Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-52439 | O112-C2-005400 | SV-66655r2_rule | | Medium |
Description |
---|
To establish acceptance of system usage policy, a click-through banner at application logon is required. The banner shall prevent further activity on the application unless and until the user executes a positive action to manifest agreement. The text of this banner should be customizable in the event of future user agreement changes. If the user does not have to take positive action to manifest agreement to the banner, the user could deny having seen or agreed to the contents of the banner. |
STIG | Date |
---|---|
Oracle Database 11.2g Security Technical Implementation Guide | 2015-12-21 |
Check Text ( C-54467r2_chk ) |
---|
If all applications using the database (and having an interactive user interface) display a logon banner with the prescribed wording, and the operating system hosting the database displays a logon banner with the prescribed wording, and the banner is displayed until the user explicitly acknowledges it, this is not a finding. Otherwise, this is a finding. (See also the closely related requirement, SRG-APP-000068-DB-000027.) |
Fix Text (F-57257r3_fix) |
---|
Create a text file containing the prescribed wording. Ensure the file is accessible by the database owner. (Be aware that there is a 512-byte limitation for the number of characters used for the banner text. This means that the abbreviated form of the wording must be used.) Open the SQLNET.ORA file in a text editor. If the SEC_USER_UNAUTHORIZED_ACCESS_BANNER parameter is not present, create it. If the SEC_USER_AUDIT_ACTION_BANNER parameter is not present, create it. Set both parameter values equal to the complete path of the banner file. Example: SEC_USER_UNAUTHORIZED_ACCESS_BANNER=/opt/oracle/admin/data/unauthwarning.txt Configure all applications that use the database and have an interactive user interface to display the banner upon logon and keep it visible until the user explicitly acknowledges it. |
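
The database-side part of the fix can be audited with a short script. This is an added example, not part of the STIG: it checks that both parameters are set in a given sqlnet.ora and that each banner file is readable and within the 512-byte limit. The function names and the sample file layout are assumptions made for illustration, and it should be run as the database owner so the readability test reflects that account.

```shell
#!/bin/sh
# Added example: audit sqlnet.ora for the two banner parameters in the fix text.
BANNER_MAX_BYTES=512   # limit stated in the fix text

# get_param FILE NAME: print the last uncommented value assigned to NAME.
# Names are compared case-insensitively (assumption about sqlnet.ora parsing).
get_param() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            name = substr($0, 1, eq - 1); value = substr($0, eq + 1)
            gsub(/[ \t\r]/, "", name)
            gsub(/^[ \t]+|[ \t\r]+$/, "", value)
            if (toupper(name) == want) found = value
        }
        END { if (found != "") print found }' "$1"
}

# check_banner_config FILE: report findings; return 0 if compliant, 1 otherwise.
check_banner_config() {
    rc=0
    for p in SEC_USER_UNAUTHORIZED_ACCESS_BANNER SEC_USER_AUDIT_ACTION_BANNER; do
        path=$(get_param "$1" "$p")
        if [ -z "$path" ]; then
            echo "FINDING: $p is not set in $1"; rc=1; continue
        fi
        if [ ! -r "$path" ]; then
            echo "FINDING: $p points to unreadable file $path"; rc=1; continue
        fi
        size=$(wc -c < "$path" | tr -d ' ')
        # An empty file cannot carry the prescribed wording, so treat it as a finding too.
        if [ "$size" -eq 0 ] || [ "$size" -gt "$BANNER_MAX_BYTES" ]; then
            echo "FINDING: $path is $size bytes (allowed: 1 to $BANNER_MAX_BYTES)"; rc=1
        else
            echo "OK: $p=$path ($size bytes)"
        fi
    done
    return $rc
}

# make_sample DIR BYTES: write a constructed banner file and sqlnet.ora into DIR.
make_sample() {
    head -c "$2" /dev/zero | tr '\0' 'x' > "$1/banner.txt"
    printf '%s\n' "# constructed sample" \
        "SEC_USER_UNAUTHORIZED_ACCESS_BANNER = $1/banner.txt" \
        "sec_user_audit_action_banner=$1/banner.txt" > "$1/sqlnet.ora"
}

# Stand-alone use: sh check_banner.sh /path/to/sqlnet.ora
if [ -n "${1:-}" ]; then check_banner_config "$1"; fi
```

The script covers only the sqlnet.ora settings; whether each application keeps the banner visible until the user acknowledges it still has to be verified per application, as the check text requires.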