Oracle Authentication

Databases

Oracle

Oracle Security

REMOTE_LOGIN_PASSWORDFILE

SEC_CASE_SENSITIVE_LOGON

Check

Change

SEC_MAX_FAILED_LOGIN_ATTEMPTS

Check

Change

SEC_PROTOCOL_ERROR_FURTHER_ACTION

Check

Change

SEC_PROTOCOL_ERROR_TRACE_ACTION

Check

Bibliography

REMOTE_LOGIN_PASSWORDFILE

This is a CIS Benchmark requirement

Check

SELECT UPPER(VALUE)

FROM V$SYSTEM_PARAMETER

WHERE UPPER(NAME)='REMOTE_LOGIN_PASSWORDFILE';

Change

ALTER SYSTEM SET REMOTE_LOGIN_PASSWORDFILE = 'NONE' SCOPE = SPFILE;

REMOTE_OS_AUTHENT

This is a CIS Benchmark requirement

Deprecated in 12.1 amd higher.
Default: FALSE
Recommended: FALSE

Check

SELECT UPPER(VALUE)

FROM V$SYSTEM_PARAMETER

WHERE UPPER(NAME)='REMOTE_OS_AUTHENT';

Change

ALTER SYSTEM SET REMOTE_OS_AUTHENT = FALSE SCOPE = SPFILE;

SEC_CASE_SENSITIVE_LOGON

This is a CIS Benchmark requirement

Default: TRUE
If TRUE then passwords are case sensitive.
Recommended: TRUE

Check

SELECT UPPER(VALUE)

FROM V$SYSTEM_PARAMETER

WHERE UPPER(NAME)='SEC_CASE_SENSITIVE_LOGON';

Change

ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON = TRUE SCOPE = SPFILE;

SEC_MAX_FAILED_LOGIN_ATTEMPTS

This is a CIS Benchmark requirement

Governs number of failed authentication attempts that can be made by a client before connection is dropped.
Default: 3
Recommended: 3 (or less)

Check

SELECT UPPER(VALUE)

FROM V$SYSTEM_PARAMETER

WHERE UPPER(NAME)='SEC_MAX_FAILED_LOGIN_ATTEMPTS';

Change

ALTER SYSTEM SET SEC_MAX_FAILED_LOGIN_ATTEMPTS = 3 SCOPE = SPFILE;

This change will take effect at database instance restart

SEC_PROTOCOL_ERROR_FURTHER_ACTION

This is a CIS Benchmark requirement

Governs what happens when receiving bad packets from a client;
Default: (DROP,3)
Recommended: (DROP,3)

Check

SELECT UPPER(VALUE)

FROM V$SYSTEM_PARAMETER

WHERE UPPER(NAME)='SEC_PROTOCOL_ERROR_FURTHER_ACTION';

Change

ALTER SYSTEM SET SEC_PROTOCOL_ERROR_FURTHER_ACTION = '(DROP,3)' SCOPE = BOTH;

(Recommended, Default)

Forcefully terminate connection after 3 bad packets

ALTER SYSTEM SET SEC_PROTOCOL_ERROR_FURTHER_ACTION = '(DELAY,9)' SCOPE = BOTH;

Wait for 9 seconds before accepting the next request from a connection where the previous packet was bad.

ALTER SYSTEM SET SEC_PROTOCOL_ERROR_FURTHER_ACTION = '(CONTINUE)' SCOPE = BOTH;

Carry on regardless of bad packets. This puts you at risk of a Denial of Service (DoS) attack.

SEC_PROTOCOL_ERROR_TRACE_ACTION

This is a CIS Benchmark requirement

Default: TRACE
Recommended: LOG

Check

SELECT UPPER(VALUE)

FROM V$SYSTEM_PARAMETER

WHERE UPPER(NAME)='SEC_PROTOCOL_ERROR_TRACE_ACTION';

Bibliography

OS Authenticationhttps://asktom.oracle.com/pls/apex/f?p=100:11:0::::P11_QUESTION_ID:142212348066
REMOTE_LOGIN_PASSWORDFILEhttps://docs.oracle.com/en/database/oracle/oracle-database/19/refrn/REMOTE_LOGIN_PASSWORDFILE.html
REMOTE_OS_AUTHENT (Deprecated)https://docs.oracle.com/en/database/oracle/oracle-database/19/refrn/REMOTE_OS_AUTHENT.html
SEC_CASE_SENSITIVE_LOGONhttps://docs.oracle.com/en/database/oracle/oracle-database/19/refrn/SEC_CASE_SENSITIVE_LOGON.html
SEC_MAX_FAILED_LOGIN_ATTEMPTShttps://docs.oracle.com/en/database/oracle/oracle-database/19/refrn/SEC_MAX_FAILED_LOGIN_ATTEMPTS.html
SEC_PROTOCOL_ERROR_FURTHER_ACTIONhttps://docs.oracle.com/en/database/oracle/oracle-database/19/refrn/SEC_PROTOCOL_ERROR_FURTHER_ACTION.html
SEC_PROTOCOL_ERROR_TRACE_ACTION https://docs.oracle.com/en/database/oracle/oracle-database/19/refrn/SEC_PROTOCOL_ERROR_TRACE_ACTION.html

Page updated

Google Sites

Report abuse