SV-219849r401224_rule
V-219849
SRG-APP-000516-DB-000363
O121-BP-023800
CAT II
10
Specify a valid and protected directory for archive log files.
Restrict access to the Oracle process and software owner accounts, DBAs, and backup operator accounts.
From SQL*Plus:
select log_mode from v$database;
select value from v$parameter where name = 'log_archive_dest';
select value from v$parameter where name = 'log_archive_duplex_dest';
select name, value from v$parameter where name LIKE 'log_archive_dest_%';
select value from v$parameter where name = 'db_recovery_file_dest';
If the value returned for LOG_MODE is NOARCHIVELOG, this check is not a finding.
If a value is not returned for LOG_ARCHIVE_DEST and no values are returned for any of the LOG_ARCHIVE_DEST_[1-10] parameters, and no value is returned for DB_RECOVERY_FILE_DEST, this is a finding.
Note: LOG_ARCHIVE_DEST and LOG_ARCHIVE_DUPLEX_DEST are incompatible with the LOG_ARCHIVE_DEST_n parameters, and must be defined as the null string (' ') when any LOG_ARCHIVE_DEST_n parameter has a value other than a null string.
On UNIX Systems:
ls -ld [pathname]
Substitute [pathname] with the directory paths listed from the above SQL statements for log_archive_dest and log_archive_duplex_dest.
If permissions are granted for world access, this is a finding.
On Windows Systems (From Windows Explorer):
Browse to the directory specified.
Select and right-click on the directory, select Properties, select the Security tab.
If permissions are granted to everyone, this is a finding.
If any account other than the Oracle process and software owner accounts, Administrators, DBAs, System group or developers authorized to write and debug applications on this database is listed, this is a finding.
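The UNIX check above can be scripted. This is an added example, not part of the STIG text: it goes beyond the two parameters named in the check by also accepting LOG_ARCHIVE_DEST_n values of the form LOCATION=/path and the DB_RECOVERY_FILE_DEST path. The function names and verdict strings are assumptions, and the demo directories are constructed.

```shell
#!/bin/sh
# Print the local directory named by one parameter value, or nothing.
# Plain paths come from LOG_ARCHIVE_DEST / DB_RECOVERY_FILE_DEST; "LOCATION=/path
# [attributes]" comes from LOG_ARCHIVE_DEST_n. SERVICE= destinations and
# LOCATION=USE_DB_RECOVERY_FILE_DEST name no directory of their own.
dest_to_path() {
    case "$1" in
        [Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn]=*)
            p=${1#*=}      # drop "LOCATION="
            p=${p%% *}     # drop trailing attributes (assumes no spaces in the path)
            case "$p" in /*) printf '%s\n' "$p" ;; esac ;;
        /*) printf '%s\n' "$1" ;;
    esac
}

# Return 0 if "other" holds any of r/w/x on the directory, 1 if none, 2 if missing.
has_world_access() {
    [ -d "$1" ] || return 2
    other=$(ls -ld -- "$1" | cut -c8-10)   # e.g. "r-x" from drwxr-xr-x
    case "$other" in
        ---|--T) return 1 ;;               # T = sticky bit without world execute
        *)       return 0 ;;
    esac
}

# Read one parameter value per line on stdin and print a verdict per directory.
# Returns 1 if any directory grants world access (a finding), else 0.
check_dests() {
    rc=0
    while IFS= read -r val; do
        dir=$(dest_to_path "$val")
        [ -n "$dir" ] || continue
        st=0; has_world_access "$dir" || st=$?
        case "$st" in
            0) echo "FINDING $dir"; rc=1 ;;
            2) echo "MISSING $dir" ;;
            *) echo "OK $dir" ;;
        esac
    done
    return "$rc"
}

# Constructed demo: two scratch directories stand in for archive destinations.
demo=$(mktemp -d) && mkdir "$demo/arch1" "$demo/arch2"
chmod 750 "$demo/arch1"; chmod 755 "$demo/arch2"
printf '%s\n' "LOCATION=$demo/arch1 MANDATORY" "$demo/arch2" "SERVICE=standby1" | check_dests
rm -rf "$demo"
```

In practice, feed check_dests the VALUE column spooled from the SQL*Plus queries above, one value per line, in place of the demo lines.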
V-219849
False
O121-BP-023800
M
4059