Oracle Database must limit the number of concurrent sessions for each system account to an organization-defined number of sessions.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-270495	SRG-APP-000001-DB-000031	O19C-00-000100	SV-270495r1167748_rule	2025-12-09	1

Description
Database management includes the ability to control the number of users and user sessions using a database management system (DBMS). Unlimited concurrent connections to the DBMS could allow a successful denial-of-service (DoS) attack by exhausting connection resources; and a system can also fail or be degraded by an overload of legitimate users. Limiting the number of concurrent sessions per user is helpful in reducing these risks. This requirement addresses concurrent session control for a single account. It does not address concurrent sessions by a single user via multiple system accounts; and it does not deal with the total number of sessions across all accounts. The capability to limit the number of concurrent sessions per user must be configured in or added to the DBMS by modifying user database profiles. Note that it is not sufficient to limit sessions via a web server or application server alone, because legitimate users and adversaries can potentially connect to the DBMS by other means. The organization must to define the maximum number of concurrent sessions by user type, by account, or a combination thereof. In deciding on the appropriate number, it is important to consider the work requirements of the various types of users. For example, two might be an acceptable limit for general users accessing the database via an application; but three might be too few for a database administrator using a database management GUI tool, where each query tab and navigation pane may count as a separate session: An account associated with a connection pool might require hundreds or thousands. (Sessions may also be referred to as connections or logons, which for the purposes of this requirement are synonyms.)

Description

Database management includes the ability to control the number of users and user sessions using a database management system (DBMS). Unlimited concurrent connections to the DBMS could allow a successful denial-of-service (DoS) attack by exhausting connection resources; and a system can also fail or be degraded by an overload of legitimate users. Limiting the number of concurrent sessions per user is helpful in reducing these risks. This requirement addresses concurrent session control for a single account. It does not address concurrent sessions by a single user via multiple system accounts; and it does not deal with the total number of sessions across all accounts. The capability to limit the number of concurrent sessions per user must be configured in or added to the DBMS by modifying user database profiles. Note that it is not sufficient to limit sessions via a web server or application server alone, because legitimate users and adversaries can potentially connect to the DBMS by other means. The organization must to define the maximum number of concurrent sessions by user type, by account, or a combination thereof. In deciding on the appropriate number, it is important to consider the work requirements of the various types of users. For example, two might be an acceptable limit for general users accessing the database via an application; but three might be too few for a database administrator using a database management GUI tool, where each query tab and navigation pane may count as a separate session: An account associated with a connection pool might require hundreds or thousands. (Sessions may also be referred to as connections or logons, which for the purposes of this requirement are synonyms.)

ℹ️ Check
Retrieve the settings for concurrent sessions for each profile with the query: SELECT con_id, inherited, limit FROM sys.cdb_profiles WHERE resource_name = 'SESSIONS_PER_USER'; If the DBMS settings for concurrent sessions for each profile are greater than the site-specific maximum number of sessions (or the database maximum number of sessions) for the user type, this is a finding. The reason for "site-specific" is because two different databases at different "sites" could have very different requirements. Also, two different databases at the same "site" (data center) could have very different requirements.

ℹ️ Check

Retrieve the settings for concurrent sessions for each profile with the query: SELECT con_id, inherited, limit FROM sys.cdb_profiles WHERE resource_name = 'SESSIONS_PER_USER'; If the DBMS settings for concurrent sessions for each profile are greater than the site-specific maximum number of sessions (or the database maximum number of sessions) for the user type, this is a finding. The reason for "site-specific" is because two different databases at different "sites" could have very different requirements. Also, two different databases at the same "site" (data center) could have very different requirements.

✔️ Fix
Limit concurrent connections for each system account to a number less than or equal to the organization-defined number of sessions using the following SQL. Create profiles that conform to the requirements. Assign users to the appropriate profile. The user profile, ORA_STIG_PROFILE, has been provided with Oracle 19c to satisfy the STIG requirements pertaining to profile parameters. Oracle recommends that this profile be customized with requirements and assigned to all users through the creation of user type specific profiles such as (Single-Session, Administrators, Application Connection Pool) where applicable. Note: The ORA_STIG_PROFILE limit for SESSIONS_PER_USER is DEFAULT which is, on installation, not compliant and must be configured for each database and in a container database for CDB$ROOT and, potentially, for each PDB. Set concurrent sessions for each profile with the following SQL statement, as required. ALTER PROFILE <profile_name> LIMIT SESSIONS_PER_USER <integer>;

✔️ Fix

Limit concurrent connections for each system account to a number less than or equal to the organization-defined number of sessions using the following SQL. Create profiles that conform to the requirements. Assign users to the appropriate profile. The user profile, ORA_STIG_PROFILE, has been provided with Oracle 19c to satisfy the STIG requirements pertaining to profile parameters. Oracle recommends that this profile be customized with requirements and assigned to all users through the creation of user type specific profiles such as (Single-Session, Administrators, Application Connection Pool) where applicable. Note: The ORA_STIG_PROFILE limit for SESSIONS_PER_USER is DEFAULT which is, on installation, not compliant and must be configured for each database and in a container database for CDB$ROOT and, potentially, for each PDB. Set concurrent sessions for each profile with the following SQL statement, as required. ALTER PROFILE <profile_name> LIMIT SESSIONS_PER_USER <integer>;