Oracle authentication records are used for authenticated scanning of Oracle instances. During scanning the service will authenticate to one or more Oracle instances (SIDs) on a single host using all the Oracle records in your account. For compliance scans, you can allow the service to authenticate to multiple Oracle instances on a single host and port.
You create a separate authentication record for each Oracle instance to be scanned. In the authentication record, supply a user name and password, the Oracle System ID (SID) for the database you want to authenticate to and the port the SID is on.
You have two options for specifying the port in the authentication record: enter the port number or select "All Ports". If you know the port number that the SID is running on, specify that port in the record; the scanning engine will attempt to authenticate to the SID on the specified port only. Alternatively, select the "All Ports" option, which means that the scanning engine will attempt to authenticate to the SID on each port the Oracle service is detected on. This is useful if the SID is listening on multiple ports. Note, however, that you may only have one record per host with the "All Ports" option specified.
The use cases below describe various configuration options for creating Oracle records.
Number of Records Needed: 1
When there is a single Oracle instance on a host, then you can either specify the port that the SID is running on or select the "All Ports" option.
Field | Value
SID | A
Ports | All Ports or Port 1521
Assigned IPs | 10.10.10.1
Number of Records Needed: 1
No Restricted Ports: If no ports are restricted, you can use the "All Ports" option. The scanning engine will attempt to authenticate to the SID on each port the Oracle service is detected on. You may only create one Oracle authentication record with the "All Ports" option per host.
Field | Value
SID | A
Ports | All Ports
Assigned IPs | 10.10.10.1
With Restricted Ports: If a port is restricted, meaning that you don't want it to be scanned, do not use the "All Ports" option; instead specify a port that is not restricted. This is the only way to ensure that the scanning engine does not attempt to authenticate on the restricted port. For example, if Port 1521 is restricted and you don't want it to be scanned, specify a different port such as Port 1527 in the authentication record. In this case, the scanning engine will only attempt to authenticate to the SID on Port 1527.
Field | Value
SID | A
Ports | Port 1527
Assigned IPs | 10.10.10.1
It's important to note that when you launch non-authenticated vulnerability scans (without Oracle authentication enabled), the scanning engine will attempt to connect to each port the Oracle instance is detected on in order to gather system information. In this case, there is no way to prevent restricted ports from being scanned. If Oracle is detected on Port 1521 and Port 1527, then the scanning engine will scan both ports.
Number of Records Needed: 2
When there are multiple Oracle instances on a host, then create a separate Oracle record for each instance. In each record, specify the port that the SID is running on.
Field | Record 1 value | Record 2 value
SID | A | B
Ports | Port 1521 | Port 1527
Assigned IPs | 10.10.10.1 | 10.10.10.1
Number of Records Needed: 3
You may create multiple Oracle authentication records for the same host as long as a different port is specified in each record. In this particular use case, three SIDs are spread over two ports, so at least one record must be set to "All Ports": two records on the same host cannot specify the same port, and only one record per host may use "All Ports".
Field | Record 1 value | Record 2 value | Record 3 value
SID | A | B | C
Ports | All Ports | Port 1527 | Port 1521
Assigned IPs | 10.10.10.1 | 10.10.10.1 | 10.10.10.1
Number of Records Needed: 3
For policy compliance scans, you may create multiple Oracle authentication records for the same host and port combination as long as this option is selected in the record: "Allow scanning multiple instances (SIDs) on IPs/ports also used in other records". When this option is selected, the record will be used for compliance scans only.
In this particular use case, at least 2 records must have the "Allow scanning multiple instances (SIDs)..." option selected in order for the service to authenticate to and scan the 3 SIDs. Record 1 for SID A will be used for vulnerability scans and compliance scans, so this record must be created first with the "Allow scanning multiple instances (SIDs)..." option not selected. Then Records 2 and 3 can be created with the "Allow scanning multiple instances (SIDs)..." option selected. (It's also possible to select the option "Allow scanning multiple instances (SIDs)..." in the records for all 3 SIDs, in which case all records will be used for compliance scans only).
Field | Record 1 value | Record 2 value | Record 3 value
SID | A | B | C
Ports | Port 1527 | Port 1527 | Port 1527
Allow scanning multiple instances (SIDs) on IPs/ports also used in other records | Not Selected | Selected | Selected
Assigned IPs | 10.10.10.1 | 10.10.10.1 | 10.10.10.1
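The record rules spread across the use cases above (one "All Ports" record per host, no duplicate host/port pairs unless the multi-SID option is selected, the non-multi-SID record created first, and restricted ports kept out of authenticated scanning) are easy to get wrong when a host carries several SIDs. The following checker encodes those rules so a set of planned records can be validated before they are entered. It is example code added here, not the scanning service's own implementation; the OracleRecord layout, the record names, and the restricted_ports mapping are assumptions made for the example.

```python
"""Checks a set of Oracle authentication records against the rules on this page.
Added example code, not the scanning service's own implementation; the record
layout, record names and the restricted_ports mapping are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple, Union

ALL_PORTS = "All Ports"  # mirrors the option name in the record form


@dataclass(frozen=True)
class OracleRecord:
    name: str                          # label used in reports (assumed, not a form field)
    sid: str                           # Oracle System ID
    port: Union[int, str]              # listener port, or ALL_PORTS
    ips: Tuple[str, ...]               # assigned IPs
    allow_multiple_sids: bool = False  # "Allow scanning multiple instances (SIDs) on IPs/ports also used in other records"


def scan_types(rec: OracleRecord) -> Tuple[str, ...]:
    """A record with the multi-SID option is used for compliance scans only;
    otherwise it serves both vulnerability and compliance scans."""
    if rec.allow_multiple_sids:
        return ("compliance",)
    return ("vulnerability", "compliance")


def validate(records: List[OracleRecord],
             restricted_ports: Optional[Dict[str, Set[int]]] = None) -> List[str]:
    """Return a list of problems; an empty list means the record set is acceptable.
    `records` is taken in creation order, which matters for the multi-SID case.
    `restricted_ports` maps an IP to the ports that must not be scanned (assumed input)."""
    restricted_ports = restricted_ports or {}
    problems: List[str] = []
    all_ports_owner: Dict[str, str] = {}                          # ip -> record using "All Ports"
    port_records: Dict[Tuple[str, int], List[OracleRecord]] = {}  # (ip, port) -> records so far

    for rec in records:
        for ip in rec.ips:
            restricted = restricted_ports.get(ip, set())

            if rec.port == ALL_PORTS:
                # Rule: only one "All Ports" record per host.
                if ip in all_ports_owner:
                    problems.append(
                        f"{rec.name}: {ip} already has an 'All Ports' record ({all_ports_owner[ip]})")
                else:
                    all_ports_owner[ip] = rec.name
                # Rule: "All Ports" authenticates on every detected Oracle port,
                # so it cannot keep a restricted port out of the scan.
                if restricted:
                    problems.append(
                        f"{rec.name}: 'All Ports' on {ip} would include restricted ports {sorted(restricted)}")
                continue

            if rec.port in restricted:
                problems.append(
                    f"{rec.name}: port {rec.port} on {ip} is restricted; specify an unrestricted port")

            key = (ip, rec.port)
            earlier = port_records.setdefault(key, [])
            if not rec.allow_multiple_sids:
                if any(not e.allow_multiple_sids for e in earlier):
                    # Rule: same host/port twice without the multi-SID option.
                    problems.append(
                        f"{rec.name}: {ip}:{rec.port} is already used by {earlier[0].name}")
                elif earlier:
                    # Page: the record used for vulnerability scans must be created
                    # before the compliance-only records on the same host/port.
                    problems.append(
                        f"{rec.name}: create the non-multi-SID record for {ip}:{rec.port} "
                        f"before the compliance-only ones")
            earlier.append(rec)
    return problems


if __name__ == "__main__":
    # Constructed input reproducing the three-record compliance use case above.
    host = ("10.10.10.1",)
    planned = [
        OracleRecord("rec1", "A", 1527, host),
        OracleRecord("rec2", "B", 1527, host, allow_multiple_sids=True),
        OracleRecord("rec3", "C", 1527, host, allow_multiple_sids=True),
    ]
    for r in planned:
        print(r.name, r.sid, r.port, scan_types(r))
    print("problems:", validate(planned) or "none")
```

Each use-case table above maps directly onto a record: the Ports column becomes `port`, the Assigned IPs column becomes `ips`, and the "Allow scanning multiple instances" row becomes `allow_multiple_sids`. Passing a `restricted_ports` entry for a host reproduces the restricted-port guidance: an "All Ports" record is flagged, and a record on an unrestricted port passes.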