REMOTE_LOGIN_PASSWORDFILE='NONE' Setting and Data Guard
I have results from a recent security scan on an Oracle 10gR2 Database with Data Guard, running on Redhat 4. One of the remediation items advises setting REMOTE_LOGIN_PASSWORDFILE='NONE'.
The security expert's rationale for the change is that leaving REMOTE_LOGIN_PASSWORDFILE set to 'EXCLUSIVE' leaves SYS vulnerable to a brute force password attack, since locking SYS on failed attempts is not available.
I have found conflicting guidance in some security plan documents which directs that this may remain as 'EXCLUSIVE', but I'm looking at all options.
The issue this creates affects the proper functioning of HA Data Guard. Data Guard requires remote access as SYS. Setting this parameter to 'NONE' on the standby prohibits the movement of Data Guard-required redo logs to the standby.
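Before deciding between 'NONE' and 'EXCLUSIVE', a DBA would normally confirm what the password file actually exposes and whether redo transport currently depends on it. The queries below are an added illustration, not part of the original post; they use standard dynamic performance views available in 10gR2 and assume you run them as a privileged user on the primary and on each standby.

```sql
-- Added example (not from the original post): run on the primary and on each standby.

-- 1. Current value of the parameter under discussion.
SELECT name, value, isdefault
  FROM v$parameter
 WHERE name = 'remote_login_passwordfile';

-- 2. Accounts that can authenticate remotely through the password file.
--    With EXCLUSIVE, only the accounts listed here can connect over the
--    network as SYSDBA/SYSOPER; ideally the list contains SYS alone.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users;

-- 3. Redo transport health (run on the primary): a standby destination
--    that no longer accepts the SYS connection shows a non-empty ERROR column.
SELECT dest_id, status, error, destination
  FROM v$archive_dest
 WHERE status <> 'INACTIVE';
```

Query 2 is the one that narrows the brute-force exposure the scan is worried about: if the only password-file entry is SYS, the attack surface is a single account with a strong password, which is a smaller change than disabling remote SYS authentication and breaking redo shipping. Query 3 gives you a before/after comparison if you do test the 'NONE' setting on the standby.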