Wednesday, December 24, 2025

hard

| Existing | Recommended | Modified |
|---|---|---|
| Root login enabled via SSH | Disable direct root SSH login and enforce sudo-based access | |
| X server installed on DB server | Remove X server from DB and App servers | |
| Oracle user allowed direct remote login | Disallow direct remote login to oracle user | |
| Listener has EXTPROC in main listener | Separate EXTPROC into dedicated listener | |
| EXTPROC listener running as oracle user | Run EXTPROC listener as unprivileged OS user | |
| ADMIN_RESTRICTIONS not enabled on listener | Set ADMIN_RESTRICTIONS_<listener>=ON | |
| Listener logging disabled or minimal | Enable listener logging with LOG_STATUS=ON | |
| XDB service enabled in database | Disable XDB and remove XDB dispatcher | |
| Default database accounts not reviewed | Lock or change passwords for default accounts | |
| REMOTE_OS_AUTHENT parameter enabled | Set REMOTE_OS_AUTHENT=FALSE | |
| Unused database links exist | Remove unused database links | |
| Database auditing disabled | Enable database auditing and audit trail retention | |
| APPL_TOP permissions too permissive | Restrict APPL_TOP permissions to applmgr only | |
| trusted.conf allows open access | Restrict admin URLs to trusted IPs only | |
| s_admin_ui_access_nodes not configured | Configure trusted admin IPs via AutoConfig | |
| Allowed Resources feature not configured | Enable and configure Allowed Resources allowlist | |
| Allowed Redirects not restricted | Configure allowed_redirects.conf and custom include file | |
| Allow Unrestricted Redirects profile enabled | Set Allow Unrestricted Redirects to No | |
| Weak TLS or SSL protocols enabled | Enforce TLS 1.2 and disable weak protocols | |
| Weak cipher suites enabled | Disable RC4 and ciphers below 128-bit | |
| HTTP security headers not enforced | Enable X-Frame-Options SAMEORIGIN and nosniff | |
| Guest user enabled unnecessarily | Disable Guest user access where not required | |
| Unlimited session timeout configured | Set ICX_SESSION_TIMEOUT to 30 minutes | |
| Weak password length allowed | Set SIGNON_PASSWORD_LENGTH to minimum 8 | |
| Password reuse allowed | Set SIGNON_PASSWORD_NO_REUSE to 180 days | |
| Case-insensitive passwords allowed | Enable case-sensitive passwords | |
| High failed login attempts allowed | Set SIGNON_PASSWORD_FAILURE_LIMIT to 5 | |
| Concurrent program credentials exposed | Use ENCRYPT option for HOST executables | |
| File upload type unrestricted | Restrict file types using fnd_mime_types | |
| Unlimited file upload size allowed | Configure UPLOAD_FILE_SIZE_LIMIT | |
| AntiSamy HTML filter disabled | Enable AntiSamy HTML filter | |
| Workflow mailer access key enabled | Set WF_MAILER SEND_ACCESS_KEY to No | |
| Secure Configuration Console not used | Run SCC and remediate HIGH severity findings | |
| Audit trail not enabled for sensitive tables | Enable Audit Trail on critical tables | |
| Proxy user delegation unrestricted | Restrict proxy access and enable proxy auditing | |
| Desktop Java version outdated | Upgrade to certified Java version | |
| Browser cache storing sensitive data | Enable FND_SEC_FILESTREAM_NOSTORE=SECURE | |
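The three listener rows of the checklist (EXTPROC mixed into the main listener, ADMIN_RESTRICTIONS not set, logging turned off) can be verified from listener.ora before any change is made. The script below is an added example written for this post, not part of the original checklist; it parses a constructed listener.ora and reports which of those three items fail. It assumes the listener.ora parameter names ADMIN_RESTRICTIONS_<listener> and LOGGING_<listener> (the file form of the LOG_STATUS setting), and treats the Oracle default of logging ON as the value when LOGGING_<listener> is absent.

```python
import re

# Constructed sample listener.ora (not taken from any real system): the single
# listener serves TCP clients and EXTPROC together, and ADMIN_RESTRICTIONS is unset.
SAMPLE_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (SID_NAME = PLSExtProc)(ORACLE_HOME = /u01/app/oracle)(PROGRAM = extproc))
  )
"""

def parse_top_level(text):
    """Return {NAME: value} for each top-level 'NAME = ...' entry, tracking
    parenthesis depth so multi-line values are kept whole."""
    entries, name, buf, depth = {}, None, [], 0
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].rstrip()          # drop comments
        m = re.match(r"^(\w+)\s*=\s*(.*)$", stripped)     # unindented NAME = ...
        if depth == 0 and m:
            if name is not None:
                entries[name] = "".join(buf)
            name, buf = m.group(1).upper(), [m.group(2)]
            depth = m.group(2).count("(") - m.group(2).count(")")
        elif name is not None:
            buf.append(stripped)
            depth += stripped.count("(") - stripped.count(")")
    if name is not None:
        entries[name] = "".join(buf)
    return entries

def audit_listeners(text):
    """Return {listener_name: [findings]} for the listener rows of the checklist."""
    entries = parse_top_level(text)
    findings = {}
    for name, value in entries.items():
        norm = re.sub(r"\s+", "", value).upper()          # "(PROTOCOL = TCP)" -> "(PROTOCOL=TCP)"
        if "(ADDRESS" not in norm or name.startswith("SID_LIST_"):
            continue                                      # not a listener definition
        issues = []
        if entries.get(f"ADMIN_RESTRICTIONS_{name}", "").strip().upper() != "ON":
            issues.append("ADMIN_RESTRICTIONS_%s is not ON" % name)
        if entries.get(f"LOGGING_{name}", "ON").strip().upper() == "OFF":
            issues.append("listener logging is disabled (LOGGING_%s=OFF)" % name)
        sid_list = entries.get(f"SID_LIST_{name}", "").upper()
        if ("EXTPROC" in sid_list or "EXTPROC" in norm) and "(PROTOCOL=TCP)" in norm:
            issues.append("EXTPROC is served by a TCP listener; move it to a dedicated listener")
        findings[name] = issues
    return findings
```

Run it against a copy of the real listener.ora and clear each finding before moving on to the database and application rows.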
