From Oracle Database 12c Security Technical Implementation Guide
Part of SRG-APP-000248-DB-000135
Associated with: CCI-002394
Priority protection helps prevent a lower-priority process from delaying or interfering with the information system servicing any higher-priority process. This control does not apply to components in the information system for which there is only a single user/role. The application must limit the use of resources by priority.
Review DBMS settings and documentation to determine if the DBMS restricts resource usage by priority. If the DBMS does not restrict resource usage by priority, this is a finding. - - - - - This capability is available in Oracle at both the user and database level. At the user level, we create resource profiles for users of the database. Resource Parameters SESSIONS_PER_USER - Specify the number of concurrent sessions to which to limit the user. CPU_PER_SESSION - Specify the CPU time limit for a session, expressed in hundredths of seconds. CPU_PER_CALL - Specify the CPU time limit for a call (a parse, execute, or fetch), expressed in hundredths of seconds. CONNECT_TIME - Specify the total elapsed time limit for a session, expressed in minutes. IDLE_TIME - Specify the permitted periods of continuous inactive time during a session, expressed in minutes. Long-running queries and other operations are not subject to this limit. LOGICAL_READS_PER_SESSION - Specify the permitted number of data blocks read in a session, including blocks read from memory and disk. LOGICAL_READS_PER_CALL - Specify the permitted number of data blocks read for a call to process a SQL statement (a parse, execute, or fetch). PRIVATE_SGA - Specify the amount of private space a session can allocate in the shared pool of the system global area (SGA). COMPOSITE_LIMIT - Specify the total resource cost for a session, expressed in service units. To check the resource controls assigned to a user, query the DBA_PROFILES and DBA_USERS tables in the following manner. set linesize 121 col username format a20 col profile format a20 col resource_name format a25 col resource_type format a14 col limit format a10 select a.username, a.profile, b.resource_name, b.limit from dba_users a, dba_profiles b where b.resource_type is not null and a.profile = b.profile order by username; The output should look like the output below and display the users and the contents of their profiles. USERNAME PROFILE RESOURCE NAME LIMIT -------- ------- ------------- ----- SCOTT DEFAULT SESSIONS_PER_USER UNLIMITED SCOTT DEFAULT CPU_PER_SESSION UNLIMITED
Implement measures to restrict the usage of resources by priority. - - - - - To implement security at the user level, assign users a profile that limits their resources: The user profile, ORA_STIG_PROFILE, has been provided (starting with Oracle 12.1.0.2) to satisfy the STIG requirements pertaining to the profile parameters. Oracle recommends that this profile be customized with any site-specific requirements and assigned to all users where applicable. Note: It remains necessary to create a customized replacement for the password validation function, ORA12C_STRONG_VERIFY_FUNCTION, if relying on this technique to verify password complexity. Example $ sqlplus connect as sysdba ALTER PROFILE ORA_STIG_PROFILE LIMIT SESSIONS_PER_USER 1 IDLE_TIME 30 CPU_PER_SESSION 100 CPU_PER_CALL 100 CONNECT_TIME 600;
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer