Re: is it ok to tighten up extproc security?

From: Andrew Kerber <andrew.kerber_at_gmail.com>
Date: Fri, 14 Nov 2008 08:18:49 -0600
Message-ID: <ad3aa4c90811140618q5bce3bacq5d82d3ce0308af4b@mail.gmail.com>


That is a standard SOX recommendation. I would go ahead and get rid of it; most applications do not use the extproc.

On Fri, Nov 14, 2008 at 1:51 AM, Douglas Cowles <dcowles_at_us.ibm.com> wrote:

>
> An application called appdetective has flagged one of my systems as having
> an extproc service which is a security violation in its estimation.
> It recommends I either remove the lines from listener.ora to prevent the
> service from spawning or modify the protocol.ora to use validnode checking
> parameter to only accept requests from certain network addresses.
>
> My first question is how can I determine whether there are any external
> procs being used in the database in the first place. I would figure it
> would require a library, but all the libraries I have in the database are
> owned by sys and don't seem user generated even for Peoplesoft purposes. I
> would imagine I could turn this off but someone must have modified the
> listener at some point to allow extproc in the first place which makes me
> think someone wanted to do it but when and for what. It could have been
> set up 3 years ago.
>
> Secondly, if the first question is not definitive, is simply putting the
> database server itself as the only node allowed to invoke extproc a solution
> that is likely to handle things? It is possible a Peoplesoft app or web
> server would want to invoke an extproc on a database server?
>
> This is a 10.2.0.3 database on AIX 5.3 running Peoplesoft 9 (unsure of
> exact version)
>
> Any other thoughts about how to handle a violation item like this would be
> appreciated.
>
>
> Thanks,
> Doug Cowles
>

-- 
Andrew W. Kerber

'If at first you dont succeed, dont take up skydiving.'

--
http://www.freelists.org/webpage/oracle-l
Received on Fri Nov 14 2008 - 08:18:49 CST
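
An added example, not part of the original messages: a small Python check that reads a listener.ora and reports the entries that let the listener spawn extproc, which are the lines the scanner's first recommendation refers to. The sample file is constructed (SID names, host and paths are placeholders), and it assumes the usual default layout: a SID_DESC with PROGRAM = extproc, reached over an IPC address.

```python
import re

# Constructed sample in the usual default layout with extproc enabled;
# host, SID names and ORACLE_HOME are placeholders, not from the thread.
SAMPLE = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))))
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = /u01/app/oracle/product/10.2.0)
      (PROGRAM = extproc))
    (SID_DESC =
      (SID_NAME = PSPROD)
      (ORACLE_HOME = /u01/app/oracle/product/10.2.0)))
"""

def groups(text, key):
    """Yield the body of every balanced '(KEY = ...)' group (case-insensitive)."""
    for m in re.finditer(r"\(\s*%s\s*=" % re.escape(key), text, re.I):
        depth, i = 0, m.start()
        while i < len(text):
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            if depth == 0:              # matching close paren reached
                yield text[m.end():i]
                break
            i += 1

def value(body, key):
    """Return the scalar value of '(KEY = value)' inside body, or None."""
    m = re.search(r"\(\s*%s\s*=\s*([^()\s]+)\s*\)" % re.escape(key), body, re.I)
    return m.group(1) if m else None

def find_extproc(listener_ora):
    """List (kind, name) pairs for entries to review before removing extproc."""
    text = re.sub(r"#.*", "", listener_ora)     # ignore commented-out lines
    findings = []
    for sid in groups(text, "SID_DESC"):        # service that spawns extproc
        if (value(sid, "PROGRAM") or "").lower() == "extproc":
            findings.append(("SID_DESC", value(sid, "SID_NAME")))
    for addr in groups(text, "ADDRESS"):        # IPC endpoint used to reach it
        if (value(addr, "PROTOCOL") or "").lower() == "ipc":
            findings.append(("IPC_ADDRESS", value(addr, "KEY")))
    return findings

if __name__ == "__main__":
    print(find_extproc(SAMPLE))
```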
