Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
Unlimited account lock times should be specified for locked accounts.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-15639 | DG0133-ORACLE11 | SV-24426r2_rule | Medium |
| Description |
|---|
| When no limit is imposed on failed logon attempts and accounts are not disabled after a set number of failed access attempts, then the DBMS account is vulnerable to sustained attack. When access attempts continue unrestricted, the likelihood of success is increased. A successful attempt results in unauthorized access to the database. |
| STIG | Date |
|---|---|
| Oracle Database 11g Instance STIG | 2016-12-14 |
Details
| Check Text ( C-29365r2_chk ) |
|---|
| From SQL*Plus: select profile, limit from dba_profiles where resource_name = 'PASSWORD_LOCK_TIME' and limit not in ('UNLIMITED', 'DEFAULT'); If any profiles are listed, this is a Finding. A value of UNLIMITED means that the account is locked until it is manually unlocked. |
| Fix Text (F-26390r1_fix) |
|---|
| Set the password_lock_time on all defined profiles to unlimited. This will require the DBA manually to re-enable every locked account after the failed login limit has been reached. From SQL*Plus: alter profile default limit password_lock_time unlimited; alter profile [profile name] limit password_lock_time default; Replace [profile name] with an existing, non-default profile name. |