Skip Headers
Oracle® Database Vault Installation Guide
10g Release 2 (10.2) for Linux x86

B25165-09
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

E Database Listener Security Recommendations

This appendix lists the security recommendations for protecting the database listener.

E.1 Security Checklist for the Database Listener

The following configuration guidelines help enhance the security for your database listener:

  • The database listener configuration file, listener.ora, and the supporting OracleNet configuration file, tnsnames.ora, should have the ADMIN_RESTRICTIONS_LISTENER_SID=ON protection enabled.

  • The database listener configuration file, listener.ora, and the supporting OracleNet configuration file, tnsnames.ora, should have the PLSExtProc listener disabled.

  • The listener should be configured to listen on a non-standard port. This means that the default port (1521) should be changed.

  • The listener should be password protected or leverage operating system (OS) authentication based on the organizational security policy.

  • The listener should use a unique name, which should be different from the default name.

  • The listener.ora file should have the following parameter set:

    INBOUND_CONNECT_TIMEOUT_ListenerName = 10
    
  • The sqlnet.ora file should have the following parameters set:

    SQLNET.INBOUND_CONNECT_TIMEOUT  = 12
    SQLNET.EXPIRE_TIME = 10
    
  • The listener should have logging enabled as follows:

    LOGGING_LISTENER = ON
    LOG_STATUS = ON
    LOG_DIRECTORY_ListenerName = Directory_owned_by_Oracle_account
    LOG_FILE_ListenerName = File_owned_by_Oracle_account
    

    Note:

    Only the owner and the DBA group should have permissions over the LOG_DIRECTORY.The owner should have read and write access to the LOG_DIRECTORY and the DBA group should have read access to it.

    Only the owner and the DBA group should have read and write permissions over the LOG_FILE.

  • The listener should have tracing enabled as follows:

    TRACE_DIRECTORY_ListenerName = Directory_owned_by_Oracle_account
    TRACE_FILE_ListenerName = File_owned_by_Oracle_account
    TRACE_LEVEL = user
    TRACE_FILELEN_ListenerName = 512
    TRACE_FILENO_ListenerName = 1000
    TRACE_TIMESTAMP_ListenerName = dd-mon-yyyy hh:mi:ss:mil
    

    Note:

    Only the owner and the DBA group should have read and write permissions over the TRACE_DIRECTORY.

    Only the owner and the DBA group should have read and write permissions over the TRACE_FILE.