I'm an Oracle database security consultant, and I have a question regarding SAP installs on Oracle.
I've seen on a couple of customers' sites (who are running SAP) that they have the REMOTE_OS_AUTHENT parameter set to TRUE with an externally identified account "OPS$<sapsid>ADM".
Now this is a known Oracle security issue. It leaves all the data in the database vulnerable to query and update. I recommend to our clients that they change it; however, they always respond with "but SAP requires it".
I've tried googling for a solution, with little success. The only half solution I can find is from some SAP online documentation. See link below.
The problem is that I don't know of many sites that would restrict database access by IP address as most sites run client software that accesses the database directly.
Has anyone seen a better solution for this?