UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The directory assigned to the DIAGNOSTIC_DEST parameter must be protected from unauthorized access.


Overview

Finding ID Version Rule ID IA Controls Severity
V-54073 O112-BP-026400 SV-68313r1_rule Medium
Description
The DIAGNOSTIC_DEST is used to indicate the directory where trace, alert, core and incident directories and files are located. The files may contain sensitive data or information that could prove useful to potential attackers.
STIG Date
Oracle Database 11.2g Security Technical Implementation Guide 2015-03-26

Details

Check Text ( C-54857r1_chk )
From SQL*Plus:

select value from v$parameter where name='diagnostic_dest';

On UNIX Systems:

ls -ld [pathname]

Substitute [pathname] with the directory path listed from the above SQL command.

If permissions are granted for world access, this is a Finding.

If any groups that include members other than the Oracle process and software owner accounts, DBAs, auditors, or backup accounts are listed, this is a Finding.

On Windows Systems (From Windows Explorer):

Browse to the directory specified.

Select and right-click on the directory, select Properties, select the Security tab.

If permissions are granted to everyone, this is a Finding.

If any account other than the Oracle process and software owner accounts, Administrators, DBAs, System group or developers authorized to write and debug applications on this database are listed, this is a Finding.
Fix Text (F-58915r1_fix)
Alter host system permissions to the DIAGNOSTIC_DEST directory to the Oracle process and software owner accounts, DBAs, SAs (if required) and developers or other users that may specifically require access for debugging or other purposes.

Authorize and document user access requirements to the directory outside of the Oracle, DBA and SA account list.