
DBMS default accounts should be assigned custom passwords.


Overview

Finding ID: V-15635
Version: DG0128-ORACLE11
Rule ID: SV-24796r1_rule
IA Controls: IAIA-1, IAIA-2
Severity: High
Description
Oracle databases have several well-known default username/password combinations. Default passwords may provide unauthorized access to the server. Default accounts should be locked and expired when they are not required for daily operations. This finding is Category I severity because the fully privileged Database Administrator accounts SYS and SYSTEM have well-known default passwords, and these accounts provide full access to the database.
STIG: Oracle 11 Database Instance STIG
Date: 2014-01-14

Details

Check Text ( None )
None
Fix Text (F-26388r1_fix)
Change passwords from the default.

Ensure passwords meet complexity standards outlined in STIG Requirement DG0079.

From SQL*Plus:
alter user [username] identified by [password];

Lock and expire any accounts not required for interactive access.

From SQL*Plus:
alter user [username] account lock;
alter user [username] password expire;

NOTE: Follow Oracle documentation for changing any default passwords. Some accounts require coordinated actions in order to maintain operational status.
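
The finding carries no check text. The queries below are an added example, not part of the STIG: one way to find the accounts the fix applies to, and to draft the lock and expire statements for review. They assume Oracle 11g's DBA_USERS_WITH_DEFPWD data dictionary view and a SQL*Plus session with SELECT access to the DBA_ views; the wording in the ACTION column is illustrative.

```sql
-- Added example, not part of the STIG text.
-- DBA_USERS_WITH_DEFPWD lists accounts whose password is still a known
-- default. Joining to DBA_USERS shows whether each one is open or locked.
SELECT u.username,
       u.account_status,
       CASE
         WHEN u.username IN ('SYS', 'SYSTEM')
           THEN 'Change password (fully privileged DBA account)'
         WHEN u.account_status = 'EXPIRED & LOCKED'
           THEN 'Locked and expired; default password still set'
         ELSE 'Change password, or lock and expire if not required'
       END AS action
FROM   dba_users u
JOIN   dba_users_with_defpwd d
       ON d.username = u.username
ORDER  BY CASE WHEN u.username IN ('SYS', 'SYSTEM') THEN 0 ELSE 1 END,
          u.account_status,
          u.username;

-- Draft the page's lock/expire statements for default-password accounts
-- that are not already locked and expired. SYS and SYSTEM are excluded
-- because they need a password change rather than a lock.
-- This only prints statements: review the list, remove any account that
-- is required for interactive access or needs coordinated changes, then
-- run the remaining statements by hand.
SELECT 'alter user "' || u.username || '" account lock;'    AS stmt
FROM   dba_users u
JOIN   dba_users_with_defpwd d
       ON d.username = u.username
WHERE  u.username NOT IN ('SYS', 'SYSTEM')
AND    u.account_status <> 'EXPIRED & LOCKED'
UNION ALL
SELECT 'alter user "' || u.username || '" password expire;' AS stmt
FROM   dba_users u
JOIN   dba_users_with_defpwd d
       ON d.username = u.username
WHERE  u.username NOT IN ('SYS', 'SYSTEM')
AND    u.account_status <> 'EXPIRED & LOCKED'
ORDER  BY stmt;
```

After the passwords are changed and unused accounts are locked and expired, the first query should return no open account.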