<?xml version="1.0" encoding="UTF-8" ?> <!-- - $Header: lsnr_policies.dlf 06-dec-2007.01:52:23 manosing Exp $ - - Copyright (c) 2004 Oracle. All Rights Reserved. - - NAME - lsnr_policies.dlf - Seed file for the MGMT_MESSAGES table - - DESCRIPTION - This file contains seed data for the EM Messages table. - - NOTES - - MODIFIED (MM/DD/YY) - manosing 12/06/07 - bug 5859285 - manosing 02/01/07 - bug 5859285 - manosing 01/12/07 - XbranchMerge manosing_lastpols from main - manosing 01/10/07 - Translation modifications - manosing 10/09/06 - bug 5673914 - dsukhwal 09/09/05 - add Windows NT policies name - dkjain 06/17/05 - - dsukhwal 05/18/05 - move sqlnet policies to listener - dkjain 02/03/05 - dkjain_esa_lsnr_host_dlf - dkjain 01/30/05 - Created --> <table name="MGMT_MESSAGES"> <!-- lookup-key indicates which columns are used by TransX to recognize a row as a duplicate --> <lookup-key> <column name="MESSAGE_ID"/> <column name="SUBSYSTEM"/> <column name="LANGUAGE_CODE"/> <column name="COUNTRY_CODE"/> </lookup-key> <!-- columns indicates which columns will be loaded as part of processing the dataset and which should be translated by the Translation Group --> <columns> <column name="MESSAGE_ID" type="string" maxsize="256"/> <column name="SUBSYSTEM" type="string" maxsize="64"/> <column name="LANGUAGE_CODE" type="string" constant="en" translate="yes"/> <column name="COUNTRY_CODE" type="string" constant=" " translate="yes"/> <column name="MESSAGE" type="string" maxsize="1000" translate="yes"/> </columns> <!-- dataset specifies the data to be loaded into the repository --> <dataset> <!--Listener_Direct_Administration --> <row> <col name="MESSAGE_ID">LSNR_DIRECT_ADMIN_NAME</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Listener Direct Administration</col> </row> <row> <col name="MESSAGE_ID">LSNR_DIRECT_ADMIN_DESC</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Ensures that no runtime modifications to the listener configuration is allowed</col> </row> 
<row> <col name="MESSAGE_ID">LSNR_DIRECT_ADMIN_IMPACT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">An attacker who has access to a running listener can perform runtime modifications (for example, SET operations) using the lsnrctl program.</col> </row> <row> <col name="MESSAGE_ID">LSNR_DIRECT_ADMIN_RECOMM</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">All listeners must have direct administration disabled. Set ADMIN_RESTRICTIONS_listener_name to ON in listener.ora.</col> </row> <!-- Lsnr_Host_Name --> <row> <col name="MESSAGE_ID">LSNR_HOST_NAME_NAME</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Use of Hostname in Listener.ora</col> </row> <row> <col name="MESSAGE_ID">LSNR_HOST_NAME_DESC</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Ensures that the listener host is specified as IP address and not hostname in the listener.ora</col> </row> <row> <col name="MESSAGE_ID">LSNR_HOST_NAME_IMPACT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">An insecure Domain Name System (DNS) Server can be taken advantage of for mounting a spoofing attack. Name server failure can result in the listener being unable to resolve the host.</col> </row> <row> <col name="MESSAGE_ID">LSNR_HOST_NAME_RECOMM</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Host should be specified as IP address in listener.ora.</col> </row> <!-- Lsnr_Logfile_Own_Policy--> <row> <col name="MESSAGE_ID">LSNR_LOG_FILE_OWN_NAME</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Listener Logfile Owner</col> </row> <row> <col name="MESSAGE_ID">LSNR_LOG_FILE_OWN_DESC</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Ensures that the listener log file is owned by the Oracle software owner</col> </row> <row> <col name="MESSAGE_ID">LSNR_LOG_FILE_OWN_IMPACT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">The information in the logfile can reveal important network and database connection details. 
