UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DBMS must retain the notification message or banner on the screen until users take explicit actions to log on to the database.


Overview

Finding ID Version Rule ID IA Controls Severity
V-61609 O121-C2-005400 SV-76099r1_rule Medium
Description
To establish acceptance of system usage policy, a click-through banner at application logon is required. The banner shall prevent further activity on the application unless and until the user executes a positive action to manifest agreement. The text of this banner should be customizable in the event of future user agreement changes. If the user does not have to take positive action to manifest agreement to the banner, the user could deny having seen or agreed to the contents of the banner.
STIG Date
Oracle Database 12c Security Technical Implementation Guide 2016-06-24

Details

Check Text ( C-62481r1_chk )
If all applications using the database (and having an interactive user interface) display a logon banner with the prescribed wording, and the operating system hosting the database displays a logon banner with the prescribed wording, and the banner is displayed until the user explicitly acknowledges it, this is not a finding.

Otherwise, this is a finding.

(See also the closely related requirement, SRG-APP-000068-DB-000027.)
Fix Text (F-67525r1_fix)
Create a text file containing the prescribed wording. Ensure the file is accessible by the database owner. (Be aware that there is a 512-byte limitation for the number of characters used for the banner text. This means that the abbreviated form of the wording must be used.)

Open the SQLNET.ORA file in a text editor. If the SEC_USER_UNAUTHORIZED_ACCESS_BANNER parameter is not present, create it. If the SEC_USER_AUDIT_ACTION_BANNER parameter is not present, create it. Set both parameter values equal to the complete path of the banner file.

Example: SEC_USER_UNAUTHORIZED_ACCESS_BANNER=/opt/oracle/admin/data/unauthwarning.txt

Configure all applications that use the database and have an interactive user interface to display the banner upon logon and keep it visible until the user explicitly acknowledges it.