STIGQter: STIG Summary: Oracle Database 11g Instance STIG Version: 8 Release: 20 Benchmark Date: 28 Jul 2017:

Unlimited account lock times should be specified for locked accounts.

DISA Rule

SV-24426r2_rule

Vulnerability Number

V-15639

Group Title

DBMS Account lock time

Rule Version

DG0133-ORACLE11

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Set the password_lock_time on all defined profiles to unlimited.

This will require the DBA to manually re-enable every locked account after the failed login limit has been reached.

From SQL*Plus:

alter profile default limit password_lock_time unlimited;
alter profile [profile name] limit password_lock_time default;

Replace [profile name] with an existing, non-default profile name.

Check Contents

From SQL*Plus:

select profile, limit from dba_profiles
where resource_name = 'PASSWORD_LOCK_TIME'
and limit not in ('UNLIMITED', 'DEFAULT');

If any profiles are listed, this is a Finding.

A value of UNLIMITED means that the account is locked until it is manually unlocked.
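The two SQL*Plus steps above (the fix and the check) can be combined into a single pass that resolves the value each profile actually uses and then remediates every non-compliant profile at once. The following is an added example written for this page, not text from the STIG; it assumes an Oracle 11g DBA_PROFILES view (PROFILE, RESOURCE_NAME, RESOURCE_TYPE, LIMIT columns) and a session with the ALTER PROFILE privilege. The first query goes one step beyond the STIG check by showing the effective limit of profiles set to DEFAULT, which inherit whatever the DEFAULT profile has; the second block performs the fix for all profiles rather than one named profile.

```sql
-- Added example (not part of the STIG text). Assumes Oracle 11g DBA_PROFILES
-- and a DBA session. Step 1: list every profile whose effective
-- PASSWORD_LOCK_TIME is not UNLIMITED. A profile whose LIMIT is DEFAULT
-- inherits the DEFAULT profile's value, so resolve that before comparing.
SELECT p.profile,
       p.limit AS declared_limit,
       CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END AS effective_limit
  FROM dba_profiles p
  JOIN dba_profiles d
    ON d.profile = 'DEFAULT'
   AND d.resource_name = p.resource_name
 WHERE p.resource_name = 'PASSWORD_LOCK_TIME'
   AND CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END <> 'UNLIMITED'
 ORDER BY p.profile;

-- Step 2: apply the STIG fix to every profile in one pass.
-- The DEFAULT profile gets UNLIMITED; every other profile that carries an
-- explicit lock time is pointed back at DEFAULT so it inherits UNLIMITED.
-- Profile names are double-quoted so names created with mixed case survive.
BEGIN
  EXECUTE IMMEDIATE 'ALTER PROFILE default LIMIT password_lock_time UNLIMITED';

  FOR r IN (SELECT profile
              FROM dba_profiles
             WHERE resource_name = 'PASSWORD_LOCK_TIME'
               AND profile <> 'DEFAULT'
               AND limit NOT IN ('UNLIMITED', 'DEFAULT'))
  LOOP
    EXECUTE IMMEDIATE 'ALTER PROFILE "' || r.profile ||
                      '" LIMIT password_lock_time DEFAULT';
  END LOOP;
END;
/

-- Step 3: re-run the STIG check; no rows means the finding is closed.
SELECT profile, limit
  FROM dba_profiles
 WHERE resource_name = 'PASSWORD_LOCK_TIME'
   AND limit NOT IN ('UNLIMITED', 'DEFAULT');
```

Run step 1 before remediating so the set of profiles being changed is recorded for the change ticket; after step 2, any account that hits FAILED_LOGIN_ATTEMPTS stays locked until a DBA issues ALTER USER ... ACCOUNT UNLOCK, which is the behaviour the rule requires.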

Documentable

False

Check Content Reference

M

Responsibility

Database Administrator

Target Key

1367

Comments