The Oracle OS_AUTHENT_PREFIX parameter should be changed from the default value of OPS$.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-2531	DO3447-ORACLE11	SV-24902r2_rule		Low

Description
The OS_AUTHENT_PREFIX parameter defines the prefix for database account names to be identified EXTERNALLY by the operating system. When set to the special value of OPS$, accounts defined with the prefix of OPS$ may authenticate either with a password or with OS authentication. Use of more than one authentication method to access a single account results in a loss of accountability, that is, it is similar to a shared account. Setting this parameter to a value other than OPS$ prevents a shared usage of a single account.

Description

The OS_AUTHENT_PREFIX parameter defines the prefix for database account names to be identified EXTERNALLY by the operating system. When set to the special value of OPS$, accounts defined with the prefix of OPS$ may authenticate either with a password or with OS authentication. Use of more than one authentication method to access a single account results in a loss of accountability, that is, it is similar to a shared account. Setting this parameter to a value other than OPS$ prevents a shared usage of a single account.

STIG	Date
Oracle Database 11g Instance STIG	2017-06-29

Details

Check Text ( C-29461r2_chk )
From SQL*Plus: select value from v$parameter where name = 'os_authent_prefix'; If the value returned is OPS$ or ops$, this is a Finding.

Fix Text (F-26523r1_fix)
Specify an operating system authenticated username prefix other than OPS$. From SQLPlus: alter system set os_authent_prefix = [prefix value] scope = spfile; Compliant selections for [prefix value] are: a null string ('') a text value other than 'OPS$' The above SQLPlus command will set the parameter to take effect at next system startup.