Having a log file not owned by the Oracle software owner can expose them to public scrutiny with possible security implications.</col> </row> <row> <col name="MESSAGE_ID">LSNR_LOG_FILE_OWN_RECOMM</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">The listener logfile must be owned by Oracle software owner.</col> </row> <!--Policy: Allowed Logon Version --> <row> <col name="MESSAGE_ID">ALLOWED_LOGON_VERSION_NAME</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Allowed Logon Version</col> </row> <row> <col name="MESSAGE_ID">ALLOWED_LOGON_VERSION_DESC</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Ensures that the server allows logon from clients with a matching version or higher only</col> </row> <row> <col name="MESSAGE_ID">ALLOWED_LOGON_VERSION_IMPACT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE"> Setting the parameter SQLNET.ALLOWED_LOGON_VERSION in sqlnet.ora to a version lower than the server version will force the server to use a less secure authentication protocol.</col> </row> <row> <col name="MESSAGE_ID">ALLOWED_LOGON_VERSION_RECOM</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Set the parameter SQLNET.ALLOWED_LOGON_VERSION in sqlnet.ora to the server's major version. 
Setting this value to older versions could expose vulnerabilities that may have existed in the authentication protocols.</col> </row> <!-- sqlnet_Client_Log_Dir --> <row> <col name="MESSAGE_ID">CLIENT_LOG_DIR_PERM_NAME</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Oracle Net Client Log Directory Permission</col> </row> <row> <col name="MESSAGE_ID">CLIENT_LOG_DIR_PERM_NAME_NT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Oracle Net Client Log Directory Permission (Windows)</col> </row> <row> <col name="MESSAGE_ID">CLIENT_LOG_DIR_PERM_DESC</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Ensures that the client log directory is a valid directory owned by Oracle set with no permissions to public</col> </row> <row> <col name="MESSAGE_ID">CLIENT_LOG_DIR_PERM_IMPACT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. 
Allowing access to the log directory can expose the log files to public scrutiny.</col> </row> <row> <col name="MESSAGE_ID">CLIENT_LOG_DIR_PERM_RECOMM</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">The client log directory must be a valid directory owned by the Oracle set with no permissions to public.</col> </row> <!-- sqlnet_Client_Log_Dir_Owner --> <row> <col name="MESSAGE_ID">CLIENT_LOG_DIR_OWN_NAME</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Oracle Net Client Log Directory Owner</col> </row> <row> <col name="MESSAGE_ID">CLIENT_LOG_DIR_OWN_DESC</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Ensures that the client log directory is a valid directory owned by Oracle set</col> </row> <row> <col name="MESSAGE_ID">CLIENT_LOG_DIR_OWN_IMPACT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. 
Allowing access to the log directory can expose the log files to public scrutiny.</col> </row> <row> <col name="MESSAGE_ID">CLIENT_LOG_DIR_OWN_RECOMM</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">The client log directory must be a valid directory owned by the Oracle set.</col> </row> <!-- sqlnet_Server_Log_Dir --> <row> <col name="MESSAGE_ID">SERV_LOG_DIR_PERM_NAME</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Oracle Net Server Log Directory Permission</col> </row> <row> <col name="MESSAGE_ID">SERV_LOG_DIR_PERM_NAME_NT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Oracle Net Server Log Directory Permission (Windows)</col> </row> <row> <col name="MESSAGE_ID">SERV_LOG_DIR_PERM_DESC</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Ensures that the server log directory is a valid directory owned by Oracle set with no permissions to public</col> </row> <row> <col name="MESSAGE_ID">SERV_LOG_DIR_PERM_IMPACT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. 
Allowing access to the log directory can expose the log files to public scrutiny.</col> </row> <row> <col name="MESSAGE_ID">SERV_LOG_DIR_PERM_RECOMM</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">The server log directory must be a valid directory owned by the Oracle set with no permissions to public.</col> </row> <!-- sqlnet_Server_Log_Dir_Owner--> <row> <col name="MESSAGE_ID">SERV_LOG_DIR_OWN_NAME</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Oracle Net Server Log Directory Owner</col> </row> <row> <col name="MESSAGE_ID">SERV_LOG_DIR_OWN_DESC</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Ensures that the server log directory is a valid directory owned by Oracle set</col> </row> <row> <col name="MESSAGE_ID">SERV_LOG_DIR_OWN_IMPACT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. 
