
The DBMS must retain the notification message or banner on the screen until users take explicit actions to log on to the database.


Overview

Finding ID: V-52439
Version: O112-C2-005400
Rule ID: SV-66655r1_rule
IA Controls:
Severity: Medium

Description
To establish acceptance of system usage policy, a click-through banner at application login is required. The banner shall prevent further activity on the application unless and until the user executes a positive action to manifest agreement. The text of this banner should be customizable in the event of future user agreement changes. If the user does not have to take positive action to manifest agreement to the banner, the user could deny having seen or agreed to the contents of the banner.
STIG: Oracle Database 11.2g Security Technical Implementation Guide
Date: 2015-03-26

Details

Check Text (C-54467r1_chk)
If all applications using the database (and having an interactive user interface) display a login banner with the prescribed wording, and the operating system hosting the database displays a login banner with the prescribed wording, and the banner is displayed until the user explicitly acknowledges it, this is not a finding.

Otherwise, this is a finding.

(See also the closely related requirement, SRG-APP-000068-DB-000027.)

Fix Text (F-57257r1_fix)
If necessary, take the following steps:

Create a text file containing the prescribed wording. Ensure the file is accessible by the database owner.

Open the SQLNET.ORA file in a text editor. If the SEC_USER_UNAUTHORIZED_ACCESS_BANNER parameter is not present, create it. If the SEC_USER_AUDIT_ACTION_BANNER parameter is not present, create it. Set both parameter values equal to the complete path of the banner file.

Example: SEC_USER_UNAUTHORIZED_ACCESS_BANNER=/opt/oracle/admin/data/unauthwarning.txt

Configure all applications that use the database and have an interactive user interface to display the banner upon login and keep it visible until the user explicitly acknowledges it.
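
The SQLNET.ORA part of the fix above can be audited with a short script. This is an added example, not part of the STIG: the function names get_param and check_banner are hypothetical, and it assumes a Unix-like host and that it is run as the database owner.

```shell
#!/bin/sh
# Added example (not from the STIG): audit sqlnet.ora for the two banner
# parameters named in the Fix Text. Assumes a Unix-like host and that the
# script runs as the database owner, so "readable" means readable by it.

# Print the value of parameter $2 in file $1. Names are compared
# case-insensitively; if a name repeats, this script reports the last value.
get_param() {
    awk -v name="$2" '
        /^[ \t]*#/ { next }              # comment line
        index($0, "=") == 0 { next }     # not a NAME=value line
        {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (toupper(key) == name) found = val
        }
        END { print found }' "$1"
}

# Return 0 only if both parameters name the same readable, non-empty file.
check_banner() {
    sqlnet=$1 status=0 first=""
    [ -r "$sqlnet" ] || { echo "FINDING: cannot read $sqlnet"; return 1; }
    for p in SEC_USER_UNAUTHORIZED_ACCESS_BANNER SEC_USER_AUDIT_ACTION_BANNER; do
        v=$(get_param "$sqlnet" "$p")
        case $v in
            "") echo "FINDING: $p is not set"; status=1; continue ;;
            /*) ;;                        # complete (absolute) path
            *)  echo "FINDING: $p is not a complete path: $v"; status=1; continue ;;
        esac
        if [ ! -r "$v" ] || [ ! -s "$v" ]; then
            echo "FINDING: $p file missing, unreadable or empty: $v"; status=1
        fi
        if [ -z "$first" ]; then first=$v; fi
        if [ "$v" != "$first" ]; then
            echo "FINDING: the two parameters name different files"; status=1
        fi
    done
    return "$status"
}

# Usage: sh check_banner.sh /path/to/sqlnet.ora
if [ "$#" -gt 0 ]; then check_banner "$1"; fi
```

A clean result covers only the SQLNET.ORA settings; the application and operating system banners named in the Check Text still have to be reviewed separately.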