O121-C2-001700 - The DBMS must support the disabling of network protocols deemed by the organization to be nonsecure.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

This requirement is related to remote access, but more specifically to the networking protocols allowing systems to communicate. Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless.

Some networking protocols allowing remote access may not meet security requirements to protect data and components. Bluetooth and peer-to-peer networking are examples of less than secure networking protocols.

The DoD Ports, Protocols, and Services Management (PPSM) program provides implementation guidance on the use of IP protocols and application and data services traversing the DoD Networks in a manner supporting net-centric operations.

Applications implementing or utilizing remote access network protocols need to ensure the application is developed and implemented in accordance with the PPSM requirements. In situations where it has been determined that specific operational requirements outweigh the risks of enabling an insecure network protocol, the organization may pursue a risk acceptance.

Using protocols deemed nonsecure would compromise the ability of the DBMS to operate in a secure fashion. The database must be able to disable network protocols deemed nonsecure.

Solution

Disable any network protocol listed as nonsecure in the PPSM documentation.

To disable the protocol deemed not secure, stop the listener by issuing the following command as the Oracle Software owner, typically Oracle.
$ lsnrctl stop
This will stop the listener. Edit the LISTENER.ORA file and remove the protocols deemed not secure and restart the listener.

For example, if TCP was deemed as not secure, the listener.ora would need to be changed and the tcp entry would need to be removed. That would only allow the listener to listen for an IPC connection.

LISTENER=
(DESCRIPTION=
(ADDRESS_LIST=
(ADDRESS=(PROTOCOL=tcp)(HOST=sale-server)(PORT=1521)) - remove this line and properly balance the parentheses -
(ADDRESS=(PROTOCOL=ipc)(KEY=extproc))))
SID_LIST_LISTENER=
(SID_LIST=
(SID_DESC=
(GLOBAL_DBNAME=sales.us.example.com)
(ORACLE_HOME=/oracle12c)
(SID_NAME=sales))
(SID_DESC=
(SID_NAME=plsextproc)
(ORACLE_HOME=/oracle12c)
(PROGRAM=extproc)))

Revise the client side TNSNAMES.ORA to align the PROTOCOL value in the PROTOCOL portion of the connect string. For example, if TCP was deemed as not secure and the listener.ora was changed to listen for an IPC connection the code below would be required:

net_service_name=
(DESCRIPTION=
(ADDRESS=(PROTOCOL=tcp)(HOST=sales1-svr)(PORT=1521))
(ADDRESS=(PROTOCOL=tcp)(HOST=sales2-svr)(PORT=1521))
(CONNECT_DATA=
(SERVICE_NAME=sales.us.example.com)))

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_12c_V2R3_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7, CAT|II, CCI|CCI-000382, CSCv6|9.1, Rule-ID|SV-237700r667132_rule, STIG-ID|O121-C2-001700, STIG-Legacy|SV-76045, STIG-Legacy|V-61555, Vuln-ID|V-237700

Plugin: Unix

Control ID: 5cd90e2b947758bd1d39b667f68aa09e7234532735c87f28873615a8b7f30b78