SV-237700r667132_rule
V-237700
SRG-APP-000142-DB-000094
O121-C2-001700
CAT II
10
Disable any network protocol listed as nonsecure in the PPSM documentation.
To disable the protocol deemed not secure, stop the listener by issuing the following command as the Oracle Software owner, typically Oracle.
$ lsnrctl stop
This will stop the listener. Edit the LISTENER.ORA file and remove the protocols deemed not secure and restart the listener.
For example, if TCP was deemed as not secure, the listener.ora would need to be changed and the tcp entry would need to be removed. That would only allow the listener to listen for an IPC connection.
LISTENER=
(DESCRIPTION=
(ADDRESS_LIST=
(ADDRESS=(PROTOCOL=tcp)(HOST=sale-server)(PORT=1521)) - remove this line and properly balance the parentheses -
(ADDRESS=(PROTOCOL=ipc)(KEY=extproc))))
SID_LIST_LISTENER=
(SID_LIST=
(SID_DESC=
(GLOBAL_DBNAME=sales.us.example.com)
(ORACLE_HOME=/oracle12c)
(SID_NAME=sales))
(SID_DESC=
(SID_NAME=plsextproc)
(ORACLE_HOME=/oracle12c)
(PROGRAM=extproc)))
Revise the client side TNSNAMES.ORA to align the PROTOCOL value in the PROTOCOL portion of the connect string. For example, if TCP was deemed as not secure and the listener.ora was changed to listen for an IPC connection the code below would be required:
net_service_name=
(DESCRIPTION=
(ADDRESS=(PROTOCOL=tcp)(HOST=sales1-svr)(PORT=1521))
(ADDRESS=(PROTOCOL=tcp)(HOST=sales2-svr)(PORT=1521))
(CONNECT_DATA=
(SERVICE_NAME=sales.us.example.com)))
Review the PPSM Technical Assurance List to acquire an up-to-date list of network protocols deemed nonsecure.
(For definitive information on Ports, Protocols and Services Management (PPSM), refer to http://www.disa.mil/Services/Network-Services/Enterprise-Connections/PPSM)
Review DBMS settings to determine if the database is utilizing any network protocols deemed nonsecure. If the DBMS is not using any network protocols deemed nonsecure, this is not a finding.
If the database is utilizing protocols specified as nonsecure in the PPSM, verify the protocols are explicitly identified in the System Security Plan and that they are in support of specific operational requirements. If they are not identified in the SSP or are not supporting specific operational requirements, this is a finding.
If nonsecure network protocols are not being used but are not disabled in the DBMS's configuration, this is a finding.
After determining the site-specific operational requirements and which protocols are explicitly defined in the System Security Plan, check the $TNS_ADMIN setting for the location of the Oracle listener.ora file. The listener.ora file is a configuration file for Oracle Net Listener that identifies the following:
A unique name for the listener, typically LISTENER
A protocol address that it is accepting connection requests on, and
A service it is listening for.
If the listener.ora file shows a PROTOCOL= statement and the PROTOCOL is deemed nonsecure, that is a finding.
LISTENER=
(DESCRIPTION=
(ADDRESS_LIST=
(ADDRESS=(PROTOCOL=tcp)(HOST=sale-server)(PORT=1521))
(ADDRESS=(PROTOCOL=ipc)(KEY=extproc))))
SID_LIST_LISTENER=
(SID_LIST=
(SID_DESC=
(GLOBAL_DBNAME=sales.us.example.com)
(ORACLE_HOME=/oracle12c)
(SID_NAME=sales))
(SID_DESC=
(SID_NAME=plsextproc)
(ORACLE_HOME=/oracle12c)
(PROGRAM=extproc)))
Protocol Parameters
The Oracle Listener and the Oracle Connection Manager are identified by protocol addresses. The information below contains the "Protocol-Specific Parameters" used by the Oracle protocol support.
Protocol-Specific Parameters
Protocol: IPC Parameter: PROTOCOL Notes: Specify ipc as the value.
Protocol: IPC Parameter: KEY Notes: Specify a unique name for the service. Oracle recommends using the service name or SID of the service.
Example: (PROTOCOL=ipc)(KEY=sales)
Protocol: Named Pipes Parameter: PROTOCOL Notes: Specify nmp as the value.
Protocol: Named Pipes Parameter: SERVER Notes: Specify the name of the Oracle server.
Protocol: Named Pipes Parameter: PIPE Notes: Specify the pipe name used to connect to the database server.
This is the same PIPE keyword specified on the server with Named Pipes. This name can be any name.
Example: (Protocol=nmp) (SERVER=USDOD) (PIPE=dbpipe01)
Protocol: SDP Parameter: PROTOCOL Notes: Specify sdp as the value.
Protocol: SDP Parameter: HOST Notes: Specify the host name or IP address of the computer.
Protocol: SDP Parameter: PORT Notes: Specify the listening port number.
Example: (PROTOCOL=sdp)(HOST=sales-server)(PORT=1521)
(PROTOCOL=sdp)(HOST=192.168.2.204)(PORT=1521)
Protocol: TCP/IP Parameter: PROTOCOL Notes: Specify TCP as the value.
Protocol: TCP/IP Parameter: HOST Notes: Specify the host name or IP address of the computer.
Protocol: TCP/IP Parameter: PORT Notes: Specify the listening port number.
Example: (PROTOCOL=tcp)(HOST=sales-server)(PORT=1521)
(PROTOCOL=tcp)(HOST=192.168.2.204)(PORT=1521)
Protocol: TCP/IP with TLS Parameter: PROTOCOL Notes: Specify tcps as the value.
Protocol: TCP/IP with TLS Parameter: HOST Notes: Specify the host name or IP address of the computer.
Protocol: TCP/IP with TLS Parameter: PORT Notes: Specify the listening port number.
Example:(PROTOCOL=tcps)(HOST=sales-server) (PORT=2484)
(PROTOCOL=tcps)(HOST=192.168.2.204)(PORT=2484)
V-237700
False
O121-C2-001700
Review the PPSM Technical Assurance List to acquire an up-to-date list of network protocols deemed nonsecure.
(For definitive information on Ports, Protocols and Services Management (PPSM), refer to http://www.disa.mil/Services/Network-Services/Enterprise-Connections/PPSM)
Review DBMS settings to determine if the database is utilizing any network protocols deemed nonsecure. If the DBMS is not using any network protocols deemed nonsecure, this is not a finding.
If the database is utilizing protocols specified as nonsecure in the PPSM, verify the protocols are explicitly identified in the System Security Plan and that they are in support of specific operational requirements. If they are not identified in the SSP or are not supporting specific operational requirements, this is a finding.
If nonsecure network protocols are not being used but are not disabled in the DBMS's configuration, this is a finding.
After determining the site-specific operational requirements and which protocols are explicitly defined in the System Security Plan, check the $TNS_ADMIN setting for the location of the Oracle listener.ora file. The listener.ora file is a configuration file for Oracle Net Listener that identifies the following:
A unique name for the listener, typically LISTENER
A protocol address that it is accepting connection requests on, and
A service it is listening for.
If the listener.ora file shows a PROTOCOL= statement and the PROTOCOL is deemed nonsecure, that is a finding.
LISTENER=
(DESCRIPTION=
(ADDRESS_LIST=
(ADDRESS=(PROTOCOL=tcp)(HOST=sale-server)(PORT=1521))
(ADDRESS=(PROTOCOL=ipc)(KEY=extproc))))
SID_LIST_LISTENER=
(SID_LIST=
(SID_DESC=
(GLOBAL_DBNAME=sales.us.example.com)
(ORACLE_HOME=/oracle12c)
(SID_NAME=sales))
(SID_DESC=
(SID_NAME=plsextproc)
(ORACLE_HOME=/oracle12c)
(PROGRAM=extproc)))
Protocol Parameters
The Oracle Listener and the Oracle Connection Manager are identified by protocol addresses. The information below contains the "Protocol-Specific Parameters" used by the Oracle protocol support.
Protocol-Specific Parameters
Protocol: IPC Parameter: PROTOCOL Notes: Specify ipc as the value.
Protocol: IPC Parameter: KEY Notes: Specify a unique name for the service. Oracle recommends using the service name or SID of the service.
Example: (PROTOCOL=ipc)(KEY=sales)
Protocol: Named Pipes Parameter: PROTOCOL Notes: Specify nmp as the value.
Protocol: Named Pipes Parameter: SERVER Notes: Specify the name of the Oracle server.
Protocol: Named Pipes Parameter: PIPE Notes: Specify the pipe name used to connect to the database server.
This is the same PIPE keyword specified on the server with Named Pipes. This name can be any name.
Example: (Protocol=nmp) (SERVER=USDOD) (PIPE=dbpipe01)
Protocol: SDP Parameter: PROTOCOL Notes: Specify sdp as the value.
Protocol: SDP Parameter: HOST Notes: Specify the host name or IP address of the computer.
Protocol: SDP Parameter: PORT Notes: Specify the listening port number.
Example: (PROTOCOL=sdp)(HOST=sales-server)(PORT=1521)
(PROTOCOL=sdp)(HOST=192.168.2.204)(PORT=1521)
Protocol: TCP/IP Parameter: PROTOCOL Notes: Specify TCP as the value.
Protocol: TCP/IP Parameter: HOST Notes: Specify the host name or IP address of the computer.
Protocol: TCP/IP Parameter: PORT Notes: Specify the listening port number.
Example: (PROTOCOL=tcp)(HOST=sales-server)(PORT=1521)
(PROTOCOL=tcp)(HOST=192.168.2.204)(PORT=1521)
Protocol: TCP/IP with TLS Parameter: PROTOCOL Notes: Specify tcps as the value.
Protocol: TCP/IP with TLS Parameter: HOST Notes: Specify the host name or IP address of the computer.
Protocol: TCP/IP with TLS Parameter: PORT Notes: Specify the listening port number.
Example:(PROTOCOL=tcps)(HOST=sales-server) (PORT=2484)
(PROTOCOL=tcps)(HOST=192.168.2.204)(PORT=2484)
M
4059