V-61685.rb
222 lines (175 loc) · 8.12 KB
control 'V-61685' do
  title 'Access to external executables must be disabled or restricted.'
  desc "The Oracle external procedure capability provides use of the Oracle
  process account outside the operation of the DBMS process. You can use it to
  submit and execute applications stored externally from the database under
  operating system controls. The external procedure process is the subject of
  frequent and successful attacks as it allows unauthenticated use of the Oracle
  process account on the operating system. As of Oracle version 11.1, the
  external procedure agent may be run directly from the database and not require
  use of the Oracle listener. This reduces the risk of unauthorized access to the
  procedure from outside of the database process."
  impact 0.5
  tag "gtitle": 'SRG-APP-000141-DB-000093'
  tag "gid": 'V-61685'
  tag "rid": 'SV-76175r2_rule'
  tag "stig_id": 'O121-C2-011810'
  tag "fix_id": 'F-67599r1_fix'
  tag "cci": ['CCI-000381']
  tag "nist": ['CM-7 a', 'Rev_4']
  tag "false_negatives": nil
  tag "false_positives": nil
  tag "documentable": false
  tag "mitigations": nil
  tag "severity_override_guidance": false
  tag "potential_impacts": nil
  tag "third_party_tools": nil
  tag "mitigation_controls": nil
  tag "responsibility": nil
  tag "ia_controls": nil
  tag "check": "Review the System Security Plan to determine if the use of the
  external procedure agent is authorized.
  Review the ORACLE_HOME/bin directory or search the ORACLE_BASE path for the
  executable extproc (UNIX) or extproc.exe (Windows).
  If external procedure agent is not authorized for use in the System Security
  Plan and the executable file does not exist or is restricted, this is not a
  finding.
  If external procedure agent is not authorized for use in the System Security
  Plan and the executable file exists and is not restricted, this is a finding.
  If use of the external procedure agent is authorized, ensure extproc is
  restricted to execution of authorized applications.
  External jobs are run using the account nobody by default.
  Review the contents of the file ORACLE_HOME/rdbms/admin/externaljob.ora for the
  lines run_user= and run_group=.
  If the user assigned to these parameters is not \"nobody\", this is a finding.
  For versions 11.1 and later, the external procedure agent (extproc executable)
  is available directly from the database and does not require definition in the
  listener.ora file for use.
  Review the contents of the file ORACLE_HOME/hs/admin/extproc.ora.
  If the file does not exist, this is a finding.
  If the following entry does not appear in the file, this is a finding:
  EXTPROC_DLLS=ONLY:[dll full file name1]:[dll full file name2]:..
  [dll full file name] represents a full path and file name.
  This list of file names is separated by \":\".
  Note: If \"ONLY\" is specified, then the list is restricted to allow execution
  of only the DLLs specified in the list and is not a finding. If \"ANY\" is
  specified, then there are no restrictions for execution except what is
  controlled by operating system permissions and is a finding. If no
  specification is made, any files located in the %ORACLE_HOME%\\bin directory on
  Windows systems or $ORACLE_HOME/lib directory on UNIX systems can be executed
  (the default) and is a finding.
  Ensure that EXTPROC is not accessible from the listener.
  Review the listener.ora file. If any entries reference \"extproc\", this is a
  finding.
  Determine if the external procedure agent is in use per Oracle 10.x conventions.
  Review the listener.ora file.
  If any entries reference \"extproc\", then the agent is in use.
  If external procedure agent is not authorized for use in the System Security
  Plan and references to \"extproc\" exist, this is a finding.
  Sample listener.ora entries with extproc included:
  LISTENER =
  (DESCRIPTION =
  (ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 1521))
  )
  EXTLSNR =
  (DESCRIPTION =
  (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC))
  )
  SID_LIST_LISTENER =
  (SID_LIST =
  (SID_DESC =
  (GLOBAL_DBNAME = ORCL)
  (ORACLE_HOME = /home/oracle/app/oracle/product/11.1.0/db_1)
  (SID_NAME = ORCL)
  )
  )
  SID_LIST_EXTLSNR =
  (SID_LIST =
  (SID_DESC =
  (PROGRAM = extproc)
  (SID_NAME = PLSExtProc)
  (ORACLE_HOME = /home/oracle/app/oracle/product/11.1.0/db_1)
  (ENVS=\"EXTPROC_DLLS=ONLY:/home/app1/app1lib.so:/home/app2/app2lib.so,
  LD_LIBRARY_PATH=/private/app2/lib:/private/app1,
  MYPATH=/usr/fso:/usr/local/packages\")
  )
  )
  Sample tnsnames.ora entries with extproc included:
  ORCL =
  (DESCRIPTION =
  (ADDRESS_LIST =
  (ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 1521))
  )
  (CONNECT_DATA =
  (SERVICE_NAME = ORCL)
  )
  )
  EXTPROC_CONNECTION_DATA =
  (DESCRIPTION =
  (ADDRESS_LIST =
  (ADDRESS = (PROTOCOL = IPC)(KEY = extproc))
  )
  (CONNECT_DATA =
  (SERVER = DEDICATED)
  (SERVICE_NAME = PLSExtProc)
  )
  )
  If EXTPROC is in use, confirm that a listener is dedicated to serving the
  external procedure agent (as shown above).
  View the protocols configured for the listener.
  For the listener to be dedicated, the only entries will be to specify extproc.
  If there is not a dedicated listener in use for the external procedure agent,
  this is a finding.
  If the PROTOCOL= specified is other than IPC, this is a finding.
  Verify and ensure extproc is restricted to executing authorized external
  applications only.
  Review the listener.ora file.
  If the following entry does not exist, this is a finding:
  EXTPROC_DLLS=ONLY:[dll full file name1]:[dll full file name2]:...
  Note: [dll full file name] represents a full path and file name. This list of
  file names is separated by \":\".
  Note: If \"ONLY\" is specified, then the list is restricted to allow execution
  of only the DLLs specified in the list and is not a finding. If \"ANY\" is
  specified, then there are no restrictions for execution except what is
  controlled by operating system permissions and is a finding. If no
  specification is made, any files located in the %ORACLE_HOME%\\bin directory on
  Windows systems or $ORACLE_HOME/lib directory on UNIX systems can be executed
  (the default) and is a finding.
  View the listener.ora file (usually in ORACLE_HOME/network/admin or directory
  specified by the TNS_ADMIN environment variable).
  If multiple listener processes are running, then the listener.ora file for each
  must be viewed.
  For each process, determine the directory specified in the ORACLE_HOME or
  TNS_ADMIN environment variable defined for the process account to locate the
  listener.ora file."
  tag "fix": "If use of the external procedure agent is required, then
  authorize and document the requirement in the System Security Plan.
  If the external procedure agent must be accessible to the Oracle listener, then
  specify this and authorize it in the System Security Plan.
  If use of the Oracle External Procedure agent is not required:
  - Stop the Oracle Listener process
  - Remove all references to extproc in the listener.ora and tnsnames.ora files
  - Alter the permissions on the executable files:
  UNIX - Remove read/write/execute permissions from owner, group and
  world
  Windows - Remove Groups/Users from the executable (except groups
  SYSTEM and ADMINISTRATORS) and allow READ [only] for SYSTEM and ADMINISTRATORS
  groups
  If required:
  - Restrict extproc execution to only authorized applications.
  - Specify EXTPROC_DLLS=ONLY: [list of authorized DLLS] in the extproc.ora and
  the listener.ora files
  - Create a separate, dedicated listener for use by the external procedure agent
  See the Oracle Net Services Administrators Guides, External Procedures section
  for detailed configuration information."

  # ORACLE_HOME is taken from the environment of the account running the scan;
  # if it is unset the paths below resolve to /rdbms/... and the file checks fail.
  oracle_home = command('echo $ORACLE_HOME').stdout.strip

  # The check text requires external jobs to run as the unprivileged account
  # 'nobody' (anything else is a finding), so these lines must be present.
  # The original control used should_not here, which inverted the STIG rule.
  describe file("#{oracle_home}/rdbms/admin/externaljob.ora") do
    its('content') { should match(/^\s*run_user\s*=\s*nobody\s*$/) }
    its('content') { should match(/^\s*run_group\s*=\s*nobody\s*$/) }
  end

  # extproc.ora must exist and restrict extproc to an explicit DLL list (ONLY:).
  # Oracle writes the entry as "SET EXTPROC_DLLS=...", so a SET prefix is accepted.
  describe file("#{oracle_home}/hs/admin/extproc.ora") do
    it { should exist }
    its('content') { should match(/^\s*(SET\s+)?EXTPROC_DLLS\s*=\s*ONLY:/i) }
  end
end
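The control above only tests two files; the check text also classifies the EXTPROC_DLLS setting (ONLY / ANY / unset), requires `nobody` in externaljob.ora, and treats any `extproc` reference in listener.ora as a finding when the agent is not authorized. The following plain-Ruby helpers, added here as an example and not part of the control or the baseline project, apply those rules to file contents so they can be exercised offline; the sample contents are constructed, modelled on the STIG's sample listener.ora.

```ruby
# Classify the EXTPROC_DLLS setting in extproc.ora (or a listener.ora ENVS clause):
# :only is restricted (not a finding), :any is unrestricted (finding), :unset falls
# back to the default $ORACLE_HOME/lib or %ORACLE_HOME%\bin directory (finding).
def extproc_dlls_mode(content)
  m = content.match(/EXTPROC_DLLS\s*=\s*(ONLY|ANY)\b/i)
  return :unset if m.nil?
  m[1].casecmp('ONLY').zero? ? :only : :any
end

# Paths listed after EXTPROC_DLLS=ONLY: (":"-separated). The capture stops at
# whitespace, quote, comma or paren so it also works inside ENVS="..." clauses.
def extproc_allowed_dlls(content)
  m = content.match(/EXTPROC_DLLS\s*=\s*ONLY:([^\s",)]*)/i)
  m.nil? ? [] : m[1].split(':').reject(&:empty?)
end

# Does listener.ora mention extproc at all (PROGRAM = extproc, KEY = EXTPROC ...)?
def listener_references_extproc?(content)
  content.match?(/extproc/i)
end

# Do external jobs run as the unprivileged account 'nobody'?
def externaljob_uses_nobody?(content)
  user  = content[/^\s*run_user\s*=\s*(\S+)/, 1]
  group = content[/^\s*run_group\s*=\s*(\S+)/, 1]
  user == 'nobody' && group == 'nobody'
end

# Evaluate the three files as the check text does when extproc is NOT authorized
# in the System Security Plan. extproc_ora is nil when the file is absent.
# Returns an array of finding strings; an empty array means compliant.
def extproc_findings(extproc_ora, listener_ora, externaljob_ora)
  findings = []
  findings << 'externaljob.ora: run_user/run_group is not nobody' unless externaljob_uses_nobody?(externaljob_ora)
  if extproc_ora.nil?
    findings << 'extproc.ora: file does not exist'
  elsif (mode = extproc_dlls_mode(extproc_ora)) != :only
    findings << "extproc.ora: EXTPROC_DLLS is #{mode}, expected ONLY:<dll list>"
  end
  findings << 'listener.ora: references extproc' if listener_references_extproc?(listener_ora)
  findings
end

# Constructed sample file contents (not taken from a real system).
SAMPLE_EXTERNALJOB = "run_user = nobody\nrun_group = nobody\n"
SAMPLE_EXTPROC_ORA = "SET EXTPROC_DLLS=ONLY:/home/app1/app1lib.so:/home/app2/app2lib.so\n"
SAMPLE_LISTENER    = "SID_LIST_EXTLSNR =\n  (SID_LIST =\n    (SID_DESC =\n      (PROGRAM = extproc)\n      (SID_NAME = PLSExtProc)))\n"

puts extproc_findings(SAMPLE_EXTPROC_ORA, SAMPLE_LISTENER, SAMPLE_EXTERNALJOB).inspect if $PROGRAM_NAME == __FILE__
```

Run with `ruby` to see the single finding the sample produces (the listener still references extproc even though the DLL list is restricted).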