Documentation - V-270568

Title

When using command-line tools such as Oracle SQL*Plus, which can accept a plain-text password, users must use an alternative logon method that does not expose the password.

Description

<VulnDiscussion>The DOD standard for authentication is DOD-approved public key infrastructure (PKI) certificates. Normally, with PKI authentication, the interaction with the user for authentication will be handled by a software component separate from the database management system (DBMS), such as ActivIdentity ActivClient. However, in cases where the DBMS controls the interaction, this requirement applies. To prevent the compromise of authentication information such as passwords and PINs duri...

Fix Text (Documentation Requirement)

For Oracle SQL*Plus, which cannot be configured not to accept a plain-text password, and any other essential tool with the same limitation: 1. Document the need for it, who uses it, and any relevant mitigations, and obtain AO approval. 2. Train all users of the tool in the importance of not using the plain-text password option and how to keep the password hidden. Consider wrapping the startup command with a shell or wrapper and using an Oracle external password store. Oracle provides the capability to provide for a secure external password facility. Use the Oracle mkstore to create a secure storage area for passwords for applications, batch jobs, and scripts to use or deploy a site-authorized facility to perform this function. Check to verify what has been stored in the Oracle External...