Top STIG – Part 1 (Local Authentication)


A couple of weeks ago I posted a list of all 199 Oracle 12c Database STIG controls, arranged by major security category. One of the two most important categories, and the one that contains the most “CAT I”, or Category One (most severe, high risk) vulnerabilities, is “Hardening and Patching”. This category, along with the “Database Access” controls, protects your database from external threats such as compromise of the operating system or database software, network session hijacking or interception, and the theft or loss of data files.

In this post I’m going to start going over the CAT I vulnerabilities in a little more detail. Here are the first two, which relate to database initialization parameters and authentication.

V-61425 and V-61427: The Oracle REMOTE_OS_AUTHENT and REMOTE_OS_ROLES parameters must be set to FALSE

Setting REMOTE_OS_AUTHENT to TRUE allows operating system authentication over an unsecured connection. Trusting remote operating systems can allow a user to impersonate another operating system user and connect to the database without having to supply a password. If REMOTE_OS_AUTHENT is set to true, the only information a remote user needs to connect to the database is the name of any user whose account is set up to be authenticated by the operating system.

Setting REMOTE_OS_ROLES to TRUE allows operating system groups to control Oracle roles. The default value of FALSE causes roles to be identified and managed by the database. If REMOTE_OS_ROLES is set to TRUE, a remote user could impersonate another operating system user over a network connection.

Oracle Database 12c Security Technical Implementation Guide :: Release: 16 Benchmark Date: 24 Jan 2020

The point of locking down these parameters is that a database should never delegate the authentication or authorization of its users to a remote operating system, because that operating system could be manipulated or compromised. If these parameters were set inappropriately, an attacker could simply configure his own client to present the operating system user name of a privileged account and connect to the database without a password.

Any security plan that calls for these parameters to be set to “true” should be seriously questioned in today’s interconnected, networked world. The good news is that in Oracle 12c and beyond both parameters are FALSE by default. You can use the “show parameter” command as a DBA user in SQL*Plus to confirm.

SQL> show parameter remote_os

NAME                                 TYPE        VALUE
------------------------------------ ----------- ----------
remote_os_authent                    boolean     FALSE
remote_os_roles                      boolean     FALSE

If you need to reset them, use the following commands:

alter system set remote_os_authent = FALSE scope = spfile;
alter system set remote_os_roles = FALSE scope = spfile;

Both parameters are static (they cannot be changed in memory with scope = memory or scope = both), which is why the change is written to the spfile. It will not take effect until the database is restarted.
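A scriptable version of the same check, as an added example that is not part of the original post. The query it sends to SQL*Plus reads the two parameters from v$parameter and, as supporting information, lists the accounts in dba_users that are authenticated externally (authentication_type = 'EXTERNAL'); those are the accounts a forged remote OS identity would target if REMOTE_OS_AUTHENT were TRUE. The live wrapper assumes a local SYSDBA connection with ORACLE_HOME and ORACLE_SID already set; the sample outputs are constructed to mirror the query's output format.

```shell
#!/bin/sh
# Added example (not from the original post): evaluate V-61425 / V-61427 from
# SQL*Plus output. check_remote_os_live runs the query for real; the samples
# at the bottom are constructed so the check can be exercised offline.

# The query a live run pipes into SQL*Plus. One "name VALUE" line per
# parameter, then one "os_authenticated_user NAME" line per external account.
remote_os_sql() {
    cat <<'EOF'
SET PAGESIZE 0 FEEDBACK OFF HEADING OFF
SELECT name || ' ' || UPPER(value) FROM v$parameter
 WHERE name IN ('remote_os_authent', 'remote_os_roles');
SELECT 'os_authenticated_user ' || username FROM dba_users
 WHERE authentication_type = 'EXTERNAL';
EXIT
EOF
}

# check_remote_os OUTPUT: OUTPUT is the text produced by remote_os_sql.
# Prints one PASS/FAIL line per parameter and returns 0 only when both are
# FALSE. A parameter missing from the output is treated as a failure, so a
# truncated or errored SQL*Plus run cannot pass by accident.
check_remote_os() {
    output=$1
    rc=0
    for p in remote_os_authent remote_os_roles; do
        v=$(printf '%s\n' "$output" | awk -v p="$p" '$1 == p { print $2; exit }')
        if [ "$v" = "FALSE" ]; then
            echo "PASS $p=FALSE"
        else
            echo "FAIL $p=${v:-MISSING} (expected FALSE)"
            rc=1
        fi
    done
    # Informational only: externally authenticated accounts are not a finding
    # by themselves, but they are the exposure if REMOTE_OS_AUTHENT is TRUE.
    printf '%s\n' "$output" | awk '$1 == "os_authenticated_user" { print "INFO external account " $2 }'
    return $rc
}

# Live run (assumption: local SYSDBA login works, ORACLE_HOME/ORACLE_SID set).
check_remote_os_live() {
    check_remote_os "$(remote_os_sql | sqlplus -s / as sysdba)"
}

# Constructed sample outputs: a compliant database and one with
# REMOTE_OS_AUTHENT turned on.
SAMPLE_REMOTE_OS_GOOD='remote_os_authent FALSE
remote_os_roles FALSE
os_authenticated_user OPS$OSUSER'

SAMPLE_REMOTE_OS_BAD='remote_os_authent TRUE
remote_os_roles FALSE'

check_remote_os "$SAMPLE_REMOTE_OS_GOOD"
check_remote_os "$SAMPLE_REMOTE_OS_BAD" || echo "V-61425/V-61427 finding on sample"
```

Replace the last two lines with a call to check_remote_os_live to run it against a real instance; the exit status makes it usable from a cron job or a configuration-management check.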

V-61441: The Oracle Listener must be configured to require administration authentication

The third CAT I in our countdown is related to the Oracle Listener configuration.

Oracle listener authentication helps prevent unauthorized administration of the Oracle listener. Unauthorized administration of the listener could lead to Denial of Service (DoS) exploits; loss of connection audit data, unauthorized reconfiguration or other unauthorized access.

Oracle Database 12c Security Technical Implementation Guide :: Release: 16 Benchmark Date: 24 Jan 2020

From a command prompt as the Oracle software owner account, run “lsnrctl status”:

$ lsnrctl status

LSNRCTL for Linux: Version 12.1.0.2.0 - Production on 06-APR-2020 23:26:17

Copyright (c) 1991, 2014, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 12.1.0.2.0 - Production
Start Date                06-APR-2020 23:26:19
Uptime                    2 days 23 hr. 5 min. 36 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u01/app/oracle/product/12.1.0/dbhome_1/network/admin/listener.ora
Listener Log File         /u01/app/oracle/diag/tnslsnr/localhost/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=localhost)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=localhost)(PORT=5500))(Security=(my_wallet_directory=/u01/app/oracle/admin/cdb0/xdb_wallet))(Presentation=HTTP)(Session=RAW))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=localhost)(PORT=55000))(Security=(my_wallet_directory=/u01/app/oracle/admin/cdb0/xdb_wallet))(Presentation=HTTP)(Session=RAW))
Services Summary...
Service "cdb0.pmdba.net" has 1 instance(s).
  Instance "cdb0", status READY, has 1 handler(s) for this service...
Service "cdb0XDB.pmdba.net" has 1 instance(s).
  Instance "cdb0", status READY, has 1 handler(s) for this service...
Service "pdb0.pmdba.net" has 1 instance(s).
  Instance "cdb0", status READY, has 1 handler(s) for this service...
Service "pdb1.pmdba.net" has 1 instance(s).
  Instance "cdb0", status READY, has 1 handler(s) for this service...
The command completed successfully

The “Security” line should read “ON: Local OS Authentication”, meaning that only the operating system account that started the listener (normally the Oracle software owner) can stop or reconfigure it. Any other value is a violation: “OFF” means anyone who can reach the listener port can administer it, and “ON: Password or Local OS Authentication” means a listener password has been configured in listener.ora, which was the pre-10g way of protecting the listener. Local OS authentication is switched off only by an explicit LOCAL_OS_AUTHENTICATION_<listener_name> = OFF entry in listener.ora, so that file is worth checking as well. The good news is that, like the remote OS initialization parameters in the previous two items, appropriate listener security is enabled by default in Oracle 12c and up.
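The same check in script form, as an added example that is not part of the original post. It evaluates the “Security” line of “lsnrctl status” output and scans listener.ora for an entry that switches local OS authentication off. The live wrapper assumes the listener alias is LISTENER and that listener.ora lives at $ORACLE_HOME/network/admin/listener.ora; the status output and listener.ora fragments at the bottom are constructed, trimmed-down versions of what the page shows.

```shell
#!/bin/sh
# Added example (not from the original post): evaluate V-61441 from the text
# of "lsnrctl status" and from listener.ora. Functions take their input as an
# argument or on stdin so they can be exercised on constructed samples.

# check_listener_status OUTPUT: pass only when the Security line reads exactly
# "ON: Local OS Authentication". "OFF" means remote, unauthenticated
# administration; "ON: Password or Local OS Authentication" means a listener
# password is configured. Both are reported as failures, as the STIG requires.
check_listener_status() {
    sec=$(printf '%s\n' "$1" |
          sed -n 's/^Security[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' |
          head -n 1)
    case "$sec" in
        "ON: Local OS Authentication")
            echo "PASS listener security: $sec"
            return 0 ;;
        "")
            echo "FAIL no Security line found in lsnrctl status output"
            return 1 ;;
        *)
            echo "FAIL listener security: $sec"
            return 1 ;;
    esac
}

# check_listener_ora < listener.ora: fail if any listener has local OS
# authentication explicitly disabled (LOCAL_OS_AUTHENTICATION_<alias> = OFF).
# The parameter defaults to ON, so a file without the entry passes.
check_listener_ora() {
    bad=$(grep -iE '^[[:space:]]*LOCAL_OS_AUTHENTICATION_[A-Za-z0-9_]+[[:space:]]*=[[:space:]]*OFF' || true)
    if [ -n "$bad" ]; then
        echo "FAIL listener.ora disables local OS authentication:"
        echo "$bad"
        return 1
    fi
    echo "PASS listener.ora does not disable local OS authentication"
}

# Live run (assumptions: lsnrctl on PATH, default listener.ora location).
check_listener_live() {
    check_listener_status "$(lsnrctl status)" &&
    check_listener_ora <"${ORACLE_HOME:?ORACLE_HOME not set}/network/admin/listener.ora"
}

# Constructed samples.
SAMPLE_STATUS_OK='STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 12.1.0.2.0 - Production
Security                  ON: Local OS Authentication
SNMP                      OFF'

SAMPLE_STATUS_PASSWORD='Alias                     LISTENER
Security                  ON: Password or Local OS Authentication'

SAMPLE_STATUS_OFF='Alias                     LISTENER
Security                  OFF'

SAMPLE_ORA_OK='LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))
    )
  )'

# Constructed violation: the entry below turns local OS authentication off.
SAMPLE_ORA_BAD="$SAMPLE_ORA_OK
LOCAL_OS_AUTHENTICATION_LISTENER = OFF"

check_listener_status "$SAMPLE_STATUS_OK"
check_listener_status "$SAMPLE_STATUS_PASSWORD" || echo "V-61441 finding on sample"
printf '%s\n' "$SAMPLE_ORA_OK" | check_listener_ora
printf '%s\n' "$SAMPLE_ORA_BAD" | check_listener_ora || echo "V-61441 finding on sample"
```

On a real host, call check_listener_live instead of the sample runs; it returns non-zero on either a bad Security line or an explicit OFF in listener.ora, so it slots into the same compliance job as the parameter check.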
