The DBMS software libraries contain the executables used by the DBMS to operate. Unauthorized access to the libraries can result in malicious alteration or planting of operational executables. This may in turn jeopardize data stored in the DBMS and/or operation of the host system.
For UNIX Systems:
Set the umask of the Oracle software owner account to 022. Determine the shell being used for the Oracle software owner account:
env | grep -i shell
Startup files for each shell are as follows (located in users $HOME directory):
C-Shell (CSH) = .cshrc
Bourne Shell (SH) = .profile
Korn Shell (KSH) = .kshrc
TC Shell (TCS) = .tcshrc
BASH Shell = .bash_profile or .bashrc
Edit the shell startup file for the account and add or modify the line:
Log off and login, then enter the umask command to confirm the setting.
NOTE: To effect this change for all Oracle processes, a reboot of the DBMS server may be required.
For Windows Systems:
Product-specific fix is pending development. Use Generic Fix listed below:
Restrict access to the DBMS software libraries to the fewest accounts that clearly require access based on job function.
Document authorized access control and justify any access grants that do not fall under DBA, DBMS process, ownership, or SA accounts.
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Unix.