STIGQter STIGQter: STIG Summary: Oracle Database 11.2g Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The DBMS must disable user accounts after 35 days of inactivity.

DISA Rule

SV-238460r667554_rule

Vulnerability Number

V-238460

Group Title

SRG-APP-000516-DB-000363

Rule Version

O112-C2-013800

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

For accounts managed by Oracle, create a script or store procedure that runs once a day.

Write a SQL statement to determine accounts that have not logged in within 35 days:

Example:
select username from dba_audit_trail where action_name = 'LOGON'
group by username having max(timestamp) < sysdate - 36

And then disable all accounts that have not logged in within 35 days.

Check Contents

If all user accounts are managed and authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, this is not a finding.

For accounts managed by Oracle, check DBMS settings to determine if accounts can be automatically disabled by the system after 35 days of inactivity. Also, ask the DBA if an alternative method, such as a stored procedure run daily, to disable Oracle-managed accounts inactive for more than 35 days, has been deployed.

If the ability to disable accounts after 35 days of inactivity, by either of these means, does not exist, this is a finding.

Vulnerability Number

V-238460

Documentable

False

Rule Version

O112-C2-013800

Severity Override Guidance

If all user accounts are managed and authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, this is not a finding.

For accounts managed by Oracle, check DBMS settings to determine if accounts can be automatically disabled by the system after 35 days of inactivity. Also, ask the DBA if an alternative method, such as a stored procedure run daily, to disable Oracle-managed accounts inactive for more than 35 days, has been deployed.

If the ability to disable accounts after 35 days of inactivity, by either of these means, does not exist, this is a finding.

Check Content Reference

M

Target Key

4057

Comments