STIGQter: STIG Summary: Oracle Database 11g Instance STIG, Version 8, Release 20, Benchmark Date: 28 Jul 2017

New passwords must be required to differ from old passwords by more than four characters.

DISA Rule

SV-24387r3_rule

Vulnerability Number

V-3815

Group Title

DBMS password change variance

Rule Version

DG0071-ORACLE11

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Define and apply a password_verify_function for all profiles where passwords are used to authenticate accounts.

See Fix information for DG0079 to create a password_verify_function that meets STIG requirements.

Check Contents

If no DBMS accounts authenticate using passwords, this check is Not a Finding.

Confirm that database profiles specify a password verify function.

From SQL*Plus:
select profile, limit from dba_profiles
where resource_name='PASSWORD_VERIFY_FUNCTION'
and limit not in ('NULL', 'DEFAULT')
order by profile;

If no rows are listed, this is a Finding.

Review the code for the password verify function or have the DBA demonstrate a password change to ensure that the function requires new passwords to differ from old passwords by more than 4 characters.

If reviewing code, logic similar to the following should be discovered:

-- Check if the password differs from the previous password
-- by more than 4 characters

if old_password is not null then
  differ := length(old_password) - length(password);

  if abs(differ) <= 4 then
    if length(password) < length(old_password) then
      m := length(password);
    else
      m := length(old_password);
    end if;

    differ := abs(differ);
    for i in 1..m loop
      if substr(password, i, 1) != substr(old_password, i, 1) then
        differ := differ + 1;
      end if;
    end loop;

    if differ <= 4 then
      raise_application_error(-20004, 'Password should differ by more than 4 characters');
    end if;
  end if;
end if;

If any password_verify_function routines do not check for a difference of more than 4 characters, this is a Finding.
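The following is an added Python model of the PL/SQL "differ" logic quoted above; it is not Oracle's code and not part of the STIG. It reproduces the control flow of the fragment (no check when there is no old password, a length difference alone greater than 4 passes without the positional loop, otherwise positional mismatches over the shorter length are added and the total must exceed 4), so a reviewer can work out in advance which old/new password pairs a compliant password_verify_function must reject when asking the DBA for a demonstration. All password values are constructed sample data.

```python
"""Python model of the password-variance logic quoted in the check text.

Added example: a re-implementation of the PL/SQL fragment on this page
(the utlpwdmg-style "differ" loop), not Oracle's code and not part of
the STIG. Passwords below are constructed sample values.
"""

from typing import List, Optional, Tuple

# The rule requires the new password to differ by MORE than this many characters.
REQUIRED_DIFFERENCE = 4


def password_differs_enough(password: str, old_password: Optional[str]) -> bool:
    """Return True if the change passes the quoted PL/SQL logic.

    Mirrors the control flow on the page: no old password means no check;
    a length difference alone greater than REQUIRED_DIFFERENCE passes
    without the positional loop; otherwise positional differences over the
    shorter length are added and the total must exceed REQUIRED_DIFFERENCE.
    Like the PL/SQL '!=' on substr() results, the comparison is case-sensitive.
    """
    if old_password is None:
        return True
    differ = len(old_password) - len(password)
    if abs(differ) <= REQUIRED_DIFFERENCE:
        m = min(len(password), len(old_password))
        differ = abs(differ)
        for i in range(m):
            if password[i] != old_password[i]:
                differ += 1
        if differ <= REQUIRED_DIFFERENCE:
            return False  # the PL/SQL raises ORA-20004 at this point
    return True


def password_difference(password: str, old_password: str) -> int:
    """Full 'differ' score: absolute length difference plus positional mismatches.

    The PL/SQL skips the positional loop when the length difference is
    already large enough; the accept/reject verdict is the same either way.
    """
    differ = abs(len(old_password) - len(password))
    for new_ch, old_ch in zip(password, old_password):  # zip stops at the shorter string
        if new_ch != old_ch:
            differ += 1
    return differ


def review_cases() -> List[Tuple[str, str, bool]]:
    """Constructed (old, new, must_accept) pairs for a DBA demonstration."""
    old = "Spring2017!x"
    return [
        (old, "Spring2017!x", False),       # unchanged: 0 differences
        (old, "Spring2017!y", False),       # 1 character changed
        (old, "spring2017!x", False),       # a case change counts as 1
        (old, "SPRING2017!x", True),        # 5 case changes (p, r, i, n, g)
        (old, "Spring2017!xabcd", False),   # 4 appended, 0 positional: total 4, rejected
        (old, "Spring2017!xabcde", True),   # 5 appended: passes on length alone
        (old, "Spring2018!yzab", True),     # 3 appended + 2 positional = 5
        (old, "2017!xSpring", True),        # reordering: every position differs
    ]


def check_review_cases() -> bool:
    """True when the model gives the expected verdict for every case."""
    return all(password_differs_enough(new, old) == accept
               for old, new, accept in review_cases())


if __name__ == "__main__":
    for old, new, accept in review_cases():
        verdict = "accepted" if password_differs_enough(new, old) else "rejected"
        print(f"{old!r} -> {new!r}: differ={password_difference(new, old)} "
              f"{verdict} (expected {'accept' if accept else 'reject'})")
```

Two cases are worth pointing out during the review. Appending exactly four characters to an otherwise unchanged password scores 4 and must be rejected, while appending five passes on the length difference alone without the positional loop ever running. The score is a position-by-position comparison, so the same characters in a different order count as fully different; the rule only requires the "more than 4 characters" difference, so a function behaving this way still meets the check, but the reviewer should not expect this logic to enforce anything beyond that.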

Documentable

True

Severity Override Guidance

Check Content Reference

M

Responsibility

Database Administrator

Target Key

1367

Comments