Unlimited account lock times should be specified for locked accounts.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-15639 | DG0133-ORACLE10 | SV-24424r2_rule | ECLO-1 ECLO-2 | Medium |
| Description |
|---|
| When no limit is imposed on failed logon attempts and accounts are not disabled after a set number of failed access attempts, then the DBMS account is vulnerable to sustained attack. When access attempts continue unrestricted, the likelihood of success is increased. A successful attempt results in unauthorized access to the database. |
| STIG | Date |
|---|---|
| Oracle Database 10g Instance STIG | 2014-04-02 |
Details
| Check Text ( C-29364r2_chk ) |
|---|
| From SQL*Plus: select profile, limit from dba_profiles where resource_name = 'PASSWORD_LOCK_TIME' and limit not in ('UNLIMITED', 'DEFAULT'); If any profiles are listed, this is a Finding. A value of UNLIMITED means that the account is locked until it is manually unlocked. |
| Fix Text (F-26389r1_fix) |
|---|
| Set the password_lock_time on all defined profiles to unlimited. This will require the DBA manually to re-enable every locked account after the failed login limit has been reached. From SQL*Plus: alter profile default limit password_lock_time unlimited; alter profile [profile name] limit password_lock_time default; Replace [profile name] with an existing, non-default profile name. |