
Oracle SQLNet and listener log files should not be accessible to unauthorized users.


Overview

Finding ID: V-2612
Version: DO5037-ORACLE10
Rule ID: SV-24945r1_rule
IA Controls: ECTP-1
Severity: Medium
Description
The SQLNet and Listener log files provide audit data useful to the discovery of suspicious behavior. The log files may contain usernames and passwords in clear text as well as other information that could aid a malicious user with unauthorized access attempts to the database. Generation and protection of these files helps support security monitoring efforts.
STIG: Oracle Database 10g Installation STIG
Date: 2014-04-02

Details

Check Text ( C-26571r1_chk )
Locate the Listener and SQLNet log files. View the contents of the sqlnet.ora and listener.ora configuration files in the ORACLE_HOME/network/admin directory, or in the directory named by the TNS_ADMIN environment variable if it is set in the environment of the listener process or service account:

If the sqlnet.ora parameter TRACE_LEVEL_SERVER is not defined or is set to OFF or 0, SQLNet logging is not enabled and the check of the sqlnet.ora parameters below is Not a Finding. Otherwise, verify that the directories specified in the following sqlnet.ora parameters exist. Note that TRACE_LEVEL_SERVER governs tracing; a sqlnet.log error log may still exist in the default location listed further down, so include any existing sqlnet.log in the permission review regardless of the trace setting:

LOG_FILE_SERVER = sqlnet [filename is sqlnet.log]
LOG_DIRECTORY_SERVER = [directory on a volume with enough free space]

Verify the directories and files specified in the following parameters of the listener.ora exist:

LOG_DIRECTORY_[listener name] = [directory on a volume with enough free space]
LOG_FILE_[listener name] = listener
TRACE_DIRECTORY_[listener name] = [directory on a volume with enough free space]

Default log file locations (by Oracle Version):

-- listener log directory and file: ORACLE_HOME/network/log/listener.log
-- listener trace directory and files: ORACLE_HOME/network/trace/listener.trc
-- sqlnet log file: ORACLE_HOME/network/log/sqlnet.log
-- sqlnet trace file: ORACLE_HOME/network/trace/sqlnet.trc
-- listener and sqlnet log files: ORACLE_HOME/network/log
-- sqlnet log file: ORACLE_HOME/network/log/sqlnet.log
-- sqlnet trace file: ORACLE_HOME/network/trace/*.trc

The listener log file location may also be determined with the lsnrctl utility: run the STATUS command and read the value shown for Listener Log File.

Review access permissions assigned to the files and directories:

- For UNIX, verify that the permissions on the log directory and the log files are restricted to the Oracle software owner and the OS DBA and/or Listener process group, with no permission bits granted to other users.

- For Windows, verify that the file permissions (ACLs) on the listener.log and sqlnet.log files restrict access to the Oracle software owner and the OS DBA and/or Listener process group, with no access for Everyone or Users.

If access to the files is not restricted as listed above, this is a Finding.
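The UNIX side of this check, written out as an added example (it is not part of the STIG text): the script reads the LOG_DIRECTORY_*/TRACE_DIRECTORY_* parameters from sqlnet.ora and listener.ora, falls back to the ORACLE_HOME/network/log and /trace defaults, and flags any directory or .log/.trc file whose mode grants anything to "other". The listener name LISTENER, the temporary directory and the two parameter files at the bottom are constructed for the demo, not taken from a real installation.

```shell
#!/bin/sh
# Added example, not part of the STIG text: locate the Oracle Net listener
# and SQL*Net log/trace directories from sqlnet.ora and listener.ora and
# flag any directory or .log/.trc file that grants access to "other".
# The listener name, paths and the sample configuration at the bottom are
# constructed for this demo, not taken from a real installation.
set -u

# Admin directory the way Oracle Net resolves it: TNS_ADMIN if set,
# otherwise ORACLE_HOME/network/admin.
net_admin_dir() {
    if [ -n "${TNS_ADMIN:-}" ]; then printf '%s\n' "$TNS_ADMIN"
    else printf '%s/network/admin\n' "${ORACLE_HOME:?ORACLE_HOME is not set}"; fi
}

# Value of one parameter in an Oracle Net parameter file (case-insensitive,
# spaces around '=' tolerated); prints nothing if the file or parameter is
# absent. Paths containing spaces are not handled.
net_param() {   # $1 = file, $2 = parameter name, e.g. LOG_DIRECTORY_LISTENER
    [ -r "$1" ] || return 0
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 |
        sed 's/^[^=]*=[[:space:]]*//' | tr -d ' \t\r'
}

# Octal mode of a path (GNU stat, with a BSD stat fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# 0 if the mode grants nothing to "other" (last octal digit is 0), else 1.
# Owner (Oracle software owner) and group (DBA / listener group) may keep
# access; that is what the STIG check allows.
no_other_access() {
    case "$(mode_of "$1")" in *0) return 0 ;; *) return 1 ;; esac
}

# Audit the configured and default log/trace directories for one listener.
# Prints "ok"/"FINDING", mode and path per entry; returns 1 if any finding.
audit_net_logs() {   # $1 = admin dir, $2 = listener name (as in listener.ora)
    adm=$1; lsnr=$2; home=${ORACLE_HOME:-/opt/oracle}; seen=' '; rc=0
    for d in "$(net_param "$adm/sqlnet.ora" LOG_DIRECTORY_SERVER)" \
             "$(net_param "$adm/sqlnet.ora" TRACE_DIRECTORY_SERVER)" \
             "$(net_param "$adm/listener.ora" "LOG_DIRECTORY_$lsnr")" \
             "$(net_param "$adm/listener.ora" "TRACE_DIRECTORY_$lsnr")" \
             "$home/network/log" "$home/network/trace"; do
        [ -n "$d" ] && [ -d "$d" ] || continue
        case "$seen" in *" $d "*) continue ;; esac   # skip duplicate directories
        seen="$seen$d "
        for p in "$d" "$d"/*.log "$d"/*.trc; do
            [ -e "$p" ] || continue
            if no_other_access "$p"; then printf 'ok      %s %s\n' "$(mode_of "$p")" "$p"
            else printf 'FINDING %s %s\n' "$(mode_of "$p")" "$p"; rc=1; fi
        done
    done
    return "$rc"
}

# --- constructed demo environment (temporary directory, no real Oracle) ---
demo=$(mktemp -d)
export ORACLE_HOME="$demo"          # no $demo/network/log exists, so defaults are skipped
mkdir -p "$demo/admin" "$demo/log" "$demo/trace"
cat > "$demo/admin/sqlnet.ora" <<EOF
TRACE_LEVEL_SERVER = USER
LOG_DIRECTORY_SERVER = $demo/log
LOG_FILE_SERVER = sqlnet
TRACE_DIRECTORY_SERVER = $demo/trace
EOF
cat > "$demo/admin/listener.ora" <<EOF
LOG_DIRECTORY_LISTENER = $demo/log
LOG_FILE_LISTENER = listener
TRACE_DIRECTORY_LISTENER = $demo/trace
EOF
: > "$demo/log/listener.log"; : > "$demo/log/sqlnet.log"; : > "$demo/trace/listener.trc"
chmod 750 "$demo/log" "$demo/trace"
chmod 640 "$demo/log/listener.log" "$demo/trace/listener.trc"
chmod 644 "$demo/log/sqlnet.log"    # world-readable: the one finding in the demo

if audit_net_logs "$demo/admin" LISTENER; then
    echo "compliant"
else
    echo "one or more log files are not restricted: Finding"
fi
```

On a real host, run it as the Oracle software owner with ORACLE_HOME (and TNS_ADMIN, if used) set as they are for the listener, and pass the listener name exactly as it appears in the listener.ora parameter suffixes; the default for LOG_DIRECTORY_SERVER and friends is the ORACLE_HOME/network tree, which is why those directories are always included.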
Fix Text (F-26554r1_fix)
Restrict access to the listener and sqlnet log files.

Restrict access to the tnslsnr service account to DBAs, SAs and auditors where they are required by assigned responsibilities.
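The UNIX remediation for the first sentence of the fix text, as an added example that is not the STIG's own: the function removes every "other" permission bit from a log/trace directory and the .log/.trc files in it (owner read/write, DBA or listener group read only) and a second function re-checks the result. The throwaway directory, its files and the group name "dba" are constructed for the demo; the chown to the Oracle software owner that a real fix would also include needs root and is only noted in a comment.

```shell
#!/bin/sh
# Added example, not the STIG's own text: apply the fix on UNIX by taking
# all "other" access away from an Oracle Net log/trace directory and the
# .log/.trc files in it, then re-check. The directory, files and the group
# name "dba" below are constructed for the demo.
set -u

mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Harden one directory: 750 on the directory, 640 on each log/trace file,
# and group ownership to $2 when that group exists here and we may change it.
# As root you would also run: chown -R <oracle software owner> "$dir"
restrict_net_logs() {   # $1 = directory, $2 = DBA/listener group name
    dir=$1; grp=$2
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    chmod 750 "$dir" || return 1
    for f in "$dir"/*.log "$dir"/*.trc; do
        [ -f "$f" ] || continue
        chmod 640 "$f" || return 1
    done
    if getent group "$grp" >/dev/null 2>&1; then
        chgrp -R "$grp" "$dir" 2>/dev/null || echo "chgrp $grp: needs the file owner or root" >&2
    else
        echo "group $grp does not exist on this host; chgrp skipped" >&2
    fi
    return 0
}

# 0 when nothing in the directory is reachable by "other", else 1.
verify_net_logs() {   # $1 = directory
    for p in "$1" "$1"/*.log "$1"/*.trc; do
        [ -e "$p" ] || continue
        case "$(mode_of "$p")" in
            *0) ;;
            *)  echo "still open: $p ($(mode_of "$p"))" >&2; return 1 ;;
        esac
    done
    return 0
}

# --- constructed demo: a throwaway directory standing in for
# ORACLE_HOME/network/log, with permissions a default install can leave ---
demo=$(mktemp -d)
: > "$demo/listener.log"; : > "$demo/sqlnet.log"; : > "$demo/listener.trc"
chmod 755 "$demo"; chmod 644 "$demo"/*.log "$demo"/*.trc

verify_net_logs "$demo" 2>/dev/null || echo "before: log files are world-readable"
restrict_net_logs "$demo" dba
verify_net_logs "$demo" && echo "after: dir $(mode_of "$demo"), files $(mode_of "$demo/listener.log")"
```

Run it against each directory the check identified (configured LOG_DIRECTORY_*/TRACE_DIRECTORY_* values and the ORACLE_HOME/network/log and /trace defaults), as root or the Oracle software owner; the listener keeps writing to the files because it runs as that owner, and the DBA group retains read access for monitoring.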