DG0099-ORACLE11 - Access to external DBMS executables should be disabled or restricted - '$ORACLE_HOME/rdbms/admin/externaljob.ora run_group = nobody'

Information

The Oracle external procedure capability provides use of the Oracle process account outside the operation of the DBMS process. You can use it to submit and execute applications stored externally from the database under operating system controls. The external procedure process is the subject of frequent and successful attacks as it allows unauthenticated use of the Oracle process account on the operating system. As of Oracle version 11.1, the external procedure agent may be run directly from the database and not require use of the Oracle listener. This reduces the risk of unauthorized access to the procedure from outside of the database process.

Solution

If the use of external procedure agent is required, then authorize and document the requirement in the System Security Plan.

If the external procedure agent must be accessible to the Oracle listener, then specify this and authorize it in the System Security Plan.

If use of the Oracle External Procedure agent is not required:

- Stop the Oracle Listener process
- Remove all references to extproc in the listener.ora and tnsnames.ora files
- Alter the permissions on the executable files:
UNIX - Remove read/write/execute permissions from owner, group and world
Windows - Remove Groups/Users from the executable (except groups SYSTEM and ADMINISTRATORS) and allow READ [only] for SYSTEM and ADMINISTRATORS groups

If required:

- Restrict extproc execution to only authorized applications.
- Specify EXTPROC_DLLS=ONLY: [list of authorized DLLS] in the extproc.ora and the listener.ora files
- Create a separate, dedicated listener for use by the external procedure agent

Please see the Oracle Net Services Administrators Guides, External Procedures section for detailed configuration information.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_11g_Y21M10_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7(2), CAT|II, Rule-ID|SV-24698r1_rule, STIG-ID|DG0099-ORACLE11, Vuln-ID|V-15618

Plugin: Unix

Control ID: 4ebfb671daf55f75f92acf29aeb5e3fa892eebf09dfebc91c6205bdf980edc3b