STIGhub

V-270512

CAT II (Medium)

Oracle Database must support enforcement of logical access restrictions associated with changes to the database management system (DBMS) configuration and to the database itself.

Rule ID

SV-270512r1065305_rule

STIG

Oracle Database 19c Security Technical Implementation Guide

Version

V1R5

CCIs

CCI-001813

Discussion

Failure to provide logical access restrictions associated with changes to configuration may have significant effects on the overall security of the system. When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system can potentially have significant effects on the overall security of the system. Accordingly, only qualified and authorized individuals should be allowed to obtain access to system components for the purposes of initiating changes, including upgrades and modifications.

Check Content

Review access restrictions associated with changes to the configuration of the DBMS or database(s).

On Unix Systems:

  ls -ld [pathname]

Replace [pathname] with the directory path where the Oracle Database software is installed (e.g., /u01/app/oracle/product/19.0.0/dbhome_1).

If permissions are granted for world access, this is a finding.

If access is granted to any groups that include members other than the software owner account, database administrators (DBAs), or any accounts not listed as authorized, this is a finding.

For Windows Systems:
Review the permissions that control access to the Oracle installation software directories (e.g., \Program Files\Oracle\).

If access is given to members other than the software owner account, DBAs, or any accounts not listed as authorized, this is a finding.

Compare the access control employed with that documented in the system documentation.

If access does not match the documented requirement, this is a finding.
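
The Unix portion of this check can be scripted. The following is an added example, not part of the STIG text: it parses `ls -ld` for world permission bits and compares the owning group's members against an authorized list. The function names and the `oracle grid` account list are assumptions; substitute the accounts from the system documentation.

```shell
#!/bin/sh
# Added example, not part of the STIG text. The authorized account list passed
# in is a constructed placeholder; use the documented account list instead.

# Print the "other" (world) permission triplet of a directory, e.g. "r-x".
other_bits() {
    ls -ld "$1" | awk '{print substr($1, 8, 3)}'
}

# Succeed (exit 0) when the directory grants any world access.
has_world_access() {
    case "$(other_bits "$1")" in
        ---|--T) return 1 ;;   # T = sticky bit set without world execute
        *)       return 0 ;;
    esac
}

# Print the group that owns the directory (field 4 of ls -ld).
dir_group() {
    ls -ld "$1" | awk '{print $4}'
}

# Given a group(5) line "name:pw:gid:user1,user2" and a space-separated list
# of authorized accounts, print each member that is not on the list.
unauthorized_members() {
    members=$(printf '%s\n' "$1" | cut -d: -f4 | tr ',' ' ')
    for m in $members; do
        case " $2 " in
            *" $m "*) ;;
            *) printf '%s\n' "$m" ;;
        esac
    done
}

# Report findings for one Oracle home. Accounts whose *primary* group is the
# owning group do not appear in the member field; review /etc/passwd for those.
audit_oracle_home() {
    dir=$1; authorized=$2
    if has_world_access "$dir"; then
        echo "FINDING: world access ($(other_bits "$dir")) on $dir"
    fi
    grp=$(dir_group "$dir")
    line=$(getent group "$grp" 2>/dev/null) || return 0
    for u in $(unauthorized_members "$line" "$authorized"); do
        echo "FINDING: $u in group $grp is not an authorized account"
    done
}

# Usage: audit_oracle_home /u01/app/oracle/product/19.0.0/dbhome_1 "oracle grid"
```

The script only inspects the top-level directory, as the `ls -ld` check does; the comparison against system documentation remains a manual step.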

Fix Text

For Unix Systems:
Set the umask of the Oracle software owner account to 022. Determine the shell being used for the Oracle software owner account:

  env | grep -i shell

Startup files for each shell are as follows (located in the user's $HOME directory):

  C-Shell (CSH) = .cshrc
  Bourne Shell (SH) = .profile
  Korn Shell (KSH) = .kshrc
  TC Shell (TCS) = .tcshrc
  BASH Shell = .bash_profile or .bashrc

Edit the shell startup file for the account and add or modify the line:

  umask 022

Log off and log on, then enter the umask command to confirm the setting.

Note: To effect this change for all Oracle processes, a reboot of the DBMS server may be required.

For Windows Systems:
Restrict access to the DBMS software libraries to the fewest accounts that clearly require access based on job function.

Document authorized access controls and justify any access grants that do not fall under DBA, DBMS process, ownership, or system administrator (SA) accounts.