OS-Level pre-defined policies
The FortiDB OS-Level pre-defined policies gather and evaluate information about the target database's operating system (OS). They use SSH and a client-side script that contains OS commands.
To assess Oracle target computers using OS-Level pre-defined policies, see Enabling operating system vulnerability assessment (OSVA) for Solaris and AIX on page 1.
The OS-Level pre-defined policies require the following permissions:
| Guarded Item Description | Purpose | Required Permissions |
| --- | --- | --- |
| OSVA ORCL 01.01 Oracle Critical Patches (opatch) | Returns: | Oracle 9i, 10g, 11g, 12c: Oracle 10g, 11g, 12c: |
| OSVA ORCL 01.02 Oracle Owner-Login Check | Alerts if the Oracle owner, which is specified on the FortiDB Database Connection GUI, is not in /etc/passwd. | The SSH user needs read permission on /etc/passwd with the cat and grep commands. |
| OSVA ORCL 01.03 Oracle DBA-Group Check | Alerts if dba is not in the /etc/group file. | The SSH user needs read permission on /etc/group with the cat and grep commands. |
| OSVA ORCL 01.04 Oracle DBA-Group-Member List | Returns a list of members of the dba group from /etc/passwd and /etc/group. | The SSH user needs read permission on /etc/passwd and /etc/group with the cat and grep commands. |
| OSVA ORCL 01.05 Oracle Process-Owner Check | Alerts if the Oracle process is being run by a non-Oracle user such as root or bin. | The SSH user needs execute permission for the ps and grep commands. |
| OSVA ORCL 01.06 Oracle Excessive Directory & File Permissions Check | Alerts if the "other" permissions on the Oracle Home directory (and its contents) specified on the Create/Modify Database Connection screen include both read and write (and not execute). | The SSH user needs "other" read and execute permissions on the $ORACLE_HOME directory. For example setup instructions, see Using Minimally-Privileged User with an ACL. |
| OSVA ORCL 01.07 Oracle Correct Directory/File Owner & Group Check | Alerts if files and directories under the Oracle Home directory specified on the Create/Modify Database Connection screen do not have the correct owner and group permissions. Exempt from this check are: | The SSH user needs "other" read and execute permissions on the $ORACLE_HOME directory. For example setup instructions, see Using Minimally-Privileged User with an ACL. |
| OSVA ORCL 01.08 Oracle setuid/setgid File Check | Alerts if setuid or setgid permissions are assigned to files and directories under the Oracle Home directory specified on the Create/Modify Database Connection screen. Exempt from this check are: | The SSH user needs "other" read and execute permissions on the $ORACLE_HOME directory. For example setup instructions, see Using Minimally-Privileged User with an ACL. |
| OSVA ORCL 01.09 Oracle Database-Configuration-Change Check | This policy checks whether these database configuration files changed between the previous and current assessments: | |
| OSVA ORCL 01.10 Oracle Network-Configuration-Change Check | This policy checks whether network configuration files changed between the previous and current assessments. | |
| OSVA ORCL 01.11 Oracle Installed-Operating-System Info | Returns the OS name and version. | |
| OSVA ORCL 01.12 Oracle External-Procedure Processes Running Check | Alerts if an external-procedure process is running on the target server. | The SSH user needs execute permission for ps and grep. |
| OSVA ORCL 01.13 Oracle EXTPROC | Alerts if any EXTPROC settings are listed in listener.ora. For example: (SID_NAME = PLSExtProc) | |
| OSVA ORCL 01.14 Oracle Missing-Listener-Password Check | Alerts if a PASSWORD setting is missing in listener.ora. | |
| OSVA ORCL 01.15 Oracle Missing-Listener-ADMIN_RESTRICTIONS Check | Alerts if an ADMIN_RESTRICTIONS setting is missing in listener.ora. | |
| OSVA ORCL 01.16 Oracle Default-Listener Check | Alerts if the default LISTENER is set in listener.ora. | |
| OSVA ORCL 01.17 Oracle Default-Port (1521) Check | Alerts if the default PORT is set in listener.ora. | |
| OSVA ORCL 01.18 Oracle Advanced-Listener-Security Settings Check | Alerts if any Oracle Advanced Security settings are missing in sqlnet.ora. For example, the presence of the following would not cause an alert: SQLNET.ENCRYPTION_SERVER = Requested | |
| OSVA ORCL 01.19 Oracle Configured Listener List | Displays all listener names. | |
| OSVA ORCL 01.20 Oracle Unencrypted Listener Password Check | Alerts if the password in listener.ora is unencrypted. Encrypted passwords should be 16 characters long and consist only of upper-case letters from A to F or numbers. For example, the following is an acceptably encrypted password and would not generate an alert: PASSWORDS_LISTENER = F56401ADBA6810DS | |

Use your known_hosts file to give access to certain hosts only.
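As an added example (not FortiDB's own client-side script), the following shell function re-implements the listener.ora checks behind OSVA ORCL 01.13, 01.14, 01.15, 01.16, 01.17 and 01.20 using the same cat/grep-style commands the SSH user is granted permission for, and runs them against two constructed listener.ora files: a weak one and a hardened one. It assumes Oracle's PASSWORDS_<listener_name> and ADMIN_RESTRICTIONS_<listener_name> parameter names; the sample file contents and host names are constructed.

```shell
#!/bin/sh
# Added example, not FortiDB's client-side script: re-implements the
# listener.ora checks of OSVA ORCL 01.13, 01.14, 01.15, 01.16, 01.17 and 01.20
# with cat/grep-style commands. Assumes Oracle's PASSWORDS_<listener> and
# ADMIN_RESTRICTIONS_<listener> parameter names.

# audit_listener_ora FILE: print one finding per line (nothing when clean).
audit_listener_ora() {
  f="$1"
  # 01.13: any EXTPROC / PLSExtProc entry
  grep -Eiq 'extproc' "$f" && echo "01.13 EXTPROC configured"
  # 01.14: no PASSWORDS_<listener> setting at all
  grep -Eq '^[[:space:]]*PASSWORDS?_[A-Za-z0-9_]+[[:space:]]*=' "$f" \
    || echo "01.14 listener password missing"
  # 01.15: no ADMIN_RESTRICTIONS_<listener> setting
  grep -Eq '^[[:space:]]*ADMIN_RESTRICTIONS_[A-Za-z0-9_]+[[:space:]]*=' "$f" \
    || echo "01.15 ADMIN_RESTRICTIONS missing"
  # 01.16: listener uses the default name LISTENER
  grep -Eq '^[[:space:]]*LISTENER[[:space:]]*=' "$f" && echo "01.16 default listener name"
  # 01.17: listener bound to the default port 1521
  grep -Eq '\(PORT[[:space:]]*=[[:space:]]*1521\)' "$f" && echo "01.17 default port 1521"
  # 01.20: password present but not 16 upper-case hex characters (A-F, 0-9)
  grep -E '^[[:space:]]*PASSWORDS?_[A-Za-z0-9_]+[[:space:]]*=' "$f" \
    | sed 's/.*=[[:space:]]*//' | grep -Evq '^[0-9A-F]{16}$' \
    && echo "01.20 unencrypted listener password"
  return 0
}

# count_findings FILE: number of findings, handy for alert thresholds.
count_findings() { audit_listener_ora "$1" | wc -l | tr -d ' '; }

# Constructed sample files (not taken from any real system).
WEAK_LISTENER_ORA=$(mktemp)
cat >"$WEAK_LISTENER_ORA" <<'EOF'
LISTENER =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.test)(PORT = 1521)))
SID_LIST_LISTENER =
  (SID_LIST = (SID_DESC = (SID_NAME = PLSExtProc)(PROGRAM = extproc)))
PASSWORDS_LISTENER = oracle123
EOF
HARDENED_LISTENER_ORA=$(mktemp)
cat >"$HARDENED_LISTENER_ORA" <<'EOF'
LISTENER_PROD =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.test)(PORT = 1599)))
ADMIN_RESTRICTIONS_LISTENER_PROD = ON
PASSWORDS_LISTENER_PROD = 9A3F0C1E7B2D4F60
EOF
audit_listener_ora "$WEAK_LISTENER_ORA"      # prints 5 findings
audit_listener_ora "$HARDENED_LISTENER_ORA"  # prints nothing
```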