By Mouhamadou Diaw
In my previous blog post I tested the creation of a new Oracle 21c database. In this post I look at two security-related changes.
Oracle strengthens security in each new release. Since Oracle 12.2, to help meet Security Technical Implementation Guide (STIG) compliance, Oracle Database has shipped the profile ORA_STIG_PROFILE.
With Oracle 21c the profile ORA_STIG_PROFILE was updated, and Oracle has added a new profile to meet the CIS benchmark: ORA_CIS_PROFILE.
The ORA_STIG_PROFILE user profile has been updated with the latest Security Technical Implementation Guide (STIG) guidelines.
The ORA_CIS_PROFILE follows the latest Center for Internet Security (CIS) guidelines.
ORA_STIG_PROFILE
In an Oracle 19c database, we find the following settings for ORA_STIG_PROFILE.
```
SQL> select profile,resource_name,limit from dba_profiles where profile= 'ORA_STIG_PROFILE' order by resource_name;

PROFILE                        RESOURCE_NAME                  LIMIT
------------------------------ ------------------------------ ------------------------------
ORA_STIG_PROFILE               COMPOSITE_LIMIT                DEFAULT
ORA_STIG_PROFILE               CONNECT_TIME                   DEFAULT
ORA_STIG_PROFILE               CPU_PER_CALL                   DEFAULT
ORA_STIG_PROFILE               CPU_PER_SESSION                DEFAULT
ORA_STIG_PROFILE               FAILED_LOGIN_ATTEMPTS          3
ORA_STIG_PROFILE               IDLE_TIME                      15
ORA_STIG_PROFILE               INACTIVE_ACCOUNT_TIME          35
ORA_STIG_PROFILE               LOGICAL_READS_PER_CALL         DEFAULT
ORA_STIG_PROFILE               LOGICAL_READS_PER_SESSION      DEFAULT
ORA_STIG_PROFILE               PASSWORD_GRACE_TIME            5
ORA_STIG_PROFILE               PASSWORD_LIFE_TIME             60
ORA_STIG_PROFILE               PASSWORD_LOCK_TIME             UNLIMITED
ORA_STIG_PROFILE               PASSWORD_REUSE_MAX             10
ORA_STIG_PROFILE               PASSWORD_REUSE_TIME            365
ORA_STIG_PROFILE               PASSWORD_VERIFY_FUNCTION       ORA12C_STIG_VERIFY_FUNCTION
ORA_STIG_PROFILE               PRIVATE_SGA                    DEFAULT
ORA_STIG_PROFILE               SESSIONS_PER_USER              DEFAULT

17 rows selected.

SQL>
```
In Oracle 21c, the same query shows that several limits have changed.
```
SQL> select profile,resource_name,limit from dba_profiles where profile= 'ORA_STIG_PROFILE' order by RESOURCE_NAME;

PROFILE                        RESOURCE_NAME                  LIMIT
------------------------------ ------------------------------ ------------------------------
ORA_STIG_PROFILE               COMPOSITE_LIMIT                DEFAULT
ORA_STIG_PROFILE               CONNECT_TIME                   DEFAULT
ORA_STIG_PROFILE               CPU_PER_CALL                   DEFAULT
ORA_STIG_PROFILE               CPU_PER_SESSION                DEFAULT
ORA_STIG_PROFILE               FAILED_LOGIN_ATTEMPTS          3
ORA_STIG_PROFILE               IDLE_TIME                      15
ORA_STIG_PROFILE               INACTIVE_ACCOUNT_TIME          35
ORA_STIG_PROFILE               LOGICAL_READS_PER_CALL         DEFAULT
ORA_STIG_PROFILE               LOGICAL_READS_PER_SESSION      DEFAULT
ORA_STIG_PROFILE               PASSWORD_GRACE_TIME            0
ORA_STIG_PROFILE               PASSWORD_LIFE_TIME             35
ORA_STIG_PROFILE               PASSWORD_LOCK_TIME             UNLIMITED
ORA_STIG_PROFILE               PASSWORD_REUSE_MAX             5
ORA_STIG_PROFILE               PASSWORD_REUSE_TIME            175
ORA_STIG_PROFILE               PASSWORD_ROLLOVER_TIME         DEFAULT
ORA_STIG_PROFILE               PASSWORD_VERIFY_FUNCTION       ORA12C_STIG_VERIFY_FUNCTION
ORA_STIG_PROFILE               PRIVATE_SGA                    DEFAULT
ORA_STIG_PROFILE               SESSIONS_PER_USER              DEFAULT

18 rows selected.

SQL>
```
The following limits were updated between 19c and 21c:
- PASSWORD_GRACE_TIME (5 to 0)
- PASSWORD_LIFE_TIME (60 to 35)
- PASSWORD_REUSE_MAX (10 to 5)
- PASSWORD_REUSE_TIME (365 to 175)
- A new resource, PASSWORD_ROLLOVER_TIME, appears with the value DEFAULT; it is the limit behind 21c's gradual password rollover feature.
ORA_CIS_PROFILE
Below are the settings of the new profile:
```
SQL> select profile,resource_name,limit from dba_profiles where profile= 'ORA_CIS_PROFILE' order by RESOURCE_NAME;

PROFILE                        RESOURCE_NAME                  LIMIT
------------------------------ ------------------------------ ------------------------------
ORA_CIS_PROFILE                COMPOSITE_LIMIT                DEFAULT
ORA_CIS_PROFILE                CONNECT_TIME                   DEFAULT
ORA_CIS_PROFILE                CPU_PER_CALL                   DEFAULT
ORA_CIS_PROFILE                CPU_PER_SESSION                DEFAULT
ORA_CIS_PROFILE                FAILED_LOGIN_ATTEMPTS          5
ORA_CIS_PROFILE                IDLE_TIME                      DEFAULT
ORA_CIS_PROFILE                INACTIVE_ACCOUNT_TIME          120
ORA_CIS_PROFILE                LOGICAL_READS_PER_CALL         DEFAULT
ORA_CIS_PROFILE                LOGICAL_READS_PER_SESSION      DEFAULT
ORA_CIS_PROFILE                PASSWORD_GRACE_TIME            5
ORA_CIS_PROFILE                PASSWORD_LIFE_TIME             90
ORA_CIS_PROFILE                PASSWORD_LOCK_TIME             1
ORA_CIS_PROFILE                PASSWORD_REUSE_MAX             20
ORA_CIS_PROFILE                PASSWORD_REUSE_TIME            365
ORA_CIS_PROFILE                PASSWORD_ROLLOVER_TIME         DEFAULT
ORA_CIS_PROFILE                PASSWORD_VERIFY_FUNCTION       ORA12C_VERIFY_FUNCTION
ORA_CIS_PROFILE                PRIVATE_SGA                    DEFAULT
ORA_CIS_PROFILE                SESSIONS_PER_USER              10

18 rows selected.

SQL>
```
These user profiles can be assigned directly to database users or used as the basis for your own profiles. Oracle keeps them up to date so that password policies meeting the STIG and CIS guidelines are easier to implement.
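As an added example (not from the original post), the SQL below compares the two Oracle-supplied profiles side by side, lists the non-Oracle accounts that are still on some other profile, and shows how to assign or derive from the CIS profile. APP_USER and SITE_HARDENED_PROFILE are placeholder names; the limit values are the ones shown in the DBA_PROFILES output above.

```sql
-- Added example, not part of the original post. Run as a user with
-- SELECT on DBA_PROFILES and DBA_USERS (e.g. SYS in the target PDB).

-- 1. Password limits of ORA_STIG_PROFILE and ORA_CIS_PROFILE side by side,
--    with a marker on every row where the two profiles disagree.
SELECT s.resource_name,
       s.limit AS stig_limit,
       c.limit AS cis_limit,
       CASE WHEN s.limit <> c.limit THEN '<-- differs' END AS note
  FROM dba_profiles s
  JOIN dba_profiles c
    ON c.resource_name = s.resource_name
   AND c.profile       = 'ORA_CIS_PROFILE'
 WHERE s.profile       = 'ORA_STIG_PROFILE'
   AND s.resource_type = 'PASSWORD'
 ORDER BY s.resource_name;

-- 2. Accounts that are not Oracle-maintained and are not yet on one of the
--    two hardened profiles (typically still on DEFAULT). These are the ones
--    a compliance review will ask about.
SELECT username, profile, account_status
  FROM dba_users
 WHERE oracle_maintained = 'N'
   AND profile NOT IN ('ORA_STIG_PROFILE', 'ORA_CIS_PROFILE')
 ORDER BY username;

-- 3. Assign the CIS profile to an application account (APP_USER is a
--    placeholder). Password limits apply from the next password change.
ALTER USER app_user PROFILE ora_cis_profile;

-- 4. Derive a site profile from the CIS values while keeping the stricter
--    STIG FAILED_LOGIN_ATTEMPTS (3 instead of 5). SITE_HARDENED_PROFILE is
--    a placeholder name; all values are taken from the output above.
CREATE PROFILE site_hardened_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    3
  PASSWORD_LOCK_TIME       1
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      5
  PASSWORD_REUSE_MAX       20
  PASSWORD_REUSE_TIME      365
  INACTIVE_ACCOUNT_TIME    120
  SESSIONS_PER_USER        10
  PASSWORD_VERIFY_FUNCTION ora12c_verify_function;
```

Note that ORA_STIG_PROFILE keeps PASSWORD_LOCK_TIME at UNLIMITED, so an account locked after three failed logins stays locked until a DBA unlocks it, whereas ORA_CIS_PROFILE releases the lock after one day.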