Allowing access to the log directory can expose the log files to public scrutiny.</col> </row> <row> <col name="MESSAGE_ID">SERV_LOG_DIR_OWN_RECOMM</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">The server log directory must be a valid directory owned by the Oracle set.</col> </row> <!-- sqlnet_Client_Trace_Dir--> <row> <col name="MESSAGE_ID">CLIENT_TRC_DIR_PERM_NAME</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Oracle Net Client Trace Directory Permission</col> </row> <row> <col name="MESSAGE_ID">CLIENT_TRC_DIR_PERM_NAME_NT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Oracle Net Client Trace Directory Permission (Windows)</col> </row> <row> <col name="MESSAGE_ID">CLIENT_TRC_DIR_PERM_DESC</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Ensures that the client trace directory is a valid directory owned by Oracle set with no permissions to public</col> </row> <row> <col name="MESSAGE_ID">CLIENT_TRC_DIR_PERM_IMPACT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in this file can reveal important network and database connection details. 
Allowing access to the log directory can expose the log files to public scrutiny.</col> </row> <row> <col name="MESSAGE_ID">CLIENT_TRC_DIR_PERM_RECOMM</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">The client trace directory must be a valid directory owned by the Oracle set with no permissions to public.</col> </row> <!--sqlnet_Client_Trace_Dir_Owner --> <row> <col name="MESSAGE_ID">CLIENT_TRC_DIR_OWN_NAME</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Oracle Net Client Trace Directory Owner</col> </row> <row> <col name="MESSAGE_ID">CLIENT_TRC_DIR_OWN_DESC</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Ensures that the client trace directory is a valid directory owned by Oracle set</col> </row> <row> <col name="MESSAGE_ID">CLIENT_TRC_DIR_OWN_IMPACT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in this file can reveal important network and database connection details. 
Allowing access to the log directory can expose the log files to public scrutiny.</col> </row> <row> <col name="MESSAGE_ID">CLIENT_TRC_DIR_OWN_RECOMM</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">The client trace directory must be a valid directory owned by the Oracle set.</col> </row> <!-- sqlnet_Server_Trace_Dir --> <row> <col name="MESSAGE_ID">SERV_TRC_DIR_PERM_NAME</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Oracle Net Server Trace Directory Permission</col> </row> <row> <col name="MESSAGE_ID">SERV_TRC_DIR_PERM_NAME_NT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Oracle Net Server Trace Directory Permission (Windows)</col> </row> <row> <col name="MESSAGE_ID">SERV_TRC_DIR_PERM_DESC</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Ensures that the server trace directory is a valid directory owned by Oracle set with no permissions to public</col> </row> <row> <col name="MESSAGE_ID">SERV_TRC_DIR_PERM_IMPACT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in this file can reveal important network and database connection details. 
Allowing access to the log directory can expose the log files to public scrutiny.</col> </row> <row> <col name="MESSAGE_ID">SERV_TRC_DIR_PERM_RECOMM</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">The server trace directory must be a valid directory owned by the Oracle set with no permissions to public.</col> </row> <!-- sqlnet_Server_Trace_Dir_Owner--> <row> <col name="MESSAGE_ID">SERV_TRC_DIR_OWN_NAME</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Oracle Net Server Trace Directory Owner</col> </row> <row> <col name="MESSAGE_ID">SERV_TRC_DIR_OWN_DESC</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Ensures that the server trace directory is a valid directory owned by Oracle set</col> </row> <row> <col name="MESSAGE_ID">SERV_TRC_DIR_OWN_IMPACT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in this file can reveal important network and database connection details. 
