The Oracle REMOTE_OS_AUTHENT parameter must be set to FALSE.
An XCCDF Rule
Description
<VulnDiscussion>Setting this value to TRUE allows operating system authentication over an unsecured connection. Trusting remote operating systems can allow a user to impersonate another operating system user and connect to the database without having to supply a password. If REMOTE_OS_AUTHENT is set to true, the only information a remote user needs to connect to the database is the name of any user whose account is setup to be authenticated by the operating system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-219702r879887_rule
- Severity
- High
- References
- Updated
Remediation - Manual Procedure
Document remote OS authentication in the System Security Plan.
If not required or not mitigated to an acceptable level, disable remote OS authentication.
From SQL*Plus: