Assuming UNIX variants...

Accessing shared memory (where the Oracle SGA resides in UNIX) after database shutdown requires "root" privileges in order to read from "/dev/mem" (or the equivalent on your OS variant), which is the only way to access regions of memory outside of the APIs provided via the system calls for shared memory (i.e. shmctl, shmat, etc.) or heap/data memory allocation within an image (i.e. brk, sbrk, etc.). That's what an API is designed to do -- provide controlled access to privileged services outside of a privileged account.

The upshot is that the "root" account must be compromised in order for the quote "Information in caches may be accessed outside of Oracle and beyond the control of the security parameters" to be true. And if that becomes true, then the accessing of memory caches potentially "left behind" by Oracle is the absolute least of your concerns... ;-)

Perhaps the guideline is thinking of some other form of "caching", such as "temporary files" or caching performed into files, not necessarily by the RDBMS? Perhaps by the app-server? Web-server?

Jason Heinrich wrote:

I'm working on implementing the CIS guidelines for Oracle 10g in a database, and I'm a bit confused over one of them:
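As an added example (not part of the original thread): a check a DBA could run after shutdown to see whether any shared memory segments were left behind and which permission bits govern access to them through the shmat API mentioned in the reply. It assumes the column layout printed by Linux `ipcs -m` and an OS account named `oracle`; `sample_ipcs` and `audit_shm` are hypothetical helper names, and the sample listing is constructed.

```shell
#!/bin/sh
# Constructed sample in the layout of Linux `ipcs -m` (not real output).
sample_ipcs() {
cat <<'EOF'

------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x7a3c1b20 65536      oracle     640        4096       12
0x00000000 98305      oracle     660        2147483648 0
0x5f2d9e44 131074     oracle     666        8388608    0
0x00000000 163843     postgres   600        56         6

EOF
}

# audit_shm OWNER: read `ipcs -m` text on stdin, print one line per finding.
#   ORPHAN = segment still exists but no process is attached (nattch is 0)
#   WORLD  = the "other" permission digit is non-zero, so any local account
#            may attach through the normal shared memory API
audit_shm() {
    awk -v owner="$1" '
        $1 ~ /^0x/ && $3 == owner {
            perms  = $4
            nattch = $6
            other  = substr(perms, length(perms), 1)
            if (nattch == 0)  print "ORPHAN", $2, perms
            if (other != "0") print "WORLD", $2, perms
        }'
}

# Demo on the constructed sample; on a live host: ipcs -m | audit_shm oracle
sample_ipcs | audit_shm oracle
```

A segment reported as ORPHAN after a clean shutdown can be inspected with `ipcs -m -i <shmid>` and removed with `ipcrm -m <shmid>` once it is confirmed that no instance is using it.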