Allowing access to the log directory can expose the log files to public scrutiny.</col> </row> <row> <col name="MESSAGE_ID">SERV_TRC_DIR_OWN_RECOMM</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">The server trace directory must be a valid directory owned by the Oracle set.</col> </row> <!--Sqlnet_Ora_Restrict_Perms --> <row> <col name="MESSAGE_ID">SQLNET_PERM_NAME</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Restrict Sqlnet.ora Permission</col> </row> <row> <col name="MESSAGE_ID">SQLNET_PERM_NAME_NT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Restrict Sqlnet.ora Permission (Windows)</col> </row> <row> <col name="MESSAGE_ID">SQLNET_PERM_DESC</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Ensures that the sqlnet.ora file is not accessible to public</col> </row> <row> <col name="MESSAGE_ID">SQLNET_PERM_IMPACT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">If sqlnet.ora is publicly readable, a malicious user may attempt to read it, which could lead to sensitive information being exposed. For example, log and trace destination information of the client and server.</col> </row> <row> <col name="MESSAGE_ID">SQLNET_PERM_RECOMM</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Public should not be given any permissions on the sqlnet.ora file.</col> </row> <!-- Lsnr_Logfile_Perm_Policy --> <row> <col name="MESSAGE_ID">LSNR_LOG_FILE_PERM_NAME</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Listener Logfile Permission</col> </row> <row> <col name="MESSAGE_ID">LSNR_LOG_FILE_PERM_NAME_NT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Listener Logfile Permission (Windows)</col> </row> <row> <col name="MESSAGE_ID">LSNR_LOG_FILE_PERM_DESC</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Ensures that the listener logfile cannot be read by or written to by public</col> </row> <row> <col name="MESSAGE_ID">LSNR_LOG_FILE_PERM_IMPACT</col> <col 
name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">The information in the logfile can reveal important network and database connection details. Allowing access to the log file can expose them to public scrutiny with possible security implications.</col> </row> <row> <col name="MESSAGE_ID">LSNR_LOG_FILE_PERM_RECOMM</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">The listener logfile must not allow public to read/write to it. Restrict the file permission to Oracle software owner and DBA group.</col> </row> <!-- Lsnr_Tracedir_Perm_Policy--> <row> <col name="MESSAGE_ID">LSNR_TRACE_DIR_PERM_NAME</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Listener Trace Directory Permission</col> </row> <row> <col name="MESSAGE_ID">LSNR_TRACE_DIR_PERM_NAME_NT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Listener Trace Directory Permission (Windows)</col> </row> <row> <col name="MESSAGE_ID">LSNR_TRACE_DIR_PERM_DESC</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Ensures that the listener trace directory does not have public read/write permissions</col> </row> <row> <col name="MESSAGE_ID">LSNR_TRACE_DIR_PERM_IMPACT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Allowing access to the trace directory can expose them to public scrutiny with possible security implications.</col> </row> <row> <col name="MESSAGE_ID">LSNR_TRACE_DIR_PERM_RECOMM</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">The listener trace directory must not allow public to read/write to it. 
