This note demonstrates how the COST parameter "SECURE_REGISTER_listener_name =" is used to restrict instance registration with a database listener. With this COST restriction in place, only local instances are allowed to register. The steps below can be used to address the issue published in Oracle Security Alert CVE-2012-1675 by using COST to restrict registration to local instances only.
About COST
The class of secure transports (COST) parameters specify a list of transports that are considered secure for administration and registration of a particular listener. The COST parameters identify which transports are considered secure for that installation and whether the administration of a listener requires secure transports. COST will not affect client connections utilizing other protocols. For more details and for information about other available COST parameters please see the 11.2 Network Administrators Guide and Network Reference.
1. Implementation
Starting from PSU 10.2.0.4.4, install PSU 10.2.0.4.12
$ unzip p12879933_1020412_AIX5L.zip
$ opatch prereq CheckConflictAgainstOHWithDetail -phBaseDir ./12879933
$ cd 12879933
$ opatch apply
Run the conflict check, then install patch 12880299
$ opatch prereq CheckConflictAgainstOHWithDetail -phBaseDir ./12880299
$ cd 12880299
$ opatch apply
Check that the patch was installed successfully
$ opatch lsinventory | grep 12880299
- Restricting registration to local instances with COST over the TCP protocol
1. Add "SECURE_REGISTER_listener_name = (TCP)" to listener.ora
LISTENER_PROD =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1551))
    )
  )
SECURE_REGISTER_LISTENER_PROD = (TCP)
2. Restart the listener
$ lsnrctl stop
$ lsnrctl start
- Restricting registration to local instances with COST over the IPC protocol
1. Stop the listener
$ lsnrctl stop
2. Add "SECURE_REGISTER_listener_name = (IPC)" to listener.ora
LISTENER_PROD =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER))
      (ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1551))
    )
  )
SECURE_REGISTER_LISTENER_PROD = (IPC)
3. Start the listener
$ lsnrctl start
4. Change the local_listener parameter
SQL> show parameter local_listener

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
local_listener                       string      (ADDRESS = (PROTOCOL = TCP)(HO
                                                 ST = netfl-bde)(PORT = 1551))

SQL> alter system set local_listener='(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER)))' scope = both;

System altered.

SQL> show parameter local_listener

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
local_listener                       string      (DESCRIPTION=(ADDRESS=(PROTOCO
                                                 L=IPC)(KEY=REGISTER)))
2. Verification
1. Comment out the COST setting and restart the listener
LISTENER_PROD =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1551))
    )
  )
# SECURE_REGISTER_LISTENER_PROD = (TCP)
2. Set the remote_listener system parameter
$ sqlplus "/ as sysdba"

SQL*Plus: Release 10.2.0.5.0 - Production on Fri May 4 10:11:27 2012

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.5.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> show parameter remote_listener;

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
remote_listener                      string

SQL> alter system set remote_listener='(ADDRESS=(PROTOCOL=TCP)(HOST=netfl-bde)(PORT=1551))' scope=memory;

System altered.
3. Check that "REMOTE SERVER" now appears in the listener's services
LSNRCTL> services listener_prod
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC2)))
Services Summary...
Service "N102.us.oracle.com" has 1 instance(s).
  Instance "N102", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0 state:ready
         REMOTE SERVER
         (ADDRESS=(PROTOCOL=TCP)(HOST=mes2)(PORT=1521))
The command completed successfully
4. Remove the comment from listener.ora (re-enable the COST setting) and restart the listener
LISTENER_PROD =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1551))
    )
  )
SECURE_REGISTER_LISTENER_PROD = (TCP)
5. Force registration with the remote listener
SQL> alter system register;

System altered.
6. Restart the listener first, then check whether "REMOTE SERVER" still appears in the listener's services
[oracle@bde]$ lsnrctl
7. Check the listener log: TNS-01194 messages show the registration being refused
$ tail /u01/app/oracle/product/11.2.0.2/network/log/listener.log
04-MAY-2012 10:43:03 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=netfl-bde)(USER=oracle)) (COMMAND=services)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647040)) * services * 0
04-MAY-2012 10:43:05 * service_register_NSGR * 1194 TNS-01194: The listener command did not arrive in a secure transport
04-MAY-2012 10:44:05 * service_register_NSGR * 1194 TNS-01194: The listener command did not arrive in a secure transport
8. Verification is complete; clear the remote_listener system parameter
SQL> alter system set remote_listener='' scope=memory;

System altered.
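As an added example (not from the original post), a small shell check that covers both the configuration in section 1 and the verification in section 2: it reads the SECURE_REGISTER entry out of listener.ora, ignoring commented-out lines, and counts the TNS-01194 refusals in listener.log. The listener.ora and listener.log contents are constructed samples modelled on this post, and the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: checks that listener.ora still
# carries SECURE_REGISTER_<listener> and that listener.log shows TNS-01194
# refusals. Sample files are constructed below; real paths are assumed.

# Constructed listener.ora modelled on the post's LISTENER_PROD entry.
write_sample_listener_ora() {
  cat > "$1" <<'EOF'
LISTENER_PROD =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1551))
    )
  )
SECURE_REGISTER_LISTENER_PROD = (TCP)
EOF
}

# Constructed listener.log lines in the format of the post's tail output.
write_sample_listener_log() {
  cat > "$1" <<'EOF'
04-MAY-2012 10:43:03 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=netfl-bde)(USER=oracle))(COMMAND=services)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647040)) * services * 0
04-MAY-2012 10:43:05 * service_register_NSGR * 1194 TNS-01194: The listener command did not arrive in a secure transport
04-MAY-2012 10:44:05 * service_register_NSGR * 1194 TNS-01194: The listener command did not arrive in a secure transport
EOF
}

# Print the transport list of SECURE_REGISTER_<$2> in file $1 (e.g. "TCP"),
# skipping commented-out lines; exit 1 when no COST restriction is configured.
cost_transports() {
  awk -v key="SECURE_REGISTER_$2" '
    { line = $0; sub(/#.*/, "", line) }
    toupper(line) ~ ("^[ \t]*" toupper(key) "[ \t]*=") {
      sub(/^[^=]*=[ \t]*\(/, "", line); sub(/\).*$/, "", line)
      gsub(/[ \t]/, "", line); print line; found = 1
    }
    END { exit (found ? 0 : 1) }' "$1"
}

# Count registration commands the listener refused (TNS-01194) in log $1.
count_refused_registrations() {
  grep -c 'TNS-01194' "$1" || true
}

# Exit 0 when listener $2 in $1 restricts registration to TCP or IPC, as in
# this post; any other value, or no entry at all, is reported as not hardened.
registration_is_local_only() {
  t=$(cost_transports "$1" "$2") || return 1
  case "$t" in TCP|IPC) return 0 ;; *) return 1 ;; esac
}
```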
3. Rollback
If problems occur, roll back.
1. Restore listener.ora with SECURE_REGISTER_listener_name commented out
LISTENER_PROD =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1551))
    )
  )
# SECURE_REGISTER_LISTENER_PROD = (TCP)
2. Rollback patch 12880299
$ $ORACLE_HOME/OPatch/opatch rollback -id 12880299
References:
Using Class of Secure Transport (COST) to Restrict Instance Registration [ID 1453883.1]
From the ITPUB blog, link: http://blog.itpub.net/17997/viewspace-763695/. If reposting, please cite the source; otherwise legal action will be pursued.