Password Related checks are not available as part of the CIS Benchmark. Is there a reason why the benchmark is not complete for Oracle & Sybase?
For Oracle, all the required controls by CIS are there in the benchmark. See the screenshot below. The reference column lists the CIS benchmark reference numbers.
For Sybase, see the screenshot below from the Security & Config policy.
CIS benchmark policies are in the Policy Library for Oracle 11g/R2 and 12c. For Sybase we have a Security and Config policy in the library which is based on CIS and is missing a handful of controls. The CIS benchmark work is under way for Sybase 15 along with Sybase 16.x support.
Can you elaborate on what you mean by password related checks? Are you referring to "Password Audit Controls", as the other password related controls are in both Oracle and Sybase policies?
Thank you for your reply. The controls which I am referring to are:
1. Oracle: password length, complexity, expiry, upper case of password, usage of numbers in password and reuse of password etc.
2. Same for Sybase.
@Qsingh I have gone through the CIS Benchmark for Oracle. It doesn't have what I am asking for, which is a basic configuration check, which is why I have this question. Even in your screenshots I don't see any controls for Oracle, especially where the CIS benchmark checks for:
1. Password Upper Case
2. Password Lower Case.
3. Password to have Numbers.
4. Password to Have Special Characters.
Thank you for the inputs on Sybase, that was helpful.
Unless I missed something I did not see a reference in the CIS benchmark for controls you've listed. I did find some references to the upper and lower case requirement under "enforce password complexity" in the STIG. However, they mentioned that if the passwords are managed through OS or other enterprise-level authentication/access mechanism then you should assess these controls there.
My suggestion is to file an FR with your TAM along with the requirements and we can create these controls. If you are indeed using OS authentication or some other mechanism then you should assess the controls there.
Hope this helps.