Restrict the directory permission to Oracle software owner and DBA group.</col> </row> <!-- Lsnr_Tracedir_Own_Policy --> <row> <col name="MESSAGE_ID">LSNR_TRACE_DIR_OWN_NAME</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Listener Trace Directory Owner</col> </row> <row> <col name="MESSAGE_ID">LSNR_TRACE_DIR_OWN_DESC</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Ensures that the listener trace directory is a valid directory owned by Oracle software owner</col> </row> <row> <col name="MESSAGE_ID">LSNR_TRACE_DIR_OWN_IMPACT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Having a trace directory not owned by the Oracle software owner can expose the trace files to public scrutiny with possible security implications.</col> </row> <row> <col name="MESSAGE_ID">LSNR_TRACE_DIR_OWN_RECOMM</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">The listener trace directory must be owned by the Oracle software owner.</col> </row> <!--Lsnr_Tracefile_Own_Policy --> <row> <col name="MESSAGE_ID">LSNR_TRACE_FILE_OWN_NAME</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Listener Trace File Owner</col> </row> <row> <col name="MESSAGE_ID">LSNR_TRACE_FILE_OWN_DESC</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Ensures that the listener trace directory is a valid directory owned by Oracle software owner</col> </row> <row> <col name="MESSAGE_ID">LSNR_TRACE_FILE_OWN_IMPACT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Having a trace directory not owned by the Oracle software owner can expose the trace files to public scrutiny with possible security implications.</col> </row> <row> <col name="MESSAGE_ID">LSNR_TRACE_FILE_OWN_RECOMM</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">The listener trace directory must be owned by the Oracle software owner.</col> </row> <!-- Lsnr_Tracefile_Perm_Policy--> <row> <col name="MESSAGE_ID">LSNR_TRACE_FILE_PERM_NAME</col> <col name="SUBSYSTEM">POLICY</col> 
<col name="MESSAGE">Listener Trace File Permission</col> </row> <row> <col name="MESSAGE_ID">LSNR_TRACE_FILE_PERM_NAME_NT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Listener Trace File Permission (Windows)</col> </row> <row> <col name="MESSAGE_ID">LSNR_TRACE_FILE_PERM_DESC</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Ensures that the listener trace file is not accessible to public</col> </row> <row> <col name="MESSAGE_ID">LSNR_TRACE_FILE_PERM_IMPACT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Allowing access to the trace files can expose them to public scrutiny with possible security implications.</col> </row> <row> <col name="MESSAGE_ID">LSNR_TRACE_FILE_PERM_RECOMM</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">The listener trace file must not allow public to read/write to it. Restrict the file permission to Oracle software owner and DBA group.</col> </row> <!-- Listener_Password--> <row> <col name="MESSAGE_ID">LSNR_PASSWD_NAME</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Listener Password</col> </row> <row> <col name="MESSAGE_ID">LSNR_PASSWD_DESC</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Ensures that access to listener is password protected</col> </row> <row> <col name="MESSAGE_ID">LSNR_PASSWD_IMPACT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Without password protection, a user can gain access to the listener. Once someone has access to the listener, he/she can stop the listener. 
He/she can also set a password and prevent others from managing the listener.</col> </row> <row> <col name="MESSAGE_ID">LSNR_PASSWD_RECOMM</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">All listeners should be protected by a non-trivial password using the CHANGE_PASSWORD command.</col> </row> <!--Listener_Logging_Status --> <row> <col name="MESSAGE_ID">LSNR_LOG_STATUS_NAME</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Listener Logging Status</col> </row> <row> <col name="MESSAGE_ID">LSNR_LOG_STATUS_DESC</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Ensures that listener logging is enabled.</col> </row> <row> <col name="MESSAGE_ID">LSNR_LOG_STATUS_IMPACT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Without listener logging attacks on the listener can go unnoticed.</col> </row> <row> <col name="MESSAGE_ID">LSNR_LOG_STATUS_RECOMM</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Enable listener logging by setting the LOG_STATUS parameter to ON.</col> </row> <!--Listener_Default_Name --> <row> <col name="MESSAGE_ID">LSNR_DFLT_NAME_NAME</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Listener Default Name</col> </row> <row> <col name="MESSAGE_ID">LSNR_DFLT_NAME_DESC</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Ensures that the default name of the listener is not used</col> </row> <row> <col name="MESSAGE_ID">LSNR_DFLT_NAME_IMPACT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Having a listener with the default name increases the risk of unauthorized access and denial of service attacks.</col> </row> <row> <col name="MESSAGE_ID">LSNR_DFLT_NAME_RECOM</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Avoid having a listener with the default name (LISTENER).</col> </row> <!-- Lsnr_Ora_Restrict_Perms--> <row> <col name="MESSAGE_ID">LSNR_ORA_PERM_NAME</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Listener.ora Permission</col> </row> <row> 
