OpenControls Logo

STIG Viewer

The Oracle REMOTE_OS_ROLES parameter must be set to FALSE.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-270524O19C-00-009200SV-270524r1112471_ruleCCI-000366medium
Description
Setting REMOTE_OS_ROLES to TRUE allows operating system groups to control Oracle roles. The default value of FALSE causes roles to be identified and managed by the database. If REMOTE_OS_ROLES is set to TRUE, a remote user could impersonate another operating system user over a network connection. DOD requires the REMOTE_OS_ROLES to be set to FALSE.
STIGDate
Oracle Database 19c Security Technical Implementation Guide2025-06-24

Related Frameworks

4 paths across 3 frameworks
NIST 800-531 mapping
CM-6
1.00
  • DISA · 1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.4.1
1.00
  • DISA · 1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.4.2
1.00
  • DISA · 1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000366
1.00
  • DISA · 1 · disa_xccdf · related

Details

Check Text (C-270524r1112471_chk)

To verify the current status of the remote_os_roles parameter use the SQL statement: If using a non-CDB database: From SQL*Plus: COLUMN name format a20 COLUMN parameter_value format a20 SELECT name, con_id, value AS PARAMETER_VALUE FROM sys.v_$parameter WHERE vp.name = 'remote_os_roles' ORDER BY 1; If the PARAMETER_VALUE is not FALSE, that is a finding. If using a CDB database: From SQL*Plus (in the CDB database): COLUMN name format a20 COLUMN parameter_value format a20 SELECT name, inst_id, con_id, value AS PARAMETER_VALUE FROM sys.gv_$parameter WHERE vp.name = 'remote_os_roles' ORDER BY 1; In the CDB database, if the PARAMETER_VALUE is not FALSE, that is a finding.

Fix Text (F-74458r1064849_fix)

Set the parameter to FALSE for all instances. If using Oracle Multitenant, set the value to FALSE for the container database and all pluggable databases will be set to FALSE as well. ALTER SYSTEM SET remote_os_roles = FALSE scope=spfile; sid='container_name' is optional Restart the database for the change to take effect.