1 Reply Latest reply: May 19, 2017 6:19 AM by jsbrown

Database Audit Compliance Nessus Script for passwords

khadijaazam Novice

Hi,

I want to create a .audit file using a Nessus script for Oracle Database compliance.

Below are the checks that I need to perform:


Different passwords must be set for all administrative accounts such as SYSTEM, SYSMAN and DBSNMP.
Password Policy can be summarized as follows:
Password Expiry:
Expire in 90 days
Lock 10 days past expiration

Password History:
Keep for 180 days (Any number of passwords cannot be reused within 180 days)

Account Lockout:
User must be locked out after five invalid attempts.
Lock for unlimited days. (Only ABC can unlock accounts)

Password Complexity:
Password complexity is ensured by implementing a complexity function.
There must be at least 8 characters in the password.
The password must have alphanumeric characters.
Password cannot be the same as username or contain username.
Since Oracle does not allow punctuation to be part of a password, the password cannot contain punctuation.
Password must not exist in the supplied dictionary for default and commonly used passwords.
Password cannot contain more than 3 characters of the old password.

  • Re: Database Audit Compliance Nessus Script for passwords
    jsbrown Apprentice

    I believe a number of those checks already exist in some of our provided audit files.

     

    For example, the CIS Oracle 12c v1.2.0 audit has example checks (you might need to change some of the specific values, but the logic is there for the check).

     

    Password History - 3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90'

    Account Lockout - 3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1'

    Password Complexity - 3.8 Ensure 'PASSWORD_VERIFY_FUNCTION' Is Set for All Profiles

     

    I'd start with looking through the checks in the included audits; that might take care of most of your list, and I'd be happy to help point you in the direction of how to cover the other ones.

     

    If you have existing queries that you're using to test those things manually, it should be a pretty simple process to integrate your query into a check.
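
The kind of manual query the reply refers to, as an added example that is not part of the original thread or of Tenable's audit files: it lists every Oracle profile whose password settings differ from the values in the question. The mapping of each requirement to a `DBA_PROFILES` resource (for instance "lock 10 days past expiration" to `PASSWORD_GRACE_TIME`) is an assumption, and the query does not cover the distinct-password or complexity-function-content requirements.

```sql
-- Added example: profile settings that deviate from the policy in the question.
-- Expected values come from the question; the resource mapping is an assumption.
WITH expected AS (
  SELECT 'PASSWORD_LIFE_TIME' AS resource_name,
         '90'                 AS expected_limit FROM dual UNION ALL  -- expire in 90 days
  SELECT 'PASSWORD_GRACE_TIME',   '10'        FROM dual UNION ALL    -- 10 days past expiry
  SELECT 'PASSWORD_REUSE_TIME',   '180'       FROM dual UNION ALL    -- no reuse for 180 days
  SELECT 'FAILED_LOGIN_ATTEMPTS', '5'         FROM dual UNION ALL    -- lock after 5 failures
  SELECT 'PASSWORD_LOCK_TIME',    'UNLIMITED' FROM dual              -- stay locked until a DBA unlocks
),
effective AS (
  -- A LIMIT of 'DEFAULT' means "inherit from the DEFAULT profile", so resolve it
  -- to the inherited value before comparing.
  SELECT p.profile,
         p.resource_name,
         DECODE(p.limit, 'DEFAULT', d.limit, p.limit) AS effective_limit
  FROM   dba_profiles p
  JOIN   dba_profiles d
         ON  d.profile       = 'DEFAULT'
         AND d.resource_name = p.resource_name
  WHERE  p.resource_type = 'PASSWORD'
)
-- Numeric and UNLIMITED settings that do not match the policy exactly
SELECT e.profile, e.resource_name, e.effective_limit, x.expected_limit
FROM   effective e
JOIN   expected  x ON x.resource_name = e.resource_name
WHERE  e.effective_limit <> x.expected_limit
UNION ALL
-- Profiles with no complexity function (DBA_PROFILES shows the string 'NULL')
SELECT e.profile, e.resource_name, e.effective_limit, 'a verify function'
FROM   effective e
WHERE  e.resource_name   = 'PASSWORD_VERIFY_FUNCTION'
AND    e.effective_limit = 'NULL'
ORDER  BY 1, 2;
```

An empty result means every profile matches the policy. In a Nessus .audit file, a query like this would go in the `sql_request` of a `SQL_POLICY` check.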