Information
When no limit is imposed on failed logon attempts and accounts are not disabled after a set number of failed access attempts, then the DBMS account is vulnerable to sustained attack. When access attempts continue unrestricted, the likelihood of success is increased. A successful attempt results in unauthorized access to the database.
Solution
Set the password_lock_time on all defined profiles to unlimited.
This requires the DBA to manually re-enable every locked account after the failed login limit has been reached.
From SQL*Plus:
alter profile default limit password_lock_time unlimited;
alter profile [profile name] limit password_lock_time default;
Replace [profile name] with an existing, non-default profile name.
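To verify the setting afterwards, the following queries can be run from SQL*Plus. They are an added example, not part of the original check text. They assume the session can read the DBA_PROFILES and DBA_USERS data dictionary views, and [user name] is a placeholder.

```sql
-- Added example: audit PASSWORD_LOCK_TIME on every defined profile.
-- A profile whose limit is DEFAULT inherits the value set on the DEFAULT
-- profile, so resolve that inheritance before judging the result.
SELECT p.profile,
       p.limit AS configured_limit,
       CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END
         AS effective_limit,
       CASE
         WHEN CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END
              = 'UNLIMITED'
         THEN 'OK'
         ELSE 'FINDING'
       END AS status
FROM   dba_profiles p
       JOIN dba_profiles d
         ON  d.profile = 'DEFAULT'
         AND d.resource_name = 'PASSWORD_LOCK_TIME'
WHERE  p.resource_name = 'PASSWORD_LOCK_TIME'
ORDER  BY p.profile;

-- Accounts that are currently locked and need DBA review.
-- A status containing LOCKED(TIMED) indicates the lock was triggered by
-- the failed login limit rather than set explicitly by an administrator.
SELECT username, account_status, lock_date, profile
FROM   dba_users
WHERE  account_status LIKE '%LOCKED%'
ORDER  BY lock_date;

-- After review, re-enable an account ([user name] is a placeholder):
-- alter user [user name] account unlock;
```

Any row reported as FINDING in the first query is a profile whose effective lock time is still a finite number of days.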