These are the compliance rules for the Oracle Listener compliance standards
The compliance rules for the Basic Security Configuration For Oracle Listener standard follow.
Description: Ensures that the crypto_checksum_server parameter is set to recommended value in sqlnet.ora.
Severity: Warning
Rationale: This option ensures the integrity check for communication to prevent data modification.
Description: Ensures that the encryption_server parameter is set to recommended value in sqlnet.ora
Severity: Warning
Rationale: This option ensures that regardless of the settings on the user, if communication takes place it must be encrypted
Description: Ensures that the ssl_client_authentication parameter is set to TRUE
Severity: Warning
Rationale: If TRUE Both the client and server authenticate to each other using certificates.It is preferable to have mutually authenticated SSL connections verifying the identity of both parties. If possible use client and server certificates for SSL connections. If client certificates are not supported in the enterprise, then set to FALSE.
Description: Ensures that the listener logfile cannot be read by or written to by public
Severity: Critical
Rationale: The information in the logfile can reveal important network and database connection details. Allowing access to the log file can expose them to public scrutiny with possible security implications.
Description: Ensures that the listener logfile cannot be read by or written to by public
Severity: Critical
Rationale: The information in the logfile can reveal important network and database connection details. Allowing access to the log file can expose them to public scrutiny with possible security implications.
Description: Ensures that the listener trace directory does not have public read/write permissions
Severity: Critical
Rationale: Allowing access to the trace directory can expose them to public scrutiny with possible security implications.
Description: Ensures that the listener trace directory does not have public read/write permissions
Severity: Critical
Rationale: Allowing access to the trace directory can expose them to public scrutiny with possible security implications.
Description: Ensures that the listener trace file is not accessible to public
Severity: Critical
Rationale: Allowing access to the trace files can expose them to public scrutiny with possible security implications.
Description: Ensures that the listener trace file is not accessible to public
Severity: Critical
Rationale: Allowing access to the trace files can expose them to public scrutiny with possible security implications.
Description: Ensures that the ssl_cipher_suites parameter is set to recommended value in sqlnet.ora
Severity: Warning
Rationale: This option is used to specify a cipher suite that will be used by the SSL connection. If the recommended cipher suite is not used, the SSL connection could be compromised.
The compliance rules for the High Security Configuration For Oracle Listener standard follow.
Description: Ensures that registration requests are accepted only for TCPS or IPC.
Severity: Warning
Rationale: Not configuring SECURE_REGISTER_listener_name parameter makes listener to accept registration request for any transport of a connection.
Description: Ensures that the crypto_checksum_type_server parameter is set to SHA1 in sqlnet.ora
Severity: Warning
Rationale: This option ensures the integrity check for communication is done using SHA1 Algorithm
Description: Ensures that the parameter EXTPROC_DLLS in listener.ora is set to ONLY
Severity: Warning
Rationale: To achieve a higher level of security in a production environment, to restrict the DLLs that the extproc agent can load by listing them explicitly in the listener.ora file.
Description: Ensures that the default name of the listener is not used
Severity: Warning
Rationale: Having a listener with the default name increases the risk of unauthorized access and denial of service attacks.
Description: Ensures that no runtime modifications to the listener configuration is allowed
Severity: Critical
Rationale: An attacker who has access to a running listener can perform runtime modifications (for example, SET operations) using the lsnrctl program.
Description: Ensures that all incomplete inbound connections to Oracle Listener has a limited lifetime
Severity: Warning
Rationale: This limit protects the listener from consuming and holding resources for client connection requests that do not complete. A malicious user could use this to flood the listener with requests that result in a denial of service to authorized users.
Description: Ensures that the listener log file is owned by the Oracle software owner
Severity: Critical
Rationale: The information in the logfile can reveal important network and database connection details. Having a log file not owned by the Oracle software owner can expose them to public scrutiny with possible security implications.
Description: Ensures that listener logging is enabled
Severity: Warning
Rationale: Without listener logging attacks on the listener can go unnoticed.
Description: Ensures that access to listener is password protected
Severity: Warning
Rationale: Without password protection, a user can gain access to the listener. Once someone has access to the listener, he/she can stop the listener. He/she can also set a password and prevent others from managing the listener.
Description: Ensures that the listener trace directory is a valid directory owned by Oracle software owner
Severity: Critical
Rationale: Having a trace directory not owned by the Oracle software owner can expose the trace files to public scrutiny with possible security implications.
Description: Ensures that the listener trace file owner is same as the Oracle software owner
Severity: Critical
Rationale: Having trace files not owned by the Oracle software owner can expose them to public scrutiny with possible security implications.
Description: Ensures that the file permissions for listener.ora are restricted to the owner of Oracle software
Severity: Critical
Rationale: If the listener.ora file is public readable, passwords may be extracted from this file. This can also lead to exposure of detailed information on the Listener, database,and application configuration. Also, if public has write permissions, a malicious user can remove any password that has been set on the listener.
Description: Ensures that the file permissions for listener.ora are restricted to the owner of Oracle software
Severity: Critical
Rationale: If the listener.ora file is public readable, passwords may be extracted from this file. This can also lead to exposure of detailed information on the Listener, database,and application configuration. Also, if public has write permissions, a malicious user can remove any password that has been set on the listener.
Description: Ensures that all incomplete inbound connections to Oracle Net has a limited lifetime
Severity: Warning
Rationale: Without this parameter or assigning it with a higher value , a client connection to the database server can stay open indefinitely or for the specified duration without authentication. Connections without authentication can introduce possible denial-of-service attacks, whereby malicious clients attempt to flood database servers with connect requests that consume resources.
Description: Ensures that the ssl_cert_revocation parameter is set to recommended value in sqlnet.ora
Severity: Warning
Rationale: This option Ensures revocation is required for checking CRLs for client certificate authentication. Revoked certificates can pose a threat to the integrity of the SSL channel and should not be trusted
Description: Ensures that tcp.validnode_checking parameter is set to yes.
Severity: Minor Warning
Rationale: Not setting valid node check can potentially allow anyone to connect to the sever, including a malicious user.
Description: Ensures that the sqlnet.ora file is not accessible to public
Severity: Critical
Rationale: If sqlnet.ora is public readable a malicious user may attempt to read this hence could lead to sensitive information getting exposed .For example, log and trace destination information of the client and server.
Description: Ensures that the sqlnet.ora file is not accessible to public
Severity: Critical
Rationale: If sqlnet.ora is public readable a malicious user may attempt to read this hence could lead to sensitive information getting exposed .For example, log and trace destination information of the client and server.
Description: Ensures that administration requests are accepted only for TCPS or IPC.
Severity: Warning
Rationale: Not configuring SECURE_CONTROL_listener_name parameter makes listener to serve control command for any transport of a connection.
Description: Ensures that the listener host is specified as IP address and not hostname in the listener.ora
Severity: Warning
Rationale: An insecure Domain Name System (DNS) Server can be taken advantage of for mounting a spoofing attack. Name server failure can result in the listener unable to resolved the host.
Description: Ensures that Administration and Registration requests are accepted only for TCPS or IPC transports
Severity: Warning
Rationale: Makes listener to accept administration and registration request for any transport of a connection