Rem drv:
Rem
Rem $Header: host_policies.sql 08-sep-2005.23:39:34 dkjain Exp $
Rem
Rem host_policies.sql
Rem
Rem Copyright (c) 2005, Oracle. All rights reserved.
Rem
Rem NAME
Rem host_policies.sql -
Rem
Rem DESCRIPTION
Rem
Rem
Rem NOTES
Rem
Rem
Rem MODIFIED (MM/DD/YY)
Rem dkjain 09/08/05 - dkjain_bug-4530678
Rem dkjain 07/28/05 - Created
Rem
SET ECHO ON
SET FEEDBACK 1
SET NUMWIDTH 10
SET LINESIZE 80
SET TRIMSPOOL ON
SET TAB OFF
SET PAGESIZE 100
DECLARE
-- Metrics Variable
l_metric_column_list MGMT_METRIC_COLUMN_ARRAY;
l_metric_type NUMBER ;
l_snapshot_list MGMT_SNAPSHOT_ARRAY;
-- Policies Variable
l_ctxList MGMT_VIOL_CTXT_DEF_ARRAY;
l_paramDefList MGMT_POLICY_PARAM_DEF_ARRAY;
l_defaultParamValList MGMT_POLICY_PARAM_VAL_ARRAY;
l_defaultSettingsList MGMT_POLICY_KEY_VAL_ARRAY;
l_10gR1_host_meta_ver VARCHAR2(3) ;
l_valid_if_list MGMT_VALIDIF_ARRAY ;
TYPE METRIC_LIST is table of VARCHAR2(50);
l_metricName VARCHAR2(50);
l_metricNameList METRIC_LIST;
TYPE POLICY_LIST is table of VARCHAR2(50);
l_policyName VARCHAR2(50);
l_policyNameList POLICY_LIST;
BEGIN
l_metricNameList := METRIC_LIST('executeStackRep','openPortsRep','insecureServicesRep','fileSystemTypeRep');
l_policyNameList := POLICY_LIST('Open_ports','Execute_Stack','Insecure_Services','NTFS_File_System');
FOR i IN 1..l_policyNameList.last LOOP
l_policyName := l_policyNameList(i);
ESM.DELETE_POLICY_METADATA(
P_TARGET_TYPE => ESM.HOST_TARGET_TYPE,
P_POLICY_NAME => l_policyName
);
END LOOP;
FOR i IN 1..l_metricNameList.last LOOP
l_metricName := l_metricNameList(i);
MGMT_METRIC.DELETE_METRIC_METADATA(
P_TARGET_TYPE => ESM.HOST_TARGET_TYPE,
P_METRIC_NAME => l_metricName,
P_TYPE_META_VER => NULL
);
END LOOP;
COMMIT ;
l_10gR1_host_meta_ver := '2.0';
l_metric_type := MGMT_GLOBAL.G_METRIC_TYPE_TABLE ;
l_snapshot_list := MGMT_SNAPSHOT_ARRAY(
MGMT_SNAPSHOT_OBJ.NEW(
p_target_type => ESM.HOST_TARGET_TYPE,
p_snapshot_name =>ESM.SECURITY_SNAPSHOT_TYPE));
l_metric_column_list := MGMT_METRIC_COLUMN_ARRAY(
MGMT_METRIC_COLUMN_OBJ.NEW(
p_column_name => 'status',
p_column_type => MGMT_GLOBAL.G_METRIC_TYPE_STRING,
p_is_key => MGMT_GLOBAL.G_FALSE,
p_column_label => 'Status',
p_column_label_nlsid =>'STATUS_COL'));
MGMT_METRIC.CREATE_METRIC(
p_target_type => ESM.HOST_TARGET_TYPE,
p_metric_name => 'executeStackRep',
p_type_meta_ver => l_10gR1_host_meta_ver,
p_valid_if_list => NULL,
p_metric_type => l_metric_type,
p_usage_type => MGMT_GLOBAL.G_USAGE_HIDDEN_COLLECT,
p_metric_label => 'Execute Stack',
p_metric_label_nlsid => 'EXE_STACK_METRIC_LABEL',
p_description => 'Collect the information of whether the execution on the stack is allowed',
p_description_nlsid => 'EXE_STACK_METRIC_DESC',
p_is_repository => MGMT_GLOBAL.G_TRUE ,
p_author => 'ORACLE',
p_source_type => MGMT_GLOBAL.G_METRIC_SOURCE_QUERY,
p_source => 'SELECT target_guid AS TARGET_GUID, value as status '
||'FROM esm_collection_latest '
||'WHERE property=''execute_stack''',
p_snapshot_name_list => l_snapshot_list,
p_metric_column_list => l_metric_column_list
);
COMMIT;
l_ctxList := MGMT_VIOL_CTXT_DEF_ARRAY(
MGMT_VIOL_CTXT_DEF.NEW(
p_metric_column => 'status'));
l_defaultSettingsList := MGMT_POLICY_KEY_VAL_ARRAY(
