DG0066-ORACLE11 - Procedures for establishing temporary passwords that meet DoD password requirements for new accounts should be defined, documented and implemented.

Information

New accounts authenticated by passwords that are created without a password or with an easily guessed password are vulnerable to unauthorized access. Procedures for creating new accounts with passwords should include the required assignment of a temporary password to be modified by the user upon first use.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Develop, document and implement procedures for assigning, distributing and changing of temporary passwords for new database user accounts.

Procedures should include instruction that meet current DoD password length and complexity requirements and provide a secure method to relay the temporary password to the user.

Temporary passwords should also be short-lived and require immediate update by the user upon first use.

Consider using account authentication using certificates or other credentials in place of password authentication.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_11g_Y21M10_STIG.zip

Item Details

References: CAT|II, Rule-ID|SV-24639r1_rule, STIG-ID|DG0066-ORACLE11, Vuln-ID|V-3811

Plugin: Unix

Control ID: 15016a609a25850e20e6b8636ccffd72fbd7040f845c0f3e196f4b530efbd21e