DBMS tools or applications that echo or require a password entry in clear text should be protected from password display.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-3813 | DG0068-ORACLE10 | SV-24642r1_rule | IAIA-1 IAIA-2 | Medium |
| Description |
|---|
| Database applications may allow for entry of the account name and password as a visible parameter of the application execution command. This practice should be prohibited and disabled, if possible, by the application. If it cannot be disabled, then users should be strictly instructed not to use this feature. Typically, the application will prompt for this information and accept it without echoing it on the users computer screen. |
| STIG | Date |
|---|---|
| Oracle Database 10g Installation STIG | 2014-04-02 |
Details
| Check Text ( C-29166r1_chk ) |
|---|
| Review policy and instructions included or noted in the System Security Plan used to inform users and administrators not to enter database passwords at the command line. Review documented and implemented procedures used to monitor the DBMS system for such activity. If policy or instructions do not exist, proof of users and administrators being briefed does not exist or monitoring for compliance is not being performed to dissuade the practice of entering database passwords on the command line, this is a Finding. |
| Fix Text (F-26178r1_fix) |
|---|
| Develop, document and implement policy and instructions to train users not to enter database passwords on the command line. Develop, document and implement monitoring for compliance. Alter command-line utilities to prevent or report when a password has been entered on a command line or disable its use. |