3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1'

Information

The PASSWORD_LOCK_TIME setting determines how many days must pass for the user's account to be unlocked after the set number of failed login attempts has occurred. The suggested value for this is one day or greater.

Rationale:

Locking the user account after repeated failed login attempts can block further brute-force login attacks, but can create administrative headaches as this account unlocking process always requires DBA intervention.

Solution

Remediate this setting by executing the following SQL statement for each PROFILE returned by the audit procedure.

ALTER PROFILE <profile_name> LIMIT PASSWORD_LOCK_TIME 1;

See Also

https://workbench.cisecurity.org/benchmarks/13413