3.9 Ensure 'INACTIVE_ACCOUNT_TIME' Is Less than or Equal to '120'

Information

The 'INACTIVE_ACCOUNT_TIME' setting determines the maximum number of days of inactivity (no logins at all) after which the account will be locked. The suggested value for this is 120 or less.

Rationale:

Setting 'INACTIVE_ACCOUNT_TIME' can help with deactivation of 'inactive' or 'unused' accounts.

Solution

To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.

Manually issue the following SQL statement for each USERNAME returned in the Audit Procedure:

Execute the following SQL script to assign a randomly generated password to each account using a default password:

begin
for r_user in (select username
from dba_users_with_defpwd
where username not like '%XS$NULL%')
loop
DBMS_OUTPUT.PUT_LINE('Password for user '||r_user.username||' will be changed.');
execute immediate 'alter user ''||r_user.username||'' identified by ''||
DBMS_RANDOM.string('a',16)||''account lock password expire';
end loop;
end;

See Also

https://workbench.cisecurity.org/benchmarks/13413

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

References: 800-53|AC-2(3), 800-53|IA-5, CSCv6|5.3, CSCv6|18, CSCv7|4.2, CSCv7|16.9

Plugin: OracleDB

Control ID: 7e5e7e14ddc3e7ca9b0a1a9e81a6b44cb75cdd57eb63d1002b03b9f3c3cf151e