4.1 Ensure All Default Passwords Are Changed

Information

Default passwords should not be used by Oracle database users.

Rationale:

Default passwords must be treated as well known to attackers: the default credentials of Oracle-supplied accounts are published, and attack tools ship with lists of them. Consequently, if default passwords remain in place, any attacker who can reach the database can authenticate as the user with that default password without having to guess or crack anything.

Solution

To remediate this finding, run the following PL/SQL block in every container in which the Audit Procedure reported accounts with default passwords. In a multitenant database the same user can exist in the root container (CDB$ROOT) and in each pluggable database, and DBA_USERS_WITH_DEFPWD only reports the current container, so connect to the root and to each affected pluggable database in turn and run the block there.

The block assigns a randomly generated password to each account that still uses its default password, then locks the account and expires the new password, so the generated value never has to be recorded anywhere. XS$NULL is excluded because it is an internal account that cannot log in. Two caveats before running it: an account that an application still uses should instead be given a known, strong password and left unlocked, or that application will stop working; and if the account's profile enforces a PASSWORD_VERIFY_FUNCTION that requires digits or special characters, the purely alphabetic string produced by DBMS_RANDOM.STRING('a', 16) will be rejected and the ALTER USER will raise an error, so adjust the generated value to satisfy the policy (for example DBMS_RANDOM.STRING('x', 16), which mixes uppercase letters and digits). The block reports each changed account through DBMS_OUTPUT; in SQL*Plus, SET SERVEROUTPUT ON first so that output is displayed:

set serveroutput on

begin
  for r_user in (select username
                   from dba_users_with_defpwd
                  where username not like '%XS$NULL%')
  loop
    DBMS_OUTPUT.PUT_LINE('Password for user '||r_user.username||' will be changed.');
    -- Double-quote the username and the new password so that case and any
    -- special characters are preserved exactly as stored and generated.
    -- The account is locked and the password expired in the same statement.
    execute immediate 'alter user "'||r_user.username||'" identified by "'||
                      DBMS_RANDOM.string('a',16)||'" account lock password expire';
  end loop;
end;
/
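The remediation block only sees the container it is run in, so it helps to know up front which containers hold affected accounts and to confirm afterwards that none remain. The following query is an added example and is not part of the benchmark text; it assumes Oracle Database 12c or later in the multitenant architecture, a session in CDB$ROOT as a user with access to the CDB_ views, and that the pluggable databases of interest are open (CDB_ views only aggregate open PDBs). In a non-CDB, replace CDB_USERS_WITH_DEFPWD and CDB_USERS with the DBA_ equivalents and drop the CON_ID and container columns.

```sql
-- Added example (not from the benchmark): list every account that still
-- carries a default password, per container, together with its status and
-- profile. CDB_USERS_WITH_DEFPWD and CDB_USERS aggregate the per-container
-- DBA_ views, so one query run in CDB$ROOT covers the root and all open PDBs.
-- Assumptions: Oracle 12c or later, multitenant, session in CDB$ROOT.
SELECT d.con_id,
       c.name          AS container,
       d.username,
       u.account_status,
       u.profile       -- shows which PASSWORD_VERIFY_FUNCTION will apply
  FROM cdb_users_with_defpwd d
  JOIN cdb_users u
    ON u.con_id   = d.con_id
   AND u.username = d.username
  LEFT JOIN v$containers c
    ON c.con_id = d.con_id
 WHERE d.username NOT LIKE '%XS$NULL%'   -- same exclusion as the remediation block
 ORDER BY d.con_id, d.username;
```

Run it before remediation to get the list of containers to connect to (and to spot accounts whose status shows they are in use and therefore need a known password rather than a random locked one), and again afterwards: once every container has been remediated the query returns no rows, because an account leaves the _WITH_DEFPWD view as soon as its password no longer matches the default.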

References:

http://docs.oracle.com/database/121/TDPSG/GUID-3EC7A894-D620-4497-AFB1-64EB8C33D854.htm#TDPSG20021

https://support.oracle.com/epmos/faces/DocumentDisplay?id=2173962.1

See Also

https://workbench.cisecurity.org/files/2741

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

References: 800-53|AC-6(10), 800-53|IA-5, CSCv6|5.3, CSCv6|18.9, CSCv7|4.2, CSCv7|4.7

Plugin: OracleDB

Control ID: abc02e6f2151f4e540e485117df9130e9beefe4e159f192f2beef8ca7c29695d