Re: Has Anyone implemented the ISACA-Recommended privileges on $ORACLE_HOME (revoke world-read)

From: Mladen Gogala <>
Date: Wed, 16 Mar 2011 23:13:17 +0000 (UTC)
Message-ID: <>

On Wed, 16 Mar 2011 11:12:30 -0700, byrocat wrote:

> Our database security standard specifies the privileges that are
> supposed to be in place (750 or less on all files and subdirectories
> under $ORACLE_HOME except for $ORACLE_HOME/bin and sub-directories and
> files which have 755 or less).
> Turns out that no one installed a new copy of Oracle until just recently
> and then found that the tools installed (SQLPlus) don't work.
> I've found an ISACA book called "Oracle Database Security, Audit and
> Control Features" which recommended that the world-read privilege be
> revoked for everything under $ORACLE_HOME. Chart 7.2 lays out the files
> and directories and the specific privileges for each. This chart is used
> in a lot of documents, here's one:
> Slide 25 is the one with the chart.
> Has anyone followed this recommendation and what has happened to your
> server and databases?

Those recommendations are pretty much default. There is nothing unusual there. Some recommendations are just plain silly, for instance the recommendation for $ORACLE_HOME/rdbms/log. As of version 10g, the only real thing happening there is expdp/impdp. The DBA that would allow users to start export into the $ORACLE_HOME directory tree would deserve to be executed in public by being forced to watch movies with Nicolas Cage or the "Twilight Saga".

Received on Wed Mar 16 2011 - 18:13:17 CDT
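
A read-only check for the standard quoted in the question (no more than 750 outside $ORACLE_HOME/bin, no more than 755 under it), added here as an example and not part of either poster's message. The function names, output labels and sample tree are constructed for illustration, and setuid/setgid/sticky bits are assumed to be out of scope.

```shell
#!/bin/sh
# Read-only audit against the standard quoted in the question:
#   outside $ORACLE_HOME/bin: mode no more than 750
#   under   $ORACLE_HOME/bin: mode no more than 755
# Assumption: only the rwx bits matter; setuid/setgid/sticky are not evaluated.
# Function names and output labels are illustrative.

audit_oracle_home() {
    home=${1%/}
    [ -d "$home" ] || { echo "not a directory: $home" >&2; return 2; }

    # Exceeds 750: group write, or any permission at all for "other".
    find "$home" -path "$home/bin" -prune -o \
        \( -type f -o -type d \) \
        \( -perm -0020 -o -perm -0004 -o -perm -0002 -o -perm -0001 \) \
        -print | sed 's/^/EXCEEDS-750 /'

    # Exceeds 755: group write or other write.
    if [ -d "$home/bin" ]; then
        find "$home/bin" \( -type f -o -type d \) \
            \( -perm -0020 -o -perm -0002 \) -print | sed 's/^/EXCEEDS-755 /'
    fi
}

# Constructed sample tree (not a real installation) for trying the check offline.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/bin" "$t/network/admin" "$t/rdbms/log"
    touch "$t/bin/sqlplus" "$t/bin/loose" \
          "$t/network/admin/tnsnames.ora" "$t/rdbms/log/ok.log"
    chmod 750 "$t" "$t/network" "$t/network/admin" "$t/rdbms" "$t/rdbms/log"
    chmod 755 "$t/bin" "$t/bin/sqlplus"
    chmod 775 "$t/bin/loose"                     # group-writable: exceeds 755
    chmod 644 "$t/network/admin/tnsnames.ora"    # world-readable: exceeds 750
    chmod 640 "$t/rdbms/log/ok.log"
    echo "$t"
}

# Audit the directory given as the first argument, if any.
if [ -n "${1:-}" ]; then audit_oracle_home "$1"; fi
```

Running the audit before and after a permission change gives a list to compare against whichever tools stop working.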
