DO6740-ORACLE11 - The Oracle Listener ADMIN_RESTRICTIONS parameter if present should be set to ON - '$ORACLE_HOME/network/admin/listener.ora ADMIN_RESTRICTIONS_{listener} = on'

Information

The Oracle listener process can be dynamically configured. By connecting to the listener process directly, usually through the Oracle LSNRCTL utility, a user may change any of the parameters available through the set command. This vulnerability has been used to overwrite the listener log and trace files. The ADMIN_RESTRICTIONS parameter, set in the listener.ora file, prohibits dynamic listener configuration changes and protects the configuration using host operating system security controls.

Solution

Edit the listener.ora file and add the following line for each listener in use on the system:

ADMIN_RESTRICTIONS_[listener-name] = ON

Restart the listener to activate the setting.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_11g_Y21M10_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5, CAT|II, Rule-ID|SV-24949r1_rule, STIG-ID|DO6740-ORACLE11, Vuln-ID|V-3497

Plugin: Unix

Control ID: c25873aab4d58bb9833ab585d8b5531c6eb09a729f1999cf1385598a5ca4b68b