Password reuse should be prevented where supported by the DBMS.

From Oracle Database 11g Instance STIG

Part of DBMS account password reuse

SV-24787r2_rule Password reuse should be prevented where supported by the DBMS.

Vulnerability discussion

Password reuse restrictions protect against bypass of password expiration requirements and help protect accounts from password guessing attempts. The DoDI 8500.2 specifies preventing password reuse to the extent system capabilities permit.The PASSWORD_REUSE_MAX value specifies the number of password changes before a password can be reused. The PASSWORD_REUSE_TIME value specifies the length of time before a password can be reused.

Check content

If no DBMS accounts authenticate using passwords, this check is Not a Finding. Review DBMS account password reuse restrictions: From SQL*Plus: select p1.profile profile, p1.limit REUSE_MAX, p2.limit REUSE_TIME from dba_profiles p1, dba_profiles p2 where p1.profile = p2.profile and p1.resource_name = 'PASSWORD_REUSE_MAX' and p2.resource_name = 'PASSWORD_REUSE_TIME' order by p1.profile; If limits for REUSE_MAX and REUSE_TIME are set to UNLIMITED, this is a Finding. If limits for REUSE_MAX and REUSE_TIME are not set to values, this is a Finding. NOTE: If limits for REUSE_MAX or REUSE_TIME are set to DEFAULT refer to the corresponding limits set for the DEFAULT profile. If the DBMS uses Host Authentication, confirm that the host is configured to prevent password reuse. If it is not, this is a Finding.

Fix text

Configure the DBMS to prevent password reuse by modifying Oracle profiles: From SQL*Plus: alter profile default limit password_reuse_max 10 password_reuse_time UNLIMITED; alter profile [profile name] limit password_reuse_max default password_reuse_time default; Replace [profile name] with any existing, non-default profile names. Where Host Authentication is used, configure the OS to prevent password reuse. Consider configuring the DBMS to use alternate authentication methods other than password authentication where supported by the DBMS.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer