From Oracle Database 11g Instance STIG
Part of DBMS account password expiration
The PASSWORD_LIFE_TIME value specifies the length of time the same password may be used to authenticate to a database account. After the time period specified has passed for the assigned password, the user is required to change their password or else forfeit access to the database. Frequent password changes help to decrease the likelihood or duration of a password compromise that would result in unauthorized access.
NOTE: Use of authentication via certificate or CAC for Oracle accounts makes the accounts non-interactive for the purposes of this check. The DEFAULT profile is required to have a password lifetime set not to exceed 60 days, which is the current password lifetime limit per DoD policy. Custom profiles for non-interactive accounts (accounts used by applications or other systems) may have PASSWORD_LIFE_TIME set to a time greater than 60 days, but must still have a limit assigned. Limits of one year or less for non-interactive accounts require IAO authorization and should be set to a lifetime as low as administration and operation of the application will support. From SQL*Plus: select profile, limit from dba_profiles, (select limit as def_pwd_life_tm from dba_profiles where profile = 'DEFAULT' and resource_name = 'PASSWORD_LIFE_TIME') where resource_name = 'PASSWORD_LIFE_TIME' and ((replace(limit, 'DEFAULT', def_pwd_life_tm) in ('UNLIMITED', NULL)) or (lpad(replace(limit, 'DEFAULT', def_pwd_life_tm),40,'0') > lpad('60',40,'0'))); If the DEFAULT profile has a value greater than 60 days, this is a Finding. If any non-default profiles have password lifetimes greater than 60 days and are assigned to interactive accounts, this is a Finding. If any non-default profiles have password lifetimes greater than 365 days (1 year) and are assigned to any accounts, this is a Finding. If any profiles have PASSWORD_LIFE_TIME set to UNLIMITED, NULL or no value, this is a Finding. Verify in the System Security Plan that all accounts assigned to profiles with a password lifetime greater than 60 days belong to non-interactive accounts.
Assign a password lifetime of 60 days or less to the default database profile. Assign a password lifetime of 60 days or less to non-default profiles assigned to interactive database accounts. Assign as password lifetime of 365 days or less to non-default profiles assigned to non-interactive database accounts that do not support frequent password changes. Include a list of all database accounts and their profile assignments in the System Security Plan. Modify profiles to assign a password lifetime. From SQL*Plus: alter profile default limit password_life_time 60; alter profile [profile name] limit password_life_time [60 to 365]; Replace [profile name] with any existing, non-default profile name and [60 to 365] with a value between 60 and 365 (days) inclusive.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer