Unlimited account lock times should be specified for locked accounts.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-15639 | DG0133-ORACLE11 | SV-24426r1_rule | ECLO-1 ECLO-2 | Medium |
| Description |
|---|
| When no limit is imposed on failed logon attempts and accounts are not disabled after a set number of failed access attempts, then the DBMS account is vulnerable to sustained attack. When access attempts continue unrestricted, the likelihood of success is increased. A successful attempt results in unauthorized access to the database. |
| STIG | Date |
|---|---|
| Oracle 11 Database Instance STIG | 2014-01-14 |
Details
| Check Text ( None ) |
|---|
| None |
| Fix Text (F-26390r1_fix) |
|---|
| Set the password_lock_time on all defined profiles to unlimited. This will require the DBA manually to re-enable every locked account after the failed login limit has been reached. From SQL*Plus: alter profile default limit password_lock_time unlimited; alter profile [profile name] limit password_lock_time default; Replace [profile name] with an existing, non-default profile name. |