Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-15747 | DO0233-ORACLE11 | SV-24869r2_rule | | Medium |
Description |
---|
<DIAGNOSTIC_DEST>/diag indicates the directory where trace, alert, core and incident directories and files are located. The files may contain sensitive data or information that could prove useful to potential attackers. |
STIG | Date |
---|---|
Oracle Database 11g Instance STIG | 2017-06-29 |
Check Text (C-26535r2_chk) |
---|
From SQL*Plus: |
select value from v$parameter where name='diagnostic_dest'; |
On UNIX Systems: |
ls -ld [pathname]/diag |
Substitute [pathname] with the directory path listed from the above SQL command, and append "/diag" to it, as shown. |
If permissions are granted for world access, this is a finding. |
If any groups that include members other than the Oracle process and software owner accounts, DBAs, auditors, or backup accounts are listed, this is a finding. |
On Windows Systems (From Windows Explorer): |
Browse to the \diag directory under the directory specified. Select and right-click on the directory, select Properties, select the Security tab. |
If permissions are granted to everyone, this is a finding. |
If any account other than the Oracle process and software owner accounts, Administrators, DBAs, System group or developers authorized to write and debug applications on this database are listed, this is a finding. |
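
The UNIX portion of the check above can be scripted. The shell function below is an added example, not part of the STIG; the approved-group list passed as its second argument, and the script name, path and group names in the usage comment, are site-specific assumptions.

```shell
#!/bin/sh
# Added example: scripts the "ls -ld [pathname]/diag" review from the check text.
# Assumption: the caller supplies the site's approved group names.

# check_diag_perms DIR "grp1 grp2 ..."
# Prints one line per finding. Returns 0 if clean, 1 on a finding, 2 if DIR is missing.
check_diag_perms() {
    dir=$1
    allowed=$2
    if [ ! -d "$dir" ]; then
        echo "ERROR: $dir is not a directory" >&2
        return 2
    fi

    # Same listing the check text uses: field 1 is the mode string, field 4 the group.
    listing=$(ls -ld "$dir")
    mode=$(printf '%s\n' "$listing" | awk '{print $1}')
    group=$(printf '%s\n' "$listing" | awk '{print $4}')
    rc=0

    # Characters 8-10 are the world (other) permissions. A bare sticky bit
    # shows as "T" and grants nothing, so it is normalised to "-".
    world=$(printf '%s\n' "$mode" | cut -c8-10 | tr 'T' '-')
    if [ "$world" != "---" ]; then
        echo "FINDING: $dir grants world access ($world)"
        rc=1
    fi

    # The directory's group must be one of the approved groups.
    case " $allowed " in
        *" $group "*) ;;
        *)
            echo "FINDING: $dir group '$group' is not on the approved list"
            rc=1
            ;;
    esac
    return "$rc"
}

# Stand-alone use: sh check_diag.sh /u01/app/oracle/diag "oinstall dba"
# (script name, path and group names are placeholders for site values).
if [ "$#" -eq 2 ]; then
    check_diag_perms "$1" "$2"
fi
```

The function checks only the directory's mode bits and group owner. Membership of that group still has to be compared by hand against the authorized accounts, as the check text requires.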
Fix Text (F-22818r2_fix) |
---|
Alter host system permissions to the Authorize and document user access requirements to the directory outside of the Oracle, DBA and SA account list. |