STIGQter: STIG Summary: Oracle Database 11g Installation STIG, Version: 8, Release: 20, Benchmark Date: 28 Jul 2017

Procedures for establishing temporary passwords that meet DoD password requirements for new accounts should be defined, documented and implemented.

DISA Rule

SV-24639r1_rule

Vulnerability Number

V-3811

Group Title

DBMS temporary password procedures

Rule Version

DG0066-ORACLE11

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Develop, document and implement procedures for assigning, distributing and changing temporary passwords for new database user accounts.

Procedures should include instructions that meet current DoD password length and complexity requirements and provide a secure method to relay the temporary password to the user.

Temporary passwords should also be short-lived and require immediate update by the user upon first use.

Consider authenticating accounts with certificates or other credentials in place of password authentication.

Check Contents

If all database accounts are configured to authenticate using certificates or other credentials besides passwords, this check is Not a Finding.

Review documented procedures and evidence of implementation for assignment of temporary passwords for password-authenticated accounts.

Confirm temporary passwords meet DoD password requirements.

Review documented procedures for distribution of temporary passwords to users.

Have the DBA demonstrate that the DBMS or applications accessing the database are configured to require a change of password by the user upon first use.

If documented procedures and evidence do not exist or are not complete, temporary passwords do not meet DoD password requirements, or the DBMS or applications accessing the database are not configured to require a change of password by the user upon first use, this is a Finding.

Documentable

False

Severity Override Guidance

If all database accounts are configured to authenticate using certificates or other credentials besides passwords, this check is Not a Finding.

Review documented procedures and evidence of implementation for assignment of temporary passwords for password-authenticated accounts.

Confirm temporary passwords meet DoD password requirements.

Review documented procedures for distribution of temporary passwords to users.

Have the DBA demonstrate that the DBMS or applications accessing the database are configured to require a change of password by the user upon first use.

If documented procedures and evidence do not exist or are not complete, temporary passwords do not meet DoD password requirements, or the DBMS or applications accessing the database are not configured to require a change of password by the user upon first use, this is a Finding.

Check Content Reference

I

Responsibility

Database Administrator

Target Key

1368