STIGQter: STIG Summary: Oracle Database 12c Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The DBMS must limit the number of concurrent sessions for each system account to an organization-defined number of sessions.

DISA Rule

SV-220264r395442_rule

Vulnerability Number

V-220264

Group Title

SRG-APP-000001-DB-000031

Rule Version

O121-C2-000100

Severity

CAT II

CCI(s)

• CCI-000054 - The information system limits the number of concurrent sessions for each organization-defined account and/or account type to an organization-defined number of sessions.

Weight

10

Fix Recommendation

Limit concurrent connections for each system account to a number less than or equal to the organization-defined number of sessions using the following SQL. Create profiles that conform to the requirements. Assign users to the appropriate profile.

The user profile, ORA_STIG_PROFILE, has been provided (starting with Oracle 12.1.0.2) to satisfy the STIG requirements pertaining to the profile parameters. Oracle recommends that this profile be customized with any site-specific requirements and assigned to all users where applicable. Note: It remains necessary to create a customized replacement for the password validation function, ORA12C_STRONG_VERIFY_FUNCTION, if relying on this technique to verify password complexity.

The defaults for ORA_STIG_PROFILE are set as follows:
Resource Name Limit
------------- ------
COMPOSITE_LIMIT DEFAULT
SESSIONS_PER_USER DEFAULT
CPU_PER_SESSION DEFAULT
CPU_PER_CALL DEFAULT
LOGICAL_READS_PER_SESSION DEFAULT
LOGICAL_READS_PER_CALL DEFAULT
IDLE_TIME 15
CONNECT_TIME DEFAULT
PRIVATE_SGA DEFAULT
FAILED_LOGIN_ATTEMPTS 3
PASSWORD_LIFE_TIME 60
PASSWORD_REUSE_TIME 365
PASSWORD_REUSE_MAX 10
PASSWORD_VERIFY_FUNCTION ORA12C_STRONG_VERIFY_FUNCTION
PASSWORD_LOCK_TIME UNLIMITED
PASSWORD_GRACE_TIME 5

Change the value of SESSIONS_PER_USER (along with the other parameters, where relevant) from UNLIMITED to DoD-compliant, site-specific requirements and then assign users to the profile.
ALTER PROFILE ORA_STIG_PROFILE LIMIT SESSIONS_PER_USER <site-specific value>;

To assign the user to the profile do the following:
ALTER USER <username> PROFILE ORA_STIG_PROFILE;

Check Contents

Retrieve the settings for concurrent sessions for each profile with the query:
SELECT * FROM SYS.DBA_PROFILES WHERE RESOURCE_NAME = 'SESSIONS_PER_USER';

If the DBMS settings for concurrent sessions for each profile are greater than the site-specific maximum number of sessions, this is a finding.

Vulnerability Number

V-220264

Documentable

False

Rule Version

O121-C2-000100

Severity Override Guidance

Retrieve the settings for concurrent sessions for each profile with the query:
SELECT * FROM SYS.DBA_PROFILES WHERE RESOURCE_NAME = 'SESSIONS_PER_USER';

If the DBMS settings for concurrent sessions for each profile are greater than the site-specific maximum number of sessions, this is a finding.

Check Content Reference

M

Target Key

4059

Comments