STIGQter: STIG Summary: Oracle Database 11.2g Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

Procedures for establishing temporary passwords that meet DoD password requirements for new accounts must be defined, documented, and implemented.

DISA Rule

SV-238468r667578_rule

Vulnerability Number

V-238468

Group Title

SRG-APP-000164-DB-000401

Rule Version

O112-C2-014900

Severity

CAT II

CCI(s)

• CCI-000192 - The information system enforces password complexity by the minimum number of upper case characters used.

Weight

10

Fix Recommendation

Implement procedures for assigning temporary passwords to user accounts.

Procedures should include instructions to meet current DoD password length and complexity requirements and provide a secure method to relay the temporary password to the user.

Check Contents

If all user accounts are authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, stop here: this is not a finding against the DBMS.

Where accounts are authenticated using passwords, review procedures and implementation evidence for creation of temporary passwords. If the procedures or evidence do not exist or do not enforce passwords to meet DoD password requirements, this is a finding.

Vulnerability Number

V-238468

Documentable

False

Rule Version

O112-C2-014900

Severity Override Guidance

If all user accounts are authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, stop here: this is not a finding against the DBMS.

Where accounts are authenticated using passwords, review procedures and implementation evidence for creation of temporary passwords. If the procedures or evidence do not exist or do not enforce passwords to meet DoD password requirements, this is a finding.

Check Content Reference

M

Target Key

4057

Comments