
V-270539

CAT II (Medium)

Network access to Oracle Database must be restricted to authorized personnel.

Rule ID

SV-270539r1064895_rule

STIG

Oracle Database 19c Security Technical Implementation Guide

Version

V1R5

CCIs

CCI-000366

Discussion

Restricting remote access to specific, trusted systems helps prevent access by unauthorized and potentially malicious users.

Check Content

IP address restriction may be defined for the database listener, by use of the Oracle Connection Manager or by an external network device.

Identify the method used to enforce address restriction (interview the database administrator [DBA] or review system documentation).

If enforced by the database listener, then review the SQLNET.ORA file located in the ORACLE_HOME/network/admin directory (this assumes that a single sqlnet.ora file, in the default location, is in use; SQLNET.ORA could also be in the directory indicated by the TNS_ADMIN environment variable or registry setting).

If the following entries do not exist, then restriction by IP address is not configured, and this is a finding.

tcp.validnode_checking=YES
tcp.invited_nodes=(IP1, IP2, IP3)

If enforced by an Oracle Connection Manager, then review the CMAN.ORA file for the Connection Manager (located in the TNS_ADMIN or ORACLE_HOME/network/admin directory for the connection manager).

If a RULE entry allows all addresses ("/32") or does not match the address range specified in the system documentation, this is a finding.

(rule=(src=[IP]/27)(dst=[IP])(srv=*)(act=accept))

Note: An IP address with a "/" indicates acceptance by subnet mask, where the number after the "/" is the number of leftmost bits in the address that must match for the rule to apply.
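The listener and Connection Manager reviews above can be scripted. The following is an added example, not part of the STIG or of any Oracle tooling. The function names, the sample file contents and the documented node and range lists are assumptions, and comparing tcp.invited_nodes against the system documentation goes beyond the existence check stated in the text.

```python
import ipaddress
import re

def _body(text):
    # '#' starts a comment; strip it so a commented-out parameter does not count.
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def check_sqlnet(text, documented_nodes):
    """Findings for a sqlnet.ora body; an empty list means no finding."""
    body, findings = _body(text), []
    # Names are matched case-insensitively; a value may span several lines.
    m = re.search(r"^\s*tcp\.validnode_checking\s*=\s*(\w+)", body, re.I | re.M)
    if not m or m.group(1).upper() != "YES":
        findings.append("tcp.validnode_checking is not YES")
    m = re.search(r"^\s*tcp\.invited_nodes\s*=\s*\(([^)]*)\)", body, re.I | re.M)
    nodes = [n.strip() for n in m.group(1).split(",") if n.strip()] if m else []
    if not nodes:
        findings.append("tcp.invited_nodes is missing or empty")
    for extra in sorted(set(nodes) - set(documented_nodes)):
        findings.append(f"invited node {extra} is not documented")
    return findings

def check_cman(text, documented_ranges):
    """Findings for cman.ora accept rules whose src is outside the documented ranges."""
    allowed = [ipaddress.ip_network(r) for r in documented_ranges]
    findings = []
    rule = r"\(\s*rule\s*=\s*\(\s*src\s*=\s*([^)\s]+)\s*\).*?\(\s*act\s*=\s*(\w+)"
    for src, act in re.findall(rule, _body(text), re.I | re.S):
        if act.lower() != "accept":
            continue
        try:
            net = ipaddress.ip_network(src, strict=False)
            ok = any(net.version == a.version and net.subnet_of(a) for a in allowed)
        except ValueError:  # wildcard or host name: cannot be matched to a range
            ok = False
        if not ok:
            findings.append(f"accept rule src={src} is outside the documented ranges")
    return findings

# Constructed samples (RFC 5737 documentation addresses), not from a real system.
DOCUMENTED_NODES = {"192.0.2.10", "192.0.2.11"}
SQLNET_OK = "TCP.VALIDNODE_CHECKING = yes\ntcp.invited_nodes = (192.0.2.10,\n  192.0.2.11)\n"
SQLNET_BAD = "#tcp.validnode_checking=YES\ntcp.invited_nodes=(192.0.2.10, 198.51.100.7)\n"
CMAN = ("(rule=(src=192.0.2.32/27)(dst=192.0.2.5)(srv=*)(act=accept))\n"
        "(rule=(src=*)(dst=192.0.2.5)(srv=*)(act=accept))\n")

if __name__ == "__main__":
    print(check_sqlnet(SQLNET_BAD, DOCUMENTED_NODES))
    print(check_cman(CMAN, ["192.0.2.32/27"]))
```

Point the functions at the file actually in use (the TNS_ADMIN location if set), since a compliant file in the default directory proves nothing when the listener reads a different one.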

Fix Text

Configure the database listener to restrict access by IP address or set up an external device to restrict network access to the DBMS.

More information can be found at https://docs.oracle.com/en/database/oracle/oracle-database/19/netrf/parameters-for-the-sqlnet.ora.html#GUID-5C3AB641-7541-4CE9-BC9E-BA5DD30616A8.