
The DBMS must display the system use information when appropriate, before granting further access.


Overview

Finding ID: V-61611
Version: O121-C2-005500
Rule ID: SV-76101r1_rule
IA Controls: (none listed)
Severity: Medium
Description
For publicly accessible systems: Applications are required to display the following information:
- displays the system use information when appropriate, before granting further access;
- displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
- includes in the notice given to public users of the information system, a description of the authorized uses of the system.

System use notification messages can be implemented in the form of warning banners displayed when individuals log on to the information system. System use notification is intended only for information system access that includes an interactive logon interface with a human user and is not intended to require notification when an interactive interface does not exist.
STIG: Oracle Database 12c Security Technical Implementation Guide
Date: 2016-06-24

Details

Check Text ( C-62483r1_chk )
Determine whether the system is publicly accessible. If the system is not publicly accessible, this is NA.

Banner requirements are applicable only to interactive accounts.

If all applications using the database (and having an interactive user interface) display a logon banner with the appropriate wording, this is not a finding. (See the Discussion for what constitutes appropriate wording.)

Review banner displayed by DBMS to verify it displays the system use information when appropriate, before granting further access.

Review banner displayed by DBMS to verify it displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities.

Review banner displayed by DBMS to verify it includes in the notice given to public users of the information system a description of the authorized uses of the system.
Fix Text (F-67527r1_fix)
If necessary, take the following steps:

Create a text file containing the appropriate wording. (See the Discussion for what constitutes appropriate wording.) Ensure the file is accessible by the database owner.
Be aware that the banner text is limited to 512 bytes.

Open the SQLNET.ORA file in a text editor. If the SEC_USER_UNAUTHORIZED_ACCESS_BANNER parameter is not present, create it. If the SEC_USER_AUDIT_ACTION_BANNER parameter is not present, create it. Set both parameter values equal to the complete path of the banner file.

Example: SEC_USER_UNAUTHORIZED_ACCESS_BANNER=/opt/oracle/admin/data/unauthwarning.txt

Configure all applications that use the database and have an interactive user interface to display the banner upon logon.
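
An audit of the Fix Text settings above, added here as an example and not part of the STIG or of Oracle's tooling: it checks that both banner parameters are set in the SQLNET.ORA text, that each points to a readable, non-empty file, and that the file is within the 512-byte limit. Assumptions: entries are simple single-line NAME=value pairs, the script runs as the database owner so the readability check reflects that account, and the function names are hypothetical.

```python
import os
import re
import tempfile

BANNER_PARAMS = ("SEC_USER_UNAUTHORIZED_ACCESS_BANNER", "SEC_USER_AUDIT_ACTION_BANNER")
MAX_BANNER_BYTES = 512  # limit stated in the Fix Text


def parse_sqlnet(text):
    """Return {UPPERCASE_NAME: value} for simple single-line NAME=value entries."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"^([A-Za-z0-9_.]+)\s*=\s*(.+)$", line)
        if m:
            params[m.group(1).upper()] = m.group(2).strip().strip("\"'")
    return params


def check_banners(sqlnet_text):
    """Return a list of findings; an empty list means the banner settings pass."""
    findings = []
    params = parse_sqlnet(sqlnet_text)
    for name in BANNER_PARAMS:
        path = params.get(name)
        if not path:
            findings.append(f"{name}: parameter not set")
        elif not os.path.isfile(path):
            findings.append(f"{name}: banner file not found: {path}")
        elif not os.access(path, os.R_OK):
            findings.append(f"{name}: banner file not readable: {path}")
        else:
            size = os.path.getsize(path)
            if size == 0:
                findings.append(f"{name}: banner file is empty")
            elif size > MAX_BANNER_BYTES:
                findings.append(f"{name}: banner is {size} bytes, over {MAX_BANNER_BYTES}")
    return findings


if __name__ == "__main__":
    # Constructed sample: one compliant banner, one parameter missing.
    with tempfile.TemporaryDirectory() as d:
        banner = os.path.join(d, "unauthwarning.txt")
        with open(banner, "w") as f:
            f.write("Authorized use only. Activity may be monitored.\n")
        sample = f"# constructed sqlnet.ora\nSEC_USER_UNAUTHORIZED_ACCESS_BANNER={banner}\n"
        for finding in check_banners(sample):
            print(finding)
```

The file size is measured in bytes rather than characters, so banner wording with multi-byte characters reaches the limit sooner than its character count suggests.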