STIGQter: STIG Summary: Oracle Database 11.2g Security Technical Implementation Guide Version: 1 Release: 17 Benchmark Date: 24 Jan 2020

The DBMS must provide a logout functionality to allow the user to manually terminate the session.

DISA Rule

SV-66353r2_rule

Vulnerability Number

V-52137

Group Title

SRG-APP-000221-DB-000150

Rule Version

O112-C2-017700

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Code applications to close database sessions when the user logs out or closes the application.

Check Contents

If any application using the database can be closed, or logged out of, by the user, yet does not close the user's session in the DBMS, this is a finding.
- - - - - -
This is default behavior for the Oracle database. To test this functionality, connect as SYSDBA, create a user named testuser1, and grant connect to testuser1. V$SESSION is the view in which all sessions established with the database are tracked, so the number of active sessions can be counted by counting the rows in that view.

Initiate session one

sqlplus / as sysdba

SQL> select count(*) from v$session;

  COUNT(*)
----------
        26

Then connect as a different user in a second terminal session. After successfully connecting, issue the select count(*) command again from the SYSDBA session; the number should increase by one. Then have user1 exit the session. If the SYSDBA runs another select count(*) from v$session, the session count will have gone down by 1. When a session no longer exists, its resources are de-allocated.

sqlplus user1

SQL> exit
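The following SQL*Plus script is an added example, not part of the STIG text. It runs the same check but filters V$SESSION on the test account, so background processes and other users cannot change the result, and it adds a review query for user sessions that have sat idle for a long time. The password and the one-hour threshold are placeholder assumptions.

```sql
-- Added example (not from the STIG). Run as SYSDBA in session one.
-- testuser1 is the test account named in the check text;
-- the password below is a placeholder and must be replaced.
CREATE USER testuser1 IDENTIFIED BY "Replace_Me_1";
GRANT CONNECT TO testuser1;

-- Run this three times: before testuser1 connects, while it is
-- connected in the second terminal, and after it issues EXIT.
-- Filtering on USERNAME isolates the test session, which a bare
-- COUNT(*) over V$SESSION does not.
SELECT sid, serial#, username, status, program, logon_time
  FROM v$session
 WHERE username = 'TESTUSER1';

-- Review of real application accounts: user sessions whose last
-- call was more than an hour ago (threshold is an assumption).
-- Sessions listed here after their users have logged out of the
-- application are candidates for the finding; sessions held by a
-- connection pool also appear and need to be assessed separately.
SELECT username, program, machine, status, logon_time,
       last_call_et AS seconds_since_last_call
  FROM v$session
 WHERE type = 'USER'
   AND username IS NOT NULL
   AND last_call_et > 3600
 ORDER BY last_call_et DESC;

-- Remove the test account when the check is complete.
DROP USER testuser1 CASCADE;
```

The first query should show a row for the test account only while its SQL*Plus session is open, matching the rise and fall in the session count described above.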


Documentable

False


Severity Override Guidance


Check Content Reference

M

Target Key

2669
