DBMS account passwords should be set to expire every 60 days or more frequently.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-15153	DG0125-ORACLE10	SV-24779r2_rule	IAIA-1 IAIA-2	Medium

Description
The PASSWORD_LIFE_TIME value specifies the length of time the same password may be used to authenticate to a database account. After the time period specified has passed for the assigned password, the user is required to change their password or else forfeit access to the database. Frequent password changes help to decrease the likelihood or duration of a password compromise that would result in unauthorized access.

Description

The PASSWORD_LIFE_TIME value specifies the length of time the same password may be used to authenticate to a database account. After the time period specified has passed for the assigned password, the user is required to change their password or else forfeit access to the database. Frequent password changes help to decrease the likelihood or duration of a password compromise that would result in unauthorized access.

STIG	Date
Oracle Database 10g Instance STIG	2014-04-02

Details

Check Text ( C-29355r2_chk )
NOTE: Use of authentication via certificate or CAC for Oracle accounts makes the accounts non-interactive for the purposes of this check. The DEFAULT profile is required to have a password lifetime set not to exceed 60 days, which is the current password lifetime limit per DoD policy. Custom profiles for non-interactive accounts (accounts used by applications or other systems) may have PASSWORD_LIFE_TIME set to a time greater than 60 days, but must still have a limit assigned. Limits of one year or less for non-interactive accounts require IAO authorization and should be set to a lifetime as low as administration and operation of the application will support. From SQL*Plus: select profile, limit from dba_profiles, (select limit as def_pwd_life_tm from dba_profiles where profile = 'DEFAULT' and resource_name = 'PASSWORD_LIFE_TIME') where resource_name = 'PASSWORD_LIFE_TIME' and ((replace(limit, 'DEFAULT', def_pwd_life_tm) in ('UNLIMITED', NULL)) or (lpad(replace(limit, 'DEFAULT', def_pwd_life_tm),40,'0') > lpad('60',40,'0'))); If the DEFAULT profile has a value greater than 60 days, this is a Finding. If any non-default profiles have password lifetimes greater than 60 days and are assigned to interactive accounts, this is a Finding. If any non-default profiles have password lifetimes greater than 365 days (1 year) and are assigned to any accounts, this is a Finding. If any profiles have PASSWORD_LIFE_TIME set to UNLIMITED, NULL or no value, this is a Finding. Verify in the System Security Plan that all accounts assigned to profiles with a password lifetime greater than 60 days belong to non-interactive accounts.

Check Text ( C-29355r2_chk )

NOTE: Use of authentication via certificate or CAC for Oracle accounts makes the accounts non-interactive for the purposes of this check. The DEFAULT profile is required to have a password lifetime set not to exceed 60 days, which is the current password lifetime limit per DoD policy. Custom profiles for non-interactive accounts (accounts used by applications or other systems) may have PASSWORD_LIFE_TIME set to a time greater than 60 days, but must still have a limit assigned. Limits of one year or less for non-interactive accounts require IAO authorization and should be set to a lifetime as low as administration and operation of the application will support. From SQL*Plus: select profile, limit from dba_profiles, (select limit as def_pwd_life_tm from dba_profiles where profile = 'DEFAULT' and resource_name = 'PASSWORD_LIFE_TIME') where resource_name = 'PASSWORD_LIFE_TIME' and ((replace(limit, 'DEFAULT', def_pwd_life_tm) in ('UNLIMITED', NULL)) or (lpad(replace(limit, 'DEFAULT', def_pwd_life_tm),40,'0') > lpad('60',40,'0'))); If the DEFAULT profile has a value greater than 60 days, this is a Finding. If any non-default profiles have password lifetimes greater than 60 days and are assigned to interactive accounts, this is a Finding. If any non-default profiles have password lifetimes greater than 365 days (1 year) and are assigned to any accounts, this is a Finding. If any profiles have PASSWORD_LIFE_TIME set to UNLIMITED, NULL or no value, this is a Finding. Verify in the System Security Plan that all accounts assigned to profiles with a password lifetime greater than 60 days belong to non-interactive accounts.

Fix Text (F-26381r1_fix)
Assign a password lifetime of 60 days or less to the default database profile. Assign a password lifetime of 60 days or less to non-default profiles assigned to interactive database accounts. Assign as password lifetime of 365 days or less to non-default profiles assigned to non-interactive database accounts that do not support frequent password changes. Include a list of all database accounts and their profile assignments in the System Security Plan. Modify profiles to assign a password lifetime. From SQL*Plus: alter profile default limit password_life_time 60; alter profile [profile name] limit password_life_time [60 to 365]; Replace [profile name] with any existing, non-default profile name and [60 to 365] with a value between 60 and 365 (days) inclusive.

Fix Text (F-26381r1_fix)

Assign a password lifetime of 60 days or less to the default database profile. Assign a password lifetime of 60 days or less to non-default profiles assigned to interactive database accounts. Assign as password lifetime of 365 days or less to non-default profiles assigned to non-interactive database accounts that do not support frequent password changes. Include a list of all database accounts and their profile assignments in the System Security Plan. Modify profiles to assign a password lifetime. From SQL*Plus: alter profile default limit password_life_time 60; alter profile [profile name] limit password_life_time [60 to 365]; Replace [profile name] with any existing, non-default profile name and [60 to 365] with a value between 60 and 365 (days) inclusive.