<col name="MESSAGE_ID">LSNR_ORA_PERM_NAME_NT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Listener.ora Permission (Windows)</col> </row> <row> <col name="MESSAGE_ID">LSNR_ORA_PERM_DESC</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Ensures that the file permissions for listener.ora are restricted to the owner of Oracle software</col> </row> <row> <col name="MESSAGE_ID">LSNR_ORA_PERM_IMPACT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">If the listener.ora file is public readable, passwords may be extracted from this file. This can also lead to exposure of detailed information on the Listener, database, and application configuration. Also, if public has write permissions, a malicious user can remove any password that has been set on the listener.</col> </row> <row> <col name="MESSAGE_ID">LSNR_ORA_PERM_RECOMM</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Listener.ora permissions should be restricted to the owner of Oracle software installation and DBA group.</col> </row> <!-- sqlnet_inbound_connect_timeout--> <row> <col name="MESSAGE_ID">Sqlnetora_Inbound_Connect_Timeout_NAME</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Oracle Net Inbound Connect Timeout</col> </row> <row> <col name="MESSAGE_ID">Sqlnetora_Inbound_Connect_Timeout_IMPACT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Without this parameter, or with a higher value assigned to it, a client connection to the database server can stay open indefinitely or for the specified duration without authentication. Connections without authentication can introduce possible denial-of-service attacks, whereby malicious clients attempt to flood database servers with connect requests that consume resources. 
</col> </row> <row> <col name="MESSAGE_ID">Sqlnetora_Inbound_Connect_Timeout_DESC</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Ensures that all incomplete inbound connections to Oracle Net has a limited lifetime</col> </row> <row> <col name="MESSAGE_ID">Sqlnetora_Inbound_Connect_Timeout_RECOMM</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Set the lowest possible value for the SQLNET.INBOUND_CONNECT_TIMEOUT parameter in sqlnet.ora. Ensure that the value of this parameter is higher than the value of INBOUND_CONNECT_TIMEOUT_listener_name parameter in the listener.ora file.</col> </row> <!-- lsnr_inbound_connect_timeout--> <row> <col name="MESSAGE_ID">Lsnrora_Inbound_Connect_Timeout_NAME</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Listener Inbound Connect Timeout</col> </row> <row> <col name="MESSAGE_ID">Lsnrora_Inbound_Connect_Timeout_IMPACT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">This limit protects the listener from consuming and holding resources for client connection requests that do not complete. A malicious user could use this to flood the listener with requests that result in a denial of service to authorized users.</col> </row> <row> <col name="MESSAGE_ID">Lsnrora_Inbound_Connect_Timeout_DESC</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Ensures that all incomplete inbound connections to Oracle Listener has a limited lifetime</col> </row> <row> <col name="MESSAGE_ID">Lsnrora_Inbound_Connect_Timeout_RECOMM</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Set the lowest possible value for the INBOUND_CONNECT_TIMEOUT_listener_name parameter in listener.ora. 
Ensure that the value of this parameter is lower than the value of SQLNET.INBOUND_CONNECT_TIMEOUT parameter in the sqlnet.ora file.</col> </row> <!-- ssl_server_dn_match--> <row> <col name="MESSAGE_ID">Ssl_Server_DN_Match_NAME</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Oracle Net SSL_SERVER_DN_MATCH</col> </row> <row> <col name="MESSAGE_ID">Ssl_Server_DN_Match_IMPACT</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">If the ssl_server_dn_match parameter is disabled, then SSL performs the check but allows the connection regardless of whether there is a match. Not enforcing the match allows the server to potentially fake its identity.</col> </row> <row> <col name="MESSAGE_ID">Ssl_Server_DN_Match_DESC</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Ensures ssl_server_dn_match is enabled in sqlnet.ora and in turn SSL ensures that the certificate is from the server</col> </row> <row> <col name="MESSAGE_ID">Ssl_Server_DN_Match_RECOMM</col> <col name="SUBSYSTEM">POLICY</col> <col name="MESSAGE">Enable ssl_server_dn_match parameter in the sqlnet.ora file.</col> </row> </dataset> </table>