STIGQter STIGQter: STIG Summary: Oracle Database 12c Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The DBMS must support organizational requirements to prohibit password reuse for the organization-defined number of generations.

DISA Rule

SV-237727r667213_rule

Vulnerability Number

V-237727

Group Title

SRG-APP-000164-DB-000401

Rule Version

O121-C2-014000

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

If all user accounts are authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, no fix to the DBMS is required.

If any user accounts are managed by Oracle: For each profile, set the PASSWORD_REUSE_MAX to enforce the DoD-defined minimum number of password changes before a password may be repeated (five or greater).

PASSWORD_REUSE_MAX is effective if and only if PASSWORD_REUSE_TIME is specified, so ensure also that it has a meaningful value. Since the minimum password lifetime is 1 day, the smallest meaningful value is the same as the PASSWORD_REUSE_MAX value.

Using PPPPPP as an example, the statement to do this is:
ALTER PROFILE PPPPPP LIMIT PASSWORD_REUSE_MAX 5 PASSWORD_REUSE_TIME 5;

Check Contents

If all user accounts are authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, this is not a finding.

For each profile that can be applied to accounts where authentication is under Oracle's control, determine the password reuse rule, if any, that is in effect:
SELECT * FROM SYS.DBA_PROFILES
WHERE RESOURCE_NAME IN ('PASSWORD_REUSE_MAX', 'PASSWORD_REUSE_TIME')
[AND PROFILE NOT IN (<list of non-applicable profiles>)]
ORDER BY PROFILE, RESOURCE_NAME;
Bearing in mind that a profile can inherit from another profile, and the root profile is called DEFAULT, determine the value of the PASSWORD_REUSE_MAX effective for each profile.

If, for any profile, the PASSWORD_REUSE_MAX value does not enforce the DoD-defined minimum number of password changes before a password may be repeated (five or greater), this is a finding.

PASSWORD_REUSE_MAX is effective if and only if PASSWORD_REUSE_TIME is specified, so if both are UNLIMITED, this is a finding.

Vulnerability Number

V-237727

Documentable

False

Rule Version

O121-C2-014000

Severity Override Guidance

If all user accounts are authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, this is not a finding.

For each profile that can be applied to accounts where authentication is under Oracle's control, determine the password reuse rule, if any, that is in effect:
SELECT * FROM SYS.DBA_PROFILES
WHERE RESOURCE_NAME IN ('PASSWORD_REUSE_MAX', 'PASSWORD_REUSE_TIME')
[AND PROFILE NOT IN (<list of non-applicable profiles>)]
ORDER BY PROFILE, RESOURCE_NAME;
Bearing in mind that a profile can inherit from another profile, and the root profile is called DEFAULT, determine the value of the PASSWORD_REUSE_MAX effective for each profile.

If, for any profile, the PASSWORD_REUSE_MAX value does not enforce the DoD-defined minimum number of password changes before a password may be repeated (five or greater), this is a finding.

PASSWORD_REUSE_MAX is effective if and only if PASSWORD_REUSE_TIME is specified, so if both are UNLIMITED, this is a finding.

Check Content Reference

M

Target Key

4059

Comments