STIGQter: STIG Summary: Oracle Database 12c Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The DBMS must terminate the network connection associated with a communications session at the end of the session or 15 minutes of inactivity.

DISA Rule

SV-237738r667246_rule

Vulnerability Number

V-237738

Group Title

SRG-APP-000295-DB-000305

Rule Version

O121-C2-016500

Severity

CAT II

CCI(s)

• CCI-002361 - The information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect.

Weight

10

Fix Recommendation

Configure DBMS and/or OS settings to disconnect network sessions when database communication sessions have ended or after the DoD-defined period of inactivity.

To configure this in Oracle, modify each relevant profile. The resource name is IDLE_TIME, which is expressed in minutes. Using PPPPPP as an example of a profile, set the timeout to 15 minutes with:
ALTER PROFILE PPPPPP LIMIT IDLE_TIME 15;

Check Contents

Review DBMS settings, OS settings, and vendor documentation to verify network connections are terminated when a database communications session is ended or after 15 minutes of inactivity.

If the network connection is not terminated, this is a finding.

The defined duration for these timeouts 15 minutes, except to fulfill documented and validated mission requirements.

Vulnerability Number

V-237738

Documentable

False

Rule Version

O121-C2-016500

Severity Override Guidance

Review DBMS settings, OS settings, and vendor documentation to verify network connections are terminated when a database communications session is ended or after 15 minutes of inactivity.

If the network connection is not terminated, this is a finding.

The defined duration for these timeouts 15 minutes, except to fulfill documented and validated mission requirements.

Check Content Reference

M

Target Key

4059

Comments