Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
DBMS default accounts should be assigned custom passwords.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-15635 | DG0128-ORACLE11 | SV-24796r1_rule | IAIA-1 IAIA-2 | High |
| Description |
|---|
| Oracle databases have several well-known default username/password combinations. Default passwords may provide unauthorized access to the server. Default accounts should be locked and expired when they are not required for daily operations. This finding is a Category I severity because the fully privileged Database Administrator accounts SYS and SYSTEM have well known default passwords and these accounts provide full access to the database. |
| STIG | Date |
|---|---|
| Oracle 11 Database Instance STIG | 2014-01-14 |
Details
| Check Text ( None ) |
|---|
| None |
| Fix Text (F-26388r1_fix) |
|---|
| Change passwords from the default. Ensure passwords meet complexity standards outlined in STIG Requirement DG0079. From SQL*Plus: alter user [username] identified by [password]; Lock and expire any accounts not required for interactive access. From SQL*Plus: alter user [username] account lock; alter user [username] password expire; NOTE: Follow Oracle documentation for changing any default passwords. Some accounts require coordinated actions in order to maintain operational status. |