on 04-07-2008 5:16 PM
Hi,
I'm an Oracle database security consultant, and I have a question regarding SAP installs on Oracle.
I've seen at a couple of customers' sites (who are running SAP) that they have the REMOTE_OS_AUTHENT parameter set to TRUE with an externally identified account "OPS$<sapsid>ADM".
Now this is a known Oracle security issue. It leaves all the data in the database vulnerable to query and update. I recommend that our clients change it; however, they always respond with "but SAP requires it".
I've tried googling for a solution, with little success. The only half solution I can find is from some SAP online documentation. See the link below:
http://help.sap.com/saphelp_nwmobile71/helpdata/en/8b/2488392020b625e10000000a114084/content.htm
The problem is that I don't know of many sites that would restrict database access by IP address, as most sites run client software that accesses the database directly.
Has anyone seen a better solution for this?
Hello Simon,
Stefan is correct. To make the answer a little more complete, perhaps you can take a look at SAP Note 700548, FAQ: Oracle authorizations.
If I'm not wrong, any user of the SDN can access the notes using the search functionality; no need for access to SAP.
Hello Simon,
Your customers are right - "REMOTE_OS_AUTHENT" is needed for running an SAP system.
The only solutions to "protect" your database are:
Restrict DB access from the network
Enable TCP.VALIDNODE_CHECKING as mentioned in the link
But wait: why protect your database from OPS$ access?
The user OPS$* has only restricted access by default (the SAPDBA role and access to the table SAPUSER, which includes the encrypted R/3 password for the SAP schema user).
I don't think that it is necessary to protect the database from the REMOTE_OS_AUTHENT access. You cannot really do any bad things with that access.
I can understand your point of view (as an Oracle security consultant), but these are the only solutions that you have.
Regards
Stefan
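As an added illustration (not part of the thread or of SAP's documentation), an audit script a DBA could run to verify the two points argued above: whether REMOTE_OS_AUTHENT is on, which accounts are externally identified, and exactly what privileges those accounts hold. It assumes Oracle 11g or later, where DBA_USERS has the AUTHENTICATION_TYPE column; the 10g variant is noted in the comments.

```sql
-- Added audit script, not from the thread. Assumes Oracle 11g or later
-- (DBA_USERS.AUTHENTICATION_TYPE exists); on 10g replace each
-- authentication_type predicate with  password = 'EXTERNAL'.
-- Run as a DBA-privileged user, e.g. from SQL*Plus.

-- 1. Is OS authentication accepted from remote clients at all?
--    REMOTE_OS_AUTHENT = TRUE means a client presenting an OS user name that
--    matches an OPS$ account is logged in without a database password.
--    OS_AUTHENT_PREFIX shows the prefix in use (normally OPS$).
SELECT name, value
  FROM v$parameter
 WHERE name IN ('remote_os_authent', 'os_authent_prefix');

-- 2. Which accounts are externally identified (the OPS$<sid>ADM style)?
SELECT username, account_status, authentication_type, created
  FROM dba_users
 WHERE authentication_type = 'EXTERNAL'
 ORDER BY username;

-- 3. What can those accounts actually do? Stefan's point is that the SAP
--    OPS$ user should hold only SAPDBA plus access to SAPUSER; anything
--    beyond that (DBA, SELECT ANY TABLE, UNLIMITED TABLESPACE, grants on
--    application tables) widens what a spoofed OS user name buys.
SELECT u.username, 'ROLE' AS kind, r.granted_role AS granted
  FROM dba_users u
  JOIN dba_role_privs r ON r.grantee = u.username
 WHERE u.authentication_type = 'EXTERNAL'
UNION ALL
SELECT u.username, 'SYSPRIV', s.privilege
  FROM dba_users u
  JOIN dba_sys_privs s ON s.grantee = u.username
 WHERE u.authentication_type = 'EXTERNAL'
UNION ALL
SELECT u.username, 'OBJPRIV',
       t.privilege || ' ON ' || t.owner || '.' || t.table_name
  FROM dba_users u
  JOIN dba_tab_privs t ON t.grantee = u.username
 WHERE u.authentication_type = 'EXTERNAL'
 ORDER BY 1, 2, 3;
```

If step 3 returns more than the SAPDBA role and the SAPUSER grant for the OPS$ account, that excess, rather than REMOTE_OS_AUTHENT itself, is the finding to take to the customer; the network-side controls (TCP.VALIDNODE_CHECKING) remain the only way to limit who can present the OS user name.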