DG0073-ORACLE11 - Database accounts should not specify account lock times less than the site-approved minimum - 'Account lockout is < 3'

Information

The FAILED_LOGIN_ATTEMPTS value limits the number of failed login attempts allowed before an account is locked. Setting this value limits the ability of unauthorized users to guess passwords and alerts the DBA when password guessing has occurred (accounts display as locked). For non-interactive accounts, the number of failed logins should be set to an IAO-approved value.

Solution

Modify profiles to meet the failed login attempt requirement limit.

From SQL*Plus:
alter profile default limit
failed_login_attempts 3;

alter profile [profile name] limit
failed_login_attempts [IAO-approved value];

Replace [profile name] with any existing, non-default profile names.

Document in the System Security Plan all profiles and settings.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_11g_Y21M10_STIG.zip

Item Details

References: CAT|II, Rule-ID|SV-24650r2_rule, STIG-ID|DG0073-ORACLE11, Vuln-ID|V-3817

Plugin: OracleDB

Control ID: 8f2721378c308d2f79f228ad7e10a2e36385f67f10c6f9252ab732b16a4b8167