DG0125-ORACLE11 - DBMS account passwords should be set to expire every 60 days or more frequently - 'Database password expiration < 60 days'

Information

The PASSWORD_LIFE_TIME value specifies the length of time the same password may be used to authenticate to a database account. After the time period specified has passed for the assigned password, the user is required to change their password or else forfeit access to the database. Frequent password changes help to decrease the likelihood or duration of a password compromise that would result in unauthorized access.

Solution

Assign a password lifetime of 60 days or less to the default database profile.

Assign a password lifetime of 60 days or less to non-default profiles assigned to interactive database accounts.

Assign as password lifetime of 365 days or less to non-default profiles assigned to non-interactive database accounts that do not support frequent password changes.

Include a list of all database accounts and their profile assignments in the System Security Plan.

Modify profiles to assign a password lifetime.

From SQL*Plus:
alter profile default limit password_life_time 60;
alter profile [profile name] limit password_life_time [60 to 365];

Replace [profile name] with any existing, non-default profile name and [60 to 365] with a value between 60 and 365 (days) inclusive.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_11g_Y21M10_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(d), CAT|II, Rule-ID|SV-24780r2_rule, STIG-ID|DG0125-ORACLE11, Vuln-ID|V-15153

Plugin: OracleDB

Control ID: 5f9fbc1329f69f9f6dbabe04cab0abb08ae87811c316408239ddf1df2600623f