
The DBMS must display the system use information when appropriate, before granting further access.


Overview

Finding ID: V-52443
Version: O112-C2-005500
Rule ID: SV-66659r1_rule
IA Controls: (none listed)
Severity: Medium
Description
For publicly accessible systems, applications are required to: (i) display the system use information when appropriate, before granting further access; (ii) display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and (iii) include in the notice given to public users of the information system a description of the authorized uses of the system. System use notification messages can be implemented in the form of warning banners displayed when individuals log in to the information system. System use notification is intended only for information system access that includes an interactive login interface with a human user and is not intended to require notification when an interactive interface does not exist.
STIG: Oracle Database 11.2g Security Technical Implementation Guide
Date: 2015-03-26

Details

Check Text (C-54471r1_chk)
Determine whether the system is publicly accessible. If the system is not publicly accessible, this is NA.

Banner requirements are applicable only to interactive accounts.

If all applications using the database (and having an interactive user interface) display a login banner with the appropriate wording, stop here: this is not a finding. (See the Discussion for what constitutes appropriate wording.)

Review the banner displayed by the DBMS to verify that it displays the system use information when appropriate, before granting further access.

Review the banner displayed by the DBMS to verify that it displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities.

Review the banner displayed by the DBMS to verify that it includes, in the notice given to public users of the information system, a description of the authorized uses of the system.
Fix Text (F-57261r1_fix)
If necessary, take the following steps:

Create a text file containing the appropriate wording. (See the Discussion for what constitutes appropriate wording.) Ensure the file is accessible by the database owner.

Open the SQLNET.ORA file in a text editor. If the SEC_USER_UNAUTHORIZED_ACCESS_BANNER parameter is not present, create it. If the SEC_USER_AUDIT_ACTION_BANNER parameter is not present, create it. Set both parameter values equal to the complete path of the banner file.

Example: SEC_USER_UNAUTHORIZED_ACCESS_BANNER=/opt/oracle/admin/data/unauthwarning.txt

Configure all applications that use the database and have an interactive user interface to display the banner upon login.
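
One way to verify the SQLNET.ORA steps of the Fix Text, as an added example (it is not part of the STIG or of Oracle's tooling). It assumes one NAME=value assignment per line with # comments; the function names sqlnet_param and check_banner_params are hypothetical.

```shell
#!/bin/sh
# Added example: audit a sqlnet.ora for the two banner parameters in the Fix Text.
# Assumption: one "NAME = value" assignment per line; '#' starts a comment line.
BANNER_PARAMS="SEC_USER_UNAUTHORIZED_ACCESS_BANNER SEC_USER_AUDIT_ACTION_BANNER"

# Print the value assigned to parameter $2 in file $1 (last assignment wins).
sqlnet_param() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }                     # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1)
            val  = substr($0, eq + 1)
            gsub(/[ \t\r]/, "", name)            # names are compared case-insensitively
            gsub(/^[ \t"]+|[ \t\r"]+$/, "", val) # trim blanks and surrounding quotes
            if (toupper(name) == want) found = val
        }
        END { if (found != "") print found }
    ' "$1"
}

# Return 0 only if both parameters are set and each names a readable, non-empty file.
check_banner_params() {
    sqlnet=$1; rc=0
    if [ ! -r "$sqlnet" ]; then
        echo "FINDING: cannot read $sqlnet"
        return 2
    fi
    for p in $BANNER_PARAMS; do
        bfile=$(sqlnet_param "$sqlnet" "$p")
        if [ -z "$bfile" ]; then
            echo "FINDING: $p is not set in $sqlnet"; rc=1
        elif [ ! -r "$bfile" ] || [ ! -s "$bfile" ]; then
            echo "FINDING: $p names a missing, unreadable or empty file: $bfile"; rc=1
        else
            echo "OK: $p=$bfile"
        fi
    done
    return $rc
}

if [ "$#" -gt 0 ]; then check_banner_params "$1"; fi
```

Run it as the database owner against the SQLNET.ORA that Oracle Net actually reads (by default under $ORACLE_HOME/network/admin, or the directory named by TNS_ADMIN), so the readability test reflects the "accessible by the database owner" requirement. It does not judge the banner wording, which still has to be reviewed against the Discussion.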