LSNR_DIRECT_ADMIN_NAME
POLICY
Listener Direct Administration
LSNR_DIRECT_ADMIN_DESC
POLICY
Ensures that no runtime modifications to the listener configuration are allowed
LSNR_DIRECT_ADMIN_IMPACT
POLICY
An attacker who has access to a running listener can perform runtime modifications (for example, SET operations) using the lsnrctl program.
LSNR_DIRECT_ADMIN_RECOMM
POLICY
All listeners must have direct administration disabled. Set ADMIN_RESTRICTIONS_listener_name to ON in listener.ora.
LSNR_HOST_NAME_NAME
POLICY
Use of Hostname in Listener.ora
LSNR_HOST_NAME_DESC
POLICY
Ensures that the listener host is specified as an IP address and not a hostname in listener.ora
LSNR_HOST_NAME_IMPACT
POLICY
An insecure Domain Name System (DNS) server can be taken advantage of for mounting a spoofing attack. A name server failure can leave the listener unable to resolve the host.
LSNR_HOST_NAME_RECOMM
POLICY
The host should be specified as an IP address in listener.ora.
LSNR_LOG_FILE_OWN_NAME
POLICY
Listener Logfile Owner
LSNR_LOG_FILE_OWN_DESC
POLICY
Ensures that the listener log file is owned by the Oracle software owner
LSNR_LOG_FILE_OWN_IMPACT
POLICY
The information in the logfile can reveal important network and database connection details. Having a log file not owned by the Oracle software owner can expose them to public scrutiny with possible security implications.
LSNR_LOG_FILE_OWN_RECOMM
POLICY
The listener logfile must be owned by the Oracle software owner.
ALLOWED_LOGON_VERSION_NAME
POLICY
Allowed Logon Version
ALLOWED_LOGON_VERSION_DESC
POLICY
Ensures that the server allows logon only from clients with a matching or higher version
ALLOWED_LOGON_VERSION_IMPACT
POLICY
Setting the parameter SQLNET.ALLOWED_LOGON_VERSION in sqlnet.ora to a version lower than the server version will force the server to use a less secure authentication protocol.
ALLOWED_LOGON_VERSION_RECOM
POLICY
Set the parameter SQLNET.ALLOWED_LOGON_VERSION in sqlnet.ora to the server's major version. Setting this value to older versions could expose vulnerabilities that may have existed in the authentication protocols.
CLIENT_LOG_DIR_PERM_NAME
POLICY
Oracle Net Client Log Directory Permission
CLIENT_LOG_DIR_PERM_NAME_NT
POLICY
Oracle Net Client Log Directory Permission (Windows)
CLIENT_LOG_DIR_PERM_DESC
POLICY
Ensures that the client log directory is a valid directory owned by Oracle set with no permissions to public
CLIENT_LOG_DIR_PERM_IMPACT
POLICY
Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
CLIENT_LOG_DIR_PERM_RECOMM
POLICY
The client log directory must be a valid directory owned by the Oracle set with no permissions to public.
CLIENT_LOG_DIR_OWN_NAME
POLICY
Oracle Net Client Log Directory Owner
CLIENT_LOG_DIR_OWN_DESC
POLICY
Ensures that the client log directory is a valid directory owned by Oracle set
CLIENT_LOG_DIR_OWN_IMPACT
POLICY
Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
CLIENT_LOG_DIR_OWN_RECOMM
POLICY
The client log directory must be a valid directory owned by the Oracle set.
SERV_LOG_DIR_PERM_NAME
POLICY
Oracle Net Server Log Directory Permission
SERV_LOG_DIR_PERM_NAME_NT
POLICY
Oracle Net Server Log Directory Permission (Windows)
SERV_LOG_DIR_PERM_DESC
POLICY
Ensures that the server log directory is a valid directory owned by Oracle set with no permissions to public
SERV_LOG_DIR_PERM_IMPACT
POLICY
Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
SERV_LOG_DIR_PERM_RECOMM
POLICY
The server log directory must be a valid directory owned by the Oracle set with no permissions to public.
SERV_LOG_DIR_OWN_NAME
POLICY
Oracle Net Server Log Directory Owner
SERV_LOG_DIR_OWN_DESC
POLICY
Ensures that the server log directory is a valid directory owned by Oracle set
SERV_LOG_DIR_OWN_IMPACT
POLICY
Log files provide information contained in an error stack. An error stack refers to the information that is produced by each layer in an Oracle communications stack as the result of a network error. The information in log files can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
SERV_LOG_DIR_OWN_RECOMM
POLICY
The server log directory must be a valid directory owned by the Oracle set.
CLIENT_TRC_DIR_PERM_NAME
POLICY
Oracle Net Client Trace Directory Permission
CLIENT_TRC_DIR_PERM_NAME_NT
POLICY
Oracle Net Client Trace Directory Permission (Windows)
CLIENT_TRC_DIR_PERM_DESC
POLICY
Ensures that the client trace directory is a valid directory owned by Oracle set with no permissions to public
CLIENT_TRC_DIR_PERM_IMPACT
POLICY
Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in this file can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
CLIENT_TRC_DIR_PERM_RECOMM
POLICY
The client trace directory must be a valid directory owned by the Oracle set with no permissions to public.
