Details
File and directory ownership imparts full privileges to the owner. These privileges should be restricted to a single, dedicated account to preserve proper chains of ownership and privilege assignment management.
Solution
Assign DBMS file and directory ownership to a dedicated Oracle OS owner account.
Document the locations of Oracle DBMS files and directories in the System Security Plan.
On Windows systems:
The creation of a dedicated Oracle OS account and change of ownership of all files in the %ORACLE_HOME% directories and subdirectories should be performed prior to placing the DBMS system into production.
See checks DO0120 and DG0102 for details on establishing a dedicated OS account for Oracle services on Windows platforms.
Using the dedicated Oracle OS owner account to install and maintain the DBMS software libraries and configuration files will help maintain file and directory ownership.
On UNIX systems:
Assign DBMS file and directory ownership to a dedicated Oracle host OS software installation and maintenance account.
The owner and group ownership as well as file permissions for the following files (if present) should not be changed:
extjob
jssu
nmb
nmhs
nmo
oradism
externaljob.ora
coraenv
dbhome
oraenv
Using the dedicated Oracle host OS software installation and maintenance account to install and maintain the DBMS software libraries and configuration files will help maintain file and directory ownership.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Windows.
References
- 800-53|CM-6b.
- CAT|III
- Rule-ID|SV-24363r1_rule
- STIG-ID|DG0019-ORACLE11
- Vuln-ID|V-3805