In a recent Oracle Connection Manager (cman) installation (version 21.3) I tried to configure a minimal ruleset and test the cman instance before letting database instances register their services.
So a simple rule list at that stage should allow administration of the cmon service (that's the cman itself) from the local machine, but reject all other attempts regardless of their source or destination.
Later on, I plan to add all the dedicated services, their allowed source machines and so on.
(rule_list=
(rule=(src=<CMAN_HOST>)(dst=127.0.0.1)(srv=cmon)(act=accept))
(rule=(src=*)(dst=*)(srv=*)(act=deny))
)
CMCTL> administer cman
Current instance cman is not yet started
Connections refer to (DESCRIPTION=(address=(protocol=tcp)(host=<CMAN_HOST>)(port=1521))).
The command completed successfully.
CMCTL:cman> startup
TNS-04012: Unable to start Oracle Connection Manager instance.
CMCTL:cman>
A short glimpse into the logfile showed one matching line:
(LOG_RECORD=(TIMESTAMP=06-JAN-2023 18:40:01)(EVENT=CMAN.ORA contains no rule for local CMCTL connection)(Add (rule=(src=<CMAN_HOST>)(dst=127.0.0.1)(srv=cmon)(act=accept)) in rule_list)
This is suspicious, as exactly that line already exists in the rule list. Even adding this rule several times, or with other patterns like ::1 for localhost, didn't help. Only changing the last line to act=accept let me start the cman, which is fine for making some progress but not acceptable from the security perspective required later.
I was so desperate fixing the rule for accepting the cmon service that I failed to solve this problem myself, so I asked for help:
The solution is as simple as I was blind: deny is not a valid keyword for a rule's action; the correct keywords are accept, reject or drop!
So the simple solution is to change the configuration to:
(rule_list=
(rule=(src=<CMAN_HOST>)(dst=127.0.0.1)(srv=cmon)(act=accept))
(rule=(src=*)(dst=*)(srv=*)(act=drop))
)
The problem obviously existed between my keyboard and chair.
I just wish the error message had been a little bit more helpful.
Maybe in a future release the logfile could show:
rule (rule=(src=*)(dst=*)(srv=*)(act=deny)) can not be parsed at keyword deny
Let's hope for the best.
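As an added example (not from the original post and not Oracle's code), here is a small Python checker that parses a cman.ora rule_list offline and reports the problem the cman log hid: an action keyword that is not one of accept, reject or drop, printed in the form the post wishes the logfile would use. The valid action keywords are taken from the post; the hostname cmanhost.example.com is an assumed stand-in for <CMAN_HOST>, and the two rule_list texts are constructed from the post's broken and fixed configurations.

```python
"""Offline sanity check for an Oracle Connection Manager rule_list.

Added example, not part of the original post and not Oracle code. It parses
the parenthesised name/value syntax used in cman.ora and flags rules whose
action keyword cman does not know, plus a rule list that never accepts the
cmon service (the local CMCTL connection would then be refused).
"""

# Action keywords named in the post as the valid ones.
VALID_ACTIONS = {"accept", "reject", "drop"}
REQUIRED_KEYS = ("src", "dst", "srv", "act")


def _skip_ws(text, pos):
    while pos < len(text) and text[pos].isspace():
        pos += 1
    return pos


def parse_nv(text, pos=0):
    """Parse one '(name=value)' element starting at text[pos].

    Returns (name, value, next_pos). value is a string for a scalar, or a
    list of (name, value) tuples when the value is itself a sequence of
    nested elements, as in (rule_list=(rule=...)(rule=...)).
    """
    pos = _skip_ws(text, pos)
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    eq = text.find("=", pos)
    if eq < 0:
        raise ValueError(f"missing '=' after offset {pos}")
    name = text[pos:eq].strip()
    pos = _skip_ws(text, eq + 1)
    if pos < len(text) and text[pos] == "(":
        children = []
        while True:
            pos = _skip_ws(text, pos)
            if pos < len(text) and text[pos] == ")":
                break
            child_name, child_value, pos = parse_nv(text, pos)
            children.append((child_name, child_value))
        return name, children, pos + 1
    end = text.find(")", pos)
    if end < 0:
        raise ValueError(f"missing ')' closing {name}")
    return name, text[pos:end].strip(), end + 1


def parse_rule_list(text):
    """Return the rules of a (rule_list=...) block as a list of dicts."""
    name, value, _ = parse_nv(text)
    if name.lower() != "rule_list" or not isinstance(value, list):
        raise ValueError("top-level element must be (rule_list=...)")
    rules = []
    for child_name, child_value in value:
        if child_name.lower() != "rule" or not isinstance(child_value, list):
            raise ValueError(f"unexpected element {child_name} in rule_list")
        rules.append({k.lower(): v for k, v in child_value})
    return rules


def format_rule(rule):
    """Render a parsed rule back in cman.ora notation, keys in file order."""
    return "(rule=" + "".join(f"({k}={v})" for k, v in rule.items()) + ")"


def check_rules(rules):
    """Return a list of human-readable findings; empty means no problems."""
    findings = []
    for idx, rule in enumerate(rules, 1):
        missing = [k for k in REQUIRED_KEYS if k not in rule]
        if missing:
            findings.append(f"rule {idx}: missing {', '.join(missing)}")
            continue
        if rule["act"].lower() not in VALID_ACTIONS:
            # The message the post wishes cman itself would log.
            findings.append(
                f"rule {idx}: {format_rule(rule)} can not be parsed "
                f"at keyword {rule['act']}")
    if not any(r.get("srv", "").lower() == "cmon"
               and r.get("act", "").lower() == "accept" for r in rules):
        findings.append("no rule accepts the cmon service; "
                        "the local CMCTL connection would be refused")
    return findings


# Constructed sample: the post's first (failing) configuration, with the
# assumed hostname cmanhost.example.com standing in for <CMAN_HOST>.
BROKEN_RULE_LIST = """(rule_list=
(rule=(src=cmanhost.example.com)(dst=127.0.0.1)(srv=cmon)(act=accept))
(rule=(src=*)(dst=*)(srv=*)(act=deny))
)"""

# The post's corrected configuration: deny replaced by the valid keyword drop.
FIXED_RULE_LIST = BROKEN_RULE_LIST.replace("act=deny", "act=drop")

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_RULE_LIST), ("fixed", FIXED_RULE_LIST)):
        findings = check_rules(parse_rule_list(text))
        print(f"{label}:", findings or ["no problems found"])
```

Run against the broken sample the checker names rule 2 and the offending keyword deny; against the fixed sample it reports nothing. The parser only understands the flat (name=value) nesting shown in the post, so anything more exotic in a real cman.ora (comments, quoted values) would need extending.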