Information
Oracle databases have several well-known default username/password combinations. Default passwords may provide unauthorized access to the server. Default accounts should be locked and expired when they are not required for daily operations.
This finding is a Category I severity because the fully privileged Database Administrator accounts SYS and SYSTEM have well-known default passwords, and these accounts provide full access to the database.
Solution
Change passwords from the default.
Ensure passwords meet complexity standards outlined in STIG Requirement DG0079.
From SQL*Plus:
alter user [username] identified by [password];
Lock and expire any accounts not required for interactive access.
From SQL*Plus:
alter user [username] account lock;
alter user [username] password expire;
NOTE: Follow Oracle documentation for changing any default passwords. Some accounts require coordinated actions in order to maintain operational status.
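To find which accounts the steps above apply to, the following query is an added example, not part of the original finding text. It assumes Oracle Database 11g or later, where the DBA_USERS_WITH_DEFPWD view is available, and a session permitted to query the DBA_ views; the ACTION column labels are illustrative.

```sql
-- Added example: list accounts that still use a default password,
-- with their current status and the remediation step that applies.
-- Assumes Oracle Database 11g or later (DBA_USERS_WITH_DEFPWD) and a
-- session allowed to query the DBA_ views.
SELECT u.username,
       u.account_status,
       CASE
         -- SYS and SYSTEM are the Category I accounts: change the password.
         WHEN u.username IN ('SYS', 'SYSTEM')
           THEN 'change password'
         -- LOCKED, LOCKED(TIMED), EXPIRED & LOCKED, ...
         WHEN u.account_status LIKE '%LOCKED%'
           THEN 'locked: change password before any unlock'
         -- OPEN, EXPIRED, EXPIRED(GRACE): a login attempt is still possible.
         ELSE 'not locked: change password, or lock and expire if not required'
       END AS action
FROM   dba_users u
JOIN   dba_users_with_defpwd d
       ON d.username = u.username
ORDER  BY CASE WHEN u.username IN ('SYS', 'SYSTEM') THEN 0 ELSE 1 END,
          u.account_status,
          u.username;
```

An empty result means no account on the instance is still using a known default password; rerun the query after remediation to confirm.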