DO0238-ORACLE11 - The directories assigned to the LOG_ARCHIVE_DEST* parameters should be protected from unauthorized access - 'LOG_MODE = NOARCHIVELOG'

Information

The LOG_ARCHIVE_DEST parameter is used to specify the directory to which Oracle archive logs are written. Where the DBMS availability and recovery to a specific point in time is critical, the protection of archive log files is critical. Archive log files may also contain unencrypted sensitive data. If written to an inadequately protected or invalidated directory, the archive log files may be accessed by unauthorized persons or processes.

Solution

Specify a valid and protected directory for archive log files.

Restrict access to the Oracle process and software owner accounts, DBAs, and backup operator accounts.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_11g_Y21M10_STIG.zip

Item Details

Category: CONTINGENCY PLANNING, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CP-10(2), 800-53|SC-24, CAT|II, Rule-ID|SV-24513r1_rule, STIG-ID|DO0238-ORACLE11, Vuln-ID|V-3854

Plugin: OracleDB

Control ID: 32dd6b4d3c3646d862aac94764b96d33e1a1e61972877445607ba8c1197cd6e4