To get to this page: Select Authentication Records from the left menu. Go to New > Oracle Record (or click Edit for the Oracle record you want to change).
Oracle records are used for authenticated scanning of Oracle instances. During scanning the service will authenticate to one or more Oracle instances on a single host using all the Oracle records in your account. For compliance scans, you can allow the service to authenticate to multiple Oracle instances on a single host and port combination. You can also allow the scanning engine to gather compliance data at the operating system level.
See Oracle Authentication Setup for information on Oracle account requirements for authenticated scanning.
See Oracle Use Cases for information on how to configure Oracle records.
When a Unit Manager edits a record, the Unit Manager only sees the IPs in the record that they have permission to. Any changes made by the Unit Manager to the record settings will apply to all hosts defined in the record, regardless of whether all hosts belong to the user's business unit. The record may contain more IPs that are not visible to the Unit Manager.
Title. Enter a unique, descriptive title for this record. The record title will be referenced in scan results when authentication fails so you can go back and verify the authentication credentials. The title may contain a maximum of 255 characters.
Specify a user name, password, SID and port for authentication.
User Name. The user name for the Oracle database.
Password. The password corresponding to the user account. Note that as you type the password or when you edit this record, your password will be replaced with asterisks (***) for security reasons.
Confirm Password. Enter the password again to confirm it was entered correctly.
Identifier Type / Identifier. There can be more than one Oracle database instance on a single machine. Use SID (Oracle System ID) or Service Name to identify the Oracle instance you want to authenticate to. Select the type of identifier you want to use and then enter the identifier value in the field provided. You may enter a maximum of 30 characters.
Ports. Specify a port that the database instance is running on or select the "All Ports" option.
• All Ports. The scanning engine uses the credentials in this record to attempt authentication to the database when a port-specific record does not exist. The scanning engine will authenticate to the database on each port the Oracle service is detected on. Note: You may only have one record per host with the "All Ports" option specified.
• Port <number>. Enter a port number in the field provided. The scanning engine uses the credentials in this record to attempt authentication to the database on the port entered in this field. Note: The same port number cannot be entered in multiple Oracle records for the same host, unless you select the option "Allow scanning multiple instances (SIDs) on IPs/ports also used in other records".
Ports Setting and Record Processing at Scan Time: When the scanning engine detects an Oracle instance on a host, it first checks to see if you have an authentication record with the port specified. If you have a port-specific record, then it uses the credentials in that record to attempt authentication. If a port-specific record does not exist (or if authentication fails), then the scanning engine checks to see if you have an authentication record set to "All Ports" for the host and uses the credentials in that record to attempt authentication.
Allow scanning multiple instances (SIDs) on IPs/ports also used in other records
Note: This option is not available if the "Perform OPatch check" option is selected on the Unix tab in this record.
Select this option to perform compliance scans on multiple instances (SIDs) running on the host and port combinations in this record. This option must be selected if this Oracle record contains a host and port combination that is already defined in another record. (You do not need to select this option if you want to scan multiple instances running on different ports on the same host.) When selected, this record will be used for compliance scans only (not vulnerability scans).
Sample Use Case: Let's say you want to run compliance scans on 3 SIDs (SID A, B, C) which are on the host 10.10.10.1 and the port 1527. At least 2 records must have the "Allow scanning multiple instances (SIDs)..." option selected in order for the service to authenticate to and scan the 3 SIDs. The record for SID A will be used for vulnerability scans and compliance scans, so this record must be created first with the "Allow scanning multiple instances (SIDs)..." option not selected. Then Records 2 and 3 can be created with the "Allow scanning multiple instances (SIDs)..." option selected. (It's also possible to select the option "Allow scanning multiple instances (SIDs)..." in the records for all 3 SIDs, in which case all records will be used for compliance scans only).
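The port rules and the scan-time record processing described above, modelled as an added example (this is illustrative code, not part of the Qualys service): `validate_records` checks the constraints for records that share one host (one "All Ports" record per host, a repeated host/port requires the multi-SID option, and that option cannot be combined with the OPatch check), and `credential_order` returns the order in which records are tried for an instance detected on a given port. The `OracleRecord` class and both function names are assumptions made for this example.

```python
# Added illustration of the Oracle record rules on this page (not Qualys code).
# All records passed to these functions are assumed to target the same host.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class OracleRecord:
    title: str
    identifier: str          # SID or Service Name
    port: Optional[int]      # None models the "All Ports" setting
    allow_multi_sid: bool = False   # "Allow scanning multiple instances (SIDs)..."
    opatch_check: bool = False      # "Perform OPatch check" on the Unix tab

def validate_records(records: List[OracleRecord]) -> List[str]:
    """Return rule violations for records (in creation order) that share one host."""
    errors = []
    if sum(1 for r in records if r.port is None) > 1:
        errors.append("only one 'All Ports' record is allowed per host")
    first_for_port = {}   # port -> title of the first record defined on it
    for r in records:
        if r.allow_multi_sid and r.opatch_check:
            errors.append(f"{r.title}: multi-SID option and OPatch check are mutually exclusive")
        if r.port is None:
            continue
        if r.port in first_for_port and not r.allow_multi_sid:
            errors.append(f"{r.title}: port {r.port} is already used by "
                          f"{first_for_port[r.port]}; enable the multi-SID option")
        first_for_port.setdefault(r.port, r.title)
    return errors

def credential_order(records: List[OracleRecord], detected_port: int,
                     scan_type: str) -> List[str]:
    """Titles of the records tried, in order, for an instance found on detected_port.

    Port-specific records come first; the 'All Ports' record is the fallback used
    when no port-specific record exists or its authentication fails. Records with
    the multi-SID option are only used for compliance scans.
    """
    usable = [r for r in records if scan_type == "compliance" or not r.allow_multi_sid]
    specific = [r.title for r in usable if r.port == detected_port]
    fallback = [r.title for r in usable if r.port is None]
    return specific + fallback

if __name__ == "__main__":
    # Constructed sample: the use case above, SIDs A, B, C on port 1527 plus one All Ports record.
    recs = [OracleRecord("SID A", "A", 1527), OracleRecord("SID B", "B", 1527, True),
            OracleRecord("SID C", "C", 1527, True), OracleRecord("Catch-all", "ORCL", None)]
    print(validate_records(recs))                    # []
    print(credential_order(recs, 1527, "compliance"))  # SID A, SID B, SID C, Catch-all
```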
Select all target hosts that the scanning engine should log into with the specified credentials.
The service allows you to include the same IP in multiple Oracle records as long as different ports are specified. When the compliance module is enabled, you may select the option "Allow scanning multiple instances (SIDs) on IPs/ports also used in other records" for greater flexibility in defining records.
Each IP may be included in one Oracle record with the "All Ports" setting.
Available IPs. A list of IPs in your account. From this list, select the IPs you want to include, and click Add. Click Add All to add all available IPs to this record.
Assigned IPs. This is a list of IP addresses and ranges added to this record. To remove an IP from the record, select it and click Remove. To remove all IPs from the record, click Remove All.
Expand. Select an IP range and click the Expand button to view a complete list of all IPs within the range. This allows you to select individual IPs from inside a range (instead of selecting the entire range).
Manually. Select to manually add or remove IP addresses. A pop-up will appear where you can type or paste in a list of IPs. Then click Add to add the IPs to the record or click Remove to remove the IPs from the record.
Asset Group. Select to copy IPs from an asset group to this record. A pop-up will appear prompting you to select the asset group you want to copy IPs from. Select the asset group and click Add.
Note: The Windows tab is only visible when the Policy Compliance application is enabled for your subscription.
When enabled and properly configured, the scanning engine is able to scan for OS-dependent compliance checks for the Oracle technology. These Oracle checks are assigned to the control category "Database Settings" in the sub-category "DB OS-dependent Controls".
Select the option "Perform OS-dependent compliance checks" and provide details about your Oracle installation to allow the scanning engine to gather Oracle compliance data at the operating system level.
In the fields provided, enter the Oracle Home name, Oracle Home path, and path information for these Oracle configuration files: init(SID).ora, spfile(SID).ora, listener.ora, sqlnet.ora, and tnsnames.ora. Note that all fields are required and have a limit of 255 characters.
When specifying the path to configuration files, these special characters are not allowed:
; & | # % ? ! * ` ( ) [ ] " ' > < = ^ /
In addition to the Oracle authentication record, you must also have a Windows authentication record for scanning Windows hosts. The Windows record must include the same hosts (IP addresses) as the Oracle record. The service authenticates to the host using the Windows login credentials and authenticates to the Oracle instance on the host using the Oracle login credentials. Both types of authentication must be successful in order for the scanning engine to perform OS-dependent compliance checks. If either type of authentication fails or if authentication records are not available for the scanned host, then the scanning engine will not be able to gather data for the OS-dependent compliance checks.
Select from the following options to perform additional Oracle checks on Unix hosts.
Note: This option is only visible when the Policy Compliance application is enabled for your subscription.
Select the option "Perform OS-dependent compliance checks" and provide details about your Oracle installation to allow the scanning engine to gather Oracle compliance data at the operating system level. See below.
When enabled and properly configured, the scanning engine is able to scan for OS-dependent compliance checks for the Oracle technology. These Oracle checks are assigned to the control category "Database Settings" in the sub-category "DB OS-dependent Controls".
Note: This option is not available if the option "Allow scanning multiple instances (SIDs)..." is selected on the Login Credentials tab in this record.
Select the option "Perform OPatch check" and provide details about your Oracle installation in the fields provided.
When the OPatch option is enabled and properly configured, the scanning engine is able to get a list of all installed patches for that Oracle instance. The scanning engine first detects the OPatch binary and then runs the "opatch lsinventory" command. This command returns a list of installed products and interim patches, which are reported in QID 19614 "Oracle OPatch Inventory Report". All Oracle detections use the patch information returned from OPatch when this information is available.
When the OPatch option is NOT enabled, the scanning engine checks for patch information in the Oracle database. The database includes a table with all installed patches. Note, however, that a patch is listed in the database only if a post-install script was run in the database after the patch was installed. If a patch did not include post-install instructions or a post-install script was not run, then the scanning engine will not be able to detect that the patch is installed, and Oracle detections that rely on this information may not return accurate results.
When you select the option "Perform OS-dependent compliance checks" and/or "Perform OPatch check", you must provide details about your Oracle installation. The details you provide will apply to both types of checks.
In the fields provided, enter the Oracle Home path, and path information for these Oracle configuration files: init(SID).ora, spfile(SID).ora, listener.ora, sqlnet.ora, and tnsnames.ora. Note that all fields are required and have a limit of 255 characters.
When specifying the path to configuration files, these special characters are not allowed:
; & | # % ? ! * ` ( ) [ ] " ' > < = ^ \
In addition to the Oracle authentication record, you must also have a Unix authentication record for scanning Unix hosts. The Unix record must include the same hosts (IP addresses) as the Oracle record. The service authenticates to the host using the Unix login credentials and authenticates to the Oracle instance on the host using the Oracle login credentials. Both types of authentication must be successful in order for the scanning engine to perform OS-dependent compliance checks and OPatch checks. If either type of authentication fails or if authentication records are not available for the scanned host, then the scanning engine will not be able to gather data for these checks.
Note: The Unix authentication record user name must have complete access to the "opatch lsinventory" command, which includes read/write access to the Oracle database.
Enter important notes about the authentication credentials or target hosts.
Save. Click to save the record and return to the authentication records list.
Cancel. Click to return to the authentication records list without saving your changes.