MGMT_POLICY_KEY_VAL.NEW(
p_importance => MGMT_GLOBAL.G_IMPORTANCE_NORMAL));
ESM.CREATE_POLICY(
p_target_type => ESM.HOST_TARGET_TYPE,
p_policy_name => 'Execute_Stack', --Policy name
p_metric_name => 'executeStackRep', --Metric name
p_policy_label_nlsid => 'EXE_STACK_NAME',
p_description => 'Ensure that the OS configuration parameter, which enables '||
'execution of code on the user stack, is not enabled',
p_description_nlsid => 'EXE_STACK_DESC',
p_impact => 'Enabling code execution on the user stack may allow a malicious user '||
'to exploit stack buffer overflows. Overflows can cause portions of a '||
'system to fail, or even execute arbitrary code.',
p_impact_nlsid => 'EXE_STACK_IMPACT',
p_recommendation => 'Disable code execution on the user stack.',
p_recommendation_nlsid => 'EXE_STACK_RECOMM',
p_violation_level => MGMT_GLOBAL.G_SEVERITY_WARNING,
p_condition_type => MGMT_GLOBAL.G_CONDITION_SQL,
p_condition => ':status = ''enabled''',
p_message => 'The host is in an insecure state. Executable code on the user stack is enabled.',
p_message_nlsid => 'EXE_STACK_MESG',
p_start_type_meta_ver => l_10gR1_host_meta_ver,
p_cs_consider_percentage => MGMT_GLOBAL.G_TRUE,
p_dflt_param_val_list => l_defaultSettingsList,
p_viol_ctxt_list => l_ctxList
);
COMMIT ;
l_metric_column_list := MGMT_METRIC_COLUMN_ARRAY(
MGMT_METRIC_COLUMN_OBJ.NEW(
p_column_name => 'port',
p_column_type => MGMT_GLOBAL.G_METRIC_TYPE_NUMBER,
p_is_key => MGMT_GLOBAL.G_TRUE,
p_column_label => 'Port Number',
p_column_label_nlsid =>'PORT_COL'),
MGMT_METRIC_COLUMN_OBJ.NEW(
p_column_name => 'dummy',
p_column_type => MGMT_GLOBAL.G_METRIC_TYPE_STRING,
p_is_key => MGMT_GLOBAL.G_FALSE,
p_column_label => 'Dummy',
p_column_label_nlsid =>'DUMMY_COL'));
MGMT_METRIC.CREATE_METRIC(
p_target_type => ESM.HOST_TARGET_TYPE,
p_metric_name => 'openPortsRep',
p_type_meta_ver => l_10gR1_host_meta_ver,
p_valid_if_list => NULL,
p_metric_type => l_metric_type,
p_usage_type => MGMT_GLOBAL.G_USAGE_HIDDEN_COLLECT,
p_metric_label => 'Open Ports',
p_metric_label_nlsid => 'OPEN_PORT_METRIC_LABEL',
p_description => 'Collect the information of TCP/UDP open ports',
p_description_nlsid => 'OPEN_PORT_METRIC_DESC',
p_is_repository => MGMT_GLOBAL.G_TRUE,
p_author => 'ORACLE',
p_source_type => MGMT_GLOBAL.G_METRIC_SOURCE_QUERY,
p_source => 'SELECT target_guid, TO_NUMBER(value) as port,value as dummy '
||'FROM esm_collection_latest '
||'WHERE property=''port''',
p_snapshot_name_list => l_snapshot_list,
p_metric_column_list =>l_metric_column_list
);
COMMIT ;
l_ctxList := MGMT_VIOL_CTXT_DEF_ARRAY(
MGMT_VIOL_CTXT_DEF.NEW(
p_metric_column => 'port'));
l_paramDefList := MGMT_POLICY_PARAM_DEF_ARRAY(
MGMT_POLICY_PARAM_DEF(
param_name => 'DFLT_PORT',
param_name_nlsid => 'DFLT_PORT_PNAME',
param_type => MGMT_POLICY.G_PARAM_TYPE_NUMBER));
l_defaultParamValList := MGMT_POLICY_PARAM_VAL_ARRAY(
MGMT_POLICY_PARAM_VAL.NEW(
p_param_name => 'DFLT_PORT',
p_crit_threshold => '32768'));
l_defaultSettingsList := MGMT_POLICY_KEY_VAL_ARRAY(
MGMT_POLICY_KEY_VAL.NEW(
p_importance => MGMT_GLOBAL.G_IMPORTANCE_NORMAL,
p_param_values => l_defaultParamValList));
