Oracle® Database Vault Installation Guide 10g Release 2 (10.2) for Microsoft Windows (64-Bit) on Intel Itanium Part Number B32486-02 |
|
|
View PDF |
This appendix lists the security recommendations for protecting the database listener.
The following configuration guidelines help enhance the security for your database listener:
The database listener configuration file, listener.ora
, and the supporting OracleNet configuration file, tnsnames.ora
, should have the ADMIN_RESTRICTIONS_LISTENER_
SID
=ON
protection enabled.
The database listener configuration file, listener.ora
, and the supporting OracleNet configuration file, tnsnames.ora
, should have the PLSExtProc
listener disabled.
The listener should be configured to listen on a non-standard port. This means that the default port (1521) should be changed.
The listener should be password protected or leverage operating system (OS) authentication based on the organizational security policy.
The listener should use a unique name, which should be different from the default name.
The listener.ora
file should have the following parameter set:
INBOUND_CONNECT_TIMEOUT_ListenerName = 10
The sqlnet.ora
file should have the following parameters set:
SQLNET.INBOUND_CONNECT_TIMEOUT = 12 SQLNET.EXPIRE_TIME = 10
The listener should have logging enabled as follows:
LOGGING_LISTENER = ON LOG_STATUS = ON LOG_DIRECTORY_ListenerName = Directory_owned_by_Administrator LOG_FILE_ListenerName = File_owned_by_Administrator
Note:
Only the Administrators group should have permissions over theLOG_DIRECTORY
.
Only the Administrators group should have read and write permissions over the LOG_FILE
.
The listener should have tracing enabled as follows:
TRACE_DIRECTORY_ListenerName = Directory_owned_by_Oracle_account TRACE_FILE_ListenerName = File_owned_by_Oracle_account TRACE_LEVEL = user TRACE_FILELEN_ListenerName = 512 TRACE_FILENO_ListenerName = 1000 TRACE_TIMESTAMP_ListenerName = dd-mon-yyyy hh:mi:ss:mil
Note:
Only the Administrators group should have read and write permissions over theTRACE_DIRECTORY
.
Only the Administrators group should have read and write permissions over the TRACE_FILE
.