UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Password reuse should be prevented where supported by the DBMS.


Overview

Finding ID Version Rule ID IA Controls Severity
V-15633 DG0126-ORACLE11 SV-24787r2_rule IAIA-1 IAIA-2 Medium
Description
Password reuse restrictions protect against bypass of password expiration requirements and help protect accounts from password guessing attempts. The DoDI 8500.2 specifies preventing password reuse to the extent system capabilities permit. The PASSWORD_REUSE_MAX value specifies the number of password changes before a password can be reused. The PASSWORD_REUSE_TIME value specifies the length of time before a password can be reused.
STIG Date
Oracle Database 11g Instance STIG 2015-03-26

Details

Check Text ( C-29358r4_chk )
If no DBMS accounts authenticate using passwords, this check is Not a Finding.

Review DBMS account password reuse restrictions:

From SQL*Plus:
select p1.profile profile, p1.limit REUSE_MAX, p2.limit REUSE_TIME
from dba_profiles p1, dba_profiles p2
where p1.profile = p2.profile
and p1.resource_name = 'PASSWORD_REUSE_MAX'
and p2.resource_name = 'PASSWORD_REUSE_TIME'
order by p1.profile;

If limits for REUSE_MAX and REUSE_TIME are set to UNLIMITED, this is a Finding.

If limits for REUSE_MAX and REUSE_TIME are not set to values, this is a Finding.

NOTE: If limits for REUSE_MAX or REUSE_TIME are set to DEFAULT refer to the corresponding limits set for the DEFAULT profile.

If the DBMS uses Host Authentication, confirm that the host is configured to prevent password reuse. If it is not, this is a Finding.
Fix Text (F-26384r1_fix)
Configure the DBMS to prevent password reuse by modifying Oracle profiles:

From SQL*Plus:

alter profile default limit
password_reuse_max 10
password_reuse_time UNLIMITED;

alter profile [profile name] limit
password_reuse_max default
password_reuse_time default;

Replace [profile name] with any existing, non-default profile names.

Where Host Authentication is used, configure the OS to prevent password reuse.

Consider configuring the DBMS to use alternate authentication methods other than password authentication where supported by the DBMS.