is it ok to tighten up extproc security?
Date: Fri, 14 Nov 2008 02:51:24 -0500
An application called appdetective has flagged one of my systems as having an extproc service, which is a security violation in its estimation. It recommends I either remove the lines from listener.ora to prevent the service from spawning, or modify the protocol.ora to use the validnode checking parameter to only accept requests from certain network addresses.
My first question is how can I determine whether there are any external procs being used in the database in the first place. I would figure it would require a library, but all the libraries I have in the database are owned by sys and don't seem user generated, even for Peoplesoft purposes. I would imagine I could turn this off, but someone must have modified the listener at some point to allow extproc in the first place, which makes me think someone wanted to do it, but when and for what? It could have been set up 3 years ago.
Secondly, if the first question is not definitive, is simply putting the database server itself as the only node allowed to invoke extproc a solution that is likely to handle things? Is it possible a Peoplesoft app or web server would want to invoke an extproc on a database server?
This is a 10.2.0.3 database on AIX 5.3 running Peoplesoft 9 (unsure of exact version).
Any other thoughts about how to handle a violation item like this would be appreciated.
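An added example, not part of the original post, of how the first question (is anything in the database actually using extproc?) can be answered from the data dictionary before the listener is touched. It is a SQL*Plus script for a 10.2 database run as a DBA; the list of Oracle-supplied schemas it excludes is an assumption to adjust locally.

```sql
-- SQL*Plus script; run as a DBA user. The list of Oracle-supplied schemas
-- below is an assumption: extend it with whatever Oracle or PeopleSoft
-- accounts exist locally, and treat anything left over as user-created.
DEFINE oracle_schemas = "'SYS','SYSTEM','MDSYS','ORDSYS','CTXSYS','XDB','WMSYS','EXFSYS','DMSYS','OLAPSYS','DBSNMP','OUTLN'"

-- 1. Libraries outside the Oracle-supplied schemas. A library is the
--    prerequisite for any C external procedure; FILE_SPEC shows the shared
--    object each one would make extproc load.
SELECT owner, library_name, file_spec, dynamic, status
  FROM dba_libraries
 WHERE owner NOT IN (&oracle_schemas)
 ORDER BY owner, library_name;

-- 2. PL/SQL units that reference a library, i.e. procedures, functions and
--    packages declared AS LANGUAGE C ... LIBRARY ... NAME ... These are the
--    only database objects the listener's extproc entry exists to serve.
SELECT d.owner, d.name, d.type,
       d.referenced_owner AS library_owner, d.referenced_name AS library_name
  FROM dba_dependencies d
 WHERE d.referenced_type = 'LIBRARY'
   AND d.owner NOT IN (&oracle_schemas)
 ORDER BY d.owner, d.name;

-- 3. Cross-check the source text, which also catches units whose dependency
--    rows were never recorded, such as ones that have been left invalid.
SELECT DISTINCT owner, name, type
  FROM dba_source
 WHERE REGEXP_LIKE(text, 'LANGUAGE[[:space:]]+C([[:space:]]|$)', 'i')
   AND owner NOT IN (&oracle_schemas)
 ORDER BY owner, name;

-- 4. Who could introduce new external procedures later: accounts and roles
--    holding the library privileges. This bounds who could start using
--    extproc again after the listener entry is locked down.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE LIBRARY', 'CREATE ANY LIBRARY')
 ORDER BY grantee, privilege;
```

Note that TCP.VALIDNODE_CHECKING and TCP.INVITED_NODES only restrict TCP endpoints, so an IPC-based KEY=EXTPROC listener entry is not covered by them. If queries 1 to 3 return no rows, there is no database object that needs the extproc service, and removing its listener.ora entries is the simpler and more complete of the two remediations.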