Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-15635 | DG0128-ORACLE10 | SV-24795r1_rule | IAIA-1 IAIA-2 | High |
Description |
---|
Oracle databases have several well-known default username/password combinations. Default passwords may provide unauthorized access to the server. Default accounts should be locked and expired when they are not required for daily operations. This finding is a Category I severity because the fully privileged Database Administrator accounts SYS and SYSTEM have well known default passwords and these accounts provide full access to the database. |
STIG | Date |
---|---|
Oracle 10 Database Instance STIG | 2014-01-14 |
Check Text ( None ) |
---|
None |
Fix Text (F-26387r1_fix) |
---|
Change passwords from the default. Ensure passwords meet complexity standards outlined in STIG Requirement DG0079. From SQL*Plus: alter user [username] identified by [password]; Lock and expire any accounts not required for interactive access. From SQL*Plus: alter user [username] account lock; alter user [username] password expire; NOTE: Follow Oracle documentation for changing any default passwords. Some accounts require coordinated actions in order to maintain operational status. |