STIGQter: STIG Summary: Oracle Database 11.2g Security Technical Implementation Guide Version: 1 Release: 17 Benchmark Date: 24 Jan 2020: Access to external executables must be disabled or restricted.

DISA Rule

SV-74571r2_rule

Vulnerability Number

V-60141

Group Title

SRG-APP-000141-DB-000093

Rule Version

O112-C2-011810

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

If the use of external procedure agent is required, then authorize and document the requirement in the System Security Plan.

If the external procedure agent must be accessible to the Oracle listener, then specify this and authorize it in the System Security Plan.

If use of the Oracle External Procedure agent is not required:

- Stop the Oracle Listener process
- Remove all references to extproc in the listener.ora and tnsnames.ora files
- Alter the permissions on the executable files:

UNIX - Remove read/write/execute permissions from owner, group and world
Windows - Remove Groups/Users from the executable (except groups SYSTEM and ADMINISTRATORS) and allow READ [only] for SYSTEM and ADMINISTRATORS groups

If required:

- Restrict extproc execution to only authorized applications.
- Specify EXTPROC_DLLS=ONLY: [list of authorized DLLS] in the extproc.ora and the listener.ora files
- Create a separate, dedicated listener for use by the external procedure agent

Please see the Oracle Net Services Administrators Guides, External Procedures section for detailed configuration information.

Check Contents

Review the System Security Plan to determine if the use of the external procedure agent is authorized.

Review the ORACLE_HOME/bin directory or search the ORACLE_BASE path for the executable extproc (UNIX) or extproc.exe (Windows).

If the external procedure agent is not authorized for use in the System Security Plan and the executable file does not exist or is restricted, this is not a finding.

If the external procedure agent is not authorized for use in the System Security Plan and the executable file exists and is not restricted, this is a finding.

If use of the external procedure agent is authorized, ensure extproc is restricted to execution of authorized applications.

External jobs are run using the account nobody by default.

Review the contents of the file ORACLE_HOME/rdbms/admin/externaljob.ora for the lines run_user= and run_group=.

If the user assigned to these parameters is not "nobody", this is a finding.

For versions 11.1 and later, the external procedure agent (extproc executable) is available directly from the database and does not require definition in the listener.ora file for use.

Review the contents of the file ORACLE_HOME/hs/admin/extproc.ora.

If external processes are allowed, but the file does not exist, this is a finding.

If the following entry does not appear in the file, this is a finding:

EXTPROC_DLLS=ONLY:[dll full file name1]:[dll full file name2]:...

[dll full file name] represents a full path and file name.

This list of file names is separated by ":".

If "ONLY" is specified, then the list is restricted to allow execution of only the DLLs specified in the list and is not a finding.

If "ANY" is specified, then there are no restrictions for execution except what is controlled by operating system permissions and is a finding.

If no specification is made, any files located in the %ORACLE_HOME%\bin directory on Windows systems or $ORACLE_HOME/lib directory on UNIX systems can be executed (the default) and is a finding.

Ensure that EXTPROC is not accessible from the listener.

Review the listener.ora file. If any entries reference "extproc", this is a finding.

Determine if the external procedure agent is in use per Oracle 10.x conventions.

Review the listener.ora file.

If any entries reference "extproc", then the agent is in use.

If external procedure agent is not authorized for use in the System Security Plan and references to "extproc" exist, this is a finding.

Sample listener.ora entries with extproc included:

LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 1521))
  )
EXTLSNR =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC))
  )
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (GLOBAL_DBNAME = ORCL)
      (ORACLE_HOME = /home/oracle/app/oracle/product/11.1.0/db_1)
      (SID_NAME = ORCL)
    )
  )
SID_LIST_EXTLSNR =
  (SID_LIST =
    (SID_DESC =
      (PROGRAM = extproc)
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = /home/oracle/app/oracle/product/11.1.0/db_1)
      (ENVS="EXTPROC_DLLS=ONLY:/home/app1/app1lib.so:/home/app2/app2lib.so,
LD_LIBRARY_PATH=/private/app2/lib:/private/app1,
MYPATH=/usr/fso:/usr/local/packages")
    )
  )

Sample tnsnames.ora entries with extproc included:

ORCL =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = ORCL)
    )
  )
EXTPROC_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = IPC)(KEY = extproc))
    )
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = PLSExtProc)
    )
  )

If EXTPROC is in use, confirm that a listener is dedicated to serving the external procedure agent (as shown above).

View the protocols configured for the listener.

For the listener to be dedicated, the only entries will be to specify extproc.

If there is not a dedicated listener in use for the external procedure agent, this is a finding.

If the PROTOCOL= specified is other than IPC, this is a finding.

Verify that extproc is restricted to executing authorized external applications only.

Review the listener.ora file.

If the following entry does not exist, this is a finding:

EXTPROC_DLLS=ONLY:[dll full file name1]:[dll full file name2]:...

[dll full file name] represents a full path and file name. This list of file names is separated by ":".

If "ONLY" is specified, then the list is restricted to allow execution of only the DLLs specified in the list and is not a finding.

If "ANY" is specified, then there are no restrictions for execution except what is controlled by operating system permissions and is a finding.

If no specification is made, any files located in the %ORACLE_HOME%\bin directory on Windows systems or $ORACLE_HOME/lib directory on UNIX systems can be executed (the default) and is a finding.

View the listener.ora file (usually in ORACLE_HOME/network/admin or directory specified by the TNS_ADMIN environment variable).

If multiple listener processes are running, then the listener.ora file for each must be viewed.

For each process, determine the directory specified in the ORACLE_HOME or TNS_ADMIN environment variable defined for the process account to locate the listener.ora file.
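The following is an added audit helper, not part of the STIG or of STIGQter, that automates the listener.ora part of this check: it parses the Oracle Net parameter syntax shown in the samples above, finds every SID_DESC whose PROGRAM is extproc, and reports the listener's PROTOCOL if it is not IPC and its EXTPROC_DLLS value if it is not ONLY:<list>; extproc_dlls_status also classifies the EXTPROC_DLLS line from an extproc.ora (11.1+ convention), treating a missing setting as the insecure default. The function names and the SAMPLE_LISTENER_ORA text are constructed for this example, and the colon-separated list assumes the UNIX path form described above.

```python
import re
_TOK = re.compile(r'\(|\)|=|"[^"]*"|[^\s()=]+')   # parens, '=', quoted string, bare word

def parse_ora(text):
    """Parse Oracle Net NAME = (KEY = VALUE ...) syntax into nested (KEY, VALUE) lists."""
    toks, pos = _TOK.findall(re.sub(r"#.*", "", text)), 0
    def pairs(wrapped):                              # KEY = VALUE ...; parenthesised if wrapped
        nonlocal pos
        items = []
        while pos < len(toks) and (not wrapped or toks[pos] == "("):
            key, pos = toks[pos + wrapped].upper(), pos + 2 + wrapped   # ['('] KEY '='
            if toks[pos] == "(":                     # nested group of pairs
                val = pairs(1)
            else:                                    # scalar, quotes stripped
                val, pos = toks[pos].strip('"'), pos + 1
            items.append((key, val))
            pos += wrapped                           # closing ')'
        return items
    return pairs(0)

def walk(node):                                      # every (key, value) pair at any depth
    for key, val in node:
        yield from [(key, val)] + (list(walk(val)) if isinstance(val, list) else [])

def extproc_dlls_status(setting):
    """ONLY:<list> is the allowlist the STIG requires; ANY or no setting (None) is a finding."""
    mode, _, rest = (setting or "DEFAULT").strip().partition(":")
    return mode.upper(), ([p for p in rest.split(":") if p] if mode.upper() == "ONLY" else [])

def audit_listener(text):
    """Findings for one listener.ora per the STIG (10.x convention); [] means compliant."""
    entries, findings = dict(parse_ora(text)), []
    ext = [(n[9:], dict(v)) for n, b in entries.items() if n.startswith("SID_LIST_")
           for k, v in walk(b) if k == "SID_DESC"    # n[9:] drops the "SID_LIST_" prefix
           if dict(v).get("PROGRAM", "").lower() == "extproc"]
    for lsnr, d in ext:
        protos = [v for k, v in walk(entries.get(lsnr, [])) if k == "PROTOCOL"]
        if not protos or any(p.upper() != "IPC" for p in protos):
            findings.append(f"{lsnr}: PROTOCOL {protos} is not IPC")
        m = re.search(r"EXTPROC_DLLS=([^,]*)", d.get("ENVS", ""))
        mode, _ = extproc_dlls_status(m.group(1) if m else None)
        if mode != "ONLY":
            findings.append(f"{lsnr}: EXTPROC_DLLS is {mode}, not ONLY:<allowlist>")
    return findings

# Constructed sample: an extproc listener on TCP with EXTPROC_DLLS=ANY (two findings).
SAMPLE_LISTENER_ORA = """EXTLSNR = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 1526)))
SID_LIST_EXTLSNR = (SID_LIST = (SID_DESC = (PROGRAM = extproc)(SID_NAME = PLSExtProc)
  (ENVS = "EXTPROC_DLLS=ANY,LD_LIBRARY_PATH=/private/app1")))
"""
```

Run audit_listener over each listener.ora located via ORACLE_HOME/network/admin or TNS_ADMIN; the STIG's own sample above yields no findings, while SAMPLE_LISTENER_ORA yields two.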

Vulnerability Number

V-60141

Documentable

False

Rule Version

O112-C2-011810

Severity Override Guidance

Check Content Reference

M

Target Key

2669

Comments