E Database Listener Security Recommendations

This appendix lists the security recommendations for protecting the database listener.

Security Checklist for the Database Listener

The following configuration guidelines help enhance the security of your database listener:

  • The database listener configuration file, listener.ora, and the supporting Oracle Net configuration file, tnsnames.ora, should have the ADMIN_RESTRICTIONS_LISTENER_SID=ON protection enabled.

  • The database listener configuration file, listener.ora, and the supporting Oracle Net configuration file, tnsnames.ora, should have the PLSExtProc listener disabled.

  • The listener should be configured to listen on a non-standard port; that is, the default port (1521) should be changed.

  • The listener should be password protected or leverage operating system (OS) authentication based on the organizational security policy.

  • The listener should use a unique name, which should be different from the default name.

  • The listener.ora file should have the following parameter set:

    INBOUND_CONNECT_TIMEOUT_ListenerName = 10
    
  • The sqlnet.ora file should have the following parameters set:

    SQLNET.INBOUND_CONNECT_TIMEOUT  = 12
    SQLNET.EXPIRE_TIME = 10
    
  • The listener should have logging enabled as follows:

    LOGGING_LISTENER = ON
    LOG_STATUS = ON
    LOG_DIRECTORY_ListenerName = Directory_owned_by_Oracle_account
    LOG_FILE_ListenerName = File_owned_by_Oracle_account
    

    Note:

    Only the owner and the DBA group should have permissions over the LOG_DIRECTORY. The owner should have read and write access to the LOG_DIRECTORY and the DBA group should have read access to it.

    Only the owner and the DBA group should have read and write permissions over the LOG_FILE.

  • The listener should have tracing enabled as follows:

    TRACE_DIRECTORY_ListenerName = Directory_owned_by_Oracle_account
    TRACE_FILE_ListenerName = File_owned_by_Oracle_account
    TRACE_LEVEL = user
    TRACE_FILELEN_ListenerName = 512
    TRACE_FILENO_ListenerName = 1000
    TRACE_TIMESTAMP_ListenerName = dd-mon-yyyy hh:mi:ss:mil
    

    Note:

    Only the owner and the DBA group should have read and write permissions over the TRACE_DIRECTORY.

    Only the owner and the DBA group should have read and write permissions over the TRACE_FILE.
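As an added example that is not part of this appendix, the following Python script audits a listener.ora and sqlnet.ora against several of the checklist items above (default listener name and port, ADMIN_RESTRICTIONS, INBOUND_CONNECT_TIMEOUT, listener logging, SQLNET.EXPIRE_TIME). It assumes, in line with the ListenerName suffix used elsewhere in this list, that the ADMIN_RESTRICTIONS and LOGGING parameters carry the listener name as their suffix; the sample configuration is constructed and left deliberately weak so that the audit reports findings.

```python
import re

# Constructed sample configuration (not from the appendix); it keeps several
# default settings on purpose so the audit below has something to report.
LISTENER_ORA = """
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1521))
  )
ADMIN_RESTRICTIONS_LISTENER = OFF
LOGGING_LISTENER = ON
"""

SQLNET_ORA = """
SQLNET.INBOUND_CONNECT_TIMEOUT = 12
SQLNET.EXPIRE_TIME = 0
"""

PARAM_RE = re.compile(r"^\s*([A-Z][A-Z0-9_.]*)\s*=\s*([^\s()]+)\s*$", re.M)
NAME_RE = re.compile(r"^\s*([A-Z][A-Z0-9_]*)\s*=\s*$", re.M)   # "NAME =" heading a block
PORT_RE = re.compile(r"\(\s*PORT\s*=\s*(\d+)\s*\)", re.I)

def params(text):
    """Collect simple NAME = value lines (upper-cased); address blocks are skipped."""
    return {k.upper(): v.upper() for k, v in PARAM_RE.findall(text)}

def audit(listener_ora, sqlnet_ora):
    """Return the checklist items the two files fail; an empty list means all pass."""
    lsn, net, out = params(listener_ora), params(sqlnet_ora), []
    names = [n.upper() for n in NAME_RE.findall(listener_ora)]
    if not names:
        return ["no listener definition found in listener.ora"]
    for name in names:
        if name == "LISTENER":
            out.append(f"{name}: default listener name in use")
        if lsn.get(f"ADMIN_RESTRICTIONS_{name}") != "ON":
            out.append(f"{name}: ADMIN_RESTRICTIONS_{name} is not ON")
        if not lsn.get(f"INBOUND_CONNECT_TIMEOUT_{name}", "").isdigit():
            out.append(f"{name}: INBOUND_CONNECT_TIMEOUT_{name} is not set")
        if lsn.get(f"LOGGING_{name}") != "ON":
            out.append(f"{name}: LOGGING_{name} is not ON")
    if "1521" in PORT_RE.findall(listener_ora):
        out.append("listener address uses the default port 1521")
    if not net.get("SQLNET.INBOUND_CONNECT_TIMEOUT", "").isdigit():
        out.append("sqlnet.ora: SQLNET.INBOUND_CONNECT_TIMEOUT is not set")
    if net.get("SQLNET.EXPIRE_TIME", "0") == "0":
        out.append("sqlnet.ora: SQLNET.EXPIRE_TIME is 0 or unset")
    return out

if __name__ == "__main__":
    for finding in audit(LISTENER_ORA, SQLNET_ORA):
        print("FAIL", finding)
```

Point `audit` at the real files' contents to reuse it; the regexes only handle the flat NAME = value lines and ADDRESS port entries, not every Oracle Net syntax variant.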