Oracle RMAN NetBackup 8.1.2 - new feature!
Since an Oracle backup runs a script as root, NetBackup is now securing these scripts.
When we upgrade to 8.1.2, all oracle backup scripts must be run from a defined area. If the script/directory is not authorized, the backup will fail with error (5449) The script is not approved for execution.
What does this mean to us?
We should determine a standard script path and protect those scripts so only DBA can update them
As we update clients, we need to add a line in each bp.conf listing the script directory path, like “DB_SCRIPT_PATH = /oracle/rman/” Based on script path in policies.
https://www.veritas.com/support/en_US/article.100039639.html
Best Practices for script authorized location management
- The script should not be world writable.
- The client Privileged User should allow DBA's write permission on a script that is in an authorized location so they have the ability to update the script when needed.
- Remove any script or path that is listed as an authorized location in the bp.conf if the script is no longer needed.
- An entry of DB_SCRIPT_PATH=none will not allow any script to execute on a client. This is useful if an administrator wants to completely lock down a server from executing scripts.
Correct.
This was introduced in NBU 8.1:
https://www.veritas.com/content/support/en_US/doc/16226115-126559565-0/v125208570-126559565