ESM.CREATE_POLICY(
p_target_type => ESM.HOST_TARGET_TYPE,
p_policy_name =>'Open_ports', --Policy name
p_metric_name =>'openPortsRep', --Metric name
p_policy_label_nlsid =>'OPEN_PORTS_NAME',
p_description =>'Ensure that no unintended ports are left open', -- Text description of test
p_description_nlsid =>'OPEN_PORTS_DESC',
p_impact =>'Open ports may allow a malicious user to take over the host.',-- Text description of impact of violation
p_impact_nlsid =>'OPEN_PORTS_IMPACT',
p_recommendation =>'Do not open insecure ports.',
p_recommendation_nlsid =>'OPEN_PORTS_RECOMM',
p_violation_level =>MGMT_GLOBAL.G_SEVERITY_CRITICAL,
p_condition_type => MGMT_GLOBAL.G_CONDITION_SQL,
p_condition => 'to_number(:port) < :DFLT_PORT', -- Further filter using port
p_message =>'The host is in an insecure state. Port %port% is open.',
p_message_nlsid => 'OPEN_PORTS_MESG',
p_start_type_meta_ver => l_10gR1_host_meta_ver,
p_cs_consider_percentage => MGMT_GLOBAL.G_TRUE,
p_policy_param_list => l_paramDefList,
p_dflt_param_val_list => l_defaultSettingsList,
p_viol_ctxt_list => l_ctxList
);
COMMIT ;
l_metric_column_list := MGMT_METRIC_COLUMN_ARRAY(
MGMT_METRIC_COLUMN_OBJ.NEW(
p_column_name => 'service',
p_column_type => MGMT_GLOBAL.G_METRIC_TYPE_STRING,
p_is_key => MGMT_GLOBAL.G_TRUE,
p_column_label => 'Service Name',
p_column_label_nlsid =>'SERVICE_COL'),
MGMT_METRIC_COLUMN_OBJ.NEW(
p_column_name => 'dummy',
p_column_type => MGMT_GLOBAL.G_METRIC_TYPE_STRING,
p_is_key => MGMT_GLOBAL.G_FALSE,
p_column_label => 'Dummy',
p_column_label_nlsid =>'DUMMY_COL'));
MGMT_METRIC.CREATE_METRIC(
p_target_type => ESM.HOST_TARGET_TYPE,
p_metric_name => 'insecureServicesRep',
p_type_meta_ver =>l_10gR1_host_meta_ver,
p_valid_if_list => NULL,
p_metric_type => l_metric_type,
p_usage_type => MGMT_GLOBAL.G_USAGE_HIDDEN_COLLECT,
p_metric_label => 'Insecure Services',
p_metric_label_nlsid => 'INSEC_SERV_METRIC_LABEL',
p_description => 'Collect the information of those services which are running from the hard coded list of service names',
p_description_nlsid => 'INSEC_SERV_METRIC_DESC',
p_is_repository => MGMT_GLOBAL.G_TRUE ,
p_author => 'ORACLE',
p_source_type => MGMT_GLOBAL.G_METRIC_SOURCE_QUERY,
p_source => 'SELECT target_guid , value as service, value as dummy '
||'FROM esm_collection_latest '
||'WHERE property=''service''',
p_snapshot_name_list => l_snapshot_list,
p_metric_column_list =>l_metric_column_list
);
COMMIT ;
l_ctxList := MGMT_VIOL_CTXT_DEF_ARRAY(
MGMT_VIOL_CTXT_DEF.NEW(
p_metric_column => 'service'));
l_defaultSettingsList := MGMT_POLICY_KEY_VAL_ARRAY(
MGMT_POLICY_KEY_VAL.NEW(
p_importance => MGMT_GLOBAL.G_IMPORTANCE_NORMAL));
ESM.CREATE_POLICY(
p_target_type => ESM.HOST_TARGET_TYPE ,
p_policy_name =>'Insecure_Services', --Policy name
p_metric_name =>'insecureServicesRep', --Metric name
p_policy_label_nlsid =>'INSEC_SERV_NAME',
p_description =>'Ensure that there are no insecure services (for example, telnet and ftp) running on the server',
p_description_nlsid =>'INSEC_SERV_DESC',
p_impact =>'Insecure services may allow a malicious user to take over the host.',
p_impact_nlsid =>'INSEC_SERV_DESC',
