Password reuse should be prevented where supported by the DBMS.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-15633	DG0126-ORACLE11	SV-24787r2_rule		Medium

Description
Password reuse restrictions protect against bypass of password expiration requirements and help protect accounts from password guessing attempts. The DoDI 8500.2 specifies preventing password reuse to the extent system capabilities permit. The PASSWORD_REUSE_MAX value specifies the number of password changes before a password can be reused. The PASSWORD_REUSE_TIME value specifies the length of time before a password can be reused.

Description

Password reuse restrictions protect against bypass of password expiration requirements and help protect accounts from password guessing attempts. The DoDI 8500.2 specifies preventing password reuse to the extent system capabilities permit. The PASSWORD_REUSE_MAX value specifies the number of password changes before a password can be reused. The PASSWORD_REUSE_TIME value specifies the length of time before a password can be reused.

STIG	Date
Oracle Database 11g Instance STIG	2017-06-29

Details

Check Text ( C-29358r4_chk )
If no DBMS accounts authenticate using passwords, this check is Not a Finding. Review DBMS account password reuse restrictions: From SQL*Plus: select p1.profile profile, p1.limit REUSE_MAX, p2.limit REUSE_TIME from dba_profiles p1, dba_profiles p2 where p1.profile = p2.profile and p1.resource_name = 'PASSWORD_REUSE_MAX' and p2.resource_name = 'PASSWORD_REUSE_TIME' order by p1.profile; If limits for REUSE_MAX and REUSE_TIME are set to UNLIMITED, this is a Finding. If limits for REUSE_MAX and REUSE_TIME are not set to values, this is a Finding. NOTE: If limits for REUSE_MAX or REUSE_TIME are set to DEFAULT refer to the corresponding limits set for the DEFAULT profile. If the DBMS uses Host Authentication, confirm that the host is configured to prevent password reuse. If it is not, this is a Finding.

Check Text ( C-29358r4_chk )

If no DBMS accounts authenticate using passwords, this check is Not a Finding.

Review DBMS account password reuse restrictions:

From SQL*Plus:
select p1.profile profile, p1.limit REUSE_MAX, p2.limit REUSE_TIME
from dba_profiles p1, dba_profiles p2
where p1.profile = p2.profile
and p1.resource_name = 'PASSWORD_REUSE_MAX'
and p2.resource_name = 'PASSWORD_REUSE_TIME'
order by p1.profile;

If limits for REUSE_MAX and REUSE_TIME are set to UNLIMITED, this is a Finding.

If limits for REUSE_MAX and REUSE_TIME are not set to values, this is a Finding.

NOTE: If limits for REUSE_MAX or REUSE_TIME are set to DEFAULT refer to the corresponding limits set for the DEFAULT profile.

If the DBMS uses Host Authentication, confirm that the host is configured to prevent password reuse. If it is not, this is a Finding.

Fix Text (F-26384r1_fix)
Configure the DBMS to prevent password reuse by modifying Oracle profiles: From SQL*Plus: alter profile default limit password_reuse_max 10 password_reuse_time UNLIMITED; alter profile [profile name] limit password_reuse_max default password_reuse_time default; Replace [profile name] with any existing, non-default profile names. Where Host Authentication is used, configure the OS to prevent password reuse. Consider configuring the DBMS to use alternate authentication methods other than password authentication where supported by the DBMS.

Fix Text (F-26384r1_fix)

Configure the DBMS to prevent password reuse by modifying Oracle profiles:

From SQL*Plus:

alter profile default limit
password_reuse_max 10
password_reuse_time UNLIMITED;

alter profile [profile name] limit
password_reuse_max default
password_reuse_time default;

Replace [profile name] with any existing, non-default profile names.

Where Host Authentication is used, configure the OS to prevent password reuse.

Consider configuring the DBMS to use alternate authentication methods other than password authentication where supported by the DBMS.