STIGQter: STIG Summary: Oracle Database 11.2g Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The DBMS must have the capability to limit the number of failed login attempts based upon an organization-defined number of consecutive invalid attempts occurring within an organization-defined time period.

DISA Rule

SV-238449r667521_rule

Vulnerability Number

V-238449

Group Title

SRG-APP-000516-DB-000363

Rule Version

O112-C2-005000

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

(This addresses both O112-C2-005000 and O112-C2-005200.)

Configure the DBMS settings to specify the maximum number of consecutive failed login attempts to 3 (or less). The profile name is an identifier, not a string, so it is not quoted, and the Oracle profile parameter is FAILED_LOGIN_ATTEMPTS:
ALTER PROFILE &PROFILE_NAME LIMIT FAILED_LOGIN_ATTEMPTS 3;

Check Contents

(This addresses both O112-C2-005000 and O112-C2-005200.)

The limit on the number of consecutive failed logon attempts is defined in the profile assigned to a user.

To see what profile is assigned to a user, enter the following query:
SQL> SELECT profile FROM dba_users WHERE username = '&USERNAME';
This will return the profile name assigned to that user.

Now check the values assigned to the profile returned from the query above:
SQL> SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE PROFILE LIKE '&PROFILE_NAME';

Check the setting for FAILED_LOGIN_ATTEMPTS; this is the number of consecutive failed login attempts before Oracle locks the user account. If the value is greater than 3, this is a finding.
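The STIG check above is written for one user at a time. As an added example (not part of the STIG text or of STIGQter), the following Oracle SQL evaluates every account in one pass: it joins DBA_USERS to DBA_PROFILES, resolves a profile value of DEFAULT to the value actually carried by the DEFAULT profile (which the single-profile query does not show), treats UNLIMITED as a finding, and flags anything greater than 3. The remediation statements that follow assume a hypothetical profile named APP_PROFILE; substitute whatever profile the report names.

```sql
-- Added example, not part of the STIG text: one pass over DBA_USERS and
-- DBA_PROFILES reporting each account's effective FAILED_LOGIN_ATTEMPTS.
-- A profile limit of DEFAULT inherits from the DEFAULT profile, so it is
-- resolved before the comparison; UNLIMITED is always a finding.
WITH fla AS (
    SELECT p.profile,
           p.limit AS raw_limit,
           CASE
               WHEN p.limit = 'DEFAULT' THEN
                   (SELECT d.limit
                      FROM dba_profiles d
                     WHERE d.profile = 'DEFAULT'
                       AND d.resource_name = 'FAILED_LOGIN_ATTEMPTS')
               ELSE p.limit
           END AS effective_limit
      FROM dba_profiles p
     WHERE p.resource_name = 'FAILED_LOGIN_ATTEMPTS'
),
fla_num AS (
    -- Convert only purely numeric limits; UNLIMITED stays NULL here so
    -- TO_NUMBER is never applied to a non-numeric string.
    SELECT profile,
           raw_limit,
           effective_limit,
           CASE WHEN REGEXP_LIKE(effective_limit, '^[0-9]+$')
                THEN TO_NUMBER(effective_limit)
           END AS effective_num
      FROM fla
)
SELECT u.username,
       u.account_status,
       u.profile,
       f.raw_limit,
       f.effective_limit,
       CASE
           WHEN f.effective_limit = 'UNLIMITED' THEN 'FINDING'
           WHEN f.effective_num > 3              THEN 'FINDING'
           WHEN f.effective_num IS NULL          THEN 'REVIEW'
           ELSE 'OK'
       END AS stig_status
  FROM dba_users u
  JOIN fla_num f ON f.profile = u.profile
 ORDER BY stig_status, u.username;

-- Remediation for a profile the report flagged. APP_PROFILE is a
-- hypothetical name; use the profile reported above.
ALTER PROFILE app_profile LIMIT FAILED_LOGIN_ATTEMPTS 3;

-- Accounts whose profile says DEFAULT are fixed by tightening the DEFAULT
-- profile itself, which is also what newly created users receive.
ALTER PROFILE default LIMIT FAILED_LOGIN_ATTEMPTS 3;
```

Run the report as a user with SELECT access to the DBA_ views (for example DBA or SELECT_CATALOG_ROLE). Password-related profile parameters such as FAILED_LOGIN_ATTEMPTS are enforced regardless of the RESOURCE_LIMIT initialization parameter, so no parameter change is needed for the new limit to take effect on subsequent logon attempts. ACCOUNT_STATUS is included so a reviewer can tell already-locked built-in schemas from active accounts that still need the profile corrected.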

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4057

Comments