Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-61531 | O121-BP-026400 | SV-76021r2_rule | Medium |
Description |
---|
<DIAGNOSTIC_DEST>/diag indicates the directory where trace, alert, core and incident directories and files are located. The files may contain sensitive data or information that could prove useful to potential attackers. |
STIG | Date |
---|---|
Oracle Database 12c Security Technical Implementation Guide | 2018-01-03 |
Check Text ( C-62403r2_chk ) |
---|
From SQL*Plus: select value from v$parameter where name='diagnostic_dest'; On UNIX Systems: ls -ld [pathname]/diag Substitute [pathname] with the directory path listed from the above SQL command, and append "/diag" to it, as shown. If permissions are granted for world access, this is a Finding. If any groups that include members other than the Oracle process and software owner accounts, DBAs, auditors, or backup accounts are listed, this is a Finding. On Windows Systems (From Windows Explorer): Browse to the \diag directory under the directory specified. Select and right-click on the directory, select Properties, select the Security tab. If permissions are granted to everyone, this is a Finding. If any account other than the Oracle process and software owner accounts, Administrators, DBAs, System group or developers authorized to write and debug applications on this database are listed, this is a Finding. |
Fix Text (F-67447r2_fix) |
---|
Alter host system permissions to the Authorize and document user access requirements to the directory outside of the Oracle, DBA and SA account list. |