Re: is it ok to tighten up extproc security?

  • From: "Andrew Kerber" <andrew.kerber@xxxxxxxxx>
  • To: dcowles@xxxxxxxxxx
  • Date: Fri, 14 Nov 2008 08:18:49 -0600

That is a standard SOX recommendation. I would go ahead and get rid of it;
most applications do not use the extproc.

On Fri, Nov 14, 2008 at 1:51 AM, Douglas Cowles <dcowles@xxxxxxxxxx> wrote:

>
> An application called appdetective has flagged one of my systems as having
> an extproc service which is a security violation in its estimation.
> It recommends I either remove the lines from listener.ora to prevent the
> service from spawning or modify the protocol.ora to use validnode checking
> parameter to only accept requests from certain network addresses.
>
> My first question is how can I determine whether there are any external
> procs being used in the database in the first place.   I would figure it
> would require a library, but all the libraries I have in the database are
> owned by sys and don't seem user generated even for Peoplesoft purposes.   I
> would imagine I could turn this off but someone must have modified the
> listener at some point to allow extproc in the first place which makes me
> think someone wanted to do it but when and for what.  It could have been
> set up 3 years ago.
>
> Secondly, if the first question is not definitive, is simply putting the
> database server itself as the only node allowed to invoke extproc a solution
> that is likely to handle things?  It is possible a Peoplesoft app or web
> server would want to invoke an extproc on a database server?
>
> This is a 10.2.0.3 database on AIX 5.3 running Peoplesoft  9 (unsure of
> exact version)
>
> Any other thoughts about how to handle a violation item like this would be
> appreciated.
>
>
> Thanks,
> Doug Cowles
>



-- 
Andrew W. Kerber

'If at first you dont succeed, dont take up skydiving.'
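
An added example, not part of the original thread: data dictionary queries that address the first question above (whether any external procedures are in use) before the extproc entry is removed from listener.ora. It assumes an account with access to the DBA_ views; nothing here comes from the posters' system.

```sql
-- Added example: inventory of external-procedure usage from the data dictionary.
-- Assumption: run as a user who can read the DBA_ views.

-- 1. Every library registered in the database, with the file it points to.
--    DYNAMIC = 'Y' marks a library backed by a shared object on disk (FILE_SPEC).
SELECT owner, library_name, file_spec, dynamic, status
  FROM dba_libraries
 ORDER BY owner, library_name;

-- 2. Stored code (procedures, functions, packages, types) whose call
--    specification depends on a dynamically loaded library.
SELECT d.owner,
       d.name,
       d.type,
       l.owner        AS library_owner,
       l.library_name,
       l.file_spec
  FROM dba_dependencies d
  JOIN dba_libraries l
    ON l.owner        = d.referenced_owner
   AND l.library_name = d.referenced_name
 WHERE d.referenced_type = 'LIBRARY'
   AND l.dynamic = 'Y'
 ORDER BY d.owner, d.name;

-- 3. Accounts and roles that are able to register new libraries.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE LIBRARY', 'CREATE ANY LIBRARY')
 ORDER BY grantee;
```

Objects returned by the second query are the ones to review with the application owners before the listener change is made.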
