The Oracle password file ownership and permissions should be limited and the REMOTE_LOGIN_PASSWORDFILE parameter must be set to EXCLUSIVE or NONE.
An XCCDF Rule
Description
<VulnDiscussion>It is critically important to the security of your system that you protect your password file and the environment variables that identify the location of the password file. Any user with access to these could potentially compromise the security of the connection. The REMOTE_LOGIN_PASSWORDFILE setting of "NONE" disallows remote administration of the database. The REMOTE_LOGIN_PASSWORDFILE setting of "EXCLUSIVE" allows for auditing of individual DBA logins to the SYS account. If not set to "EXCLUSIVE,” remote connections to the database as "internal" or "as SYSDBA" are not logged to an individual account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-219705r879887_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Disable use of the remote_login_passwordfile where remote administration is not authorized by specifying a value of NONE.
If authorized, restrict use of a password file to exclusive use by each database by specifying a value of EXCLUSIVE.
From SQL*Plus: