A minimum of three Oracle redo log groups/files must be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device. In addition, each Oracle redo log group must have a minimum of two Oracle redo log members (files).
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-276000 | O19C-00-020600 | SV-276000r1112495_rule | Medium |
| Description |
| The Oracle Database Redo Log files store detailed transactional information on changes made to the database using SQL Data Manipulation Language (DML), Data Definition Language (DDL), and Data Control Language (DCL), which is required for undo, backup, restoration, and recovery. A minimum of three Oracle redo log groups/files must be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID (mirrored) device. In addition, each Oracle redo log group must have a minimum to two Oracle redo log members (files). Each side of the Redo Log Mirror (group 1, member 1) is identical to its mirror image (group 1, member 2), making it possible to continue operations if one file or even one complete mirror is lost due to corruption or accidental deletion. Writing each mirror to a physically and logically separate storage device is an important part of minimizing single points of failure. Oracle redo logs, which are crucial for database recovery, are managed at the CDB level, not at the PDB level. |
| STIG | Date |
| Oracle Database 19c Security Technical Implementation Guide | 2025-06-24 |
Details
| Check Text (C-80138r1112493_chk) |
| From SQL*Plus: -- Check to see how many Oracle redo log groups there are: select group#, bytes, members, status, archived from v$log; -- Check to see how many Oracle redo log members there are: select * from v$logfile; This is a finding if there are less than three Oracle redo log groups a RAID storage device, or equivalent storage system, is not being used. If one or more groups (group#) has only a single member this is a finding. If one or more groups (group#) have more than a single member but one or more of those members are located on the same physical or logical device this is a finding. select count(*) from V$LOG; If the value of the count returned is less than 3, this is a finding. From SQL*Plus: select count(*) from V$LOG where members > 1; If the value of the count returned is less than 3 and a RAID storage device is not being used, this is a finding. |
| Fix Text (F-80043r1112494_fix) |
| To define additional redo log file groups: From SQL*Plus (Example): alter database add logfile group 2 ('diska:log2.log' , 'diskb:log2.log') size 50K; To add additional redo log file [members] to an existing redo log file group: From SQL*Plus (Example): alter database add logfile member 'diskc:log2.log' to group 2; Replace diska, diskb, diskc with valid, different disk drive specifications. Replace log#.log file with valid or custom names for the log files. |