O121-BP-022700 - The Oracle Listener must be configured to require administration authentication.

Information

Oracle listener authentication helps prevent unauthorized administration of the Oracle listener. Unauthorized administration of the listener could lead to DoS exploits; loss of connection audit data, unauthorized reconfiguration or other unauthorized access. This is a Category I finding because privileged access to the listener is not restricted to authorized users. Unauthorized access can result in stopping of the listener (DoS) and overwriting of listener audit logs.

Solution

By default, Oracle Net Listener permits only local administration for security reasons. As a policy, the listener can be administered only by the user who started it. This is enforced through local operating system authentication. For example, if user1 starts the listener, then only user1 can administer it. Any other user trying to administer the listener gets an error. The super user is the only exception.

Remote administration of the listener must not be permitted. If listener administration from a remote system is required, granting secure remote access to the Oracle DBMS server and performing local administration is preferred. Authorize and document this requirement in the System Security Plan.

Note: In Oracle Database 12c Release 1 (12.1), the listener password feature is no longer supported. This does not cause a loss of security because authentication is enforced through local operating system authentication. Refer to Oracle Database Net Services Reference for additional information.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_12c_V2R8_STIG.zip

Item Details

References: CAT|I, CCI|CCI-000366, Rule-ID|SV-219838r879887_rule, STIG-ID|O121-BP-022700, STIG-Legacy|SV-75931, STIG-Legacy|V-61441, Vuln-ID|V-219838

Plugin: Unix

Control ID: 124d153f8ddd1c9d0ec543bd864c47506ae03d163063ba87b29a0457a2993ebc