Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-15639 | DG0133-ORACLE11 | SV-24426r2_rule | ECLO-1 ECLO-2 | Medium |
Description |
---|
When no limit is imposed on failed logon attempts and accounts are not disabled after a set number of failed access attempts, then the DBMS account is vulnerable to sustained attack. When access attempts continue unrestricted, the likelihood of success is increased. A successful attempt results in unauthorized access to the database. |
STIG | Date |
---|---|
Oracle Database 11g Instance STIG | 2015-03-26 |
Check Text ( C-29365r2_chk ) |
---|
From SQL*Plus: select profile, limit from dba_profiles where resource_name = 'PASSWORD_LOCK_TIME' and limit not in ('UNLIMITED', 'DEFAULT'); If any profiles are listed, this is a Finding. A value of UNLIMITED means that the account is locked until it is manually unlocked. |
Fix Text (F-26390r1_fix) |
---|
Set the password_lock_time on all defined profiles to unlimited. This will require the DBA manually to re-enable every locked account after the failed login limit has been reached. From SQL*Plus: alter profile default limit password_lock_time unlimited; alter profile [profile name] limit password_lock_time default; Replace [profile name] with an existing, non-default profile name. |