STIGQter: STIG Summary: Oracle Database 11.2g Security Technical Implementation Guide, Version 1, Release 17, Benchmark Date 24 Jan 2020: The DBMS must support the disabling of network protocols deemed by the organization to be non-secure.

DISA Rule

SV-66563r1_rule

Vulnerability Number

V-52347

Group Title

SRG-APP-000020-DB-000194

Rule Version

O112-C2-001700

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Disable any network protocol listed as non-secure in the PPSM documentation.

To disable a protocol deemed not secure, stop the listener by issuing the following command as the Oracle software owner (typically the oracle OS account):
$ lsnrctl stop
This stops the listener. Edit the LISTENER.ORA file, remove the protocols deemed not secure, and restart the listener.

For example, if TCP were deemed not secure, the listener.ora would need to be changed so that the tcp ADDRESS entry is removed. The listener would then accept only IPC connections.

LISTENER=
  (DESCRIPTION=
    (ADDRESS_LIST=
      (ADDRESS=(PROTOCOL=tcp)(HOST=sale-server)(PORT=1521))   - remove this line and keep the remaining parentheses balanced -
      (ADDRESS=(PROTOCOL=ipc)(KEY=extproc))))
SID_LIST_LISTENER=
  (SID_LIST=
    (SID_DESC=
      (GLOBAL_DBNAME=sales.us.example.com)
      (ORACLE_HOME=/oracle11g)
      (SID_NAME=sales))
    (SID_DESC=
      (SID_NAME=plsextproc)
      (ORACLE_HOME=/oracle11g)
      (PROGRAM=extproc)))

Revise the client-side TNSNAMES.ORA so that the PROTOCOL value in the ADDRESS portion of each connect descriptor matches what the listener now accepts. For example, if TCP were deemed not secure and the listener.ora was changed to listen only for IPC connections, a client entry such as the one below, which still specifies PROTOCOL=tcp, would need its ADDRESS entries revised to match the listener:

net_service_name=
  (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=sales1-svr)(PORT=1521))
    (ADDRESS=(PROTOCOL=tcp)(HOST=sales2-svr)(PORT=1521))
    (CONNECT_DATA=
      (SERVICE_NAME=sales.us.example.com)))

Check Contents

Review the PPSM Technical Assurance List to acquire an up-to-date list of network protocols deemed non-secure.
(For definitive information on Ports, Protocols and Services Management (PPSM), refer to http://iase.disa.mil/ppsm/index.html.)

Review DBMS settings to determine if the database is utilizing any network protocols deemed non-secure. If the DBMS is not using any network protocols deemed non-secure, this is not a finding.

If the database is utilizing protocols specified as non-secure in the PPSM, verify the protocols are explicitly identified in the System Security Plan and that they are in support of specific operational requirements. If they are not identified in the SSP or are not supporting specific operational requirements, this is a finding.

If non-secure network protocols are not being used but are not disabled in the DBMS's configuration, this is a finding.

After determining the site-specific operational requirements and which protocols are explicitly defined in the System Security Plan, check the $TNS_ADMIN setting for the location of the Oracle listener.ora file. The listener.ora file is a configuration file for Oracle Net Listener that identifies the following:
A unique name for the listener, typically LISTENER
A protocol address that it is accepting connection requests on, and
A service it is listening for.

If the listener.ora file shows a PROTOCOL= statement and the PROTOCOL is deemed non-secure, that is a finding.

LISTENER=
  (DESCRIPTION=
    (ADDRESS_LIST=
      (ADDRESS=(PROTOCOL=tcp)(HOST=sale-server)(PORT=1521))
      (ADDRESS=(PROTOCOL=ipc)(KEY=extproc))))
SID_LIST_LISTENER=
  (SID_LIST=
    (SID_DESC=
      (GLOBAL_DBNAME=sales.us.example.com)
      (ORACLE_HOME=/oracle11g)
      (SID_NAME=sales))
    (SID_DESC=
      (SID_NAME=plsextproc)
      (ORACLE_HOME=/oracle11g)
      (PROGRAM=extproc)))
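As an added example (not part of the STIG or of Oracle's tooling), the following POSIX shell script carries out the listener.ora review described above: it locates the file via $TNS_ADMIN (falling back to Oracle's default network/admin path), extracts every PROTOCOL= value, and reports any that appear on a site-supplied list of non-secure protocols. The non-secure list ("tcp nmp") and the sample listener.ora it falls back to are constructed placeholders; the real list comes from the PPSM TAL and the SSP.

```shell
#!/bin/sh
# Added example, not part of the STIG: review a listener.ora the way the check
# describes, reporting any PROTOCOL= value that is on the site's non-secure list.
# The non-secure list comes from the PPSM TAL / SSP; "tcp nmp" below is a placeholder.

# Print every distinct PROTOCOL= value in the file, lowercased (keywords are case-insensitive).
listener_protocols() {
    tr 'A-Z()' 'a-z\n\n' < "$1" | sed -n 's/^ *protocol=\([a-z0-9]*\).*/\1/p' | sort -u
}

# Return 0 (not a finding) when no configured protocol is in the non-secure list,
# otherwise print each offending protocol and return 1 (finding).
check_listener() {
    file="$1"; nonsecure="$2"; rc=0
    for p in $(listener_protocols "$file"); do
        for bad in $nonsecure; do
            if [ "$p" = "$(printf '%s' "$bad" | tr 'A-Z' 'a-z')" ]; then
                echo "FINDING: $file accepts connections over non-secure protocol '$p'"
                rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample with the same shape as the STIG's listener.ora excerpt.
write_sample_listener() {
    cat > "$1" <<'EOF'
LISTENER=
  (DESCRIPTION=
    (ADDRESS_LIST=
      (ADDRESS=(PROTOCOL=tcp)(HOST=sale-server)(PORT=1521))
      (ADDRESS=(PROTOCOL=ipc)(KEY=extproc))))
EOF
}

# Locate the real file as the check directs: $TNS_ADMIN first, then Oracle's default path.
LISTENER_ORA="${TNS_ADMIN:-${ORACLE_HOME:-/nonexistent}/network/admin}/listener.ora"
if [ ! -r "$LISTENER_ORA" ]; then
    LISTENER_ORA=$(mktemp)
    write_sample_listener "$LISTENER_ORA"
    echo "No readable listener.ora found; using constructed sample $LISTENER_ORA"
fi

echo "Protocols configured: $(listener_protocols "$LISTENER_ORA" | tr '\n' ' ')"
if check_listener "$LISTENER_ORA" "tcp nmp"; then
    echo "Not a finding: no non-secure protocols configured."
fi
```

Run it on the database host as the Oracle software owner so $TNS_ADMIN resolves to the listener's real configuration directory.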

Protocol Parameters

The Oracle Listener and the Oracle Connection Manager are identified by protocol addresses. The information below lists the protocol-specific parameters used by Oracle protocol support.

Protocol-Specific Parameters

IPC
  PROTOCOL: Specify ipc as the value.
  KEY: Specify a unique name for the service. Oracle recommends using the service name or SID of the service.
  Example: (PROTOCOL=ipc)(KEY=sales)

Named Pipes
  PROTOCOL: Specify nmp as the value.
  SERVER: Specify the name of the Oracle server.
  PIPE: Specify the pipe name used to connect to the database server. This is the same PIPE keyword specified on the server with Named Pipes. This name can be any name.
  Example: (PROTOCOL=nmp)(SERVER=USDOD)(PIPE=dbpipe01)

SDP
  PROTOCOL: Specify sdp as the value.
  HOST: Specify the host name or IP address of the computer.
  PORT: Specify the listening port number.
  Examples:
  (PROTOCOL=sdp)(HOST=sales-server)(PORT=1521)
  (PROTOCOL=sdp)(HOST=192.168.2.204)(PORT=1521)

TCP/IP
  PROTOCOL: Specify tcp as the value.
  HOST: Specify the host name or IP address of the computer.
  PORT: Specify the listening port number.
  Examples:
  (PROTOCOL=tcp)(HOST=sales-server)(PORT=1521)
  (PROTOCOL=tcp)(HOST=192.168.2.204)(PORT=1521)

TCP/IP with SSL
  PROTOCOL: Specify tcps as the value.
  HOST: Specify the host name or IP address of the computer.
  PORT: Specify the listening port number.
  Examples:
  (PROTOCOL=tcps)(HOST=sales-server)(PORT=2484)
  (PROTOCOL=tcps)(HOST=192.168.2.204)(PORT=2484)

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2669

Comments