DBMS passwords must not be stored in compiled, encoded, or encrypted batch jobs or compiled, encoded, or encrypted application source code.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-32473	SRG-APP-000174-DB-000079	SV-42810r1_rule		Medium

Description
Password maximum lifetime is the maximum period of time, (typically in days) a user's password may be in effect before the user is forced to change it. Passwords need to be changed at specific policy based intervals as per policy. Any password no matter how complex can eventually be cracked. One method of minimizing this risk is to use complex passwords and periodically change them. If the application does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the system and/or application passwords could be compromised. The storage of passwords in application source or batch job code that is compiled, encoded, or encrypted prevents compliance with password expiration and other management requirements, as well as provides another means for potential discovery.

Description

Password maximum lifetime is the maximum period of time, (typically in days) a user's password may be in effect before the user is forced to change it. Passwords need to be changed at specific policy based intervals as per policy. Any password no matter how complex can eventually be cracked. One method of minimizing this risk is to use complex passwords and periodically change them. If the application does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the system and/or application passwords could be compromised. The storage of passwords in application source or batch job code that is compiled, encoded, or encrypted prevents compliance with password expiration and other management requirements, as well as provides another means for potential discovery.

STIG	Date
Database Security Requirements Guide	2012-07-02

Details

Check Text ( C-40911r2_chk )
Review application source code required to be encoded or encrypted for database accounts used by applications or batch jobs to access the database. Review source batch job code prior to compiling, encoding, or encrypting for database accounts used by applications or the batch jobs themselves to access the database. Determine if the compiled, encoded, or encrypted application source code or batch jobs contain passwords used for authentication to the database. If any of the identified compiled, encoded, or encrypted application source code or batch job code do contain passwords used for authentication to the database, this is a finding.

Check Text ( C-40911r2_chk )

Review application source code required to be encoded or encrypted for database accounts used by applications or batch jobs to access the database.

Review source batch job code prior to compiling, encoding, or encrypting for database accounts used by applications or the batch jobs themselves to access the database.

Determine if the compiled, encoded, or encrypted application source code or batch jobs contain passwords used for authentication to the database.

If any of the identified compiled, encoded, or encrypted application source code or batch job code do contain passwords used for authentication to the database, this is a finding.

Fix Text (F-36388r1_fix)
Design DBMS application code and batch job code that is compiled, encoded, or encrypted to NOT contain passwords.