STIGQter STIGQter: STIG Summary: Oracle Database 12c Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The directory assigned to the AUDIT_FILE_DEST parameter must be protected from unauthorized access and must be stored in a dedicated directory or disk partition separate from software or other application files.

DISA Rule

SV-219862r401224_rule

Vulnerability Number

V-219862

Group Title

SRG-APP-000516-DB-000363

Rule Version

O121-BP-025101

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

For file-based auditing, establish an audit file directory separate from the Oracle Home.

Alter host system permissions to the AUDIT_FILE_DEST directory to the Oracle process and software owner accounts, DBAs, backup accounts, SAs (if required), and auditors.

Authorize and document user access requirements to the directory outside of the Oracle, DBA, and SA account list in the System Security Plan.

Check Contents

If Standard Auditing is used:

From SQL*Plus:

select value from v$parameter where name = 'audit_trail';
select value from v$parameter where name = 'audit_file_dest';

If audit_trail is NOT set to OS, XML or XML EXTENDED, this is not applicable (NA).

If audit_trail is set to OS, but the audit records are routed directly to a separate log server without writing to the local file system, this is not a finding.

On UNIX Systems:

ls -ld [pathname]

Replace [pathname] with the directory path listed from the above SQL command for audit_file_dest.

If permissions are granted for world access, this is a finding.

If any groups that include members other than the Oracle process and software owner accounts, DBAs, auditors, or backup accounts are listed, this is a finding.

Compare path to $ORACLE_HOME. If audit_file_dest is a subdirectory of $ORACLE_HOME, this is a finding.

On Windows Systems (From Windows Explorer):

Browse to the directory specified. Select and right-click on the directory, select Properties, select the Security tab. On Windows hosts, records are also written to the Windows application event log. The location of the application event log is listed under Properties for the log under the Windows console. The default location is C:\WINDOWS\system32\config\EventLogs\AppEvent.Evt.

If permissions are granted to everyone, this is a finding. If any accounts other than the Administrators, DBAs, System group, auditors or backup operators are listed, this is a finding.

Compare path to %ORACLE_HOME%. If audit_file_dest is a subdirectory of %ORACLE_HOME%, this is a finding.

If Unified Auditing is used:
AUDIT_FILE_DEST parameter is not used in Unified Auditing

Vulnerability Number

V-219862

Documentable

False

Rule Version

O121-BP-025101

Severity Override Guidance

If Standard Auditing is used:

From SQL*Plus:

select value from v$parameter where name = 'audit_trail';
select value from v$parameter where name = 'audit_file_dest';

If audit_trail is NOT set to OS, XML or XML EXTENDED, this is not applicable (NA).

If audit_trail is set to OS, but the audit records are routed directly to a separate log server without writing to the local file system, this is not a finding.

On UNIX Systems:

ls -ld [pathname]

Replace [pathname] with the directory path listed from the above SQL command for audit_file_dest.

If permissions are granted for world access, this is a finding.

If any groups that include members other than the Oracle process and software owner accounts, DBAs, auditors, or backup accounts are listed, this is a finding.

Compare path to $ORACLE_HOME. If audit_file_dest is a subdirectory of $ORACLE_HOME, this is a finding.

On Windows Systems (From Windows Explorer):

Browse to the directory specified. Select and right-click on the directory, select Properties, select the Security tab. On Windows hosts, records are also written to the Windows application event log. The location of the application event log is listed under Properties for the log under the Windows console. The default location is C:\WINDOWS\system32\config\EventLogs\AppEvent.Evt.

If permissions are granted to everyone, this is a finding. If any accounts other than the Administrators, DBAs, System group, auditors or backup operators are listed, this is a finding.

Compare path to %ORACLE_HOME%. If audit_file_dest is a subdirectory of %ORACLE_HOME%, this is a finding.

If Unified Auditing is used:
AUDIT_FILE_DEST parameter is not used in Unified Auditing

Check Content Reference

M

Target Key

4059

Comments