The Oracle REMOTE_OS_AUTHENT parameter must be set to FALSE.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
high	V-219830	SRG-APP-000516-DB-000363	O121-BP-021900	SV-219830r961863_rule	2025-02-12	3

Description
Setting this value to TRUE allows operating system authentication over an unsecured connection. Trusting remote operating systems can allow a user to impersonate another operating system user and connect to the database without having to supply a password. If REMOTE_OS_AUTHENT is set to true, the only information a remote user needs to connect to the database is the name of any user whose account is setup to be authenticated by the operating system.

Description

Setting this value to TRUE allows operating system authentication over an unsecured connection. Trusting remote operating systems can allow a user to impersonate another operating system user and connect to the database without having to supply a password. If REMOTE_OS_AUTHENT is set to true, the only information a remote user needs to connect to the database is the name of any user whose account is setup to be authenticated by the operating system.

ℹ️ Check
From SQL*Plus: select value from v$parameter where name = 'remote_os_authent'; If the value returned does not equal FALSE, this is a finding.

✔️ Fix
Document remote OS authentication in the System Security Plan. If not required or not mitigated to an acceptable level, disable remote OS authentication. From SQLPlus: alter system set remote_os_authent = FALSE scope = spfile; The above SQLPlus command will set the parameter to take effect at next system startup.