STIGQter: STIG Summary: Oracle Database 11g Instance STIG, Version 8, Release 20, Benchmark Date: 28 Jul 2017

Password reuse should be prevented where supported by the DBMS.

DISA Rule

SV-24787r2_rule

Vulnerability Number

V-15633

Group Title

DBMS account password reuse

Rule Version

DG0126-ORACLE11

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the DBMS to prevent password reuse by modifying Oracle profiles:

From SQL*Plus:

alter profile default limit
password_reuse_max 10
password_reuse_time UNLIMITED;

alter profile [profile name] limit
password_reuse_max default
password_reuse_time default;

Replace [profile name] with any existing, non-default profile names.

Where Host Authentication is used, configure the OS to prevent password reuse.

Consider configuring the DBMS to use alternate authentication methods other than password authentication where supported by the DBMS.

Check Contents

If no DBMS accounts authenticate using passwords, this check is Not a Finding.

Review DBMS account password reuse restrictions:

From SQL*Plus:

select p1.profile profile, p1.limit REUSE_MAX, p2.limit REUSE_TIME
from dba_profiles p1, dba_profiles p2
where p1.profile = p2.profile
and p1.resource_name = 'PASSWORD_REUSE_MAX'
and p2.resource_name = 'PASSWORD_REUSE_TIME'
order by p1.profile;

If limits for REUSE_MAX and REUSE_TIME are set to UNLIMITED, this is a Finding.

If the limits for REUSE_MAX and REUSE_TIME are not set to specific values, this is a Finding.

NOTE: If the limits for REUSE_MAX or REUSE_TIME are set to DEFAULT, refer to the corresponding limits set for the DEFAULT profile.

If the DBMS uses Host Authentication, confirm that the host is configured to prevent password reuse. If it is not, this is a Finding.
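To make the DEFAULT-resolution note and the Finding rules concrete, here is an added Python example (not part of the STIG or of STIGQter) that applies the check's decision logic to rows shaped like the output of the query above; the sample rows are constructed, and the column names REUSE_MAX and REUSE_TIME are taken from the query's aliases.

```python
# Added example: applies the DG0126-ORACLE11 check rules to rows shaped like
# the DBA_PROFILES query output (profile, REUSE_MAX, REUSE_TIME).
# Sample rows are constructed; they are not from a real database.
CONSTRUCTED_ROWS = [
    ("DEFAULT",  "10",        "UNLIMITED"),  # values from the fix recommendation
    ("APP_USER", "DEFAULT",   "DEFAULT"),    # inherits both limits from DEFAULT
    ("LEGACY",   "UNLIMITED", "UNLIMITED"),  # no reuse restriction at all
    ("BATCH",    "DEFAULT",   "UNLIMITED"),  # REUSE_MAX comes from DEFAULT
]

# Limit values that do not constrain password reuse (UNLIMITED or unset).
UNRESTRICTED = {"UNLIMITED", ""}


def build_profiles(rows):
    """Index query rows by profile name for lookup."""
    return {
        profile: {"REUSE_MAX": reuse_max, "REUSE_TIME": reuse_time}
        for profile, reuse_max, reuse_time in rows
    }


def resolve(limit, column, profiles):
    """Follow a DEFAULT reference to the DEFAULT profile's limit (per the NOTE)."""
    value = (limit or "").strip().upper()
    if value == "DEFAULT":
        value = (profiles.get("DEFAULT", {}).get(column) or "").strip().upper()
        if value == "DEFAULT":  # DEFAULT profile cannot defer further; treat as unset
            value = ""
    return value


def evaluate(rows):
    """Return {profile: 'Finding' | 'Not a Finding'} per the check's rules."""
    profiles = build_profiles(rows)
    results = {}
    for name, limits in profiles.items():
        reuse_max = resolve(limits["REUSE_MAX"], "REUSE_MAX", profiles)
        reuse_time = resolve(limits["REUSE_TIME"], "REUSE_TIME", profiles)
        # Finding when neither limit constrains reuse: both UNLIMITED or unset.
        # One concrete value (e.g. REUSE_MAX 10) matches the fix recommendation.
        unrestricted = reuse_max in UNRESTRICTED and reuse_time in UNRESTRICTED
        results[name] = "Finding" if unrestricted else "Not a Finding"
    return results


if __name__ == "__main__":
    for profile, verdict in evaluate(CONSTRUCTED_ROWS).items():
        print(f"{profile:10} {verdict}")
```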

Documentable

False

Check Content Reference

M

Responsibility

Database Administrator

Target Key

1367

Comments