STIGQter: STIG Summary: Oracle Database 12c Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

The DBMS must verify account lockouts persist until reset by an administrator.

DISA Rule

SV-237713r667171_rule

Vulnerability Number

V-237713

Group Title

SRG-APP-000516-DB-000363

Rule Version

O121-C2-004900

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the DBMS settings to specify indefinite lockout duration:
ALTER PROFILE ORA_STIG_PROFILE LIMIT PASSWORD_LOCK_TIME UNLIMITED;

Check Contents

The account lockout duration is defined in the profile assigned to a user.

To see what profile is assigned to a user, enter the query:

SQL>SELECT profile FROM dba_users WHERE username = '<username>';

This will return the profile name assigned to that user.

The user profile, ORA_STIG_PROFILE, has been provided (starting with Oracle 12.1.0.2) to satisfy the STIG requirements pertaining to the profile parameters. Oracle recommends that this profile be customized with any site-specific requirements and assigned to all users where applicable. Note: It remains necessary to create a customized replacement for the password validation function, ORA12C_STRONG_VERIFY_FUNCTION, if relying on this technique to verify password complexity.

Now check the values assigned to the profile returned from the query above:

column profile format a20
column limit format a20
SQL>SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE PROFILE = 'ORA_STIG_PROFILE';

Check the setting for PASSWORD_LOCK_TIME, which specifies how long the account stays locked once the number of consecutive failed logon attempts reaches the limit. If the value is not UNLIMITED, this is a finding.
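The check above inspects one profile by name. The following query is an added example, not part of the STIG text or of Oracle's own tooling; it generalizes the check to every profile and every user in one pass, using only the DBA_PROFILES and DBA_USERS views the check already references. It assumes the Oracle rule that a profile LIMIT of DEFAULT inherits its value from the DEFAULT profile, and resolves that inheritance before comparing against UNLIMITED, so a site profile that never set PASSWORD_LOCK_TIME is still reported if DEFAULT has a finite lock time.

```sql
-- Added example: list every user whose effective PASSWORD_LOCK_TIME is not UNLIMITED.
-- Run as a user with SELECT on DBA_PROFILES and DBA_USERS. An empty result set means
-- no finding for this rule; each returned row names an account to remediate.
WITH lock_time AS (
  -- PASSWORD_LOCK_TIME row for every profile in the database
  SELECT profile, limit AS lock_limit
  FROM   dba_profiles
  WHERE  resource_name = 'PASSWORD_LOCK_TIME'
),
resolved AS (
  -- a LIMIT of DEFAULT means "inherit from the DEFAULT profile", so substitute that value
  SELECT p.profile,
         CASE WHEN p.lock_limit = 'DEFAULT' THEN d.lock_limit ELSE p.lock_limit END AS effective_limit
  FROM   lock_time p
  LEFT JOIN lock_time d ON d.profile = 'DEFAULT'
)
SELECT u.username,
       u.profile,
       r.effective_limit,
       u.account_status
FROM   dba_users u
JOIN   resolved r ON r.profile = u.profile
WHERE  r.effective_limit <> 'UNLIMITED'
-- optional: add  AND u.oracle_maintained = 'N'  to skip Oracle-supplied schemas (12c and later)
ORDER BY u.profile, u.username;
```

The remediation for any profile that appears in the output is the ALTER PROFILE ... LIMIT PASSWORD_LOCK_TIME UNLIMITED statement from the Fix Recommendation, applied to that profile rather than only to ORA_STIG_PROFILE; re-running the query afterwards should return no rows.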

Vulnerability Number

V-237713

Documentable

False

Rule Version

O121-C2-004900

Severity Override Guidance
Check Content Reference

M

Target Key

4059

Comments