STIGQter: STIG Summary: Oracle Database 11.2g Security Technical Implementation Guide, Version: 2, Release: 1, Benchmark Date: 23 Apr 2021

The DBMS must terminate the network connection associated with a communications session at the end of the session or after 15 minutes of inactivity.

DISA Rule

SV-238473r667593_rule

Vulnerability Number

V-238473

Group Title

SRG-APP-000295-DB-000305

Rule Version

O112-C2-016500

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure DBMS and/or OS settings to disconnect network sessions when database communication sessions have ended or after the DoD-defined period of inactivity.

To configure this in Oracle, modify each relevant profile. The resource name is IDLE_TIME, which is expressed in minutes. Using PPPPPP as an example of a profile, set the timeout to 15 minutes with:
ALTER PROFILE PPPPPP LIMIT IDLE_TIME 15;

Check Contents

Review DBMS settings, OS settings, and vendor documentation to verify network connections are terminated when a database communications session is ended or after a DoD-defined period of inactivity. If the network connection is not terminated, this is a finding.

The defined duration for these timeouts is 15 minutes, except to fulfill documented and validated mission requirements.
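
One way to review the DBMS side of this check, as an added example that is not part of the STIG text: the queries below report each profile's effective IDLE_TIME and the number of open accounts assigned to it. They assume the standard DBA_PROFILES, DBA_USERS and V$PARAMETER views; the OK/REVIEW labels are this example's own, and Oracle enforces IDLE_TIME only while the RESOURCE_LIMIT initialization parameter is TRUE.

```sql
-- Added example: audit IDLE_TIME per profile on Oracle 11.2. Run as a user
-- with SELECT on DBA_PROFILES, DBA_USERS and V$PARAMETER.

-- 1. Kernel resource limits such as IDLE_TIME are enforced only when
--    RESOURCE_LIMIT is TRUE; on 11.2 the default is FALSE.
SELECT name, value
FROM   v$parameter
WHERE  name = 'resource_limit';

-- 2. Effective IDLE_TIME per profile. A limit of DEFAULT inherits the value
--    from the DEFAULT profile, so resolve it before comparing with 15.
WITH idle AS (
  SELECT p.profile,
         p.limit AS configured_limit,
         CASE p.limit
           WHEN 'DEFAULT' THEN d.limit
           ELSE p.limit
         END AS effective_limit
  FROM   dba_profiles p
  CROSS JOIN (SELECT limit
              FROM   dba_profiles
              WHERE  profile = 'DEFAULT'
              AND    resource_name = 'IDLE_TIME') d
  WHERE  p.resource_name = 'IDLE_TIME'
)
SELECT i.profile,
       i.configured_limit,
       i.effective_limit,
       COUNT(u.username) AS open_accounts,
       -- REVIEW rather than FAIL: a longer timeout may be covered by a
       -- documented and validated mission requirement.
       CASE
         WHEN i.effective_limit = 'UNLIMITED' THEN 'REVIEW'
         WHEN TO_NUMBER(i.effective_limit) > 15 THEN 'REVIEW'
         ELSE 'OK'
       END AS status
FROM   idle i
LEFT JOIN dba_users u
       ON u.profile = i.profile
      AND u.account_status = 'OPEN'
GROUP  BY i.profile, i.configured_limit, i.effective_limit
ORDER  BY status DESC, i.profile;
```

A profile that shows OK while the first query returns FALSE is still not enforcing the timeout.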

Documentable

False

Severity Override Guidance

Review DBMS settings, OS settings, and vendor documentation to verify network connections are terminated when a database communications session is ended or after a DoD-defined period of inactivity. If the network connection is not terminated, this is a finding.

The defined duration for these timeouts is 15 minutes, except to fulfill documented and validated mission requirements.

Check Content Reference

M

Target Key

4057
