The Oracle REMOTE_OS_AUTHENT parameter must be set to FALSE.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-219830 | O121-BP-021900 | SV-219830r961863_rule | High |
| Description |
| Setting this value to TRUE allows operating system authentication over an unsecured connection. Trusting remote operating systems can allow a user to impersonate another operating system user and connect to the database without having to supply a password. If REMOTE_OS_AUTHENT is set to true, the only information a remote user needs to connect to the database is the name of any user whose account is setup to be authenticated by the operating system. |
| STIG | Date |
| Oracle Database 12c Security Technical Implementation Guide | 2025-02-12 |
Details
| Check Text (C-21541r533029_chk) |
| From SQL*Plus: select value from v$parameter where name = 'remote_os_authent'; If the value returned does not equal FALSE, this is a finding. |
| Fix Text (F-21540r533030_fix) |
| Document remote OS authentication in the System Security Plan. If not required or not mitigated to an acceptable level, disable remote OS authentication. From SQL*Plus: alter system set remote_os_authent = FALSE scope = spfile; The above SQL*Plus command will set the parameter to take effect at next system startup. |