This chapter provides the following information for each of the Host policies:
Brief description of the policy
Summary of the policy's main properties
Default values for the policy: parameters with their default values and objects excluded by default
Impact of the policy violation
Action to perform when the violation occurs
The Host policies are categorized as follows:
The configuration policies for the Host target are:
This policy evaluates and informs the Enterprise Manager administrators of patch advisories that are applicable to various Oracle Homes in the enterprise.
The following table lists the policy's main properties.
| Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
|---|---|---|---|---|---|---|
| Critical | Configuration | Host | Any version of Oracle products in the Oracle Homes could be affected by the patch advisories. | The underlying metric is critcal_patch_advisories_metric. Whenever the RefreshFromMetalink job is run or any HostConfigurationCollection happens, the metric is evaluated. The RefreshFromMetalink job is scheduled to run once every 24 hours but the user can run the job anytime. | Yes | To help ensure a secure and reliable configuration, all relevant and current critical patches should be applied. Vulnerabilities have been identified for the following critical patch advisories. |
Footnote 1 The policy rule is evaluated each time its underlying metric is collected.
Parameters and Their Default Values
None
Objects Excluded by Default
None
Vulnerabilities have been identified for the current critical patch advisories.
The user is advised to apply the critical patches and resolve the vulnerabilities.
The security policies for the Host target are:
This policy ensures that the Operating System configuration parameter, which enables execution of code on the user stack, is not enabled.
The following table lists the policy's main properties.
| Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
|---|---|---|---|---|---|---|
| Warning | Security | Host | All UNIX-Based Operating Systems | The underlying metric is executeStackRep which has a collection frequency of once every 24 hours. | Yes | The host is in an insecure state. Executable code on the user stack is enabled. |
Footnote 1 The policy rule is evaluated each time its underlying metric is collected.
Parameters and Their Default Values
None
Objects Excluded by Default
Not Applicable
Enabling code execution on the user stack may allow a malicious user to exploit stack buffer overflows. Overflows can cause portions of a system to fail, or even execute arbitrary code.
Disable code execution on the user stack.
This policy ensures that there are no insecure services (for example, telnet and FTP) running on the server. When installed, most operating systems run services that are not always necessary, for example Simple Mail Transfer Protocol (SMTP) and File Transfer Protocol (FTP). These services might pose security risks. This policy ensures that such services are shut down.
The following table lists the policy's main properties.
| Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
|---|---|---|---|---|---|---|
| Warning | Security | Host | All Operating Systems | The underlying metric is insecureServicesRep which has a collection frequency of once every 24 hours. | Yes | The host is in an insecure state. The insecure service %service% is running on the host. |
Footnote 1 The policy rule is evaluated each time its underlying metric is collected.
Parameters and Their Default Values
None
Objects Excluded by Default
Not Applicable
Insecure services may allow a malicious user to take over the host.
Do not run insecure services.
This policy ensures that the file system on a Windows operating system uses is NT File System (NTFS).
NTFS is far more secure than File Allocation Table (FAT) because it is tightly integrated with the operating system security. NTFS also allows users to set file-level security and permissions on folders. Local or domain accounts can be used to provide different levels of access to files and folders. Windows 2000 also supports encryption on NTFS partitions, making the partitions more secure.
The following table lists the policy's main properties.
| Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
|---|---|---|---|---|---|---|
| Critical | Security | Host | Windows Operating Systems | The underlying metric is fileSystemTypeRep which has a collection frequency of once every 24 hours. | Yes | The host is in an insecure state. NTFS is not configured on the Windows operating system. |
Footnote 1 The policy rule is evaluated each time its underlying metric is collected.
Parameters and Their Default Values
None
Objects Excluded by Default
Not Applicable
Other than NTFS, file systems on Windows platforms may have serious security risks.
On Windows operating systems, it is strongly recommended to use NTFS as the file system.
This policy ensures that no unintended ports are left open.
The following table lists the policy's main properties.
| Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
|---|---|---|---|---|---|---|
| Critical | Security | Host | All Operating Systems | The underlying metric is openPortsRep which has a collection frequency of once every 24 hours. | Yes | The host is in an insecure state. Port %port% is open. |
Footnote 1 The policy rule is evaluated each time its underlying metric is collected.
Parameters and Their Default Values
Parameter name: DFLT_PORT
Default value: 32767
Objects Excluded by Default
Not Applicable
Open ports may allow a malicious user to take over the host.
Do not open insecure ports. Be sure to close both the User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) ports to ensure security.