OS-Level pre-defined policies
The FortiDB OS-Level pre-defined policies gather and evaluate information about the target database's operating system (OS). They use SSH and a client-side script that contains OS commands.
To assess Oracle target computers using OS-Level pre-defined policies, see “Enabling operating system vulnerability assessment (OSVA) for Solaris and AIX”.
The OS-Level pre-defined policies require the following permissions. Each policy is listed with its purpose and the permissions the SSH user needs on the target.

OSVA ORCL 01.01 Oracle Critical Patches (opatch)
Purpose: Returns the opatch version and the applied critical patch numbers.
Required permissions:
Oracle 9i, 10g or 11g: the SSH user needs execute permission on opatch, and the SSH user's PATH variable should include the location of opatch.
Oracle 10g and 11g: the SSH user needs read, write, and execute permissions on opatch and on $ORACLE_HOME/cfgtoollogs/opatch/lsinv.

OSVA ORCL 01.02 Oracle Owner-Login Check
Purpose: Alerts if the Oracle owner, as specified on the FortiDB Database Connection GUI, is not in /etc/passwd.
Required permissions: The SSH user needs read permission on /etc/passwd, using the cat and grep commands.

OSVA ORCL 01.03 Oracle DBA-Group Check
Purpose: Alerts if dba is not in the /etc/group file.
Required permissions: The SSH user needs read permission on /etc/group, using the cat and grep commands.

OSVA ORCL 01.04 Oracle DBA-Group-Member List
Purpose: Returns a list of the members of the dba group from /etc/passwd and /etc/group.
Required permissions: The SSH user needs read permission on /etc/passwd and /etc/group, using the cat and grep commands.

OSVA ORCL 01.05 Oracle Process-Owner Check
Purpose: Alerts if the Oracle process is being run by a non-Oracle user such as root or bin.
Required permissions: The SSH user needs execute permission for the ps and grep commands.

OSVA ORCL 01.06 Oracle Excessive Directory & File Permissions Check
Purpose: Alerts if the "other" permissions on the Oracle Home directory (and its contents), as specified on the Create/Modify Database Connection screen, include both read and write but not execute.
Required permissions: The SSH user needs other read and execute permissions on the $ORACLE_HOME directory. For example setup instructions, see Using Minimally-Privileged User with an ACL.

OSVA ORCL 01.07 Oracle Correct Directory/File Owner & Group Check
Purpose: Alerts if files and directories under the Oracle Home directory specified on the Create/Modify Database Connection screen do not have the correct owner and group. Exempt from this check are:
$ORACLE_HOME/bin/oracle
$ORACLE_HOME/bin/oradism
$ORACLE_HOME/bin/dbsnmp
Required permissions: The SSH user needs other read and execute permissions on the $ORACLE_HOME directory. For example setup instructions, see Using Minimally-Privileged User with an ACL.

OSVA ORCL 01.08 Oracle setuid/setgid File Check
Purpose: Alerts if setuid or setgid permissions are assigned to files and directories under the Oracle Home directory specified on the Create/Modify Database Connection screen. Exempt from this check are:
$ORACLE_HOME/bin/oracle
$ORACLE_HOME/bin/oradism
$ORACLE_HOME/bin/dbsnmp
Required permissions: The SSH user needs other read and execute permissions on the $ORACLE_HOME directory. For example setup instructions, see Using Minimally-Privileged User with an ACL.

OSVA ORCL 01.09 Oracle Database-Configuration-Change Check
Purpose: Checks whether these database configuration files changed between the previous and current assessments:
init.ora
spfile.ora
Required permissions: The SSH user needs execute permission for ls on the $ORACLE_HOME/dbs/ directory, and read permission on the $ORACLE_HOME/dbs/ directory.

OSVA ORCL 01.10 Oracle Network-Configuration-Change Check
Purpose: Checks whether these network configuration files changed between the previous and current assessments:
listener.ora
tnsnames.ora
sqlnet.ora
Required permissions: The SSH user needs execute permission for ls on the $ORACLE_HOME/network/admin/ directory, and read permission on the $ORACLE_HOME/network/admin/ directory.

OSVA ORCL 01.11 Oracle Installed-Operating-System Info
Purpose: Returns the OS name and version.
Required permissions: The SSH user needs execute permission for cat on the /etc/release file, and read permission on the /etc/release file.

OSVA ORCL 01.12 Oracle External-Procedure Processes Running Check
Purpose: Alerts if an external-procedure process is running on the target server.
Required permissions: The SSH user needs execute permission for ps and grep.

OSVA ORCL 01.13 Oracle EXTPROC
Purpose: Alerts if any EXTPROC settings are listed in listener.ora. For example:
(SID_NAME = PLSExtProc)
Required permissions: The SSH user needs execute permission for cat on the listener.ora file, and read permission on the listener.ora file.

OSVA ORCL 01.14 Oracle Missing-Listener-Password Check
Purpose: Alerts if a PASSWORD setting is missing in listener.ora.
Required permissions: The SSH user needs execute permission for cat on the listener.ora file, and read permission on the listener.ora file.

OSVA ORCL 01.15 Oracle Missing-Listener-ADMIN_RESTRICTIONS Check
Purpose: Alerts if an ADMIN_RESTRICTIONS setting is missing in listener.ora.
Required permissions: The SSH user needs execute permission for cat on the listener.ora file, and read permission on the listener.ora file.

OSVA ORCL 01.16 Oracle Default-Listener Check
Purpose: Alerts if the default LISTENER is set in listener.ora.
Required permissions: The SSH user needs execute permission for cat on the listener.ora file, and read permission on the listener.ora file.

OSVA ORCL 01.17 Oracle Default-Port (1521) Check
Purpose: Alerts if the default PORT is set in listener.ora.
Required permissions: The SSH user needs execute permission for cat on the listener.ora file, and read permission on the listener.ora file.

OSVA ORCL 01.18 Oracle Advanced-Listener-Security Settings Check
Purpose: Alerts if any Oracle Advanced Security settings are missing in sqlnet.ora. For example, the presence of the following would not cause an alert:
SQLNET.ENCRYPTION_SERVER = Requested
Required permissions: The SSH user needs execute permission for grep on the sqlnet.ora file, and read permission on the sqlnet.ora file.

OSVA ORCL 01.19 Oracle Configured Listener List
Purpose: Displays all listener names.
Required permissions: The SSH user needs execute permission for cat on the listener.ora file, and read permission on the listener.ora file.

OSVA ORCL 01.20 Oracle Unencrypted Listener Password Check
Purpose: Alerts if the password in listener.ora is unencrypted. Encrypted passwords should be 16 characters long and consist only of upper-case letters from A to F or numbers. For example, the following is an acceptably encrypted password and would not generate an alert:
PASSWORDS_LISTENER = F56401ADBA6810DS
Required permissions: The SSH user needs execute permission for cat on the listener.ora file, and read permission on the listener.ora file.
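The listener.ora checks above (01.13 to 01.17 and 01.20) need only read access to the file plus cat, grep and sed. The script below is an added example, not FortiDB's client-side script; the constructed sample listener.ora, the alert wording and the regular expressions are this example's own assumptions, and 01.20 implements the 16-character A-F/0-9 rule exactly as the table states it.

```shell
# Constructed sample listener.ora (not taken from any real system), written to a temp file.
LISTENER_ORA="$(mktemp)"
cat > "$LISTENER_ORA" <<'EOF'
LISTENER =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521)))
SID_LIST_LISTENER =
  (SID_LIST = (SID_DESC = (SID_NAME = PLSExtProc)(PROGRAM = extproc)))
PASSWORDS_LISTENER = oracle
EOF
# Each check reads the file named in $1, writes a finding to stderr and returns 1 when it
# would alert, 0 otherwise. Only read access to the file plus cat/grep/sed is needed.
check_extproc() {              # 01.13: any EXTPROC entry
  if grep -Eiq 'extproc' "$1"; then echo "ALERT: EXTPROC configured" >&2; return 1; fi
  return 0
}
check_password_present() {     # 01.14: a PASSWORDS_<listener> setting must exist
  if grep -Eiq '^[[:space:]]*PASSWORDS_[A-Za-z0-9_]+[[:space:]]*=' "$1"; then return 0; fi
  echo "ALERT: no PASSWORD setting" >&2; return 1
}
check_admin_restrictions() {   # 01.15: an ADMIN_RESTRICTIONS_<listener> setting must exist
  if grep -Eiq '^[[:space:]]*ADMIN_RESTRICTIONS_[A-Za-z0-9_]+[[:space:]]*=' "$1"; then return 0; fi
  echo "ALERT: ADMIN_RESTRICTIONS missing" >&2; return 1
}
check_default_listener() {     # 01.16: the default name LISTENER is in use
  if grep -Eq '^[[:space:]]*LISTENER[[:space:]]*=' "$1"; then echo "ALERT: default LISTENER name" >&2; return 1; fi
  return 0
}
check_default_port() {         # 01.17: the default port 1521 is in use
  if grep -Eiq '\(PORT[[:space:]]*=[[:space:]]*1521[[:space:]]*\)' "$1"; then echo "ALERT: default port 1521" >&2; return 1; fi
  return 0
}
check_password_encrypted() {   # 01.20: value must be 16 characters of 0-9 / A-F (one value per line assumed)
  pw=$(sed -n 's/^[[:space:]]*PASSWORDS_[A-Za-z0-9_]*[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)
  if [ -z "$pw" ]; then return 0; fi          # absence is reported by 01.14, not here
  if echo "$pw" | grep -Eq '^[0-9A-F]{16}$'; then return 0; fi
  echo "ALERT: listener password is not in encrypted form" >&2; return 1
}
# Runs every check, prints the number of alerts and always returns 0 (safe under set -e).
audit_listener() {
  n=0
  for c in check_extproc check_password_present check_admin_restrictions \
           check_default_listener check_default_port check_password_encrypted; do
    "$c" "$1" || n=$((n + 1))
  done
  echo "$n"
}
audit_listener "$LISTENER_ORA"   # prints 5 for the constructed sample above
```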
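Policies 01.06 to 01.08 are find(1) queries over the Oracle Home tree run with the "other" read and execute access the table asks for. The following is an added example, not FortiDB's own script: the temporary ORACLE_HOME layout, the file modes, the file names other than the three exempt binaries, and the expected owner/group arguments are constructed for the example.

```shell
# Constructed ORACLE_HOME tree in a temp dir (assumed layout, not a real installation).
OH="$(mktemp -d)"
mkdir -p "$OH/bin" "$OH/dbs"
: > "$OH/bin/oracle";     chmod 4751 "$OH/bin/oracle"     # setuid, but exempt by name
: > "$OH/bin/tnslsnr";    chmod 4755 "$OH/bin/tnslsnr"    # setuid, not exempt -> 01.08 alert
: > "$OH/dbs/init.ora";   chmod 0666 "$OH/dbs/init.ora"   # other = rw-, no x -> 01.06 alert
: > "$OH/dbs/spfile.ora"; chmod 0640 "$OH/dbs/spfile.ora" # no access for other -> clean

# 01.06: entries under ORACLE_HOME whose "other" bits include read and write but not execute.
find_other_rw_noexec() {
  find "$1" -perm -006 ! -perm -001 -print
}
# 01.08: setuid/setgid entries, skipping the three binaries the page exempts (prune-or-print idiom).
find_setuid_setgid() {
  find "$1" \( -path "$1/bin/oracle" -o -path "$1/bin/oradism" -o -path "$1/bin/dbsnmp" \) -prune \
       -o \( -perm -4000 -o -perm -2000 \) -print
}
# 01.07: entries whose owner or group is not the expected Oracle owner ($2) / group ($3), same exemptions.
find_wrong_owner() {
  find "$1" \( -path "$1/bin/oracle" -o -path "$1/bin/oradism" -o -path "$1/bin/dbsnmp" \) -prune \
       -o \( ! -user "$2" -o ! -group "$3" \) -print
}
# Number of findings produced by a finder; wc keeps the exit status 0 even when nothing matches.
count_findings() { "$@" | wc -l | tr -d ' '; }

printf 'other rw without x: %s\nsetuid/setgid: %s\nwrong owner/group: %s\n' \
  "$(count_findings find_other_rw_noexec "$OH")" \
  "$(count_findings find_setuid_setgid "$OH")" \
  "$(count_findings find_wrong_owner "$OH" "$(id -un)" "$(id -gn)")"
```

For the constructed tree this reports 1, 1 and 0 findings: only init.ora has other=rw without x, only tnslsnr is a non-exempt setuid file, and everything is owned by the user who ran the script.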
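Policies 01.09 and 01.10 compare configuration files between the previous and the current assessment. This added example (not FortiDB's own script, which the page does not show) keeps a checksum baseline from the previous run and reports modified, new and removed files using only read access plus ls/cksum; the directory layout, the baseline file location and the sample file contents are assumed.

```shell
# Constructed directory standing in for $ORACLE_HOME/dbs and $ORACLE_HOME/network/admin
# (assumed layout, not a real installation); the baseline path is this example's own choice.
CFG="$(mktemp -d)"
BASELINE="$CFG/.osva_baseline"
printf 'db_name=ORCL\nprocesses=300\n' > "$CFG/init.ora"
printf 'LISTENER = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(PORT = 1521)))\n' > "$CFG/listener.ora"

# Write one "crc size name" line per tracked file that exists ($1 = dir, $2 = output file).
snapshot() {
  ( cd "$1" && for f in init.ora spfile.ora listener.ora tnsnames.ora sqlnet.ora; do
      if [ -f "$f" ]; then cksum "$f"; fi
    done ) > "$2"
}
# Print tracked files whose checksum line is not in the baseline (modified or newly created),
# then baseline files that no longer exist on disk ($1 = dir, $2 = baseline file).
changed_since() {
  cur="$(mktemp)"
  snapshot "$1" "$cur"
  grep -vxF -f "$2" "$cur" | awk '{ print $3 }'
  awk '{ print $3 }' "$2" | while read -r name; do
    if [ ! -f "$1/$name" ]; then echo "$name (removed)"; fi
  done
  rm -f "$cur"
}

snapshot "$CFG" "$BASELINE"                                          # previous assessment
printf 'db_name=ORCL\nprocesses=400\n' > "$CFG/init.ora"             # parameter edited since
printf 'SQLNET.ENCRYPTION_SERVER = Requested\n' > "$CFG/sqlnet.ora"  # new file appeared
rm -f "$CFG/listener.ora"                                            # file disappeared
changed_since "$CFG" "$BASELINE"   # current assessment: init.ora, sqlnet.ora, listener.ora (removed)
```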
 
Use your known_hosts file to give access to certain hosts only.
See also
Setting an access control list (ACL) for minimally-privileged users