UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DBMS must limit the use of resources by priority and not impede the host from servicing processes designated as a higher-priority.


Overview

Finding ID Version Rule ID IA Controls Severity
V-61819 O121-C3-019400 SV-76309r1_rule Low
Description
Priority protection helps prevent a lower-priority process from delaying or interfering with the information system servicing any higher-priority process. This control does not apply to components in the information system for which there is only a single user/role. The application must limit the use of resources by priority. The DBMS is often running queries for multiple users. If lower-priority processes are utilizing a disproportionately high amount of database resources, this can severely impact higher-priority processes.
STIG Date
Oracle Database 12c Security Technical Implementation Guide 2015-12-21

Details

Check Text ( C-62699r2_chk )
Review DBMS settings and documentation to determine if the DBMS restricts resource usage by priority.

If the DBMS does not restrict resource usage by priority, this is a finding.

- - - - -
This capability is available in Oracle at both the user and database level.

At the user level, we create resource profiles for users of the database.

Resource Parameters
SESSIONS_PER_USER - Specify the number of concurrent sessions to which to limit the user.
CPU_PER_SESSION - Specify the CPU time limit for a session, expressed in hundredths of seconds.
CPU_PER_CALL - Specify the CPU time limit for a call (a parse, execute, or fetch), expressed in hundredths of seconds.
CONNECT_TIME - Specify the total elapsed time limit for a session, expressed in minutes.
IDLE_TIME - Specify the permitted periods of continuous inactive time during a session, expressed in minutes. Long-running queries and other operations are not subject to this limit.
LOGICAL_READS_PER_SESSION - Specify the permitted number of data blocks read in a session, including blocks read from memory and disk.
LOGICAL_READS_PER_CALL - Specify the permitted number of data blocks read for a call to process a SQL statement (a parse, execute, or fetch).
PRIVATE_SGA - Specify the amount of private space a session can allocate in the shared pool of the system global area (SGA).
COMPOSITE_LIMIT - Specify the total resource cost for a session, expressed in service units.

To check the resource controls assigned to a user, query the DBA_PROFILES and DBA_USERS tables in the following manner.

set linesize 121
col username format a20
col profile format a20
col resource_name format a25
col resource_type format a14
col limit format a10
select a.username,
a.profile,
b.resource_name,
b.limit
from dba_users a,
dba_profiles b
where b.resource_type is not null and
a.profile = b.profile order by username;

The output should look like the output below and display the users and the contents of their profiles.

USERNAME PROFILE RESOURCE NAME LIMIT
-------- ------- ------------- -----
SCOTT DEFAULT SESSIONS_PER_USER UNLIMITED
SCOTT DEFAULT CPU_PER_SESSION UNLIMITED
Fix Text (F-67735r2_fix)
Implement measures to restrict the usage of resources by priority.

- - - - -
To implement security at the user level, assign users a profile that limits their resources:

The user profile, ORA_STIG_PROFILE, has been provided (starting with Oracle 12.1.0.2) to satisfy all of the STIG regulations pertaining to the profile parameters. Oracle recommends that this profile be customized with any site-specific requirements and assigned to all users where applicable.
Example

$ sqlplus connect as sysdba

ALTER PROFILE ORA_STIG_PROFILE LIMIT
SESSIONS_PER_USER 1
IDLE_TIME 30
CPU_PER_SESSION 100
CPU_PER_CALL 100
CONNECT_TIME 600;