autonomous Health Framework automatically detects the databases that are registered with Oracle Clusterware and presents the list of databases to check.

Run the pre-upgrade checks during the upgrade planning phase. Oracle Autonomous Health Framework prompts you for the version to which you are planning to upgrade:
$ orachk –u –o pre
$ exachk –u –o pre
After upgrading, run the post-upgrade checks:
$ orachk –u –o post
$ exachk –u –o post

2.1.6 Running Compliance Checks on a Remote Node

Run compliance checks on remote nodes using RSA/DSA SSH private and public keys.

  1. Generate RSA/DSA SSH private and public keys on each of the remote nodes as root user.
  2. Add the content of the above generated public key to the authorized_keys file for each of the remote nodes.
    For example:
    cat $HOME/.ssh/id_dsa.pub >> $HOME/.ssh/authorized_keys
  3. Copy the private keys of all the remote nodes where you want to run the checks, for example, in the PRIVATEKEYDIR directory.
  4. Rename each of the private keys as id_encryption.remote_hostname.remote_user.
    Where:
    • remote_user is the Linux user who created the key
    • encryption can be RSA/DSA
    • remote_host is the hostname (not FQDN) of the remote node
    For example:
    id_dsa.node1.root
    id_rsa.node2.oradb

Ensure that passwordless SSH between the local node and remote node is present. ssh –i id_encryption.remote_host.remote_user remote_user@remote_host must be able to log in to the remote_host without any password.

2.1.6.1 Synchronous Remote Run

This is a blocking-call. Outputs the stdout of the remote run. User gets the prompt or control only when the remote run is completed. Once completed, the collection will be available at the working directory.

# orachk –remotehost remote_host remote_args -remoteuser remote_user -remotedestdir remote_dest_dir -identitydir PRIVATEKEYDIR
# exachk –remotehost remote_host remote_args -remoteuser remote_user -remotedestdir remote_dest_dir -identitydir PRIVATEKEYDIR
For example:
orachk -remotehost node2 -profile asm -remoteuser root -remotedestdir /scratch/user/ -identitydir /scratch/user/privatekeys/
exachk -remotehost node1 -localonly -c X4-2,MAA -remoteuser oracle -remotedestdir /scratch/user/ -identitydir /scratch/user/privatekeys/
$ orachk -remotehost node2 -profile asm -remoteuser root -remotedestdir /scratch/user1/ -identitydir .privatekeys/
 
Starting orachk run on node2. For more detail about run check /scratch/user1/orachkremote/orachk_node2_112818_040034_run.log
 
Clusterware stack is running from /scratch/app/11.2.0.4/grid. Is this the correct Clusterware Home?[y/n][y]
 
Checking ssh user equivalency settings on all nodes in cluster for root

2.1.6.2 Asynchronous Remote Run

This is a non-blocking-call. Oracle ORAchk and Oracle EXAchk initiate the remote run, display a _run.log file, and give control to the user. Check the _run.log file to ensure the completion of the remote run. Once completed, the collection will be available at the working directory

# orachk –remotehost remote_host remote_args -remoteuser remote_user -remotedestdir remote_dest_dir  -identitydir PRIVATEKEYDIR -asynch
# exachk –remotehost remote_host remote_args -remoteuser remote_user -remotedestdir remote_dest_dir -identitydir PRIVATEKEYDIR -asynch
Where:
  • remote_host is the host name of the remote node.
  • remote_args are the arguments that needs to be passed to the Oracle ORAchk and Oracle EXAchk run in the remote node.
  • remote_user is the remote user who runs Oracle ORAchk and Oracle EXAchk.
  • remote_dest_dir is the remote directory where orachk.zip or exachk.zip is extracted.
  • PRIVATEKEYDIR is the directory contains the private keys of the remote nodes in the specified format.

Note:

If you use DSA keys, then set the RAT_SSH_ENCR environment variable to dsa before running the Oracle ORAchk and Oracle EXAchk remote run commands.
For example:
orachk -remotehost node2 -remoteuser oradb -remotedestdir /scratch/user/ -identitydir /scratch/user/privatekeys/ -asynch
exachk -remotehost node1 -cells node1 -c X4-2,MAA -remoteuser root -remotedestdir /scratch/user/ -identitydir /scratch/user/privatekeys/ -asynch
$ orachk -remotehost node2 -localonly -remoteuser root -identitydir .privatekeys/ -asynch

Starting orachk run on node2. For more detail about run check /scratch/user1/orachkremote/orachk_node2_112818_041037_run.log
Private key files
$ ls PRIVATEKEYDIR/
id_dsa.node1.oracle    id_dsa.node4.root    id_dsa.node6.oracle    id_dsa.node8.root    id_dsa.node11.oracle
id_dsa.node2.root      id_dsa.node5.oracle  id_dsa.node6.root      id_dsa.node9.root
id_dsa.node3.root      id_dsa.node5.root    id_dsa.node7.root      id_dsa.node10.oracle

2.1.7 Creating, Modifying, and Deleting User-Defined Profiles

Specify a comma-delimited list of check IDs to create and modify custom profiles.

