Skip Headers
Oracle® Enterprise Manager Policy Reference Manual
10g Release 2 (10.2)

Part Number B16231-01
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Feedback page
Feedback

Go to previous page
Previous
Go to next page
Next
View PDF

6 Host Policies

This chapter provides the following information for each of the Host policies:

The Host policies are categorized as follows:

6.1 Configuration Policies

The configuration policies for the Host target are:

6.1.1 Critical Patch Advisories for Oracle Homes

This policy evaluates and informs the Enterprise Manager administrators of patch advisories that are applicable to various Oracle Homes in the enterprise.

Policy Summary

The following table lists the policy's main properties.

Severity Category Target Type Versions Affected Policy Rule EvaluationFoot 1  Automatically Enabled? Alert Message
Critical Configuration Host Any version of Oracle products in the Oracle Homes could be affected by the patch advisories. The underlying metric is critcal_patch_advisories_metric. Whenever the RefreshFromMetalink job is run or any HostConfigurationCollection happens, the metric is evaluated. The RefreshFromMetalink job is scheduled to run once every 24 hours but the user can run the job anytime. Yes To help ensure a secure and reliable configuration, all relevant and current critical patches should be applied. Vulnerabilities have been identified for the following critical patch advisories.

Footnote 1 The policy rule is evaluated each time its underlying metric is collected.

Defaults

Parameters and Their Default Values

None

Objects Excluded by Default

None

Impact of Violation

Vulnerabilities have been identified for the current critical patch advisories.

Action

The user is advised to apply the critical patches and resolve the vulnerabilities.

6.2 Security Policies

The security policies for the Host target are:

6.2.1 Execute Stack

This policy ensures that the Operating System configuration parameter, which enables execution of code on the user stack, is not enabled.

Policy Summary

The following table lists the policy's main properties.

Severity Category Target Type Versions Affected Policy Rule EvaluationFoot 1  Automatically Enabled? Alert Message
Warning Security Host All UNIX-Based Operating Systems The underlying metric is executeStackRep which has a collection frequency of once every 24 hours. Yes The host is in an insecure state. Executable code on the user stack is enabled.

Footnote 1 The policy rule is evaluated each time its underlying metric is collected.

Defaults

Parameters and Their Default Values

None

Objects Excluded by Default

Not Applicable

Impact of Violation

Enabling code execution on the user stack may allow a malicious user to exploit stack buffer overflows. Overflows can cause portions of a system to fail, or even execute arbitrary code.

Action

Disable code execution on the user stack.

6.2.2 Insecure Services

This policy ensures that there are no insecure services (for example, telnet and FTP) running on the server. When installed, most operating systems run services that are not always necessary, for example Simple Mail Transfer Protocol (SMTP) and File Transfer Protocol (FTP). These services might pose security risks. This policy ensures that such services are shut down.

Policy Summary

The following table lists the policy's main properties.

Severity Category Target Type Versions Affected Policy Rule EvaluationFoot 1  Automatically Enabled? Alert Message
Warning Security Host All Systems The underlying metric is insecureServicesRep which has a collection frequency of once every 24 hours. Yes The host is in an insecure state. The insecure service %service% is running on the host.

Footnote 1 The policy rule is evaluated each time its underlying metric is collected.

Defaults

Parameters and Their Default Values

None

Objects Excluded by Default

Not Applicable

Impact of Violation

Insecure services may allow a malicious user to take over the host.

Action

Do not run insecure services.

6.2.3 NTFS File System

This policy ensures that the file system on a Windows operating system uses is NT File System (NTFS).

NTFS is far more secure than File Allocation Table (FAT) because it is tightly integrated with the operating system security. NTFS also allows users to set file-level security and permissions on folders. Local or domain accounts can be used to provide different levels of access to files and folders. Windows 2000 also supports encryption on NTFS partitions, making the partitions more secure.

Policy Summary

The following table lists the policy's main properties.

Severity Category Target Type Versions Affected Policy Rule EvaluationFoot 1  Automatically Enabled? Alert Message
Critical Security Host Windows Operating Systems The underlying metric is fileSystemTypeRep which has a collection frequency of once every 24 hours. Yes The host is in an insecure state. NTFS is not configured on the Windows operating system.

Footnote 1 The policy rule is evaluated each time its underlying metric is collected.

Defaults

Parameters and Their Default Values

None

Objects Excluded by Default

Not Applicable

Impact of Violation

Other than NTFS, file systems on Windows platforms may have serious security risks.

Action

On Windows operating systems, it is strongly recommended to use NTFS as the file system.

6.2.4 Open Ports

This policy ensures that no unintended ports are left open.

Policy Summary

The following table lists the policy's main properties.

Severity Category Target Type Versions Affected Policy Rule EvaluationFoot 1  Automatically Enabled? Alert Message
Critical Security Host All Operating Systems The underlying metric is openPortsRep which has a collection frequency of once every 24 hours. Yes The host is in an insecure state. Port %port% is open.

Footnote 1 The policy rule is evaluated each time its underlying metric is collected.

Defaults

Parameters and Their Default Values

Parameter name: DFLT_PORT

Default value: 32767

Objects Excluded by Default

Not Applicable

Impact of Violation

Open ports may allow a malicious user to take over the host.

Action

Do not open insecure ports. Be sure to close both the User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) ports to ensure security.