The DBMS must employ enterprise-level or OS-level authentication for all interactive accounts.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-61861	O121-N3-005801	SV-76351r2_rule		Low

Description
Users need to be aware of activity that occurs regarding their application account. Providing users with information regarding the date and time of their last successful logon allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. This requirement is intended to cover both traditional interactive logons to information systems and general accesses to information systems that occur in other types of architectural configurations (e.g., service-oriented architectures). Unauthorized access to DBMS accounts may go undetected if account access is not monitored. Authorized users may serve as a reliable party to report unauthorized use of their account. This STIG requirement mandates the implementation of a method to mitigate Oracle's inability to display the data specified in the SRG. This assumes that the operating system is capable of displaying the specified data.

Description

Users need to be aware of activity that occurs regarding their application account. Providing users with information regarding the date and time of their last successful logon allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. This requirement is intended to cover both traditional interactive logons to information systems and general accesses to information systems that occur in other types of architectural configurations (e.g., service-oriented architectures). Unauthorized access to DBMS accounts may go undetected if account access is not monitored. Authorized users may serve as a reliable party to report unauthorized use of their account. This STIG requirement mandates the implementation of a method to mitigate Oracle's inability to display the data specified in the SRG. This assumes that the operating system is capable of displaying the specified data.

STIG	Date
Oracle Database 12c Security Technical Implementation Guide	2016-06-24

Details

Check Text ( C-62741r2_chk )
Run the query: SELECT * FROM DBA_USERS WHERE PASSWORD IS NULL OR PASSWORD NOT IN ('EXTERNAL', 'GLOBAL'); If the names of any interactive accounts (other than SYS, SYSBACKUP, SYSDG, and SYSKM) are returned, this is a finding.

Fix Text (F-67777r1_fix)
Use the Oracle option of integration with enterprise-level account management (such as Active Directory or LDAP), for all accounts, including administrative accounts.