Specify valid check IDs and descriptive unique profile name.
  1. To create a profile:
    orachk -createprofile profile_name check_ids 
    
    exachk -createprofile profile_name check_ids
    orachk -createprofile customprofile1 E94AC6ACDA502F3BE04312C0E50A290A,
    F01E3FEDBD2B243EE04312C0E50A4DC5, 
    F02293F7261D1BCAE04312C0E50A4118,
    F9370B4F5707076DE04312C0E50A78AE
    
    Validating checks...
    
    Profile customprofile1 created successfully...

    Oracle ORAchk and Oracle EXAchk validate profile names and check IDs before creating the profile and print appropriate messages if any discrepancies found. Oracle ORAchk and Oracle EXAchk create the profiles only if the profile names are unique and check IDs are valid.

  2. To modify a profile:
    orachk -modifyprofile profile_name check_ids 
    
    exachk -modifyprofile profile_name check_ids
    exachk -modifyprofile customprofile1 21B57D4065DDEA3DE0530D98EB0A8205,
    39128FBB540C098AE0530D98EB0AFB1A,
    9AD8AF3966FB3027E040E50A1EC0308F,
    019F5085951978CAE05313C0E50A4FCB
    
    Validating checks...
    
    Modifying profile customprofile1...
    
    Profile customprofile1 modified successfully...
    
    
    Added Checks:
    21B57D4065DDEA3DE0530D98EB0A8205
    9AD8AF3966FB3027E040E50A1EC0308F
    019F5085951978CAE05313C0E50A4FCB
    --------------------------------
    Removed Checks:
    39128FBB540C098AE0530D98EB0AFB1A
    You cannot modify the profile name. You can only add to or remove check IDs form the profile.

    If the check IDs are in the profile, then Oracle ORAchk and Oracle EXAchk remove them from the profile.

    If the check IDs are not in the profile, then Oracle ORAchk and Oracle EXAchk add them to the profile.

  3. To delete a profile:
    orachk -deleteprofile profile_name 
    
    exachk -deleteprofile profile_name
    orachk -deleteprofile customprofile1
    
    Deleting profile customprofile1...
    
    Profile customprofile1 deleted successfully...

    Oracle ORAchk and Oracle EXAchk delete the profile by removing the profile entry ID from the profiles.dat file, and deleting the corresponding profiles.prf file.

2.1.8 Sanitizing Sensitive Information in the Diagnostic Collections

Oracle Autonomous Health Framework uses Adaptive Classification and Redaction (ACR) to sanitize sensitive data.

After collecting copies of diagnostic data, Oracle ORAchk and Oracle EXAchk use Adaptive Classification and Redaction (ACR) to sanitize sensitive data in the collections. ACR uses a machine learning based engine to redact a pre-defined set of entity types in a given set of files. ACR also sanitizes or masks entities that occur in path names.

  • Sanitization replaces a sensitive value with random characters.
  • Masking replaces a sensitive value with a series of asterisks ("*").

ACR currently sanitizes the following entity types:

  • Host names
  • IP addresses
  • MAC addresses
  • Oracle Database names
  • Tablespace names
  • Service names
  • Ports
  • Operating system user names

ACR also masks Personally Identifiable Information (PII), that is, user data from the database appearing in block and redo dumps. There is no separate command for it.

To sanitize sensitive information:

orachk -sanitize comma_delimited_list_of_collection_IDs

or

exachk -sanitize comma_delimited_list_of_collection_IDs
Block dumps before redaction:
14A533F40 00000000 00000000 00000000 002C0000 [..............,.]
14A533F50 35360C02 30352E30 31322E37 380C3938 [..650.507.2189.8]
14A533F60 31203433 37203332 2C303133 360C0200 [34 123 7310,...6]
Block dumps after redaction:
14A533F40 ******** ******** ******** ******** [****************]
14A533F50 ******** ******** ******** ******** [****************]
14A533F60 ******** ******** ******** ******** [****************]
Redo dumps before redaction:
col 74: [ 1] 80
col 75: [ 5] c4 0b 19 01 1f
col 76: [ 7] 78 77 06 16 0c 2f 26
Redo dumps after redaction:
col 74: [ 1] **
col 75: [ 5] ** ** ** ** **
col 76: [ 7] ** ** ** ** ** ** **

To print the reverse map of sanitized elements:

orachk -rmap all|comma_delimited_list_of_element_IDs

or

exachk -rmap all|comma_delimited_list_of_element_IDs

2.1.8.1 Sanitizing Sensitive Information in Oracle ORAchk or Oracle EXAchk Output

  1. If you specify a file name that does not follow the naming convention:
    For example:
    $ orachk -sanitize orachk_invalid.html
    /scratch/testuser/may31/orachk_invalid.html is not a valid orachk collection
  2. If you specify a file that does not exist:
    For example:
    $ orachk -sanitize /tmp/orachk_invalid.html
    /tmp/orachk_invalid.html does not exist
  3. If you sanitize a file that exists with valid Oracle Autonomous Health Framework naming convention, but the file is not generated by Oracle Autonomous Health Framework:
    For example:
    $ orachk -sanitize orachk_invalidcollection.zip
    orachk is sanitizing /scratch/testuser/may31/orachk_invalidcollection.zip. Please
    wait...
    ACR error occurred while sanitizing orachk collection
  4. To sanitize a file with relative path:
    For example:
    $ orachk -sanitize new/orachk_node061919_053119_001343.zip 
    orachk is sanitizing
    /scratch/testuser/may31/new/orachk_node061919_053119_001343.zip. Please wait...
    
