Rule ID
SV-270524r1112471_rule
Version
V1R5
CCIs
Setting REMOTE_OS_ROLES to TRUE allows operating system groups to control Oracle roles. The default value of FALSE causes roles to be identified and managed by the database. If REMOTE_OS_ROLES is set to TRUE, a remote user could impersonate another operating system user over a network connection. DOD requires the REMOTE_OS_ROLES to be set to FALSE.
To verify the current status of the remote_os_roles parameter use the SQL statement: If using a non-CDB database: From SQL*Plus: COLUMN name format a20 COLUMN parameter_value format a20 SELECT name, con_id, value AS PARAMETER_VALUE FROM sys.v_$parameter WHERE vp.name = 'remote_os_roles' ORDER BY 1; If the PARAMETER_VALUE is not FALSE, that is a finding. If using a CDB database: From SQL*Plus (in the CDB database): COLUMN name format a20 COLUMN parameter_value format a20 SELECT name, inst_id, con_id, value AS PARAMETER_VALUE FROM sys.gv_$parameter WHERE vp.name = 'remote_os_roles' ORDER BY 1; In the CDB database, if the PARAMETER_VALUE is not FALSE, that is a finding.
Set the parameter to FALSE for all instances. If using Oracle Multitenant, set the value to FALSE for the container database and all pluggable databases will be set to FALSE as well. ALTER SYSTEM SET remote_os_roles = FALSE scope=spfile; sid='container_name' is optional Restart the database for the change to take effect.