2.2.6 Ensure 'REMOTE_LISTENER' Is Empty

Information

Setting the SQL92_SECURITY parameter to TRUE requires that a user also be granted the SELECT object privilege before being able to perform UPDATE or DELETE operations that reference table columns in WHERE or SET clauses. The setting should have a value of TRUE.

Rationale:

A user without SELECT privilege can still infer the value stored in a column by referring to that column in a DELETE or UPDATE statement. This setting prevents inadvertent information disclosure by ensuring that only users who already have SELECT privilege can execute the statements that would allow them to infer the stored values.

Solution

To remediate this setting, execute the following SQL statement.

ALTER SYSTEM SET REMOTE_LISTENER = '' SCOPE = SPFILE;
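
To confirm the remediation, the query below (an added example, not part of the original benchmark text) compares the value the running instance is using with the value stored in the SPFILE. It assumes the session can read V$SYSTEM_PARAMETER and V$SPPARAMETER; the source, sid placeholder and status columns are labels made up for this example.

```sql
-- Added example: check REMOTE_LISTENER in memory and in the SPFILE.
-- Oracle treats an empty string as NULL, so "empty" is tested with IS NULL.
SELECT 'MEMORY' AS source,
       '-'      AS sid,          -- placeholder; this view has no SID column
       value,
       CASE WHEN value IS NULL THEN 'PASS' ELSE 'FAIL' END AS status
  FROM v$system_parameter
 WHERE UPPER(name) = 'REMOTE_LISTENER'
UNION ALL
SELECT 'SPFILE',
       sid,                      -- '*' means the entry applies to all instances
       value,
       CASE WHEN value IS NULL THEN 'PASS' ELSE 'FAIL' END
  FROM v$spparameter
 WHERE UPPER(name) = 'REMOTE_LISTENER';
```

Because the remediation uses SCOPE = SPFILE, the SPFILE row reports PASS immediately, while the MEMORY row keeps its previous value until the instance is restarted.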

References:

http://docs.oracle.com/database/121/REFRN/GUID-FEE2E8B5-CE02-4158-A6B4-030E59316756.htm#REFRN10183

Notes:

If set as remote_listener=true, the address/address list is taken from the TNSNAMES.ORA file.

See Also

https://workbench.cisecurity.org/files/2741

Item Details

Category: ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AC-3, 800-53|SI-4, CSCv6|9, CSCv6|18, CSCv7|9.2, CSCv7|14.6

Plugin: OracleDB

Control ID: 9990b7d20a1bbe18834cd679e06a6c32e04912411cc5447c6549b78b4461909e