    Sanitized collection is:
    /scratch/testuser/may31/orachk_aydv061919_053119_001343.zip
    $ orachk -sanitize .orachk_node061919_053119_001343.zip 
    orachk is sanitizing
    /scratch/testuser/may31/.orachk_node061919_053119_001343.zip. Please wait...
    
    Sanitized collection is:
    /scratch/testuser/may31/orachk_aydv061919_053119_001343.zip
  5. To sanitize Oracle Autonomous Health Framework debug log:
    For example:
    $ orachk -sanitize new/orachk_debug_053119_023653.log
    orachk is sanitizing /scratch/testuser/may31/new/orachk_debug_053119_023653.log.
    Please wait...
    
    Sanitized collection is: /scratch/testuser/may31/orachk_debug_053119_023653.log
  6. To run full sanity check:
    For example:
    $ orachk -localonly -profile asm -sanitize -silentforce
    
    Detailed report (html) - 
    /scratch/testuser/may31/orachk_node061919_053119_04448/orachk_node061919_053119_04448.html
    
    orachk is sanitizing /scratch/testuser/may31/orachk_node061919_053119_04448.
    Please wait...
    
    Sanitized collection is: /scratch/testuser/may31/orachk_aydv061919_053119_04448
    
    UPLOAD [if required] - /scratch/testuser/may31/orachk_node061919_053119_04448.zip
  7. To print the reverse map of sanitized elements:
    For example:
    orachk -rmap pu406jKxg,kEvGFDT
    ________________________________________________________________________________
    | Entity Type | Substituted Entity Name | Original Entity Name |
    ________________________________________________________________________________
    | dbname      | XTT_MANUR               | ASM_POWER            |
    | dbname      | fcb63u2                 | rac12c2              |
    ________________________________________________________________________________
    orachk -rmap all

2.1.9 Problem Repair Automation Options

Starting in release 19.3, Oracle ORAchk and Oracle EXAchk have the capability to automatically fix problems when found.

Certain checks have a repair command associated with them. To see what the repair command actually does, run the -showrepair command.
orachk -showrepair check_id
exachk -showrepair check_id
To run the repair commands include one of the following options:
orachk -repair all
orachk -repair check_id,[check_id,check_id...]
orachk -repair file
exachk -repair all
exachk -repair check_id,[check_id,check_id...]
exachk -repair file
  • check_id: Refers to specific checks that you want to repair. Specify a check ID or a list of comma-delimited list of check IDs.
  • file: A text file that contains a list of check IDs. Add one check ID per line.
    For example:
    
    check ID1
    check ID2
    check IDn

2.1.10 Integration of Oracle DBSAT into Oracle Autonomous Health Framework

DBSAT is a lightweight utility that will not impair system performance in a measurable way.

The Oracle Database Security Assessment Tool (Oracle DBSAT):
  • Analyzes database configurations
  • Users and their entitlements
  • Security policies
  • Identifies where sensitive data resides to uncover security risks (not executed in Oracle Autonomous Health Framework)
  • Improves the security posture of Oracle Databases within your organization

Oracle Autonomous Health Framework always includes the latest DBSAT and runs DBSAT on all databases if you use the -security profile. For example, # orachk -profile security.

You can use Oracle DBSAT report findings to:
  • Fix immediate short-term risks
  • Implement a comprehensive security strategy
  • Support your regulatory compliance program
  • Promote security best practices

Figure 2-1 Oracle Database Security Assessment Report

Description of Figure 2-1 follows
Description of "Figure 2-1 Oracle Database Security Assessment Report"

For more information, see Oracle Database Security Assessment Report.

2.1.11 Integration of AutoUpgrade utility into Oracle Autonomous Health Framework

The AutoUpgrade utility identifies issues before upgrades, performs pre- and postupgrade actions, deploys upgrades, performs postupgrade actions, and starts the upgraded Oracle Database.

Before the upgrade, in Analyze mode, the AutoUpgrade utility performs read-only analysis of databases before upgrade, so that it can identify issues that require fixing.

When you run Oracle ORAchk in pre-upgrade mode, Oracle ORAchk in turn runs the AutoUpgrade utility to check if each database is ready to upgrade or not.

Figure 2-2 Database AutoUpgrade Result

Description of Figure 2-2 follows
Description of "Figure 2-2 Database AutoUpgrade Result"

For more information, see Using AutoUpgrade for Oracle Database Upgrades.