STIGQter: STIG Summary: Oracle Database 11.2g Security Technical Implementation Guide, Version: 2, Release: 1, Benchmark Date: 23 Apr 2021

The system must employ automated mechanisms for supporting Oracle user account management.

DISA Rule

SV-219749r395475_rule

Vulnerability Number

V-219749

Group Title

SRG-APP-000023-DB-000001

Rule Version

O112-C2-001800

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Utilize an Oracle feature/product, an OS feature, a third-party product, or custom code to automate some or all account maintenance functionality.

- - - - -

Roles and Profiles are two Oracle features that should be employed in account management. (Indeed, other requirements mandate the use of Roles.) Following are some notes from Oracle on the use of Profiles.

A profile is a named set of resource limits and password parameters that restrict database usage and instance resources for a user. You can assign a profile to each user, and a default profile to all others. Each user can have only one profile, and creating a new one supersedes any earlier one.

Profile resource limits are enforced only when you enable resource limitation for the associated database. Enabling such limitation can occur either before starting up the database (the RESOURCE_LIMIT initialization parameter) or while it is open (using an ALTER SYSTEM statement).

While password parameters reside in profiles, they are unaffected by RESOURCE_LIMIT or ALTER SYSTEM and password management is always enabled.
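An added example, not part of the STIG text or of Oracle's notes: one way to apply the profile guidance above and to inventory the accounts the check counts. The profile, role and user names and every limit value are constructed placeholders, not values this rule mandates.

```sql
-- Added example. APP_USER_PROFILE, APP_USER_ROLE, EXAMPLE_USER and all
-- limit values are hypothetical; substitute site-approved settings.

-- 1. Resource limits in a profile are enforced only while RESOURCE_LIMIT
--    is TRUE. Password parameters are enforced regardless of this setting.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;

-- 2. Define limits once per class of account instead of per user.
--    IDLE_TIME is in minutes; the PASSWORD_*_TIME parameters are in days.
CREATE PROFILE app_user_profile LIMIT
  SESSIONS_PER_USER      2
  IDLE_TIME              15
  FAILED_LOGIN_ATTEMPTS  3
  PASSWORD_LOCK_TIME     1
  PASSWORD_LIFE_TIME     60
  PASSWORD_GRACE_TIME    5;

-- 3. Grant privileges through a role rather than directly to each user.
CREATE ROLE app_user_role;
GRANT CREATE SESSION TO app_user_role;

-- 4. Account maintenance then reduces to assigning the profile and role.
--    A user has exactly one profile; this assignment replaces the old one.
ALTER USER example_user PROFILE app_user_profile;
GRANT app_user_role TO example_user;

-- 5. Confirm what the profile enforces. RESOURCE_TYPE is KERNEL for
--    resource limits and PASSWORD for password parameters.
SELECT resource_name, resource_type, limit
FROM   dba_profiles
WHERE  profile = 'APP_USER_PROFILE'
ORDER  BY resource_type, resource_name;

-- 6. Inventory for the check: accounts grouped by how they authenticate.
--    AUTHENTICATION_TYPE = 'PASSWORD' means Oracle authenticates the
--    account; EXTERNAL and GLOBAL are OS or enterprise authentication.
SELECT authentication_type, profile, account_status, COUNT(*) AS accounts
FROM   dba_users
GROUP  BY authentication_type, profile, account_status
ORDER  BY authentication_type, profile;
```

The count of PASSWORD rows from the last query is the figure to compare against the site definition or the rule of thumb given in the check.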

Check Contents

If all user accounts are authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, this is not a finding.

If an Oracle feature/product, an OS feature, a third-party product, or custom code is used to automate account management, this is not a finding.

Determine what the site-defined definition of an acceptably small level of manual account-management activity is. If the site has established the definition, documented it, and obtained ISSO-ISSM-AO approval, use that definition. If not, use the following rule of thumb as the definition: no more than 12 such accounts exist or are expected to exist; no more than 100 manual account-management actions (account creation, modification, locking, unlocking, removal and the like) are expected to occur in the course of a year.

If the amount of account management activity is small, as defined in the preceding paragraph, this is not a finding.

Otherwise, this is a finding.

Documentable

False

Check Content Reference

M

Target Key

4057
