By Mouhamadou Diaw
In my previous blog I was testing the creation of a new Oracle 21c database. In this blog I am talking about two changes about the security.
In each new release Oracle strengthens security. That’s why since Oracle 12.2, to meet Security Technical Implementation Guides (STIG) compliance, Oracle Database provided the profile ORA_STIG_PROFILE
With Oracle 21c the profile ORA_STIG_PROFILE was updated and Oracle has provided a new profile to meet CIS standard : the profile ORA_CIS_PROFILE
The ORA_STIG_PROFILE user profile has been updated with the latest Security Technical Implementation Guide’s (STIG) guidelines
The ORA_CIS_PROFILE has the latest Center for Internet Security (CIS) guidelines
ORA_STIG_PROFILE
In an Oracle 19c database, we can fine following for the ORA_STIG_PROFILE.
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
|
SQL> select profile,resource_name,limit from dba_profiles where profile='ORA_STIG_PROFILE' order by resource_name;PROFILE RESOURCE_NAME LIMIT------------------------------ ------------------------------ ------------------------------ORA_STIG_PROFILE COMPOSITE_LIMIT DEFAULTORA_STIG_PROFILE CONNECT_TIME DEFAULTORA_STIG_PROFILE CPU_PER_CALL DEFAULTORA_STIG_PROFILE CPU_PER_SESSION DEFAULTORA_STIG_PROFILE FAILED_LOGIN_ATTEMPTS 3ORA_STIG_PROFILE IDLE_TIME 15ORA_STIG_PROFILE INACTIVE_ACCOUNT_TIME 35ORA_STIG_PROFILE LOGICAL_READS_PER_CALL DEFAULTORA_STIG_PROFILE LOGICAL_READS_PER_SESSION DEFAULTORA_STIG_PROFILE PASSWORD_GRACE_TIME 5ORA_STIG_PROFILE PASSWORD_LIFE_TIME 60ORA_STIG_PROFILE PASSWORD_LOCK_TIME UNLIMITEDORA_STIG_PROFILE PASSWORD_REUSE_MAX 10ORA_STIG_PROFILE PASSWORD_REUSE_TIME 365ORA_STIG_PROFILE PASSWORD_VERIFY_FUNCTION ORA12C_STIG_VERIFY_FUNCTIONORA_STIG_PROFILE PRIVATE_SGA DEFAULTORA_STIG_PROFILE SESSIONS_PER_USER DEFAULT17 rows selected.SQL> |
Now in in Oracle 21c, we can see that there are some changes.
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
SQL> select profile,resource_name,limit from dba_profiles where profile='ORA_STIG_PROFILE' order by RESOURCE_NAME;PROFILE RESOURCE_NAME LIMIT------------------------------ ------------------------------ ------------------------------ORA_STIG_PROFILE COMPOSITE_LIMIT DEFAULTORA_STIG_PROFILE CONNECT_TIME DEFAULTORA_STIG_PROFILE CPU_PER_CALL DEFAULTORA_STIG_PROFILE CPU_PER_SESSION DEFAULTORA_STIG_PROFILE FAILED_LOGIN_ATTEMPTS 3ORA_STIG_PROFILE IDLE_TIME 15ORA_STIG_PROFILE INACTIVE_ACCOUNT_TIME 35ORA_STIG_PROFILE LOGICAL_READS_PER_CALL DEFAULTORA_STIG_PROFILE LOGICAL_READS_PER_SESSION DEFAULTORA_STIG_PROFILE PASSWORD_GRACE_TIME 0ORA_STIG_PROFILE PASSWORD_LIFE_TIME 35ORA_STIG_PROFILE PASSWORD_LOCK_TIME UNLIMITEDORA_STIG_PROFILE PASSWORD_REUSE_MAX 5ORA_STIG_PROFILE PASSWORD_REUSE_TIME 175ORA_STIG_PROFILE PASSWORD_ROLLOVER_TIME DEFAULTORA_STIG_PROFILE PASSWORD_VERIFY_FUNCTION ORA12C_STIG_VERIFY_FUNCTIONORA_STIG_PROFILE PRIVATE_SGA DEFAULTORA_STIG_PROFILE SESSIONS_PER_USER DEFAULT18 rows selected.SQL> |
The following parameters were updated
-PASSWORD_GRACE_TIME
-PASSWORD_LIFE_TIME
-PASSWORD_REUSE_MAX
-PASSWORD_REUSE_TIME
-And there is a new parameter PASSWORD_ROLLOVER_TIME
ORA_CIS_PROFILE
Below the new characteristics for the new profile
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
SQL> select profile,resource_name,limit from dba_profiles where profile='ORA_CIS_PROFILE' order by RESOURCE_NAME;PROFILE RESOURCE_NAME LIMIT------------------------------ ------------------------------ ------------------------------ORA_CIS_PROFILE COMPOSITE_LIMIT DEFAULTORA_CIS_PROFILE CONNECT_TIME DEFAULTORA_CIS_PROFILE CPU_PER_CALL DEFAULTORA_CIS_PROFILE CPU_PER_SESSION DEFAULTORA_CIS_PROFILE FAILED_LOGIN_ATTEMPTS 5ORA_CIS_PROFILE IDLE_TIME DEFAULTORA_CIS_PROFILE INACTIVE_ACCOUNT_TIME 120ORA_CIS_PROFILE LOGICAL_READS_PER_CALL DEFAULTORA_CIS_PROFILE LOGICAL_READS_PER_SESSION DEFAULTORA_CIS_PROFILE PASSWORD_GRACE_TIME 5ORA_CIS_PROFILE PASSWORD_LIFE_TIME 90ORA_CIS_PROFILE PASSWORD_LOCK_TIME 1ORA_CIS_PROFILE PASSWORD_REUSE_MAX 20ORA_CIS_PROFILE PASSWORD_REUSE_TIME 365ORA_CIS_PROFILE PASSWORD_ROLLOVER_TIME DEFAULTORA_CIS_PROFILE PASSWORD_VERIFY_FUNCTION ORA12C_VERIFY_FUNCTIONORA_CIS_PROFILE PRIVATE_SGA DEFAULTORA_CIS_PROFILE SESSIONS_PER_USER 1018 rows selected.SQL> |
These user profiles can be directly used with the database users or as part of your own user profiles. Oracle keeps these profiles up to date to make it easier for you to implement password policies that meet STIG and CIS guidelines.
![Thumbnail [60x60]](https://www.dbi-services.com/blog/wp-content/uploads/2022/12/oracle-square.png)
![Thumbnail [90x90]](https://www.dbi-services.com/blog/wp-content/uploads/2022/08/ENB_web-min-scaled.jpg)
![Thumbnail [90x90]](https://www.dbi-services.com/blog/wp-content/uploads/2022/08/DWE_web-min-scaled.jpg)