DBMS backup and restoration files must be protected from unauthorized access.

From Oracle Database 12c Security Technical Implementation Guide

Part of SRG-APP-000145-DB-000098

Associated with: CCI-000535

SV-76189r1_rule DBMS backup and restoration files must be protected from unauthorized access.

Vulnerability discussion

Information system backup is a critical step in maintaining data assurance and availability.User-level information is data generated by information system and/or application users. In order to assure availability of this data in the event of a system failure, DoD organizations are required to ensure user-generated data is backed up at a defined frequency. This includes data stored on file systems, within databases or within any other storage media.Applications performing backups must be capable of backing up user-level information per the DoD-defined frequency.Lost or compromised DBMS backup and restoration files may lead to not only the loss of data, but also the unauthorized access to sensitive data. Backup files need the same protections against unauthorized access when stored on backup media as when online and actively in use by the database system. In addition, the backup media needs to be protected against physical loss. Most DBMS's maintain online copies of critical control files to provide transparent or easy recovery from hard disk loss or other interruptions to database operation.

Check content

Review file protections assigned to online backup and restoration files. Review access protections and procedures for off-line backup and restoration files. If backup or restoration files are subject to unauthorized access, this is a finding. It may be necessary to review backup and restoration procedures to determine ownership and access during all phases of backup and recovery.

Fix text

Implement protection for backup and restoration files. Document personnel and the level of access authorized for each to the backup and restoration files in the system documentation.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer