Handbook (HTML)

OS-Level pre-defined policies

The FortiDB OS-Level pre-defined policies gather and evaluate information about the target database's operating system (OS). They use SSH and a client-side script that contains OS commands.

To assess Oracle target computers using OS-Level pre-defined policies, see Enabling operating system vulnerability assessment (OSVA) for Solaris and AIX.

The OS-Level pre-defined policies require the following permissions:

Each entry below gives the guarded item and policy name, its purpose, and the permissions the SSH user needs.

OSVA ORCL 01.01 Oracle Critical Patches (opatch)

Purpose: Returns:

  • opatch version
  • applied critical patch numbers

Required permissions:

Oracle 9i, 10g, 11g, 12c:

  • The SSH user needs execute permission on opatch
  • The SSH user's PATH variable should include the location of opatch

Oracle 10g, 11g, 12c:

  • The SSH user needs read, write, and execute permissions on opatch
  • The SSH user needs read, write, and execute permissions on $ORACLE_HOME/cfgtoollogs/opatch/lsinv

OSVA ORCL 01.02 Oracle Owner-Login Check

Purpose: Alerts if the Oracle owner, which is specified on the FortiDB Database Connection GUI, is not in /etc/passwd.

Required permissions: The SSH user needs read permission on /etc/passwd with the cat and grep commands.

OSVA ORCL 01.03 Oracle DBA-Group Check

Purpose: Alerts if dba is not in the /etc/group file.

Required permissions: The SSH user needs read permission on /etc/group with the cat and grep commands.

OSVA ORCL 01.04 Oracle DBA-Group-Member List

Purpose: Returns a list of members of the dba group from /etc/passwd and /etc/group.

Required permissions: The SSH user needs read permission on /etc/passwd and /etc/group with the cat and grep commands.

OSVA ORCL 01.05 Oracle Process-Owner Check

Purpose: Alerts if the Oracle process is being run by a non-Oracle user such as root or bin.

Required permissions: The SSH user needs execute permission on the ps and grep commands.

OSVA ORCL 01.06 Oracle Excessive Directory & File Permissions Check

Purpose: Alerts if the "other" permissions on the Oracle Home directory (and its contents) specified on the Create/Modify Database Connection screen include both read and write (and not execute).

Required permissions: The SSH user needs other read and execute permissions on the $ORACLE_HOME directory. For example setup instructions, see Using Minimally-Privileged User with an ACL.

OSVA ORCL 01.07 Oracle Correct Directory/File Owner & Group Check

Purpose: Alerts if files and directories under the Oracle Home directory specified on the Create/Modify Database Connection screen do not have the correct owner and group. Exempt from this check are:

  • $ORACLE_HOME/bin/oracle
  • $ORACLE_HOME/bin/oradism
  • $ORACLE_HOME/bin/dbsnmp

Required permissions: The SSH user needs other read and execute permissions on the $ORACLE_HOME directory. For example setup instructions, see Using Minimally-Privileged User with an ACL.

OSVA ORCL 01.08 Oracle setuid/setgid File Check

Purpose: Alerts if setuid or setgid permissions are assigned to files and directories under the Oracle Home directory specified on the Create/Modify Database Connection screen. Exempt from this check are:

  • $ORACLE_HOME/bin/oracle
  • $ORACLE_HOME/bin/oradism
  • $ORACLE_HOME/bin/dbsnmp

Required permissions: The SSH user needs other read and execute permissions on the $ORACLE_HOME directory. For example setup instructions, see Using Minimally-Privileged User with an ACL.

OSVA ORCL 01.09 Oracle Database-Configuration-Change Check

Purpose: Checks whether these database configuration files changed between the previous and current assessments:

  • init.ora
  • spfile.ora

Required permissions:

  • The SSH user needs execute permission on ls for the $ORACLE_HOME/dbs/ directory
  • The SSH user needs read permission on the $ORACLE_HOME/dbs/ directory

OSVA ORCL 01.10 Oracle Network-Configuration-Change Check

Purpose: Checks whether these network configuration files changed between the previous and current assessments:

  • listener.ora
  • tnsnames.ora
  • sqlnet.ora

Required permissions:

  • The SSH user needs execute permission on ls for the $ORACLE_HOME/network/admin/ directory
  • The SSH user needs read permission on the $ORACLE_HOME/network/admin/ directory

OSVA ORCL 01.11 Oracle Installed-Operating-System Info

Purpose: Returns the OS name and version.

Required permissions:

  • The SSH user needs execute permission on cat for the /etc/release file
  • The SSH user needs read permission on the /etc/release file

OSVA ORCL 01.12 Oracle External-Procedure Processes Running Check

Purpose: Alerts if an external-procedure process is running on the target server.

Required permissions: The SSH user needs execute permission on ps and grep.

OSVA ORCL 01.13 Oracle EXTPROC

Purpose: Alerts if any EXTPROC settings are listed in listener.ora. For example:

(SID_NAME = PLSExtProc)

Required permissions:

  • The SSH user needs execute permission on cat for the listener.ora file
  • The SSH user needs read permission on the listener.ora file

OSVA ORCL 01.14 Oracle Missing-Listener-Password Check

Purpose: Alerts if a PASSWORD setting is missing in listener.ora.

Required permissions: The SSH user needs execute permission on cat for the listener.ora file and read permission on the listener.ora file.

OSVA ORCL 01.15 Oracle Missing-Listener-ADMIN_RESTRICTIONS Check

Purpose: Alerts if an ADMIN_RESTRICTIONS setting is missing in listener.ora.

Required permissions: The SSH user needs execute permission on cat for the listener.ora file and read permission on the listener.ora file.

OSVA ORCL 01.16 Oracle Default-Listener Check

Purpose: Alerts if the default LISTENER name is set in listener.ora.

Required permissions: The SSH user needs execute permission on cat for the listener.ora file and read permission on the listener.ora file.

OSVA ORCL 01.17 Oracle Default-Port (1521) Check

Purpose: Alerts if the default PORT is set in listener.ora.

Required permissions: The SSH user needs execute permission on cat for the listener.ora file and read permission on the listener.ora file.

OSVA ORCL 01.18 Oracle Advanced-Listener-Security Settings Check

Purpose: Alerts if any Oracle Advanced Security settings are missing in sqlnet.ora. For example, the presence of the following would not cause an alert:

SQLNET.ENCRYPTION_SERVER = Requested

Required permissions:

  • The SSH user needs execute permission on grep for the sqlnet.ora file
  • The SSH user needs read permission on the sqlnet.ora file

OSVA ORCL 01.19 Oracle Configured Listener List

Purpose: Displays all listener names.

Required permissions: The SSH user needs execute permission on cat for the listener.ora file and read permission on the listener.ora file.

OSVA ORCL 01.20 Oracle Unencrypted Listener Password Check

Purpose: Alerts if the password in listener.ora is unencrypted. Encrypted passwords should be 16 characters long and consist only of upper-case letters from A to F or numbers. For example, the following is an acceptably encrypted password and would not generate an alert:

PASSWORDS_LISTENER = F56401ADBA6810DS

Required permissions:

  • The SSH user needs execute permission on cat for the listener.ora file
  • The SSH user needs read permission on the listener.ora file
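The Oracle Home checks of policies 01.06, 01.07 and 01.08 reduce to a few read-only find invocations. The script below is an added example, not FortiDB's own client-side script: it assumes POSIX sh and find, builds a constructed ORACLE_HOME tree in a temporary directory, and applies the page's three-binary exemption list to the owner and setuid checks (the page does not exempt anything from 01.06).

```shell
#!/bin/sh
# Added example (not FortiDB's script): read-only checks mirroring policies
# 01.06 (other = rw-), 01.07 (owner/group) and 01.08 (setuid/setgid) under an
# Oracle Home. Assumes POSIX sh and find; the sample tree is constructed below.

EXEMPT="bin/oracle bin/oradism bin/dbsnmp"   # exemptions listed for 01.07/01.08

# Make find output relative to the Oracle Home given as $1.
relpaths() { while read -r p; do echo "${p#"$1"/}"; done; }

# Drop the exempt binaries (applies to 01.07 and 01.08, not to 01.06).
drop_exempt() {
  while read -r rel; do
    case " $EXEMPT " in *" $rel "*) ;; *) echo "$rel" ;; esac
  done
}

# 01.06: "other" bits are read and write but not execute (mode ...rw-).
excessive_other_perm_findings() {
  find "$1" -perm -006 ! -perm -001 | sort | relpaths "$1"
}

# 01.07: anything not owned by the expected Oracle owner ($2) and group ($3).
wrong_owner_findings() {
  find "$1" \( ! -user "$2" -o ! -group "$3" \) | sort | relpaths "$1" | drop_exempt
}

# 01.08: setuid or setgid bit set on any file or directory.
setuid_setgid_findings() {
  find "$1" \( -perm -4000 -o -perm -2000 \) | sort | relpaths "$1" | drop_exempt
}

# Constructed sample: one exempt setuid binary, one non-exempt setuid binary,
# one world-writable config file, one correctly restricted file.
make_sample_home() {
  mkdir -p "$1/bin" "$1/dbs"
  : > "$1/bin/oracle";     chmod 6751 "$1/bin/oracle"     # setuid+setgid, exempt
  : > "$1/bin/sqlplus";    chmod 4755 "$1/bin/sqlplus"    # setuid, flagged by 01.08
  : > "$1/dbs/init.ora";   chmod 0666 "$1/dbs/init.ora"   # other rw-, flagged by 01.06
  : > "$1/dbs/spfile.ora"; chmod 0640 "$1/dbs/spfile.ora" # fine
}

home="$(mktemp -d)"
make_sample_home "$home"
echo "01.06:"; excessive_other_perm_findings "$home"
echo "01.07:"; wrong_owner_findings "$home" "$(id -un)" "$(id -gn)"
echo "01.08:"; setuid_setgid_findings "$home"
rm -rf "$home"
```

On a real host the same functions run against $ORACLE_HOME with the Oracle owner and dba group as arguments, and only need the other read and execute permissions the table lists.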
Use your known_hosts file to give access to certain hosts only.
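The listener.ora policies 01.13 to 01.17 and 01.20 are all pattern checks on one file, which the page says FortiDB reads with cat over SSH. The script below is an added example, not FortiDB's own client-side script: it assumes POSIX sh with grep and sed, and the listener.ora content it checks is constructed inline.

```shell
#!/bin/sh
# Added example (not FortiDB's script): read-only listener.ora checks that
# mirror policies 01.13-01.17 and 01.20. Assumes POSIX sh, grep and sed.

# Settings only: drop comments and blank lines before matching.
cfg_lines() { sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"; }

# Encrypted form per policy 01.20: exactly 16 characters from 0-9 and A-F.
is_encrypted_pw() { printf '%s' "$1" | grep -Eq '^[0-9A-F]{16}$'; }

# One finding per line; prints nothing when no listener policy would alert.
listener_findings() {
  f="$1"
  cfg_lines "$f" | grep -qi 'EXTPROC' && echo "EXTPROC_CONFIGURED"                        # 01.13
  cfg_lines "$f" | grep -qi '^[[:space:]]*PASSWORDS_' || echo "NO_LISTENER_PASSWORD"       # 01.14
  cfg_lines "$f" | grep -qi '^[[:space:]]*ADMIN_RESTRICTIONS_' || echo "NO_ADMIN_RESTRICTIONS" # 01.15
  cfg_lines "$f" | grep -Eqi '^[[:space:]]*LISTENER[[:space:]]*=' && echo "DEFAULT_LISTENER_NAME" # 01.16
  cfg_lines "$f" | grep -Eqi 'PORT[[:space:]]*=[[:space:]]*1521([^0-9]|$)' && echo "DEFAULT_PORT_1521" # 01.17
  # 01.20: every PASSWORDS_<listener> value must be in the encrypted form.
  cfg_lines "$f" | sed -n 's/^[[:space:]]*PASSWORDS_[A-Za-z0-9_]*[[:space:]]*=[[:space:]]*//p' |
    while read -r pw; do is_encrypted_pw "$pw" || echo "UNENCRYPTED_PASSWORD"; done
}

# Constructed sample (not from a real host) that trips five of the six checks.
write_sample_listener_ora() {
  cat > "$1" <<'EOF'
# sample listener.ora
LISTENER =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db.example)(PORT = 1521)))
SID_LIST_LISTENER =
  (SID_LIST = (SID_DESC = (SID_NAME = PLSExtProc)(PROGRAM = extproc)))
PASSWORDS_LISTENER = notencrypted
EOF
}

sample="$(mktemp)"
write_sample_listener_ora "$sample"
listener_findings "$sample"
rm -f "$sample"
```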