p_recommendation =>'Do not run insecure services.',
p_recommendation_nlsid =>'INSEC_SERV_RECOMM',
p_violation_level =>MGMT_GLOBAL.G_SEVERITY_WARNING,
p_condition_type =>MGMT_GLOBAL.G_CONDITION_SQL,
p_condition =>'rownum > 0',--check for existence of a row
p_message =>'The host is in an insecure state. The insecure service %service% is running on the host.',
p_message_nlsid =>'INSEC_SERV_MESG',
p_start_type_meta_ver =>l_10gR1_host_meta_ver,
p_cs_consider_percentage =>MGMT_GLOBAL.G_TRUE,
p_dflt_param_val_list =>l_defaultSettingsList,
p_viol_ctxt_list =>l_ctxList
);
COMMIT ;
l_valid_if_list := MGMT_VALIDIF_ARRAY(
MGMT_VALIDIF_OBJ.NEW(
p_catprop_1_choices => MGMT_CATEGORY_PROP_ARRAY('Windows'))
);
l_metric_column_list := MGMT_METRIC_COLUMN_ARRAY(
MGMT_METRIC_COLUMN_OBJ.NEW(
p_column_name => 'filesystem',
p_column_type => MGMT_GLOBAL.G_METRIC_TYPE_STRING,
p_is_key => MGMT_GLOBAL.G_FALSE,
p_column_label => 'File System',
p_column_label_nlsid =>'FILE_SYS_COL'));
MGMT_METRIC.CREATE_METRIC(
p_target_type => ESM.HOST_TARGET_TYPE,
p_metric_name => 'fileSystemTypeRep',
p_type_meta_ver => ESM.HOST_TYPE_META_VERSION,
p_valid_if_list => l_valid_if_list,
p_metric_type => l_metric_type,
p_usage_type => MGMT_GLOBAL.G_USAGE_HIDDEN_COLLECT,
p_metric_label => 'File System Type',
p_metric_label_nlsid => 'FILE_SYS_TYPE_METRIC_LABEL',
p_description => 'Collect the information file system type on windows',
p_description_nlsid => 'FILE_SYS_TYPE_METRIC_DESC',
p_is_repository => MGMT_GLOBAL.G_TRUE,
p_author => 'ORACLE',
p_source_type => MGMT_GLOBAL.G_METRIC_SOURCE_QUERY,
p_source => 'SELECT target_guid , value as filesystem '
||'FROM esm_collection_latest '
||'WHERE property=''file_system_type''',
p_snapshot_name_list => l_snapshot_list,
p_metric_column_list =>l_metric_column_list
);
COMMIT ;
l_ctxList := MGMT_VIOL_CTXT_DEF_ARRAY(
MGMT_VIOL_CTXT_DEF.NEW(
p_metric_column => 'filesystem'));
l_defaultSettingsList := MGMT_POLICY_KEY_VAL_ARRAY(
MGMT_POLICY_KEY_VAL.NEW(
p_importance => MGMT_GLOBAL.G_IMPORTANCE_NORMAL));
ESM.CREATE_POLICY(
p_target_type => ESM.HOST_TARGET_TYPE,
p_policy_name =>'NTFS_File_System', --Policy name
p_metric_name =>'fileSystemTypeRep', --Metric name
p_policy_label_nlsid =>'FILE_SYS_TYPE_NAME',
p_description =>'Ensure that the file system on a Windows operating system uses NTFS',
p_description_nlsid =>'FILE_SYS_TYPE_DESC',
p_impact =>'Other than NTFS, file systems on Windows platforms may have serious security risks.',
p_impact_nlsid =>'FILE_SYS_TYPE_IMPACT',
p_recommendation =>'On Windows operating systems, it is strongly recommended to use NTFS as the file system.',
p_recommendation_nlsid =>'FILE_SYS_TYPE_RECOMM',
p_violation_level =>MGMT_GLOBAL.G_SEVERITY_CRITICAL,
p_condition_type =>MGMT_GLOBAL.G_CONDITION_SQL,
p_condition =>'rownum > 0',
p_message =>'The host is in an insecure state. NTFS is not configured on the Windows operating system.',
p_message_nlsid =>'FILE_SYS_TYPE_MESG',
p_start_type_meta_ver => ESM.HOST_TYPE_META_VERSION,
p_cs_consider_percentage => MGMT_GLOBAL.G_TRUE,
p_dflt_param_val_list => l_defaultSettingsList,
p_viol_ctxt_list => l_ctxList
);
COMMIT ;
END;
/
show errors ;