A couple of weeks ago I posted a list of all 199 Oracle 12c Database STIG controls, arranged by major security category. One of the two most important categories, and the one that contains the most “CAT I”, or Category One (most severe, high risk) vulnerabilities, is “Hardening and Patching”. This category, along with “Database Access” controls, protect your database from external threats like hacks of the operating system and database software, network session hijacking or interception, or the theft of loss of data files.
In this post I’m going to start going over the CAT I vulnerabilities in a little more detail. Here are the first two, which relate to database initialization parameters and authentication.
V-61425 and V-61427: The Oracle REMOTE_OS_AUTHENT and REMOTE_OS_ROLES parameters must be set to FALSE
Setting REMOTE_OS_AUTHENT to TRUE allows operating system authentication over an unsecured connection. Trusting remote operating systems can allow a user to impersonate another operating system user and connect to the database without having to supply a password. If REMOTE_OS_AUTHENT is set to true, the only information a remote user needs to connect to the database is the name of any user whose account is setup to be authenticated by the operating system.
Setting REMOTE_OS_ROLES to TRUE allows operating system groups to control Oracle roles. The default value of FALSE causes roles to be identified and managed by the database. If REMOTE_OS_ROLES is set to TRUE, a remote user could impersonate another operating system user over a network connection.Oracle Database 12c Security Technical Implementation Guide :: Release: 16 Benchmark Date: 24 Jan 2020
The point of these locking down these parameters is that no database should trust its ability to authenticate or authorize users to a remote operating system that could potentially be manipulated or hacked. For instance, if these parameters were set inappropriately a hacker could even configure his own client to identify a user with elevated privileges and connect to the database.
Any security plan that calls for these parameters to be set to “true” should be seriously questioned in today’s interconnected, networked world. The good news is that in Oracle 12c and beyond these settings should be set correctly by default. You can use the “show parameter” command as a DBA user in SQL*Plus to confirm.
SQL> show parameter remote_os NAME TYPE VALUE ------------------------------------ ----------- ---------- remote_os_authent boolean FALSE remote_os_roles boolean FALSE
If you need to reset them, use the following commands:
alter system set remote_os_authent = FALSE scope = spfile; alter system set remote_os_roles = FALSE scope = spfile;
Changes will not take affect until the database is restarted.
V-61441: The Oracle Listener must be configured to require administration authentication
The third CAT I in our countdown is related to the Oracle Listener configuration.
Oracle listener authentication helps prevent unauthorized administration of the Oracle listener. Unauthorized administration of the listener could lead to Denial of Service (DoS) exploits; loss of connection audit data, unauthorized reconfiguration or other unauthorized access.Oracle Database 12c Security Technical Implementation Guide :: Release: 16 Benchmark Date: 24 Jan 2020
From a command prompt as the Oracle software owner account, run “lsnrctl status”:
$ lsnrctl status LSNRCTL for Linux: Version 18.104.22.168.0 - Production on 06-APR-2020 23:26:17 Copyright (c) 1991, 2014, Oracle. All rights reserved. Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))) STATUS of the LISTENER ------------------------ Alias LISTENER Version TNSLSNR for Linux: Version 22.214.171.124.0 - Production Start Date 06-APR-2020 23:26:19 Uptime 2 days 23 hr. 5 min. 36 sec Trace Level off Security ON: Local OS Authentication SNMP OFF Listener Parameter File /u01/app/oracle/product/12.1.0/dbhome_1/network/admin/listener.ora Listener Log File /u01/app/oracle/diag/tnslsnr/localhost/listener/alert/log.xml Listening Endpoints Summary... (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=localhost)(PORT=1521))) (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521))) (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=localhost)(PORT=5500))(Security=(my_wallet_directory=/u01/app/oracle/admin/cdb0/xdb_wallet))(Presentation=HTTP)(Session=RAW)) (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=localhost)(PORT=55000))(Security=(my_wallet_directory=/u01/app/oracle/admin/cdb0/xdb_wallet))(Presentation=HTTP)(Session=RAW)) Services Summary... Service "cdb0.pmdba.net" has 1 instance(s). Instance "cdb0", status READY, has 1 handler(s) for this service... Service "cdb0XDB.pmdba.net" has 1 instance(s). Instance "cdb0", status READY, has 1 handler(s) for this service... Service "pdb0.pmdba.net" has 1 instance(s). Instance "cdb0", status READY, has 1 handler(s) for this service... Service "pdb1.pmdba.net" has 1 instance(s). Instance "cdb0", status READY, has 1 handler(s) for this service... The command completed successfully
The setting for “Security” should return “ON: Local OS Authentication”. Any other setting is a violation. The good news is that like the remote OS initialization parameters in the previous two items, appropriate listener security is enabled by default in Oracle 12c and up.