| If all user accounts are authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, this is not a finding. |
For each profile that can be applied to accounts where authentication is under Oracle's control, determine the password reuse rule, if any, that is in effect:
SELECT * FROM SYS.DBA_PROFILES
WHERE RESOURCE_NAME IN ('PASSWORD_REUSE_MAX', 'PASSWORD_REUSE_TIME')
[AND PROFILE NOT IN (
ORDER BY PROFILE, RESOURCE_NAME;
Bearing in mind that a profile can inherit from another profile, and the root profile is called DEFAULT, determine the value of the PASSWORD_REUSE_MAX effective for each profile.
If, for any profile, the PASSWORD_REUSE_MAX value does not enforce the DoD-defined minimum number of password changes before a password may be repeated (five or greater), this is a finding.
PASSWORD_REUSE_MAX is effective if and only if PASSWORD_REUSE_TIME is specified, so if both are UNLIMITED, this is a finding.