O121-BP-025400 - Access to DBMS software files and directories must not be granted to unauthorized users - /etc/profile umask < 022

Details

The DBMS software libraries contain the executables used by the DBMS to operate. Unauthorized access to the libraries can result in malicious alteration or planting of operational executables. This may in turn jeopardize data stored in the DBMS and/or operation of the host system.


Solution

For UNIX Systems:

Set the umask of the Oracle software owner account to 022. Determine the shell being used for the Oracle software owner account:

env | grep -i shell

Startup files for each shell are as follows (located in users $HOME directory):

C-Shell (CSH) = .cshrc
Bourne Shell (SH) = .profile
Korn Shell (KSH) = .kshrc
TC Shell (TCS) = .tcshrc
BASH Shell = .bash_profile or .bashrc

Edit the shell startup file for the account and add or modify the line:

umask 022

Log off and logon, then enter the umask command to confirm the setting.

Note: To effect this change for all Oracle processes, a reboot of the DBMS server may be required.

For Windows Systems:
Restrict access to the DBMS software libraries to the fewest accounts that clearly require access based on job function.

Document authorized access controls and justify any access grants that do not fall under DBA, DBMS process, ownership, or SA accounts.


Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Unix.


References


Source