STIGQter: STIG Summary: Oracle Database 12c Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The DBMS must set the maximum number of consecutive invalid logon attempts to three.

DISA Rule

SV-237714r667174_rule

Vulnerability Number

V-237714

Group Title

SRG-APP-000516-DB-000363

Rule Version

O121-C2-005000

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the DBMS setting to specify the maximum number of consecutive failed logon attempts to three (or less):
ALTER PROFILE {PROFILE_NAME} LIMIT FAILED_LOGIN_ATTEMPTS 3;

(ORA_STIG_PROFILE is available in DBA_PROFILES, starting with Oracle 12.1.0.2. Note: It remains necessary to create a customized replacement for the password validation function, ORA12C_STRONG_VERIFY_FUNCTION, if relying on this technique to verify password complexity.)

Check Contents

The limit on the number of consecutive failed logon attempts is defined in the profile assigned to a user.

Check the FAILED_LOGIN_ATTEMPTS value assigned to the profiles returned from this query:
SQL>SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES;

Check the setting for FAILED_LOGIN_ATTEMPTS - this is the number of consecutive failed logon attempts before locking the Oracle user account. If the value is greater than three on any of the profiles, this is a finding.
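Added example, not part of the STIG or STIGQter text: the query below narrows the check above to FAILED_LOGIN_ATTEMPTS only, resolves profiles whose limit reads DEFAULT against the DEFAULT profile, treats UNLIMITED as a finding, and then lists the accounts assigned to any non-compliant profile. It assumes a DBA-privileged session on Oracle 12c using the standard DBA_PROFILES and DBA_USERS dictionary views.

```sql
-- Effective FAILED_LOGIN_ATTEMPTS per profile, with compliance status.
-- A profile whose LIMIT is 'DEFAULT' inherits the value from the DEFAULT
-- profile, so the raw DBA_PROFILES listing alone can hide a finding.
WITH fla AS (
  SELECT profile, limit AS lim
  FROM   dba_profiles
  WHERE  resource_name = 'FAILED_LOGIN_ATTEMPTS'
),
resolved AS (
  SELECT p.profile,
         p.lim AS configured_limit,
         CASE WHEN p.lim = 'DEFAULT' THEN d.lim ELSE p.lim END AS effective_limit
  FROM   fla p
  LEFT JOIN fla d ON d.profile = 'DEFAULT'
)
SELECT profile,
       configured_limit,
       effective_limit,
       -- Oracle evaluates CASE branches in order (short-circuit), so the
       -- UNLIMITED test runs before TO_NUMBER is attempted.
       CASE
         WHEN effective_limit = 'UNLIMITED'   THEN 'FINDING'
         WHEN TO_NUMBER(effective_limit) > 3  THEN 'FINDING'
         ELSE 'OK'
       END AS status
FROM   resolved
ORDER BY status DESC, profile;

-- Accounts that would be affected by a non-compliant profile
-- (same resolution logic, joined to DBA_USERS).
SELECT u.username, u.profile, u.account_status
FROM   dba_users u
JOIN   dba_profiles p
       ON p.profile = u.profile
      AND p.resource_name = 'FAILED_LOGIN_ATTEMPTS'
LEFT JOIN dba_profiles d
       ON d.profile = 'DEFAULT'
      AND d.resource_name = 'FAILED_LOGIN_ATTEMPTS'
WHERE  CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END = 'UNLIMITED'
   OR  TO_NUMBER(CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END) > 3
ORDER BY u.profile, u.username;
```

The second query is only safe if no profile carries a non-numeric limit other than DEFAULT or UNLIMITED; run the first query first and fix any surprises before relying on it.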

Documentable

False

Check Content Reference

M

Target Key

4059

Comments