STIGQter: STIG Summary: Oracle Database 11.2g Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021

The DBMS must provide a mechanism to automatically terminate accounts designated as temporary or emergency accounts after an organization-defined time period.

DISA Rule

SV-238437r667485_rule

Vulnerability Number

V-238437

Group Title

SRG-APP-000516-DB-000363

Rule Version

O112-C2-002000

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

If all user accounts are authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, no fix to the DBMS is required.

If using database mechanisms to satisfy this requirement, use a profile with a distinctive name (for example, TEMPORARY_USERS), so that temporary users can be easily identified. Whenever a temporary user account is created, assign it to this profile.

Create a job to lock accounts under this profile that are more than n days old, where n is the organization-defined time period.
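The fix above carried through as an added worked example (not text from the STIG or STIGQter): a distinctive profile whose PASSWORD_LIFE_TIME matches the check, a temporary account placed under it, and a DBMS_SCHEDULER job that locks accounts in that profile once they are older than n days. It assumes n = 3 days as the organization-defined period, and that the schema running it can read DBA_USERS and holds CREATE JOB and ALTER USER; the account name and password are placeholders.

```sql
-- Added example, not part of the STIG text. Assumes n = 3 days (organization-defined)
-- and that the executing schema can read DBA_USERS and holds CREATE JOB and ALTER USER.

-- 1. Distinctive profile so temporary accounts are easy to find. PASSWORD_LIFE_TIME
--    matches the check: the password expires after the same period as the account.
CREATE PROFILE temporary_users LIMIT
  PASSWORD_LIFE_TIME 3
  PASSWORD_GRACE_TIME 0;

-- 2. Every temporary or emergency account is created under that profile
--    (username and password here are placeholders).
CREATE USER tmp_contractor1 IDENTIFIED BY "<placeholder-password>"
  PROFILE temporary_users;

-- 3. Daily job: lock any still-open account in the profile created more than n days ago.
BEGIN
  DBMS_SCHEDULER.CREATE_JOB(
    job_name        => 'LOCK_EXPIRED_TEMP_ACCOUNTS',
    job_type        => 'PLSQL_BLOCK',
    job_action      => q'[
      BEGIN
        FOR u IN (SELECT username
                    FROM dba_users
                   WHERE profile = 'TEMPORARY_USERS'
                     AND account_status NOT LIKE '%LOCKED%'
                     AND created < SYSDATE - 3)
        LOOP
          -- ENQUOTE_NAME quotes the identifier so an unusual username cannot
          -- alter the dynamically built statement.
          EXECUTE IMMEDIATE 'ALTER USER '
            || DBMS_ASSERT.ENQUOTE_NAME(u.username, FALSE) || ' ACCOUNT LOCK';
        END LOOP;
      END;]',
    repeat_interval => 'FREQ=DAILY; BYHOUR=1',
    enabled         => TRUE,
    comments        => 'O112-C2-002000: lock temporary accounts past the defined period');
END;
/

-- 4. The STIG check, plus a view of which temporary accounts are still open.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_name = 'PASSWORD_LIFE_TIME';

SELECT username, account_status, created
  FROM dba_users
 WHERE profile = 'TEMPORARY_USERS';
```

Locking rather than dropping keeps the account's audit trail and object ownership intact for review; drop it separately once the review is complete.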

Check Contents

If the organization has a policy, consistently enforced, forbidding the creation of emergency or temporary accounts, this is not a finding.

If all user accounts are authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, this is not a finding.

Check DBMS settings, OS settings, and/or enterprise-level authentication/access mechanism settings to determine if the site utilizes a mechanism whereby temporary or emergency accounts can be terminated after an organization-defined time period. If not, this is a finding.

Check the profiles to see what the password_life_time is set to in the table dba_profiles. The password_life_time is a value stored in the LIMIT column, and identified by the value PASSWORD_LIFE_TIME in the RESOURCE_NAME column.

SQL>select
profile,
resource_name,
resource_type,
limit
from dba_profiles
where upper(resource_name) like 'PASSWORD_LIFE_TIME';

Verify that the user in question is assigned to a profile with the PASSWORD_LIFE_TIME set to the amount of time the user is expected to be using the password. If not, this is a finding.

Documentable

False

Check Content Reference

M

Target Key

4057

Comments