STIGQter: STIG Summary: Oracle Database 11g Instance STIG Version: 8 Release: 20 Benchmark Date: 28 Jul 2017:

Database accounts should not specify account lock times less than the site-approved minimum.

DISA Rule

SV-24650r2_rule

Vulnerability Number

V-3817

Group Title

DBMS failed login account lock

Rule Version

DG0073-ORACLE11

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Modify profiles to meet the failed login attempt requirement limit.

From SQL*Plus:
alter profile default limit
failed_login_attempts 3;

alter profile [profile name] limit
failed_login_attempts [IAO-approved value];

Replace [profile name] with any existing, non-default profile names.

Document in the System Security Plan all profiles and settings.

Check Contents

From SQL*Plus:
select profile||': '||limit from dba_profiles,
(select limit as def_login_attempts from dba_profiles
where profile = 'DEFAULT'
and resource_name = 'FAILED_LOGIN_ATTEMPTS')
where resource_name = 'FAILED_LOGIN_ATTEMPTS'
and replace(limit, 'DEFAULT', def_login_attempts) IN
('UNLIMITED', NULL)
or resource_name = 'FAILED_LOGIN_ATTEMPTS'
and to_number(decode(limit, 'UNLIMITED', 10, 'DEFAULT', 10, limit)) > 3;

If the DEFAULT profile is returned with a limit not less than or equal to 3, this is a Finding.

If any non-DEFAULT profiles are returned with limits not documented and approved by the IAO, this is a Finding.

NOTE: If the limit 'DEFAULT' is returned for any non-DEFAULT profiles, the profile limit is set to the corresponding value in the DEFAULT profile. If the DEFAULT profile is a Finding, so is the profile that references it.

Vulnerability Number

V-3817

Documentable

True

Rule Version

DG0073-ORACLE11

Severity Override Guidance

From SQL*Plus:
select profile||': '||limit from dba_profiles,
(select limit as def_login_attempts from dba_profiles
where profile = 'DEFAULT'
and resource_name = 'FAILED_LOGIN_ATTEMPTS')
where resource_name = 'FAILED_LOGIN_ATTEMPTS'
and replace(limit, 'DEFAULT', def_login_attempts) IN
('UNLIMITED', NULL)
or resource_name = 'FAILED_LOGIN_ATTEMPTS'
and to_number(decode(limit, 'UNLIMITED', 10, 'DEFAULT', 10, limit)) > 3;

If the DEFAULT profile is returned with a limit not less than or equal to 3, this is a Finding.

If any non-DEFAULT profiles are returned with limits not documented and approved by the IAO, this is a Finding.

NOTE: If the limit 'DEFAULT' is returned for any non-DEFAULT profiles, the profile limit is set to the corresponding value in the DEFAULT profile. If the DEFAULT profile is a Finding, so is the profile that references it.

Check Content Reference

M

Responsibility

Database Administrator

Target Key

1367

Comments