The Oracle REMOTE_OS_ROLES parameter must be set to FALSE.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-270524 | O19C-00-009200 | SV-270524r1112471_rule | Medium |
| Description |
| Setting REMOTE_OS_ROLES to TRUE allows operating system groups to control Oracle roles. The default value of FALSE causes roles to be identified and managed by the database. If REMOTE_OS_ROLES is set to TRUE, a remote user could impersonate another operating system user over a network connection. DOD requires the REMOTE_OS_ROLES to be set to FALSE. |
| STIG | Date |
| Oracle Database 19c Security Technical Implementation Guide | 2025-06-24 |
Details
| Check Text (C-74557r1112470_chk) |
| To verify the current status of the remote_os_roles parameter use the SQL statement: If using a non-CDB database: From SQL*Plus: COLUMN name format a20 COLUMN parameter_value format a20 SELECT name, con_id, value AS PARAMETER_VALUE FROM sys.v_$parameter WHERE vp.name = 'remote_os_roles' ORDER BY 1; If the PARAMETER_VALUE is not FALSE, that is a finding. If using a CDB database: From SQL*Plus (in the CDB database): COLUMN name format a20 COLUMN parameter_value format a20 SELECT name, inst_id, con_id, value AS PARAMETER_VALUE FROM sys.gv_$parameter WHERE vp.name = 'remote_os_roles' ORDER BY 1; In the CDB database, if the PARAMETER_VALUE is not FALSE, that is a finding. |
| Fix Text (F-74458r1064849_fix) |
| Set the parameter to FALSE for all instances. If using Oracle Multitenant, set the value to FALSE for the container database and all pluggable databases will be set to FALSE as well. ALTER SYSTEM SET remote_os_roles = FALSE scope=spfile; sid='container_name' is optional Restart the database for the change to take effect. |