DG0128-ORACLE11 - DBMS default accounts should be assigned custom passwords - 'No default accounts are OPEN'

Information

Oracle databases have several well-known default username/password combinations. Default passwords may provide unauthorized access to the server. Default accounts should be locked and expired when they are not required for daily operations.

This finding is a Category I severity because the fully privileged Database Administrator accounts SYS and SYSTEM have well known default passwords and these accounts provide full access to the database.

Solution

Change passwords from the default.

Ensure passwords meet complexity standards outlined in STIG Requirement DG0079.

From SQL*Plus:
alter user [username] identified by [password];

Lock and expire any accounts not required for interactive access.

From SQL*Plus:
alter user [username] account lock;
alter user [username] password expire;

NOTE: Follow Oracle documentation for changing any default passwords. Some accounts require coordinated actions in order to maintain operational status.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_11g_Y21M10_STIG.zip

Item Details

References: CAT|I, Rule-ID|SV-24796r3_rule, STIG-ID|DG0128-ORACLE11, Vuln-ID|V-15635

Plugin: OracleDB

Control ID: bbcb4675204cedd099426fcd6d573aed7c67f82f656a97613144d859b744d195