STIGQter: STIG Summary: Oracle Database 11.2g Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The DBMS must provide a mechanism to automatically identify accounts designated as temporary or emergency accounts.

DISA Rule

SV-238436r667482_rule

Vulnerability Number

V-238436

Group Title

SRG-APP-000516-DB-000363

Rule Version

O112-C2-001900

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Use a profile with a distinctive name (for example, TEMPORARY_USERS), so that temporary users can be easily identified. Whenever a temporary user account is created, assign it to this profile.

Set values in the profile as needed for temporary users - see below for further information. The values here are examples; set them to values appropriate to the situation:

CREATE PROFILE TEMPORARY_USERS
LIMIT
SESSIONS_PER_USER <limit>
CPU_PER_SESSION <limit>
CPU_PER_CALL <limit>
CONNECT_TIME <limit>
LOGICAL_READS_PER_SESSION <limit>
LOGICAL_READS_PER_CALL <limit>
PRIVATE_SGA <limit>
COMPOSITE_LIMIT <limit>
FAILED_LOGIN_ATTEMPTS 3
PASSWORD_LIFE_TIME 7
PASSWORD_REUSE_TIME 60
PASSWORD_REUSE_MAX 5
PASSWORD_VERIFY_FUNCTION <verify_function>
PASSWORD_LOCK_TIME UNLIMITED
PASSWORD_GRACE_TIME 3;
CREATE USER TEMP001 IDENTIFIED BY PassWord#TEMP01 PROFILE TEMPORARY_USERS;

Resource Parameters:

SESSIONS_PER_USER - Specify the number of concurrent sessions to which you want to limit the user.

CPU_PER_SESSION - Specify the CPU time limit for a session, expressed in hundredths of seconds.

CPU_PER_CALL - Specify the CPU time limit for a call (a parse, execute, or fetch), expressed in hundredths of seconds.

CONNECT_TIME - Specify the total elapsed time limit for a session, expressed in minutes.

IDLE_TIME - Specify the permitted periods of continuous inactive time during a session, expressed in minutes. Long-running queries and other operations are not subject to this limit.

LOGICAL_READS_PER_SESSION - Specify the permitted number of data blocks read in a session, including blocks read from memory and disk.

LOGICAL_READS_PER_CALL - Specify the permitted number of data blocks read for a call to process a SQL statement (a parse, execute, or fetch).

PRIVATE_SGA - Specify the amount of private space a session can allocate in the shared pool of the system global area (SGA). Refer to size_clause for information on that clause.

COMPOSITE_LIMIT - See Oracle documentation for more details.

Password Parameters:

Use the following clauses to set password parameters. Parameters that set lengths of time are interpreted in number of days. For testing purposes you can specify minutes (n/1440) or even seconds (n/86400).

FAILED_LOGIN_ATTEMPTS - Specify the number of failed attempts to log in to the user account before the account is locked.

PASSWORD_LIFE_TIME - Specify the number of days the same password can be used for authentication. If you also set a value for PASSWORD_GRACE_TIME, then the password expires if it is not changed within the grace period, and further connections are rejected. If you omit this clause, then the default is 180 days.

PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX - These two parameters must be set in conjunction with each other. PASSWORD_REUSE_TIME specifies the number of days before which a password cannot be reused. PASSWORD_REUSE_MAX specifies the number of password changes required before the current password can be reused. For these parameters to have any effect, you must specify an integer for both of them.

If you specify an integer for both of these parameters, then the user cannot reuse a password until the password has been changed the number of times specified for PASSWORD_REUSE_MAX during the number of days specified for PASSWORD_REUSE_TIME.

For example, if you specify PASSWORD_REUSE_TIME to 30 and PASSWORD_REUSE_MAX to 10, then the user can reuse the password after 30 days if the password has already been changed 10 times.

If you specify an integer for either of these parameters and specify UNLIMITED for the other, then the user can never reuse a password.

If you specify DEFAULT for either parameter, then Oracle Database uses the value defined in the DEFAULT profile. By default, all parameters are set to UNLIMITED in the DEFAULT profile. If you have not changed the default setting of UNLIMITED in the DEFAULT profile, then the database treats the value for that parameter as UNLIMITED.

If you set both of these parameters to UNLIMITED, then the database ignores both of them. This is the default if you omit both parameters.

PASSWORD_LOCK_TIME - Specify the number of days an account will be locked after the specified number of consecutive failed logon attempts. If you omit this clause, then the default is 1 day.

PASSWORD_GRACE_TIME - Specify the number of days after the grace period begins during which a warning is issued and logon is allowed. If you omit this clause, then the default is 7 days.

PASSWORD_VERIFY_FUNCTION - Lets a PL/SQL password complexity verification script be passed as an argument to the CREATE PROFILE statement. Oracle Database provides a default script, but you can create your own routine or use third-party software instead.

Check Contents

If the organization has a policy, consistently enforced, forbidding the creation of emergency or temporary accounts, this is not a finding.

If all user accounts are authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, this is not a finding.

If using database mechanisms to satisfy this requirement, look for a profile for use with temporary accounts.

To obtain a list of profiles:

SELECT PROFILE#, NAME FROM SYS.PROFNAME$;

To obtain a list of users assigned a given profile (TEMPORARY_USERS, in this example):

SELECT USERNAME, PROFILE FROM SYS.DBA_USERS
WHERE PROFILE = 'TEMPORARY_USERS'
ORDER BY USERNAME;

To obtain a list of users that have NOT been assigned the DEFAULT profile (the resulting list of profiles can be quickly scanned for any profile like TEMPORARY, in this example):

SELECT USERNAME, PROFILE FROM SYS.DBA_USERS
WHERE PROFILE <> 'DEFAULT'
ORDER BY PROFILE;

If no profile for temporary accounts can be identified, this is not a finding.
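A worked version of the fix and the check above, added here as an example and not part of the STIG text: the limit values are illustrative, and the review queries join SYS.DBA_USERS to SYS.DBA_PROFILES (standard Oracle data dictionary views) so each temporary account is listed together with its status and the limits that bound it.

```sql
-- Added example, not STIG text: a worked TEMPORARY_USERS profile with
-- illustrative limits and the review queries an assessor would run.
-- The limit values are assumptions chosen for this example.

CREATE PROFILE TEMPORARY_USERS LIMIT
  SESSIONS_PER_USER      2
  CONNECT_TIME           480        -- minutes per session
  IDLE_TIME              15         -- minutes of inactivity before disconnect
  FAILED_LOGIN_ATTEMPTS  3
  PASSWORD_LIFE_TIME     7          -- days
  PASSWORD_REUSE_TIME    60
  PASSWORD_REUSE_MAX     5
  PASSWORD_LOCK_TIME     UNLIMITED  -- stays locked until a DBA unlocks it
  PASSWORD_GRACE_TIME    3;

-- Caveat: resource limits such as CONNECT_TIME and IDLE_TIME are enforced
-- only when the RESOURCE_LIMIT initialization parameter is TRUE; password
-- limits are always enforced. Confirm it before relying on the profile.
SELECT name, value FROM v$parameter WHERE name = 'resource_limit';

-- Every account on the temporary profile, with its status, creation and
-- expiry dates, and the limits that actually constrain it
-- (DBA_PROFILES holds one row per profile per limit).
SELECT u.username,
       u.account_status,
       u.created,
       u.expiry_date,
       p.resource_name,
       p.limit
  FROM sys.dba_users    u
  JOIN sys.dba_profiles p ON p.profile = u.profile
 WHERE u.profile = 'TEMPORARY_USERS'
   AND p.resource_name IN ('CONNECT_TIME', 'IDLE_TIME',
                           'PASSWORD_LIFE_TIME', 'FAILED_LOGIN_ATTEMPTS')
 ORDER BY u.username, p.resource_name;

-- Accounts on any non-DEFAULT profile whose name does not mark them as
-- temporary; review these to confirm no temporary account is hiding
-- under an unrelated profile.
SELECT username, profile, account_status, created
  FROM sys.dba_users
 WHERE profile <> 'DEFAULT'
   AND profile NOT LIKE '%TEMP%'
 ORDER BY profile, username;
```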

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4057

Comments