The DBMS must limit the use of resources by priority and not impede the host from servicing processes designated as a higher-priority.


Overview

Finding ID: V-61819
Version: O121-C3-019400
Rule ID: SV-76309r2_rule
IA Controls:
Severity: Low
Description
Priority protection helps prevent a lower-priority process from delaying or interfering with the information system servicing any higher-priority process. This control does not apply to components in the information system for which there is only a single user/role. The application must limit the use of resources by priority. The DBMS is often running queries for multiple users. If lower-priority processes are utilizing a disproportionately high amount of database resources, this can severely impact higher-priority processes.
STIG: Oracle Database 12c Security Technical Implementation Guide
Date: 2018-01-03

Details

Check Text ( C-62699r2_chk )
Review DBMS settings and documentation to determine if the DBMS restricts resource usage by priority.

If the DBMS does not restrict resource usage by priority, this is a finding.

- - - - -
This capability is available in Oracle at both the user and database level.

At the user level, we create resource profiles for users of the database.

Resource Parameters
SESSIONS_PER_USER - Specify the number of concurrent sessions to which to limit the user.
CPU_PER_SESSION - Specify the CPU time limit for a session, expressed in hundredths of seconds.
CPU_PER_CALL - Specify the CPU time limit for a call (a parse, execute, or fetch), expressed in hundredths of seconds.
CONNECT_TIME - Specify the total elapsed time limit for a session, expressed in minutes.
IDLE_TIME - Specify the permitted periods of continuous inactive time during a session, expressed in minutes. Long-running queries and other operations are not subject to this limit.
LOGICAL_READS_PER_SESSION - Specify the permitted number of data blocks read in a session, including blocks read from memory and disk.
LOGICAL_READS_PER_CALL - Specify the permitted number of data blocks read for a call to process a SQL statement (a parse, execute, or fetch).
PRIVATE_SGA - Specify the amount of private space a session can allocate in the shared pool of the system global area (SGA).
COMPOSITE_LIMIT - Specify the total resource cost for a session, expressed in service units.

To check the resource controls assigned to a user, query the DBA_PROFILES and DBA_USERS tables in the following manner.

set linesize 121
col username format a20
col profile format a20
col resource_name format a25
col resource_type format a14
col limit format a10
select a.username,
       a.profile,
       b.resource_name,
       b.limit
from   dba_users a,
       dba_profiles b
where  b.resource_type is not null and
       a.profile = b.profile
order  by username;

The output should look like the output below and display the users and the contents of their profiles.

USERNAME  PROFILE  RESOURCE NAME      LIMIT
--------  -------  -------------      -----
SCOTT     DEFAULT  SESSIONS_PER_USER  UNLIMITED
SCOTT     DEFAULT  CPU_PER_SESSION    UNLIMITED
Fix Text (F-67735r5_fix)
Implement measures to restrict the usage of resources by priority.

- - - - -
To implement security at the user level, assign users a profile that limits their resources:

The user profile, ORA_STIG_PROFILE, has been provided (starting with Oracle 12.1.0.2) to satisfy the STIG requirements pertaining to the profile parameters. Oracle recommends that this profile be customized with any site-specific requirements and assigned to all users where applicable. Note: It remains necessary to create a customized replacement for the password validation function, ORA12C_STRONG_VERIFY_FUNCTION, if relying on this technique to verify password complexity.

Example

$ sqlplus / as sysdba

ALTER PROFILE ORA_STIG_PROFILE LIMIT
  SESSIONS_PER_USER 1
  IDLE_TIME 30
  CPU_PER_SESSION 100
  CPU_PER_CALL 100
  CONNECT_TIME 600;
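
The following is an added example, not part of the STIG text: it assigns the profile to an account and then lists the accounts that would still be a finding under the check above. SCOTT is used only because it appears in the sample output; the choice of account and the filter on open accounts are assumptions to adapt per site.

```sql
-- Added example (not from the STIG). Run in SQL*Plus as a DBA.

-- 1. Profile resource limits are enforced only when the RESOURCE_LIMIT
--    initialization parameter is TRUE. Confirm it before relying on them.
select name, value
from   v$parameter
where  name = 'resource_limit';

-- 2. Altering ORA_STIG_PROFILE has no effect on a user until the profile
--    is assigned. SCOTT is the sample account from the output above.
alter user scott profile ora_stig_profile;

-- 3. List open accounts whose effective limit for any kernel resource
--    (SESSIONS_PER_USER, CPU_PER_SESSION, ...) is still UNLIMITED.
--    A limit of DEFAULT means "inherit from the DEFAULT profile", so it
--    is resolved against that profile before the comparison.
--    RESOURCE_TYPE = 'KERNEL' excludes the password parameters, which
--    the original check query also returns.
select u.username,
       u.profile,
       p.resource_name,
       case p.limit when 'DEFAULT' then d.limit else p.limit end
         as effective_limit
from   dba_users u
       join dba_profiles p
         on p.profile = u.profile
       join dba_profiles d
         on d.profile = 'DEFAULT'
        and d.resource_name = p.resource_name
where  p.resource_type = 'KERNEL'
and    u.account_status = 'OPEN'
and    case p.limit when 'DEFAULT' then d.limit else p.limit end
         = 'UNLIMITED'
order  by u.username, p.resource_name;
```

Rows returned by the last query are accounts with at least one unrestricted resource. Parameters not set explicitly in a profile show as DEFAULT and inherit from the DEFAULT profile, so setting only five limits as in the example above leaves the others dependent on that profile.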