Possible Error in CIS Oracle Database 19c Benchmark 1.1.0 Chapter 3.2

1 votes

Hi all,

I'am currently working on CIS Oracle Database 19c Benchmark 1.1.0 and in Chapter 3.2-Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1' the query provided perdicates:

...
'UNLIMITED','9999',
P.LIMIT)) < 1
AND P.RESOURCE_NAME = 'PASSWORD_LOCK_TIME'
...

and as a result: Lack of results implies compliance.

When the query returns no rows, then it should be a finding, since it is not 1 or greater.

Same found in 3.3.:

DECODE(P.LIMIT,
'DEFAULT',(SELECT DECODE(LIMIT,'UNLIMITED',9999,LIMIT)
...
P.LIMIT)) > 90
AND P.RESOURCE_NAME = 'PASSWORD_LIFE_TIME'
AND EXISTS ( SELECT 'X' FROM CDB_USERS U WHERE U.PROFILE = P.PROFILE )
ORDER BY CON_ID, PROFILE, RESOURCE_NAME;

Lack of results implies compliance.

If it should be less than or equal 90 than a Lack of results should be a finding (especially if decode UNLIMITED with 9999), or?

Please clearify...

best regards,
Stefan

Done Benchmark Community Suggestion Suggested by: Stefan Obermeyer (15 Jan, '25) • Upvoted: 15 Jan, '25 • Comments: 1

Comments: 1
Oldest • Newest • Most likes • Fewest likes

21 Jan, '25
Moderator Admin
Hi Stephan

Can you please post that question to the Oracle Workbench Community https://workbench.cisecurity.org/communities/40

The members of the community will be able to respond to your question

Thanks

Possible Error in CIS Oracle Database 19c Benchmark 1.1.0 Chapter 3.2

Comments: 1 Oldest • Newest • Most likes • Fewest likes

Comments: 1
Oldest • Newest • Most likes • Fewest likes