Infrastructure at your Service

Mouhamadou Diaw

Oracle 21c Security : ORA_STIG_PROFILE and ORA_CIS_PROFILE

In my previous blog I was testing the creation of a new Oracle 21c database. In this blog I am talking about two changes about the security.
In each new release Oracle strengthens security. That’s why since Oracle 12.2, to meet Security Technical Implementation Guides (STIG) compliance, Oracle Database provided the profile ORA_STIG_PROFILE
With Oracle 21c the profile ORA_STIG_PROFILE was updated and Oracle has provided a new profile to meet CIS standard : the profile ORA_CIS_PROFILE
The ORA_STIG_PROFILE user profile has been updated with the latest Security Technical Implementation Guide’s (STIG) guidelines
The ORA_CIS_PROFILE has the latest Center for Internet Security (CIS) guidelines

ORA_STIG_PROFILE
In an Oracle 19c database, we can fine following for the ORA_STIG_PROFILE.

SQL> select profile,resource_name,limit from dba_profiles where profile='ORA_STIG_PROFILE' order by resource_name;

PROFILE                        RESOURCE_NAME                  LIMIT
------------------------------ ------------------------------ ------------------------------
ORA_STIG_PROFILE               COMPOSITE_LIMIT                DEFAULT
ORA_STIG_PROFILE               CONNECT_TIME                   DEFAULT
ORA_STIG_PROFILE               CPU_PER_CALL                   DEFAULT
ORA_STIG_PROFILE               CPU_PER_SESSION                DEFAULT
ORA_STIG_PROFILE               FAILED_LOGIN_ATTEMPTS          3
ORA_STIG_PROFILE               IDLE_TIME                      15
ORA_STIG_PROFILE               INACTIVE_ACCOUNT_TIME          35
ORA_STIG_PROFILE               LOGICAL_READS_PER_CALL         DEFAULT
ORA_STIG_PROFILE               LOGICAL_READS_PER_SESSION      DEFAULT
ORA_STIG_PROFILE               PASSWORD_GRACE_TIME            5
ORA_STIG_PROFILE               PASSWORD_LIFE_TIME             60
ORA_STIG_PROFILE               PASSWORD_LOCK_TIME             UNLIMITED
ORA_STIG_PROFILE               PASSWORD_REUSE_MAX             10
ORA_STIG_PROFILE               PASSWORD_REUSE_TIME            365
ORA_STIG_PROFILE               PASSWORD_VERIFY_FUNCTION       ORA12C_STIG_VERIFY_FUNCTION
ORA_STIG_PROFILE               PRIVATE_SGA                    DEFAULT
ORA_STIG_PROFILE               SESSIONS_PER_USER              DEFAULT

17 rows selected.

SQL>

Now in in Oracle 21c, we can see that there are some changes.

SQL> select profile,resource_name,limit from dba_profiles where profile='ORA_STIG_PROFILE' order by RESOURCE_NAME;

PROFILE                        RESOURCE_NAME                  LIMIT
------------------------------ ------------------------------ ------------------------------
ORA_STIG_PROFILE               COMPOSITE_LIMIT                DEFAULT
ORA_STIG_PROFILE               CONNECT_TIME                   DEFAULT
ORA_STIG_PROFILE               CPU_PER_CALL                   DEFAULT
ORA_STIG_PROFILE               CPU_PER_SESSION                DEFAULT
ORA_STIG_PROFILE               FAILED_LOGIN_ATTEMPTS          3
ORA_STIG_PROFILE               IDLE_TIME                      15
ORA_STIG_PROFILE               INACTIVE_ACCOUNT_TIME          35
ORA_STIG_PROFILE               LOGICAL_READS_PER_CALL         DEFAULT
ORA_STIG_PROFILE               LOGICAL_READS_PER_SESSION      DEFAULT
ORA_STIG_PROFILE               PASSWORD_GRACE_TIME            0
ORA_STIG_PROFILE               PASSWORD_LIFE_TIME             35
ORA_STIG_PROFILE               PASSWORD_LOCK_TIME             UNLIMITED
ORA_STIG_PROFILE               PASSWORD_REUSE_MAX             5
ORA_STIG_PROFILE               PASSWORD_REUSE_TIME            175
ORA_STIG_PROFILE               PASSWORD_ROLLOVER_TIME         DEFAULT
ORA_STIG_PROFILE               PASSWORD_VERIFY_FUNCTION       ORA12C_STIG_VERIFY_FUNCTION
ORA_STIG_PROFILE               PRIVATE_SGA                    DEFAULT
ORA_STIG_PROFILE               SESSIONS_PER_USER              DEFAULT

18 rows selected.

SQL>

The following parameters were updated

-PASSWORD_GRACE_TIME
-PASSWORD_LIFE_TIME
-PASSWORD_REUSE_MAX
-PASSWORD_REUSE_TIME
-And there is a new parameter PASSWORD_ROLLOVER_TIME

ORA_CIS_PROFILE
Below the new characteristics for the new profile

SQL> select profile,resource_name,limit from dba_profiles where profile='ORA_CIS_PROFILE' order by RESOURCE_NAME;

PROFILE                        RESOURCE_NAME                  LIMIT
------------------------------ ------------------------------ ------------------------------
ORA_CIS_PROFILE                COMPOSITE_LIMIT                DEFAULT
ORA_CIS_PROFILE                CONNECT_TIME                   DEFAULT
ORA_CIS_PROFILE                CPU_PER_CALL                   DEFAULT
ORA_CIS_PROFILE                CPU_PER_SESSION                DEFAULT
ORA_CIS_PROFILE                FAILED_LOGIN_ATTEMPTS          5
ORA_CIS_PROFILE                IDLE_TIME                      DEFAULT
ORA_CIS_PROFILE                INACTIVE_ACCOUNT_TIME          120
ORA_CIS_PROFILE                LOGICAL_READS_PER_CALL         DEFAULT
ORA_CIS_PROFILE                LOGICAL_READS_PER_SESSION      DEFAULT
ORA_CIS_PROFILE                PASSWORD_GRACE_TIME            5
ORA_CIS_PROFILE                PASSWORD_LIFE_TIME             90
ORA_CIS_PROFILE                PASSWORD_LOCK_TIME             1
ORA_CIS_PROFILE                PASSWORD_REUSE_MAX             20
ORA_CIS_PROFILE                PASSWORD_REUSE_TIME            365
ORA_CIS_PROFILE                PASSWORD_ROLLOVER_TIME         DEFAULT
ORA_CIS_PROFILE                PASSWORD_VERIFY_FUNCTION       ORA12C_VERIFY_FUNCTION
ORA_CIS_PROFILE                PRIVATE_SGA                    DEFAULT
ORA_CIS_PROFILE                SESSIONS_PER_USER              10

18 rows selected.

SQL>

These user profiles can be directly used with the database users or as part of your own user profiles. Oracle keeps these profiles up to date to make it easier for you to implement password policies that meet STIG and CIS guidelines.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Mouhamadou Diaw
Mouhamadou Diaw

Senior Consultant