Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-3862 | DO0286-ORACLE11 | SV-24890r1_rule | ECLO-1 | Medium |
Description |
---|
The INBOUND_CONNECT_TIMEOUT_[listener-name] and SQLNET.INBOUND_CONNECT_TIMEOUT parameters define the time limit that the database listener and database server, respectively, will wait for a client connection to complete after a connection request is made. This limit protects the listener and database server from a Denial-of-Service attack in which a client makes multiple connection requests that are never used or closed. Server resources can be exhausted if unused connections are maintained. |
STIG | Date |
---|---|
Oracle Database 11g Installation STIG | 2014-04-02 |
Check Text ( C-29443r1_chk ) |
---|
Review the listener.ora file and the sqlnet.ora file. If the INBOUND_CONNECT_TIMEOUT_[listener-name] parameter does not exist for each listener found in listener.ora, or does not contain a value greater than 0, this is a Finding. If the SQLNET.INBOUND_CONNECT_TIMEOUT parameter does not exist in sqlnet.ora, or does not contain a value greater than 0, this is a Finding. NOTE: Although the default value may provide adequate protection, assuming the default could lead to unanticipated changes in future product updates. Specify a value to manage the setting. |
Fix Text (F-26505r1_fix) |
---|
Using a text editor or administrative tool, modify the listener.ora file to include a limit for connection request timeouts for the listener. Example entry (value unit is in seconds): `INBOUND_CONNECT_TIMEOUT_LISTENER = 2`. Modify the sqlnet.ora file to include a limit for connection request timeouts for the listener. Example entry (value unit is in seconds): `SQLNET.INBOUND_CONNECT_TIMEOUT = 3`. Review the Oracle Net Services Administrator's Guide for information about configuring these parameters. |
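
The check above can be automated. The following is an added example, not part of the STIG or any Oracle tooling: it scans the text of both files and reports each missing or non-positive timeout. It assumes listeners are top-level entries whose value opens with `(DESCRIPTION...` or `(ADDRESS...`; the function names, host name and sample file contents are constructed for illustration.

```python
import re

# Assumption: a listener is a top-level "NAME = (DESCRIPTION..." or "(ADDRESS..."
# entry. SID_LIST_* blocks and scalar parameters do not match this pattern.
LISTENER_DEF = re.compile(r"^([A-Za-z][\w.]*)\s*=\s*\(\s*(?:DESCRIPTION|ADDRESS)", re.I | re.M)
# Scalar "NAME = value" parameters written on a single line.
SCALAR = re.compile(r"^([A-Za-z][\w.]*)[ \t]*=[ \t]*([^\s(#]+)[ \t]*$", re.M)

def strip_comments(text):
    """Drop '#' comments so a commented-out parameter is not counted as set."""
    return re.sub(r"#.*", "", text)

def scalars(text):
    """Map upper-cased parameter names to their raw values."""
    return {k.upper(): v for k, v in SCALAR.findall(strip_comments(text))}

def positive(value):
    """True only for an explicitly configured integer greater than 0."""
    return value is not None and value.isdigit() and int(value) > 0

def check(listener_ora, sqlnet_ora):
    """Return one finding string per missing or non-positive timeout."""
    findings = []
    params = scalars(listener_ora)
    for name in LISTENER_DEF.findall(strip_comments(listener_ora)):
        key = f"INBOUND_CONNECT_TIMEOUT_{name.upper()}"
        if not positive(params.get(key)):
            findings.append(f"listener.ora: {key} missing or not > 0")
    if not positive(scalars(sqlnet_ora).get("SQLNET.INBOUND_CONNECT_TIMEOUT")):
        findings.append("sqlnet.ora: SQLNET.INBOUND_CONNECT_TIMEOUT missing or not > 0")
    return findings

# Constructed sample input: two listeners, only one with an active timeout.
SAMPLE_LISTENER_ORA = """\
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1521))))
LISTENER_ADMIN =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1522)))
SID_LIST_LISTENER =
  (SID_LIST = (SID_DESC = (SID_NAME = ORCL)))
INBOUND_CONNECT_TIMEOUT_LISTENER = 2
# INBOUND_CONNECT_TIMEOUT_LISTENER_ADMIN = 2
"""
SAMPLE_SQLNET_ORA = "SQLNET.INBOUND_CONNECT_TIMEOUT = 3   # seconds\n"

if __name__ == "__main__":
    for finding in check(SAMPLE_LISTENER_ORA, SAMPLE_SQLNET_ORA):
        print("FINDING:", finding)
```

The second listener is reported because its timeout line is commented out, which is the per-listener case the check text calls for.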