Oracle® Enterprise Manager Policy Reference Manual 10g Release 2 (10.2), Part Number B16231-01
This chapter provides the following information for each of the Listener policies:
- Brief description of the policy
- Summary of the policy's main properties
- Default values for the policy: parameters with their default values and objects excluded by default
- Impact of the policy violation
- Action to perform when the violation occurs
The Listener policies are categorized as follows:
The security policies for the Listener target on UNIX are:
This policy ensures that the server allows logon from clients with a matching version or higher only.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Listener | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | The database is in an insecure state. The SQLNET.ALLOWED_LOGON_VERSION parameter is set to %version%. |
Defaults
Parameters and Their Default Values
None
Objects Excluded by Default
None
Impact of Violation
Setting the parameter SQLNET.ALLOWED_LOGON_VERSION in sqlnet.ora to a version lower than the server version will force the server to use a less secure authentication protocol.
Action
Set the parameter SQLNET.ALLOWED_LOGON_VERSION in sqlnet.ora to the server's major version. Setting this value to older versions could expose vulnerabilities that may have existed in the authentication protocols.
This policy ensures that the default name of the listener is not used.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Listener | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Listener is in an insecure state. The listener is addressed by the default name. |
Defaults
Parameters and Their Default Values
None
Objects Excluded by Default
Not Applicable
Impact of Violation
Having a listener with the default name increases the risk of unauthorized access and denial of service attacks.
Action
Avoid having a listener with the default name (LISTENER).
This policy ensures that no runtime modifications to the listener configuration are allowed.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Listener | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Listener is in an insecure state. Direct administration is enabled. |
Defaults
Parameters and Their Default Values
None
Objects Excluded by Default
Not Applicable
Impact of Violation
A malicious user who has access to a running listener can perform runtime modifications (for example, SET operations) using the lsnrctl program.
Action
All listeners must have direct administration disabled. Set ADMIN_RESTRICTIONS_<listener_name> to ON in listener.ora.
This policy ensures that the listener log file is owned by the Oracle software owner.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Listener | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Listener is in an insecure state. The listener log file %file_name% is owned by %file_owner%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
The information in the log file can reveal important network and database connection details. Having a log file not owned by the Oracle software owner can expose them to public scrutiny with possible security implications.
Action
The listener log file must be owned by the Oracle software owner.
This policy ensures that the listener log file cannot be read or written by the public.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Listener | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Listener is in an insecure state. The listener log file %file_name% has permission %file_permission%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
The information in the log file can reveal important network and database connection details. Allowing access to the log file can expose them to public scrutiny with possible security implications.
Action
The listener log file must not allow the public to read or write it. Restrict the file permissions to the Oracle software owner and the DBA group.
This policy ensures that listener logging is enabled.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Listener | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Listener is in an insecure state. Logging is not enabled. |
Defaults
Parameters and Their Default Values
None
Objects Excluded by Default
Not Applicable
Impact of Violation
Without listener logging, attacks on the listener can go unnoticed.
Action
Enable listener logging by setting the LOG_STATUS parameter to ON.
This policy ensures that access to listener is password protected.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Listener | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Listener is in an insecure state. Listener %listener% is running without password protection. |
Defaults
Parameters and Their Default Values
None
Objects Excluded by Default
Not Applicable
Impact of Violation
Without password protection, a user can gain access to the listener. Once someone has access to the listener, he or she can stop the listener. He or she can also set a password and prevent others from managing the listener.
Action
All listeners should be protected by a non-trivial password using the CHANGE_PASSWORD command.
This policy ensures that the listener trace directory is a valid directory owned by the Oracle software owner.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Listener | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Listener is in an insecure state. The listener trace directory %dir_name% is owned by %dir_owner%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Having a trace directory not owned by the Oracle software owner can expose the trace files to public scrutiny with possible security implications.
Action
The listener trace directory must be owned by the Oracle software owner.
This policy ensures that the listener trace directory does not have public read or write permissions.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Listener | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Listener is in an insecure state. The listener trace directory %dir_name% has permission %dir_permission%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Allowing access to the trace directory can expose the trace files to public scrutiny with possible security implications.
Action
The listener trace directory must not allow the public to read or write it. Restrict the directory permissions to the Oracle software owner and the DBA group.
This policy ensures that the listener trace file owner is the same as the Oracle software owner.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Listener | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Listener is in an insecure state. The listener trace file %file_name% is owned by %file_owner%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Having trace files not owned by the Oracle software owner can expose them to public scrutiny with possible security implications.
Action
The listener trace file must be owned by the Oracle software owner.
This policy ensures that the listener trace file is not accessible to public.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Listener | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Listener is in an insecure state. The listener trace file %file_name% has permission %file_permission%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Allowing access to the trace files can expose them to public scrutiny with possible security implications.
Action
The listener trace file must not allow the public to read or write it. Restrict the file permissions to the Oracle software owner and the DBA group.
This policy ensures that the file permissions for listener.ora are restricted to the owner of Oracle software.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Listener | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Listener is in an insecure state. Permissions of listener.ora are not restricted to the Oracle set. |
Defaults
Parameters and Their Default Values
None
Objects Excluded by Default
Not Applicable
Impact of Violation
If the listener.ora file is publicly readable, passwords may be extracted from this file. This can also lead to exposure of detailed information on the Listener, database, and application configuration. Also, if the public has write permission, a malicious user can remove any password that has been set on the listener.
Action
Listener.ora permissions should be restricted to the owner of the Oracle software installation and the DBA group.
This policy ensures that the client log directory is a valid directory owned by the Oracle set, with no permissions granted to the public.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Listener | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | The database is in an insecure state. The client log directory %dir_name% has permission %permissions%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
Action
The client log directory must be a valid directory owned by the Oracle set with no permissions to public.
This policy ensures that the client log directory is a valid directory owned by the Oracle set, with no permissions granted to the public.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Listener | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | The database is in an insecure state. The client log directory %dir_name% has permission %permissions%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
Action
The client log directory must be a valid directory owned by the Oracle set with no permissions to public.
This policy ensures that the client trace directory is a valid directory owned by the Oracle set, with no permissions granted to the public.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Listener | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | The database is in an insecure state. The client trace directory %dir_name% has permission %permissions%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in trace files can reveal important network and database connection details. Allowing access to the trace directory can expose the trace files to public scrutiny.
Action
The client trace directory must be a valid directory owned by the Oracle set with no permissions to public.
This policy ensures that the client trace directory is a valid directory owned by the Oracle set, with no permissions granted to the public.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Listener | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | The database is in an insecure state. The client trace directory %dir_name% has permission %permissions%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in trace files can reveal important network and database connection details. Allowing access to the trace directory can expose the trace files to public scrutiny.
Action
The client trace directory must be a valid directory owned by the Oracle set with no permissions to public.
This policy ensures that the server log directory is a valid directory owned by the Oracle set, with no permissions granted to the public.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Listener | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | The database is in an insecure state. The server log directory %dir_name% has permission %permissions%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
Action
The server log directory must be a valid directory owned by the Oracle set with no permissions to public.
This policy ensures that the server log directory is a valid directory owned by the Oracle set, with no permissions granted to the public.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Listener | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | The database is in an insecure state. The server log directory %dir_name% has permission %permissions%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
Action
The server log directory must be a valid directory owned by the Oracle set with no permissions to public.
This policy ensures that the server trace directory is a valid directory owned by the Oracle set, with no permissions granted to the public.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Listener | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | The database is in an insecure state. The server trace directory %dir_name% has permission %permissions%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in trace files can reveal important network and database connection details. Allowing access to the trace directory can expose the trace files to public scrutiny.
Action
The server trace directory must be a valid directory owned by the Oracle set with no permissions to public.
This policy ensures that the server trace directory is a valid directory owned by the Oracle set, with no permissions granted to the public.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Listener | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | The database is in an insecure state. The server trace directory %dir_name% has permission %permissions%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in trace files can reveal important network and database connection details. Allowing access to the trace directory can expose the trace files to public scrutiny.
Action
The server trace directory must be a valid directory owned by the Oracle set with no permissions to public.
This policy ensures that the sqlnet.ora file is not accessible to the public.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Listener | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | The database is in an insecure state. The sqlnet.ora file has permission %permission%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
If the sqlnet.ora file is publicly readable, a malicious user may attempt to read this file, which could lead to sensitive information being exposed. For example, the log and trace destinations of the client and server could be exposed.
Action
Public should not be given any permissions on the sqlnet.ora file.
This policy ensures that the listener host is specified as IP address and not hostname in the listener.ora file.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Listener | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Host is not specified as IP address in listener.ora. |
Defaults
Parameters and Their Default Values
None
Objects Excluded by Default
Not Applicable
Impact of Violation
An insecure Domain Name System (DNS) server can be taken advantage of to mount a spoofing attack. A name server failure can leave the listener unable to resolve the host.
Action
Host should be specified as IP address in listener.ora.
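The following Python is an added example, not code from the Oracle manual. It audits a constructed listener.ora against the configuration policies described in this section (default listener name, ADMIN_RESTRICTIONS_<listener_name>, listener logging, and a host given as a hostname rather than an IP address), and adds a mode check for the "public" read/write bits that the file and directory permission policies flag. The parser, the ATTRIBUTE_PREFIXES list and the sample file are this example's own assumptions; LOGGING_<listener_name> is the listener.ora parameter that corresponds to the LOG_STATUS value named in the logging policy's Action.

```python
"""Audit a listener.ora against the Listener configuration policies (example code)."""
import ipaddress
import re
import stat

# Constructed sample listener.ora; the listener names and host values are invented.
SAMPLE_LISTENER_ORA = """
# constructed example, not a real configuration
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521))
    )
  )
LSNR_APP =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 10.0.0.5)(PORT = 1522))
  )
ADMIN_RESTRICTIONS_LSNR_APP = ON
LOGGING_LISTENER = OFF
"""

# Parameters with these prefixes describe a listener; any other top-level entry whose
# value is a parenthesised block is taken to be a listener definition (assumption).
ATTRIBUTE_PREFIXES = (
    "SID_LIST_", "ADMIN_RESTRICTIONS_", "LOGGING_", "LOG_DIRECTORY_", "LOG_FILE_",
    "TRACE_LEVEL_", "TRACE_DIRECTORY_", "TRACE_FILE_", "PASSWORDS_",
    "INBOUND_CONNECT_TIMEOUT_", "SAVE_CONFIG_ON_STOP_",
)


def parse_ora(text):
    """Parse an Oracle Net parameter file into {NAME: value}.

    Top-level entries have the form NAME = value; the value may be a parenthesised
    block spanning several lines, and '#' starts a comment.
    """
    params, name, buf, depth = {}, None, [], 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        match = re.match(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*)$", line)
        if depth == 0 and match:          # a new top-level parameter starts here
            if name is not None:
                params[name] = " ".join(buf).strip()
            name, buf = match.group(1).upper(), [match.group(2)]
        elif name is not None:            # continuation of the current value
            buf.append(line.strip())
        depth += line.count("(") - line.count(")")
    if name is not None:
        params[name] = " ".join(buf).strip()
    return params


def listener_names(params):
    """Names of the listeners defined in the parsed file, sorted."""
    return sorted(n for n, v in params.items()
                  if v.startswith("(") and not n.startswith(ATTRIBUTE_PREFIXES))


def hosts_of(listener_value):
    """All HOST= values inside a listener's address description."""
    return re.findall(r"\(\s*HOST\s*=\s*([^)\s]+)\s*\)", listener_value, re.IGNORECASE)


def is_ip_literal(host):
    """True if HOST is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return True


def audit_listener_ora(text):
    """Return (listener, alert message, severity) for every violated policy.

    Checks: default listener name; direct administration (ADMIN_RESTRICTIONS_<name>
    must be ON); listener logging (LOGGING_<name>, the listener.ora form of
    LOG_STATUS, defaults to on); and HOST given as a hostname, not an IP address.
    """
    params = parse_ora(text)
    findings = []
    for name in listener_names(params):
        if name == "LISTENER":
            findings.append((name, "The listener is addressed by the default name.", "Warning"))
        if params.get(f"ADMIN_RESTRICTIONS_{name}", "OFF").upper() != "ON":
            findings.append((name, "Direct administration is enabled.", "Critical"))
        if params.get(f"LOGGING_{name}", "ON").upper() != "ON":
            findings.append((name, "Logging is not enabled.", "Warning"))
        if any(not is_ip_literal(h) for h in hosts_of(params[name])):
            findings.append((name, "Host is not specified as IP address in listener.ora.", "Warning"))
    return findings


def public_access(mode):
    """True when an st_mode grants read or write to 'other' (world), which the
    file and directory permission policies above treat as a violation."""
    return bool(mode & (stat.S_IROTH | stat.S_IWOTH))


if __name__ == "__main__":
    for listener, message, severity in audit_listener_ora(SAMPLE_LISTENER_ORA):
        print(f"{severity:8} {listener}: {message}")
    print("mode 0644 allows public access:", public_access(0o644))
```

To check a real file, pass the result of `os.stat(path).st_mode` to `public_access` and the file's contents to `audit_listener_ora`; the `LISTENER` entry in the sample trips all four checks while `LSNR_APP` passes.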
The security policies for the Listener target on Windows are:
This policy ensures that the listener log file cannot be read or written by the public. The following permissions on Windows NT-based platforms are considered critical: DELETE, WRITE_DAC, WRITE_OWNER, CHANGE, ADD, and FULL. The policy reports the number of users or user groups that have been granted such permissions and lists them in parentheses.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Listener | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Listener is in an insecure state. The users %users% have critical permissions on the listener log file %file_name%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
The information in the log file can reveal important network and database connection details. Allowing access to the log file can expose them to public scrutiny with possible security implications.
Action
The listener log file must not allow the public to read or write it. Restrict the file permissions to the Oracle software owner and the DBA group.
This policy ensures that the listener trace directory does not have public read or write permissions. The following permissions on Windows NT-based platforms are considered critical: DELETE, WRITE_DAC, WRITE_OWNER, CHANGE, ADD, and FULL. The policy reports the number of users or user groups that have been granted such permissions and lists them in parentheses.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Listener | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Listener is in an insecure state. The users %users% have critical permissions on the listener trace directory %dir_name%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Allowing access to the trace directory can expose the trace files to public scrutiny with possible security implications.
Action
The listener trace directory must not allow the public to read or write it. Restrict the directory permissions to the Oracle software owner and the DBA group.
This policy ensures that the listener trace file is not accessible to the public. The following permissions on Windows NT-based platforms are considered critical: DELETE, WRITE_DAC, WRITE_OWNER, CHANGE, ADD, and FULL. The policy reports the number of users or user groups that have been granted such permissions and lists them in parentheses.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Informational | Security | Listener | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Listener is in an insecure state. The users %users% have critical permissions on the listener trace file %file_name%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Allowing access to the trace files can expose them to public scrutiny with possible security implications.
Action
The listener trace file must not allow the public to read or write it. Restrict the file permissions to the Oracle software owner and the DBA group.
This policy ensures that the file permissions for listener.ora are restricted to the owner of the Oracle software. The following permissions on Windows NT-based platforms are considered critical: DELETE, WRITE_DAC, WRITE_OWNER, CHANGE, ADD, and FULL. The policy reports the number of users or user groups that have been granted such permissions and lists them in parentheses.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Listener | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Listener is in an insecure state. Permissions of listener.ora are not restricted to the Oracle set. |
Defaults
Parameters and Their Default Values
None
Objects Excluded by Default
Not Applicable
Impact of Violation
If the listener.ora file is publicly readable, passwords may be extracted from this file. This can also lead to exposure of detailed information on the Listener, database, and application configuration. Also, if the public has write permission, a malicious user can remove any password that has been set on the listener.
Action
Listener.ora permissions should be restricted to the owner of the Oracle software installation and the DBA group.
This policy ensures that the client log directory is a valid directory owned by the Oracle set, with no permissions granted to the public. The following permissions on Windows NT-based platforms are considered critical: DELETE, WRITE_DAC, WRITE_OWNER, CHANGE, ADD, and FULL. The policy reports the number of users or user groups that have been granted such permissions and lists them in parentheses.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Listener | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | The database is in an insecure state. The users %users% have critical permissions on the client log directory %dir_name%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
Action
The client log directory must be a valid directory owned by the Oracle set with no permissions to public.
This policy ensures that the client trace directory is a valid directory owned by the Oracle set, with no permissions granted to the public. The following permissions on Windows NT-based platforms are considered critical: DELETE, WRITE_DAC, WRITE_OWNER, CHANGE, ADD, and FULL. The policy reports the number of users or user groups that have been granted such permissions and lists them in parentheses.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Listener | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | The database is in an insecure state. The users %users% have critical permissions on the client trace directory %dir_name%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in trace files can reveal important network and database connection details. Allowing access to the trace directory can expose the trace files to public scrutiny.
Action
The client trace directory must be a valid directory owned by Oracle, with no permissions granted to public.
This policy ensures that the server log directory is a valid directory owned by Oracle, with no permissions granted to the public. The following permissions on Windows NT based platforms are considered critical: DELETE, WRITE_DAC, WRITE_OWNER, CHANGE, ADD, and FULL. The policy gives the number of users or user groups that have been granted such permissions, and lists the users and user groups in parentheses.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Listener | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | The database is in an insecure state. The users %users% have critical permissions on the server log directory %dir_name%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
Action
The server log directory must be a valid directory owned by Oracle, with no permissions granted to public.
This policy ensures that the server trace directory is a valid directory owned by Oracle, with no permissions granted to the public. The following permissions on Windows NT based platforms are considered critical: DELETE, WRITE_DAC, WRITE_OWNER, CHANGE, ADD, and FULL. The policy gives the number of users or user groups that have been granted such permissions, and lists the users and user groups in parentheses.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Listener | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | The database is in an insecure state. The users %users% have critical permissions on the server trace directory %dir_name%. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in trace files can reveal important network and database connection details. Allowing access to the trace directory can expose the trace files to public scrutiny.
Action
The server trace directory must be a valid directory owned by Oracle, with no permissions granted to public.
This policy ensures that the sqlnet.ora file is not accessible to the public. The following permissions on Windows NT based platforms are considered critical: DELETE, WRITE_DAC, WRITE_OWNER, CHANGE, ADD, and FULL. The policy gives the number of users or user groups that have been granted such permissions, and lists the users and user groups in parentheses.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Listener | Oracle Server 8 or later | The underlying metric has a collection frequency of once every 24 hours. | Yes | Database is in insecure state. The users %users% have critical permissions on the sqlnet.ora file. |
Defaults
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Impact of Violation
If the sqlnet.ora file is publicly readable, a malicious user may read it, which could expose sensitive information. For example, the log and trace destinations of the client and server could be exposed.
Action
Public should not be given any permissions on the sqlnet.ora file.
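The four directory policies and the sqlnet.ora policy above all reduce to the same UNIX check: the path exists (and is a directory where one is expected), it is owned by the Oracle software owner, and no permission bit is set for "other" (public). The script below is an added example, not part of the Oracle manual or of Enterprise Manager's own metric; it assumes the standard Oracle Net parameter names LOG_DIRECTORY_CLIENT, TRACE_DIRECTORY_CLIENT, LOG_DIRECTORY_SERVER and TRACE_DIRECTORY_SERVER in sqlnet.ora, takes the expected owner uid from the caller, and builds a constructed fixture (one world-readable client trace directory, one compliant server log directory) for demonstration.

```python
import os
import re
import stat
import tempfile

DIRECTORY_PARAMS = ("LOG_DIRECTORY_CLIENT", "TRACE_DIRECTORY_CLIENT",
                    "LOG_DIRECTORY_SERVER", "TRACE_DIRECTORY_SERVER")
PUBLIC_BITS = stat.S_IRWXO  # any r, w or x bit for 'other' means public has access
_ASSIGN = re.compile(r"^\s*([A-Z_]+)\s*=\s*(.+?)\s*$")

def parse_sqlnet(text):
    """Return {param: path} for the four sqlnet.ora directory parameters the policies audit."""
    matches = (_ASSIGN.match(line.split("#", 1)[0]) for line in text.splitlines())
    return {m.group(1): m.group(2).strip('"')
            for m in matches if m and m.group(1) in DIRECTORY_PARAMS}

def check_path(path, expected_uid, want_dir):
    """Findings for one path; an empty list means it satisfies the policy text."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]
    findings = []
    if want_dir and not stat.S_ISDIR(st.st_mode):
        findings.append("not a directory")
    if st.st_uid != expected_uid:
        findings.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
    if st.st_mode & PUBLIC_BITS:
        findings.append("public has mode %03o" % (st.st_mode & PUBLIC_BITS))
    return findings

def audit(sqlnet_path, expected_uid):
    """Audit sqlnet.ora itself plus every directory it names; returns {path: findings}."""
    report = {sqlnet_path: check_path(sqlnet_path, expected_uid, want_dir=False)}
    with open(sqlnet_path) as fh:
        for path in parse_sqlnet(fh.read()).values():
            report[path] = check_path(path, expected_uid, want_dir=True)
    return report

def build_demo():
    """Constructed fixture: a world-readable client trace dir and a compliant server log dir."""
    base = tempfile.mkdtemp()
    trace, log = os.path.join(base, "client_trace"), os.path.join(base, "server_log")
    os.mkdir(trace); os.chmod(trace, 0o755)   # 'other' can list and enter -> violation
    os.mkdir(log); os.chmod(log, 0o750)       # no 'other' bits -> compliant
    sqlnet = os.path.join(base, "sqlnet.ora")
    with open(sqlnet, "w") as fh:
        fh.write("TRACE_DIRECTORY_CLIENT = %s  # constructed\nLOG_DIRECTORY_SERVER = %s\n" % (trace, log))
    os.chmod(sqlnet, 0o600)                   # owner-only -> compliant
    return sqlnet, os.getuid(), trace, log
```

Run `audit` against the real sqlnet.ora with the uid of the Oracle software owner; any non-empty findings list corresponds to a violation of the policy for that path.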