Unlimited account lock times should be specified for locked accounts.

From Oracle Database 11g Instance STIG

Part of DBMS Account lock time

SV-24426r2_rule Unlimited account lock times should be specified for locked accounts.

Vulnerability discussion

When no limit is imposed on failed logon attempts and accounts are not disabled after a set number of failed attempts, the DBMS account is vulnerable to sustained attack. While access attempts continue unrestricted, the likelihood of success increases. A successful attempt results in unauthorized access to the database.

Check content

From SQL*Plus:

select profile, limit from dba_profiles where resource_name = 'PASSWORD_LOCK_TIME' and limit not in ('UNLIMITED', 'DEFAULT');

If any profiles are listed, this is a Finding. A value of UNLIMITED means that the account is locked until it is manually unlocked.

Fix text

Set the password_lock_time on all defined profiles to unlimited. This will require the DBA to manually re-enable every locked account after the failed login limit has been reached. From SQL*Plus:

alter profile default limit password_lock_time unlimited;
alter profile [profile name] limit password_lock_time default;

Replace [profile name] with an existing, non-default profile name.
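The following script, added here as an illustration and not part of the STIG text, carries the check and the fix above through as one SQL*Plus session. It assumes the standard Oracle data dictionary views DBA_PROFILES and DBA_USERS and the DBMS_ASSERT package; the PL/SQL loop replaces the per-profile ALTER with a generated one, so that profiles which do not yet inherit from DEFAULT are covered without listing their names by hand. The check also joins in FAILED_LOGIN_ATTEMPTS so the reviewer can see the threshold that triggers the lock next to the lock duration.

```sql
-- Check: a profile whose PASSWORD_LOCK_TIME is neither UNLIMITED nor DEFAULT
-- is a finding. FAILED_LOGIN_ATTEMPTS is shown alongside for context only.
-- A limit of DEFAULT in a non-default profile inherits the value set on the
-- DEFAULT profile, which is why the fix changes DEFAULT first.
select p.profile,
       p.limit as password_lock_time,
       f.limit as failed_login_attempts
  from dba_profiles p
  left join dba_profiles f
    on f.profile = p.profile
   and f.resource_name = 'FAILED_LOGIN_ATTEMPTS'
 where p.resource_name = 'PASSWORD_LOCK_TIME'
   and p.limit not in ('UNLIMITED', 'DEFAULT')
 order by p.profile;

-- Fix, step 1: lock accounts indefinitely under the DEFAULT profile.
alter profile default limit password_lock_time unlimited;

-- Fix, step 2: point every other profile at DEFAULT so it inherits UNLIMITED.
-- DBMS_ASSERT.ENQUOTE_NAME quotes the profile name as stored (capitalize off),
-- so profiles created with mixed-case quoted identifiers are handled as well.
begin
  for p in (select profile
              from dba_profiles
             where resource_name = 'PASSWORD_LOCK_TIME'
               and profile <> 'DEFAULT'
               and limit <> 'DEFAULT')
  loop
    execute immediate 'alter profile '
                   || dbms_assert.enquote_name(p.profile, capitalize => false)
                   || ' limit password_lock_time default';
  end loop;
end;
/

-- Re-run the check; no rows returned means no finding.
select profile, limit
  from dba_profiles
 where resource_name = 'PASSWORD_LOCK_TIME'
   and limit not in ('UNLIMITED', 'DEFAULT');

-- Operational follow-up: with UNLIMITED in effect, accounts that hit the
-- failed-login threshold stay here until a DBA unlocks them deliberately.
select username, account_status, lock_date
  from dba_users
 where account_status like '%LOCKED%'
 order by lock_date;
```

Run it as a user with SELECT on the DBA_* views and ALTER PROFILE privilege. Because every ALTER is issued against a live profile, review the first query's output before running the fix block, and note that the final DBA_USERS query is the list a DBA will have to work through by hand once the setting is in place.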
