From Oracle Database 11g Instance STIG
Part of DBMS failed login account lock
The FAILED_LOGIN_ATTEMPTS value limits the number of failed login attempts allowed before an account is locked. Setting this value limits the ability of unauthorized users to guess passwords and alerts the DBA when password guessing has occurred (accounts display as locked). For non-interactive accounts, the number of failed logins should be set to an IAO-approved value.
From SQL*Plus:

    select profile||': '||limit
    from dba_profiles,
      (select limit as def_login_attempts
       from dba_profiles
       where profile = 'DEFAULT'
       and resource_name = 'FAILED_LOGIN_ATTEMPTS')
    where resource_name = 'FAILED_LOGIN_ATTEMPTS'
    and replace(limit, 'DEFAULT', def_login_attempts) IN ('UNLIMITED', NULL)
    or resource_name = 'FAILED_LOGIN_ATTEMPTS'
    and to_number(decode(limit, 'UNLIMITED', 10, 'DEFAULT', 10, limit)) > 3;

If the DEFAULT profile is returned with a limit not less than or equal to 3, this is a Finding.

If any non-DEFAULT profiles are returned with limits not documented and approved by the IAO, this is a Finding.

NOTE: If the limit 'DEFAULT' is returned for any non-DEFAULT profiles, the profile limit is set to the corresponding value in the DEFAULT profile. If the DEFAULT profile is a Finding, so is the profile that references it.
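The finding rules above, applied to exported FAILED_LOGIN_ATTEMPTS rows, as an added Python example (not part of the STIG). The sample rows and the IAO_APPROVED mapping are constructed, and matching an approved value by its literal limit string is an assumption.

```python
# Constructed sample: (PROFILE, LIMIT) pairs as dba_profiles would list them
# for RESOURCE_NAME = 'FAILED_LOGIN_ATTEMPTS'.
SAMPLE_ROWS = [
    ("DEFAULT", "10"),
    ("APP_SVC", "DEFAULT"),
    ("BATCH", "UNLIMITED"),
    ("DBA_USERS", "3"),
    ("REPORTING", "5"),
]
# Assumption: limits documented in the System Security Plan and approved by the IAO.
IAO_APPROVED = {"REPORTING": "5"}
DEFAULT_MAX = 3


def exceeds(limit, maximum=DEFAULT_MAX):
    """True when a literal limit is UNLIMITED or greater than the maximum."""
    return limit == "UNLIMITED" or int(limit) > maximum


def evaluate(rows, approved):
    """Return {profile: reason} for every profile that is a Finding."""
    limits = dict(rows)
    default_limit = limits["DEFAULT"]
    default_bad = exceeds(default_limit)
    findings = {}
    for profile, limit in rows:
        if profile == "DEFAULT":
            if default_bad:
                findings[profile] = f"DEFAULT limit {limit} is not <= {DEFAULT_MAX}"
        elif limit == "DEFAULT":
            # Inherits the DEFAULT profile's value, and its Finding status.
            if default_bad:
                findings[profile] = f"inherits DEFAULT limit {default_limit}"
        elif exceeds(limit) and approved.get(profile) != limit:
            findings[profile] = f"limit {limit} not documented and approved by the IAO"
    return findings


if __name__ == "__main__":
    for name, reason in evaluate(SAMPLE_ROWS, IAO_APPROVED).items():
        print(f"FINDING {name}: {reason}")
```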
Modify profiles to meet the failed login attempt requirement limit.

From SQL*Plus:

    alter profile default limit failed_login_attempts 3;
    alter profile [profile name] limit failed_login_attempts [IAO-approved value];

Replace [profile name] with any existing, non-default profile names.

Document in the System Security Plan all profiles and settings.