CLIENT_TRC_DIR_OWN_NAME
POLICY
Oracle Net Client Trace Directory Owner
CLIENT_TRC_DIR_OWN_DESC
POLICY
Ensures that the client trace directory is a valid directory owned by Oracle set
CLIENT_TRC_DIR_OWN_IMPACT
POLICY
Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in this file can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
CLIENT_TRC_DIR_OWN_RECOMM
POLICY
The client trace directory must be a valid directory owned by the Oracle set.
SERV_TRC_DIR_PERM_NAME
POLICY
Oracle Net Server Trace Directory Permission
SERV_TRC_DIR_PERM_NAME_NT
POLICY
Oracle Net Server Trace Directory Permission (Windows)
SERV_TRC_DIR_PERM_DESC
POLICY
Ensures that the server trace directory is a valid directory owned by Oracle set with no permissions to public
SERV_TRC_DIR_PERM_IMPACT
POLICY
Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in this file can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
SERV_TRC_DIR_PERM_RECOMM
POLICY
The server trace directory must be a valid directory owned by the Oracle set with no permissions to public.
SERV_TRC_DIR_OWN_NAME
POLICY
Oracle Net Server Trace Directory Owner
SERV_TRC_DIR_OWN_DESC
POLICY
Ensures that the server trace directory is a valid directory owned by Oracle set
SERV_TRC_DIR_OWN_IMPACT
POLICY
Tracing produces a detailed sequence of statements that describe network events as they are executed. Tracing an operation enables you to obtain more information on the internal operations of the components of Oracle Net Services than is provided in a log file. The information in this file can reveal important network and database connection details. Allowing access to the log directory can expose the log files to public scrutiny.
SERV_TRC_DIR_OWN_RECOMM
POLICY
The server trace directory must be a valid directory owned by the Oracle set.
SQLNET_PERM_NAME
POLICY
Restrict Sqlnet.ora Permission
SQLNET_PERM_NAME_NT
POLICY
Restrict Sqlnet.ora Permission (Windows)
SQLNET_PERM_DESC
POLICY
Ensures that the sqlnet.ora file is not accessible to public
SQLNET_PERM_IMPACT
POLICY
If sqlnet.ora is publicly readable, a malicious user may attempt to read it, which could expose sensitive information, for example the log and trace destination information of the client and server.
SQLNET_PERM_RECOMM
POLICY
Public should not be given any permissions on the sqlnet.ora file.
LSNR_LOG_FILE_PERM_NAME
POLICY
Listener Logfile Permission
LSNR_LOG_FILE_PERM_NAME_NT
POLICY
Listener Logfile Permission (Windows)
LSNR_LOG_FILE_PERM_DESC
POLICY
Ensures that the listener logfile cannot be read by or written to by public
LSNR_LOG_FILE_PERM_IMPACT
POLICY
The information in the logfile can reveal important network and database connection details. Allowing access to the log file can expose them to public scrutiny with possible security implications.
LSNR_LOG_FILE_PERM_RECOMM
POLICY
The listener logfile must not allow public to read/write to it. Restrict the file permission to Oracle software owner and DBA group.
LSNR_TRACE_DIR_PERM_NAME
POLICY
Listener Trace Directory Permission
LSNR_TRACE_DIR_PERM_NAME_NT
POLICY
Listener Trace Directory Permission (Windows)
LSNR_TRACE_DIR_PERM_DESC
POLICY
Ensures that the listener trace directory does not have public read/write permissions
LSNR_TRACE_DIR_PERM_IMPACT
POLICY
Allowing access to the trace directory can expose the trace files to public scrutiny with possible security implications.
LSNR_TRACE_DIR_PERM_RECOMM
POLICY
The listener trace directory must not allow public to read/write to it. Restrict the directory permission to Oracle software owner and DBA group.
LSNR_TRACE_DIR_OWN_NAME
POLICY
Listener Trace Directory Owner
LSNR_TRACE_DIR_OWN_DESC
POLICY
Ensures that the listener trace directory is a valid directory owned by Oracle software owner
LSNR_TRACE_DIR_OWN_IMPACT
POLICY
Having a trace directory not owned by the Oracle software owner can expose the trace files to public scrutiny with possible security implications.
LSNR_TRACE_DIR_OWN_RECOMM
POLICY
The listener trace directory must be owned by the Oracle software owner.
LSNR_TRACE_FILE_OWN_NAME
POLICY
Listener Trace File Owner
LSNR_TRACE_FILE_OWN_DESC
POLICY
Ensures that the listener trace directory is a valid directory owned by Oracle software owner
LSNR_TRACE_FILE_OWN_IMPACT
POLICY
Having a trace directory not owned by the Oracle software owner can expose the trace files to public scrutiny with possible security implications.
LSNR_TRACE_FILE_OWN_RECOMM
POLICY
The listener trace directory must be owned by the Oracle software owner.
LSNR_TRACE_FILE_PERM_NAME
POLICY
Listener Trace File Permission
LSNR_TRACE_FILE_PERM_NAME_NT
POLICY
Listener Trace File Permission (Windows)
LSNR_TRACE_FILE_PERM_DESC
POLICY
Ensures that the listener trace file is not accessible to public
LSNR_TRACE_FILE_PERM_IMPACT
POLICY
Allowing access to the trace files can expose them to public scrutiny with possible security implications.
LSNR_TRACE_FILE_PERM_RECOMM
POLICY
The listener trace file must not allow public to read/write to it. Restrict the file permission to Oracle software owner and DBA group.
LSNR_PASSWD_NAME
POLICY
Listener Password
LSNR_PASSWD_DESC
POLICY
Ensures that access to the listener is password protected
LSNR_PASSWD_IMPACT
POLICY
Without password protection, a user can gain access to the listener. Once someone has access to the listener, he/she can stop the listener. He/she can also set a password and prevent others from managing the listener.
LSNR_PASSWD_RECOMM
POLICY
All listeners should be protected by a non-trivial password using the CHANGE_PASSWORD command.
LSNR_LOG_STATUS_NAME
POLICY
Listener Logging Status
LSNR_LOG_STATUS_DESC
POLICY
Ensures that listener logging is enabled.
LSNR_LOG_STATUS_IMPACT
POLICY
Without listener logging, attacks on the listener can go unnoticed.
LSNR_LOG_STATUS_RECOMM
POLICY
Enable listener logging by setting the LOG_STATUS parameter to ON.
LSNR_DFLT_NAME_NAME
POLICY
Listener Default Name
LSNR_DFLT_NAME_DESC
POLICY
Ensures that the default name of the listener is not used
LSNR_DFLT_NAME_IMPACT
POLICY
Having a listener with the default name increases the risk of unauthorized access and denial of service attacks.
LSNR_DFLT_NAME_RECOM
POLICY
Avoid having a listener with the default name (LISTENER).
LSNR_ORA_PERM_NAME
POLICY
Listener.ora Permission
LSNR_ORA_PERM_NAME_NT
POLICY
Listener.ora Permission (Windows)
LSNR_ORA_PERM_DESC
POLICY
Ensures that the file permissions for listener.ora are restricted to the owner of Oracle software
LSNR_ORA_PERM_IMPACT
POLICY
If the listener.ora file is publicly readable, passwords may be extracted from this file. This can also lead to exposure of detailed information on the listener, database, and application configuration. Also, if public has write permissions, a malicious user can remove any password that has been set on the listener.
LSNR_ORA_PERM_RECOMM
POLICY
Listener.ora permissions should be restricted to the owner of Oracle software installation and DBA group.
Sqlnetora_Inbound_Connect_Timeout_NAME
POLICY
Oracle Net Inbound Connect Timeout
Sqlnetora_Inbound_Connect_Timeout_IMPACT
POLICY
Without this parameter, or with a higher value assigned to it, a client connection to the database server can stay open indefinitely or for the specified duration without authentication. Connections without authentication can introduce possible denial-of-service attacks, whereby malicious clients attempt to flood database servers with connect requests that consume resources.
Sqlnetora_Inbound_Connect_Timeout_DESC
POLICY
Ensures that all incomplete inbound connections to Oracle Net have a limited lifetime
Sqlnetora_Inbound_Connect_Timeout_RECOMM
POLICY
Set the lowest possible value for the SQLNET.INBOUND_CONNECT_TIMEOUT parameter in sqlnet.ora. Ensure that the value of this parameter is higher than the value of INBOUND_CONNECT_TIMEOUT_listener_name parameter in the listener.ora file.
Lsnrora_Inbound_Connect_Timeout_NAME
POLICY
Listener Inbound Connect Timeout
Lsnrora_Inbound_Connect_Timeout_IMPACT
POLICY
This limit protects the listener from consuming and holding resources for client connection requests that do not complete. A malicious user could use this to flood the listener with requests that result in a denial of service to authorized users.
Lsnrora_Inbound_Connect_Timeout_DESC
POLICY
Ensures that all incomplete inbound connections to the Oracle Listener have a limited lifetime
Lsnrora_Inbound_Connect_Timeout_RECOMM
POLICY
Set the lowest possible value for the INBOUND_CONNECT_TIMEOUT_listener_name parameter in listener.ora. Ensure that the value of this parameter is lower than the value of SQLNET.INBOUND_CONNECT_TIMEOUT parameter in the sqlnet.ora file.
Ssl_Server_DN_Match_NAME
POLICY
Oracle Net SSL_SERVER_DN_MATCH
Ssl_Server_DN_Match_IMPACT
POLICY
If the ssl_server_dn_match parameter is disabled, SSL performs the check but allows the connection regardless of whether there is a match. Not enforcing the match allows the server to potentially fake its identity.
Ssl_Server_DN_Match_DESC
POLICY
Ensures that ssl_server_dn_match is enabled in sqlnet.ora, so that SSL in turn ensures that the certificate is from the server
Ssl_Server_DN_Match_RECOMM
POLICY
Enable the ssl_server_dn_match parameter in the sqlnet.ora file.