From Database Security Requirements Guide
Part of SRG-APP-000001-DB-000031
Associated with: CCI-000054
Database management includes the ability to control the number of users and user sessions utilizing a DBMS. Unlimited concurrent connections to the DBMS could allow a successful Denial of Service (DoS) attack by exhausting connection resources; and a system can also fail or be degraded by an overload of legitimate users. Limiting the number of concurrent sessions per user is helpful in reducing these risks.
Determine whether the system documentation specifies limits on the number of concurrent DBMS sessions per account by type of user. If it does not, assume a limit of 10 for database administrators and 2 for all other users. Review the concurrent-sessions settings in the DBMS and/or the applications using it, and/or the system software supporting it. If the DBMS is capable of enforcing this restriction but is not configured to do so, this is a finding. This holds even if the restriction is enforced by applications or supporting software. If it is not technically feasible for the DBMS to enforce this restriction, but the application(s) or supporting software are configured to do so, this is not a finding. If it is not technically feasible for the DBMS to enforce this restriction, and applications and supporting software are not so configured, this is a finding. If the value for any type of user account is not set, this is a finding. If a value is set but is not equal to the value specified in the documentation (or the default value defined in this check) for the type of user, this is a finding.
If the DBMS is capable of enforcing this restriction, but is not configured to do so, configure it to do so. (This may involve the development of one or more triggers.) If it is not technically feasible for the DBMS to enforce this restriction, and the application(s) and supporting software are not configured to do so, configure them to do so. If the value for any type of user account is not set, determine the correct value and set it. If a value is set but is not equal to the value specified for the type of user, determine the correct value, set it, and update the documentation, as appropriate.
Lavender hyperlinks in small type off to the right (of CSS
class id
, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle
or
Accept: application/rdf+xml
.
Powered by sagemincer