Oracle Authentication
REMOTE_LOGIN_PASSWORDFILE
This is a CIS Benchmark requirement.
Check
SELECT UPPER(VALUE)
FROM V$SYSTEM_PARAMETER
WHERE UPPER(NAME)='REMOTE_LOGIN_PASSWORDFILE';
Change
ALTER SYSTEM SET REMOTE_LOGIN_PASSWORDFILE = 'NONE' SCOPE = SPFILE;
REMOTE_OS_AUTHENT
This is a CIS Benchmark requirement.
Deprecated in 12.1 and higher.
Default: FALSE
Recommended: FALSE
Check
SELECT UPPER(VALUE)
FROM V$SYSTEM_PARAMETER
WHERE UPPER(NAME)='REMOTE_OS_AUTHENT';
Change
ALTER SYSTEM SET REMOTE_OS_AUTHENT = FALSE SCOPE = SPFILE;
SEC_CASE_SENSITIVE_LOGON
This is a CIS Benchmark requirement.
Default: TRUE
If TRUE then passwords are case sensitive.
Recommended: TRUE
Check
SELECT UPPER(VALUE)
FROM V$SYSTEM_PARAMETER
WHERE UPPER(NAME)='SEC_CASE_SENSITIVE_LOGON';
Change
ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON = TRUE SCOPE = SPFILE;
SEC_MAX_FAILED_LOGIN_ATTEMPTS
This is a CIS Benchmark requirement.
Governs the number of failed authentication attempts that a client can make before the connection is dropped.
Default: 3
Recommended: 3 (or less)
Check
SELECT UPPER(VALUE)
FROM V$SYSTEM_PARAMETER
WHERE UPPER(NAME)='SEC_MAX_FAILED_LOGIN_ATTEMPTS';
Change
ALTER SYSTEM SET SEC_MAX_FAILED_LOGIN_ATTEMPTS = 3 SCOPE = SPFILE;
This change will take effect at database instance restart.
SEC_PROTOCOL_ERROR_FURTHER_ACTION
This is a CIS Benchmark requirement.
Governs what happens when receiving bad packets from a client.
Default: (DROP,3)
Recommended: (DROP,3)
Check
SELECT UPPER(VALUE)
FROM V$SYSTEM_PARAMETER
WHERE UPPER(NAME)='SEC_PROTOCOL_ERROR_FURTHER_ACTION';
Change
ALTER SYSTEM SET SEC_PROTOCOL_ERROR_FURTHER_ACTION = '(DROP,3)' SCOPE = BOTH;
(Recommended, Default) Forcefully terminate connection after 3 bad packets.
ALTER SYSTEM SET SEC_PROTOCOL_ERROR_FURTHER_ACTION = '(DELAY,9)' SCOPE = BOTH;
Wait for 9 seconds before accepting the next request from a connection where the previous packet was bad.
ALTER SYSTEM SET SEC_PROTOCOL_ERROR_FURTHER_ACTION = '(CONTINUE)' SCOPE = BOTH;
Carry on regardless of bad packets. This puts you at risk of a Denial of Service (DoS) attack.
SEC_PROTOCOL_ERROR_TRACE_ACTION
This is a CIS Benchmark requirement.
Default: TRACE
Recommended: LOG
Check
SELECT UPPER(VALUE)
FROM V$SYSTEM_PARAMETER
WHERE UPPER(NAME)='SEC_PROTOCOL_ERROR_TRACE_ACTION';
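The per-parameter checks above can be combined into one audit query; this is an added example, not part of the original page. The targets are the page's recommended values (NONE for REMOTE_LOGIN_PASSWORDFILE is taken from its Change statement), and because most changes here use SCOPE = SPFILE, the query also shows the value stored in the spfile so a change that is pending a restart can be told apart from one that was never made. Assumptions: the column aliases and the EQ/LE rule codes are constructs of this example, V$SPPARAMETER is not mentioned on the page, and the session can read both V$ views.

```sql
-- Added example: audit all parameters on this page in one pass.
-- rule: EQ = value must equal target, LE = numeric value must be <= target.
WITH expected (name, rule, target) AS (
  SELECT 'REMOTE_LOGIN_PASSWORDFILE',         'EQ', 'NONE'     FROM DUAL UNION ALL
  SELECT 'REMOTE_OS_AUTHENT',                 'EQ', 'FALSE'    FROM DUAL UNION ALL
  SELECT 'SEC_CASE_SENSITIVE_LOGON',          'EQ', 'TRUE'     FROM DUAL UNION ALL
  SELECT 'SEC_MAX_FAILED_LOGIN_ATTEMPTS',     'LE', '3'        FROM DUAL UNION ALL
  SELECT 'SEC_PROTOCOL_ERROR_FURTHER_ACTION', 'EQ', '(DROP,3)' FROM DUAL UNION ALL
  SELECT 'SEC_PROTOCOL_ERROR_TRACE_ACTION',   'EQ', 'LOG'      FROM DUAL
)
SELECT e.name,
       p.value AS running_value,
       -- Value recorded in the spfile; NULL when the parameter is not set there.
       (SELECT MAX(s.value)
          FROM V$SPPARAMETER s
         WHERE UPPER(s.name) = e.name
           AND s.isspecified = 'TRUE') AS spfile_value,
       e.target AS recommended,
       CASE
         -- Deprecated parameters may be absent on newer releases.
         WHEN p.name IS NULL THEN 'NOT PRESENT'
         WHEN e.rule = 'LE' THEN
           CASE
             -- Guard TO_NUMBER against a non-numeric value.
             WHEN NOT REGEXP_LIKE(p.value, '^[0-9]+$') THEN 'FAIL'
             WHEN TO_NUMBER(p.value) <= TO_NUMBER(e.target) THEN 'PASS'
             ELSE 'FAIL'
           END
         -- Ignore case and embedded spaces, e.g. '(drop, 3)' vs '(DROP,3)'.
         WHEN REPLACE(UPPER(p.value), ' ') = e.target THEN 'PASS'
         ELSE 'FAIL'
       END AS status
  FROM expected e
  LEFT JOIN V$SYSTEM_PARAMETER p
    ON UPPER(p.name) = e.name
 ORDER BY e.name;
```

A row with status FAIL whose spfile_value already matches the recommendation means the change has been written but the instance has not yet been restarted.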
Bibliography
REMOTE_LOGIN_PASSWORDFILE: https://docs.oracle.com/en/database/oracle/oracle-database/19/refrn/REMOTE_LOGIN_PASSWORDFILE.html
REMOTE_OS_AUTHENT (Deprecated): https://docs.oracle.com/en/database/oracle/oracle-database/19/refrn/REMOTE_OS_AUTHENT.html
SEC_CASE_SENSITIVE_LOGON: https://docs.oracle.com/en/database/oracle/oracle-database/19/refrn/SEC_CASE_SENSITIVE_LOGON.html
SEC_MAX_FAILED_LOGIN_ATTEMPTS: https://docs.oracle.com/en/database/oracle/oracle-database/19/refrn/SEC_MAX_FAILED_LOGIN_ATTEMPTS.html
SEC_PROTOCOL_ERROR_FURTHER_ACTION: https://docs.oracle.com/en/database/oracle/oracle-database/19/refrn/SEC_PROTOCOL_ERROR_FURTHER_ACTION.html
SEC_PROTOCOL_ERROR_TRACE_ACTION: https://docs.oracle.com/en/database/oracle/oracle-database/19/refrn/SEC_PROTOCOL_ERROR_TRACE_ACTION.html