STIGQter: STIG Summary: Oracle Database 11g Instance STIG, Version 8, Release 20, Benchmark Date: 28 Jul 2017

Users should be alerted upon login of previous successful connections or unsuccessful attempts to access their account.

DISA Rule

SV-24429r1_rule

Vulnerability Number

V-15641

Group Title

DBMS connection alert

Rule Version

DG0135-ORACLE11

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Develop, document and implement an automated method to display at interactive logon the time and date of the last successful login and the number of failed login attempts since the last successful login for users that access the database interactively.

This may require a custom-developed logon trigger or procedure to accomplish.

NOTE: This may cause interaction/functionality problems with COTS applications not designed for this kind of interaction.
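One way to satisfy the fix for SQL*Plus users, as an added example that is not part of the STIG or STIGQter: a PL/SQL block placed in the client's login.sql (or the site-wide glogin.sql) that reports the previous successful logon and the failed attempts recorded since it. It assumes AUDIT SESSION is enabled and AUDIT_TRAIL is set to DB, so that USER_AUDIT_SESSION carries a LOGON row for every connection attempt by the current user (RETURNCODE 0 on success, non-zero such as 1017 on a bad password); the column and view names are standard Oracle 11g, the date format is a choice made here.

```sql
-- Added example: SQL*Plus login.sql fragment reporting last successful logon
-- and failed attempts since it. Assumes AUDIT SESSION and AUDIT_TRAIL=DB.
SET SERVEROUTPUT ON SIZE 10000

DECLARE
  v_last_ok   DATE;
  v_failed    NUMBER := 0;
  v_last_fail DATE;
BEGIN
  -- Most recent successful logon, excluding the session being opened right now
  -- (the current logon has already written its own RETURNCODE = 0 row).
  SELECT MAX(timestamp)
    INTO v_last_ok
    FROM user_audit_session
   WHERE action_name = 'LOGON'
     AND returncode  = 0
     AND sessionid  <> SYS_CONTEXT('USERENV', 'SESSIONID');

  -- Failed attempts (non-zero return code, e.g. 1017 = ORA-01017) since that logon.
  -- If no earlier success exists, count every failed attempt on record.
  SELECT COUNT(*), MAX(timestamp)
    INTO v_failed, v_last_fail
    FROM user_audit_session
   WHERE action_name = 'LOGON'
     AND returncode <> 0
     AND timestamp   > NVL(v_last_ok, TO_DATE('1900-01-01', 'YYYY-MM-DD'));

  IF v_last_ok IS NULL THEN
    DBMS_OUTPUT.PUT_LINE('No previous successful logon recorded for ' || USER || '.');
  ELSE
    DBMS_OUTPUT.PUT_LINE('Last successful logon: '
                         || TO_CHAR(v_last_ok, 'YYYY-MM-DD HH24:MI:SS'));
  END IF;

  DBMS_OUTPUT.PUT_LINE('Failed logon attempts since then: ' || v_failed);

  IF v_failed > 0 THEN
    DBMS_OUTPUT.PUT_LINE('Most recent failed attempt: '
                         || TO_CHAR(v_last_fail, 'YYYY-MM-DD HH24:MI:SS'));
  END IF;
END;
/
```

A client-side login.sql only covers SQL*Plus and can be skipped by the user, so it satisfies the display requirement but not enforcement; a server-side logon trigger built on the same two queries can write the result into a per-user table (DBMS_OUTPUT written from a trigger is not shown to the connecting client), and the DBA's interactive logon test in the check section is what confirms the chosen method actually reports the values.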

Check Contents

If the database does not store or process classified data, or user accounts are prohibited from accessing the database interactively, this check is Not a Finding.

NOTE: Per the STIG, the definition of an Interactive Database User can be considered an end-user who accesses the database interactively using tools like SQL*Plus, TOAD, etc. and not through a mid-tier application. Your DAA has the option to consider administration accounts (SYSDBA, SYSOPER, SCHEMA accounts and accounts assigned DBA privileges) as Interactive Database User accounts for the purposes of this check. The definition of an Interactive Database User should be documented in the System Security Plan.

Have the DBA perform an interactive logon test (via SQL*Plus) using a non-privileged account (and a privileged account if privileged accounts meet this requirement) to verify display of user access and account usage.

If the last successful login and the number of unsuccessful attempts since it are not reported, this is a Finding.

Vulnerability Number

V-15641

Documentable

False

Rule Version

DG0135-ORACLE11

Severity Override Guidance


Check Content Reference

I

Responsibility

Database Administrator

Target Key

1367

Comments