STIGQter: STIG Summary: Oracle Database 11.2g Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Oracle password file ownership and permissions should be limited and the REMOTE_LOGIN_PASSWORDFILE parameter must be set to EXCLUSIVE or NONE.

DISA Rule

SV-219705r401224_rule

Vulnerability Number

V-219705

Group Title

SRG-APP-000516-DB-000363

Rule Version

O112-BP-022200

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Disable use of the remote_login_passwordfile where remote administration is not authorized by specifying a value of NONE.

If authorized, restrict use of a password file to exclusive use by each database by specifying a value of EXCLUSIVE.

From SQL*Plus:

alter system set remote_login_passwordfile = 'EXCLUSIVE' scope = spfile;

OR

alter system set remote_login_passwordfile = 'NONE' scope = spfile;

The above SQL*Plus command will set the parameter to take effect at next system startup.

Restrict ownership and permissions on the Oracle password file to exclude world (Unix) or everyone (Windows).

More information regarding the ORAPWD file and the REMOTE_LOGIN_PASSWORDFILE parameter, can be found here:
https://docs.oracle.com/cd/E11882_01/server.112/e25494/dba.htm#ADMIN10241

Check Contents

From SQL*Plus:

select value from v$parameter where upper(name) = 'REMOTE_LOGIN_PASSWORDFILE';

If the value returned does not equal 'EXCLUSIVE' or 'NONE', this is a Finding.

On UNIX Systems:

ls -ld $ORACLE_HOME/dbs/orapw${ORACLE_SID}

Substitute ${ORACLE_SID} with the name of the ORACLE_SID for the database.

If permissions are granted for world access, this is a finding.

On Windows Systems (From Windows Explorer):

Browse to the %ORACLE_HOME\database\directory.

Select and right-click on the PWD%ORACLE_SID%.ora file, select Properties, select the Security tab.
Substitute %ORACLE_SID% with the name of the ORACLE_SID for the database.

If permissions are granted to everyone, this is a finding.
If any account other than the DBMS software installation account is listed, this is a finding.

Vulnerability Number

V-219705

Documentable

False

Rule Version

O112-BP-022200

Severity Override Guidance

From SQL*Plus:

select value from v$parameter where upper(name) = 'REMOTE_LOGIN_PASSWORDFILE';

If the value returned does not equal 'EXCLUSIVE' or 'NONE', this is a Finding.

On UNIX Systems:

ls -ld $ORACLE_HOME/dbs/orapw${ORACLE_SID}

Substitute ${ORACLE_SID} with the name of the ORACLE_SID for the database.

If permissions are granted for world access, this is a finding.

On Windows Systems (From Windows Explorer):

Browse to the %ORACLE_HOME\database\directory.

Select and right-click on the PWD%ORACLE_SID%.ora file, select Properties, select the Security tab.
Substitute %ORACLE_SID% with the name of the ORACLE_SID for the database.

If permissions are granted to everyone, this is a finding.
If any account other than the DBMS software installation account is listed, this is a finding.

Check Content Reference

M

Target Key

4057

Comments