
Unlimited account lock times should be specified for locked accounts.


Overview

Finding ID: V-15639
Version: DG0133-ORACLE11
Rule ID: SV-24426r2_rule
IA Controls: ECLO-1, ECLO-2
Severity: Medium
Description
When no limit is imposed on failed logon attempts, and accounts are not disabled after a set number of failed access attempts, the DBMS account is vulnerable to sustained attack. When access attempts continue unrestricted, the likelihood of success increases, and a successful attempt results in unauthorized access to the database.
STIG: Oracle Database 11g Instance STIG
Date: 2015-03-26

Details

Check Text ( C-29365r2_chk )
From SQL*Plus:

select profile, limit from dba_profiles
where resource_name = 'PASSWORD_LOCK_TIME'
and limit not in ('UNLIMITED', 'DEFAULT');

If any profiles are listed, this is a Finding.

A value of UNLIMITED means that the account is locked until it is manually unlocked.
Fix Text (F-26390r1_fix)
Set the password_lock_time on all defined profiles to unlimited.

This will require the DBA to manually re-enable every locked account after the failed login limit has been reached.

From SQL*Plus:

alter profile default limit password_lock_time unlimited;
alter profile [profile name] limit password_lock_time default;

Replace [profile name] with an existing, non-default profile name.
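The check query above excludes profiles whose limit reads DEFAULT, which is only safe once the DEFAULT profile itself is UNLIMITED. The following PL/SQL block, an added example and not part of the STIG text, resolves the effective PASSWORD_LOCK_TIME for every profile so that a non-default profile inheriting a finite value from the DEFAULT profile is also reported; it assumes SELECT access on DBA_PROFILES and SERVEROUTPUT enabled in SQL*Plus.

```sql
-- Added example (not part of the STIG text): report every profile whose
-- effective PASSWORD_LOCK_TIME is not UNLIMITED. A limit of DEFAULT inherits
-- the DEFAULT profile's value, so such a profile is non-compliant whenever
-- the DEFAULT profile has not yet been set to UNLIMITED.
SET SERVEROUTPUT ON
DECLARE
  v_default_limit  dba_profiles.limit%TYPE;
  v_effective      dba_profiles.limit%TYPE;
  v_findings       PLS_INTEGER := 0;
BEGIN
  -- Value inherited by any profile whose limit is DEFAULT.
  SELECT limit INTO v_default_limit
    FROM dba_profiles
   WHERE profile = 'DEFAULT'
     AND resource_name = 'PASSWORD_LOCK_TIME';

  FOR r IN (SELECT profile, limit
              FROM dba_profiles
             WHERE resource_name = 'PASSWORD_LOCK_TIME'
             ORDER BY profile)
  LOOP
    v_effective := CASE WHEN r.limit = 'DEFAULT'
                        THEN v_default_limit
                        ELSE r.limit END;
    IF v_effective <> 'UNLIMITED' THEN
      v_findings := v_findings + 1;
      DBMS_OUTPUT.PUT_LINE('FINDING: profile ' || r.profile ||
                           ' has PASSWORD_LOCK_TIME ' || r.limit ||
                           ' (effective ' || v_effective || ' days)');
    END IF;
  END LOOP;

  IF v_findings = 0 THEN
    DBMS_OUTPUT.PUT_LINE('No findings: every profile locks accounts ' ||
                         'until manually unlocked.');
  ELSE
    DBMS_OUTPUT.PUT_LINE(v_findings || ' profile(s) require remediation.');
  END IF;
END;
/
```

Run it before and after applying the fix text; once the DEFAULT profile is UNLIMITED, profiles set to DEFAULT drop out of the findings without further changes.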