SV-24513r1_rule
V-3854
Oracle LOG_ARCHIVE_DEST parameter
DO0238-ORACLE11
CAT II
10
Specify a valid and protected directory for archive log files.
Restrict access to the Oracle process and software owner accounts, DBAs, and backup operator accounts.
From SQL*Plus:
select log_mode from v$database;
select value from v$parameter where name = 'log_archive_dest';
select value from v$parameter where name = 'log_archive_duplex_dest';
select name, value from v$parameter where name LIKE 'log_archive_dest_%';
If the value returned for LOG_MODE is NOARCHIVELOG, this check is Not a Finding.
If a value is not returned for LOG_ARCHIVE_DEST and no values are returned for any of the LOG_ARCHIVE_DEST_[1-10] parameters, this is a Finding.
NOTE: LOG_ARCHIVE_DEST and LOG_ARCHIVE_DUPLEX_DEST are incompatible with the LOG_ARCHIVE_DEST_n parameters, and must be defined as the null string (' ') when any LOG_ARCHIVE_DEST_n parameter has a value other than a null string.
On UNIX Systems:
ls -ld [pathname]
Substitute [pathname] with the directory paths listed from the above SQL statements for log_archive_dest and log_archive_duplex_dest.
If permissions are granted for world access, this is a Finding.
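The UNIX permission check above can be scripted. The following is an added example, not part of the STIG text; it goes slightly beyond the check as written by also accepting LOG_ARCHIVE_DEST_n values in their LOCATION=path form, and the script name and sample paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the STIG text. Input: one parameter value per line,
# as returned by the v$parameter queries (paths without spaces are assumed).

# Print the local directory named by a destination value, or nothing.
# Legacy LOG_ARCHIVE_DEST / LOG_ARCHIVE_DUPLEX_DEST hold a bare path;
# LOG_ARCHIVE_DEST_n holds "LOCATION=<path> [attributes]" or "SERVICE=<name>".
dest_to_path() {
    val=$1
    case $val in
        [Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn]=*) val=${val#*=}; val=${val%% *} ;;
        [Ss][Ee][Rr][Vv][Ii][Cc][Ee]=*) return 0 ;;   # remote destination
    esac
    case $val in
        /*) printf '%s\n' "$val" ;;   # skips USE_DB_RECOVERY_FILE_DEST and empty values
    esac
}

# Return 0 if "other" holds any permission bit, 1 if none, 2 if not a directory.
world_access() {
    [ -d "$1" ] || return 2
    other=$(ls -ldL "$1" | cut -c8-10)   # e.g. drwxr-x--- -> "---"
    case $other in
        ---|--T) return 1 ;;             # T = sticky bit set, no world execute
        *) return 0 ;;
    esac
}

# Read values on stdin, report each directory, fail if any is a Finding.
audit_dests() {
    findings=0
    while IFS= read -r value; do
        dir=$(dest_to_path "$value")
        [ -n "$dir" ] || continue
        rc=0
        world_access "$dir" || rc=$?
        case $rc in
            0) echo "FINDING $dir"; findings=$((findings + 1)) ;;
            1) echo "OK $dir" ;;
            *) echo "UNCHECKED $dir" ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Hypothetical usage: sh audit.sh "LOCATION=/u01/arch MANDATORY" "/u02/arch"
if [ "$#" -gt 0 ]; then printf '%s\n' "$@" | audit_dests; fi
```

A directory reported as UNCHECKED does not exist or is not a directory on this host and needs manual review.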
On Windows Systems (From Windows Explorer):
Browse to the directory specified.
Select and right-click on the directory, select Properties, select the Security tab.
If permissions are granted to everyone, this is a Finding.
If any account other than the Oracle process and software owner accounts, Administrators, DBAs, System group or developers authorized to write and debug applications on this database are listed, this is a Finding.
False
M
Database Administrator
1367