
The DBMS must retain the notification message or banner on the screen until users take explicit actions to log on to the database.


Overview

Finding ID: V-61609
Version: O121-C2-005400
Rule ID: SV-76099r1_rule
IA Controls:
Severity: Medium
Description
To establish acceptance of system usage policy, a click-through banner at application logon is required. The banner shall prevent further activity on the application unless and until the user executes a positive action to manifest agreement. The text of this banner should be customizable in the event of future user agreement changes. If the user does not have to take positive action to manifest agreement to the banner, the user could deny having seen or agreed to the contents of the banner.
STIG: Oracle Database 12c Security Technical Implementation Guide
Date: 2015-12-21

Details

Check Text (C-62481r1_chk)
If all applications using the database (and having an interactive user interface) display a logon banner with the prescribed wording, and the operating system hosting the database displays a logon banner with the prescribed wording, and the banner is displayed until the user explicitly acknowledges it, this is not a finding.

Otherwise, this is a finding.

(See also the closely related requirement, SRG-APP-000068-DB-000027.)
Fix Text (F-67525r1_fix)
Create a text file containing the prescribed wording. Ensure the file is accessible by the database owner. (Be aware that the banner text is limited to 512 bytes, so the abbreviated form of the wording must be used.)

Open the SQLNET.ORA file in a text editor. If the SEC_USER_UNAUTHORIZED_ACCESS_BANNER parameter is not present, create it. If the SEC_USER_AUDIT_ACTION_BANNER parameter is not present, create it. Set both parameter values equal to the complete path of the banner file.

Example: SEC_USER_UNAUTHORIZED_ACCESS_BANNER=/opt/oracle/admin/data/unauthwarning.txt

Configure all applications that use the database and have an interactive user interface to display the banner upon logon and keep it visible until the user explicitly acknowledges it.
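
The SQLNET.ORA part of the fix can be verified mechanically. The script below is an added example, not part of the STIG: it checks that both banner parameters are set to a complete path and that each banner file is readable and within the 512-byte limit. The function names are hypothetical, it assumes simple single-line NAME=value entries, and the sample files are constructed for the demonstration. It does not cover the application-side requirement that the banner stay visible until the user acknowledges it.

```python
import os
import tempfile
from pathlib import Path

BANNER_PARAMS = ("SEC_USER_UNAUTHORIZED_ACCESS_BANNER", "SEC_USER_AUDIT_ACTION_BANNER")
MAX_BANNER_BYTES = 512  # limit stated in the fix text


def parse_sqlnet(text):
    """Return {PARAM: value} for simple single-line NAME=value entries."""
    params = {}
    for line in text.splitlines():
        # Drop '#' comments, then split on the first '='.
        name, sep, value = line.split("#", 1)[0].partition("=")
        if sep and name.strip() and value.strip():
            params[name.strip().upper()] = value.strip().strip('"')
    return params


def check_banners(sqlnet_path):
    """Return a list of findings; empty means both banner files are configured."""
    params = parse_sqlnet(Path(sqlnet_path).read_text(encoding="utf-8"))
    findings = []
    for name in BANNER_PARAMS:
        path = params.get(name)
        if not path:
            findings.append(f"{name} is not set")
        elif not os.path.isabs(path):
            findings.append(f"{name} is not a complete path: {path}")
        elif not os.path.isfile(path) or not os.access(path, os.R_OK):
            findings.append(f"{name} file missing or unreadable: {path}")
        elif os.path.getsize(path) > MAX_BANNER_BYTES:
            findings.append(f"{name} file exceeds {MAX_BANNER_BYTES} bytes: {path}")
    return findings


def demo():
    """Constructed sample: one valid banner file, one that is over the limit."""
    d = Path(tempfile.mkdtemp())
    good, big = d / "unauthwarning.txt", d / "auditbanner.txt"
    good.write_text("Constructed sample banner text.\n")
    big.write_text("x" * 600)
    cfg = d / "sqlnet.ora"
    cfg.write_text(f"# constructed sample\nsec_user_unauthorized_access_banner = {good}\n"
                   f"SEC_USER_AUDIT_ACTION_BANNER={big}\n")
    return check_banners(cfg)


if __name__ == "__main__":
    print("\n".join(demo()) or "no findings")
```

Run it as the database owner so the readability check reflects the account that must be able to access the banner files.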