Files
skill-oracle-db-security/references/troubleshooting.md

67 lines
2.4 KiB
Markdown

# Troubleshooting Guide
Use safe diagnostics first. Ask for exact database version, architecture, platform, product versions, recent changes, error text, and whether the issue affects production.
## TDE Performance or Availability
Check:
- Whether the workload is CPU-bound, I/O-bound, or affected by backup/compression changes.
- Tablespace vs column encryption usage.
- AES-NI or platform crypto acceleration availability.
- Backup, Data Guard, RMAN, export/import, and wallet or OKV access path.
- Wallet status and alert log messages.
Safe diagnostics:
```sql
SELECT wrl_type, status, wallet_type FROM v$encryption_wallet;
SELECT tablespace_name, encrypted FROM dba_tablespaces ORDER BY tablespace_name;
```
Gotchas:
- TDE does not stop authorized SQL access.
- Lost or unavailable keys can become an availability incident.
- Test restore and failover, not only encryption enablement.
## OKV and Wallet Integration
Check endpoint enrollment, wallet upload or migration state, network latency, TLS/certificate validity, endpoint permissions, backup of OKV, HA configuration, and separation of duties.
Gotchas:
- Centralization improves governance but increases dependency on OKV availability and operational process.
- Key rotation requires application and operational test windows.
## AVDF and Audit Overhead
Check audit policy selectivity, audit trail growth, collection latency, collector sizing, network reliability, parser support, firewall mode, and report requirements.
Tune:
- Start with high-value events before broad statement auditing.
- Use monitoring mode before blocking mode.
- Forward only meaningful alerts to the SIEM.
- Define retention and purge processes.
## Database Vault Operational Friction
Check realm authorization, command rules, factors, rule sets, application maintenance jobs, patching tasks, and emergency access.
Gotchas:
- Overbroad realms can break DBA workflows.
- Under-tested command rules can interrupt patching or batch jobs.
- Break-glass access must be tightly controlled, time-bound, and audited.
## Data Masking Problems
Check discovery coverage, referential integrity, masking format preservation, application constraints, uniqueness, deterministic masking needs, and downstream dependencies.
Gotchas:
- Masking is usually irreversible.
- Subsetting can break referential integrity if parent-child rules are incomplete.
- Production masking is rarely the right control unless explicitly designed and approved.