The Oracle _TRACE_FILES_PUBLIC parameter if present must be set to FALSE.

From Oracle Database 12c Security Technical Implementation Guide

Part of SRG-APP-000516-DB-999900

Associated with: CCI-000366

SV-75955r1_rule The Oracle _TRACE_FILES_PUBLIC parameter if present must be set to FALSE.

Vulnerability discussion

The _TRACE_FILES_PUBLIC parameter is used to make trace files used for debugging database applications and events available to all database users. Use of this capability precludes the discrete assignment of privileges based on job function. Additionally, its use may provide access to external files and data to unauthorized users.

Check content

From SQL*Plus: select value from v$parameter where name = '_trace_files_public'; If the value returned is TRUE, this is a finding. If the parameter does not exist or is set to FALSE, this is not a finding.

Fix text

From SQL*Plus (shutdown database instance): shutdown immediate From SQL*Plus (create a pfile from spfile): create pfile='[PATH]init[SID].ora' from spfile; Edit the init[SID].ora file and remove the following line: *._trace_files_public=TRUE From SQL*Plus (update the spfile using the pfile): create spfile from pfile='[PATH]init[SID].ora'; From SQL*Plus (start the database instance): startup Note: [PATH] depends on the platform (Windows or UNIX). Ensure the file is directed to a writable location. [SID] is equal to the oracle SID or database instance ID.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer