STIGQter: STIG Summary: Oracle Database 11g Instance STIG Version: 8 Release: 20 Benchmark Date: 28 Jul 2017:

Access to sensitive data should be restricted to authorized users identified by the Information Owner.

DISA Rule

SV-24764r1_rule

Vulnerability Number

V-15630

Group Title

Sensitive data access

Rule Version

DG0122-ORACLE11

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Set UNIX permissions on critical files to 640 or more restrictive.

Check group membership of the group assigned access permissions to the database software to verify all members are authorized to have the assigned access.

Set Windows permissions to Full Control assigned to the Administrators, the Oracle service account and DBAs.

Remove any unauthorized account access.

Check Contents

Review file permissions defined for critical files.

Review the file permissions on the Binary initialization parameter file (the default name is spfile[SID].ora).

Binary initialization parameter files are by default located in the $ORACLE_HOME/dbs directory (UNIX) or %ORACLE_HOME%\database directory (Windows).

From SQL*Plus:
select value from v$parameter where name = 'spfile';
select member from v$logfile;
select name from v$datafile;
select name from v$controlfile;

Check directory and file permissions for the files returned by the SQL commands above, for the files located in the $ORACLE_HOME/network/admin directory (UNIX) or %ORACLE_HOME%\network\admin directory (Windows) and the directory specified by the TNS_ADMIN environment variable, if defined.

On UNIX systems:

ls -ld [pathname]

If permissions are granted for world access, this is a Finding.

If any groups that include members other than the Oracle process and software owner accounts, DBAs, auditors, or backup accounts are listed, this is a Finding.

On Windows Systems (From Windows Explorer):

Browse to the directory specified.

Select and right-click on the directory, select Properties, select the Security tab.

If permissions are granted to everyone, this is a Finding.

If any accounts other than the Oracle process and software owner accounts, Administrators, DBAs, System groups, auditors, or backup accounts are listed, this is a Finding.
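The UNIX portion of the check above reads the mode string from `ls -ld` by eye for each path. The script below is an added example (not part of the STIG or of STIGQter) that automates that reading: it follows symlinks so the datafile or control file itself is inspected, flags any path whose "other" permission bits are set as a Finding, and prints the owning group so its membership can still be reviewed against the authorized list by hand. The sample file names used in the usage call are constructed placeholders, not paths from the page.

```shell
#!/bin/sh
# Added example: automate the UNIX file-permission part of DG0122-ORACLE11.
# Each path is checked for world access (any of the last three mode bits).
# The owning group is printed because group membership still needs a manual
# review against the authorized accounts listed in the check text.

# Print the three "other" permission characters of a path, e.g. "---" or "r--".
# -L follows symlinks so the real datafile/control file mode is examined.
world_bits() {
    [ -e "$1" ] || return 2
    ls -ldL "$1" | cut -c8-10
}

# Return 0 when no world access is granted, 1 when any world bit is set,
# 2 when the path does not exist.
check_world_access() {
    bits=$(world_bits "$1") || return 2
    case "$bits" in
        ---) return 0 ;;
        *)   return 1 ;;
    esac
}

# Review every path given: print OK or FINDING per path with the owning group.
# Returns 1 if any path is a Finding, 0 otherwise.
review_paths() {
    rc=0
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            printf 'MISSING  %s\n' "$p"
            continue
        fi
        grp=$(ls -ldL "$p" | awk '{print $4}')
        if check_world_access "$p"; then
            printf 'OK       %s (group: %s)\n' "$p" "$grp"
        else
            printf 'FINDING  %s world=%s (group: %s)\n' "$p" "$(world_bits "$p")" "$grp"
            rc=1
        fi
    done
    return $rc
}

# Usage: feed the paths returned by the v$parameter, v$logfile, v$datafile
# and v$controlfile queries plus $ORACLE_HOME/network/admin and $TNS_ADMIN,
# e.g. ./check_perms.sh /u01/app/oracle/dbs/spfileORCL.ora /u01/oradata/ORCL/control01.ctl
# (constructed placeholder paths).
if [ "$#" -gt 0 ]; then
    review_paths "$@"
fi
```

Running it with mode 640 on a file yields OK, while 644 yields FINDING with `world=r--`; a non-zero exit code from `review_paths` makes the script usable as a step in a scheduled compliance job.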

Vulnerability Number

V-15630

Documentable

False

Rule Version

DG0122-ORACLE11

Severity Override Guidance


Check Content Reference

M

Responsibility

Database Administrator

Target Key

1367

Comments