Oracle HTTP Server 12.1.3 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • OHS must limit the number of threads within a worker process to limit the number of allowed simultaneous requests.

    Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in limit...
    Rule Medium Severity
  • OHS must have the SSLFIPS directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.

    The web server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or communication to authenticate users. The encryption use...
    Rule High Severity
  • OHS must have the SSLCipherSuite directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.

    The web server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or communication to authenticate users. The encryption use...
    Rule High Severity
  • OHS must have the SecureProxy directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.

    Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed ...
    Rule Medium Severity
  • OHS must have the OraLogMode set to Oracle Diagnostic Logging text mode to generate information to be used by external applications or entities to monitor and control remote access.

    Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform manag...
    Rule Medium Severity
  • OHS must have the OraLogSeverity directive defined to generate adequate information to be used by external applications or entities to monitor and control remote access.

    Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform manag...
    Rule Medium Severity
  • OHS must have a log format defined to generate adequate information to be used by external applications or entities to monitor and control remote access.

    Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform manag...
    Rule Medium Severity
  • OHS must have a log file defined for each site/virtual host to capture information to be used by external applications or entities to monitor and control remote access.

    Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform manag...
    Rule Medium Severity
  • OHS must have the Order, Allow, and Deny directives set within the Directory directives set to restrict inbound connections from nonsecure zones.

    Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform manag...
    Rule Medium Severity
  • OHS must provide the capability to immediately disconnect or disable remote access to the hosted applications.

    During an attack on the web server or any of the hosted applications, the system administrator may need to disconnect or disable access by users to stop the attack. The web server must provide a ...
    Rule Medium Severity
  • Non-privileged accounts on the hosting system must only access OHS security-relevant information and functions through a distinct administrative account.

    By separating web server security functions from non-privileged users, roles can be developed that can then be used to administer the web server. Forcing users to change from a non-privileged accou...
    Rule Medium Severity
  • OHS must have the client requests logging module loaded to generate log records for system startup and shutdown, system access, and system authentication logging.

    Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionali...
    Rule Medium Severity
  • OHS must have a log directory location defined to generate log records for system startup and shutdown, system access, and system authentication logging.

    Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionali...
    Rule Medium Severity
  • OHS must have a log level severity defined to generate adequate log records for system startup and shutdown, system access, and system authentication events.

    Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionali...
    Rule Medium Severity
  • OHS must have a log file defined for each site/virtual host to capture logs generated by system startup and shutdown, system access, and system authentication events.

    Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionali...
    Rule Medium Severity
  • OHS must have a log format defined for log records generated to capture sufficient information to establish what type of events occurred.

    Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correc...
    Rule Medium Severity
  • OHS must have a log file defined for each site/virtual host to capture sufficient information to establish what type of events occurred.

    Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correc...
    Rule Medium Severity
  • OHS must have a log format defined for log records that allow the establishment of where within OHS the events occurred.

    Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correc...
    Rule Medium Severity
  • OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of where within OHS the events occurred.

    Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correc...
    Rule Medium Severity
  • OHS must have a SSL log format defined for log records that allow the establishment of the source of events.

    Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correc...
    Rule Medium Severity
  • OHS, behind a load balancer or proxy server, must have a log file defined for each site/virtual host to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.

    Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correc...
    Rule Medium Severity
  • OHS must have a log format defined to produce log records that contain sufficient information to establish the outcome (success or failure) of events.

    Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the succes...
    Rule Medium Severity
  • OHS must have a log file defined for each site/virtual host to produce log records that contain sufficient information to establish the outcome (success or failure) of events.

    Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the succes...
    Rule Medium Severity
  • OHS must have a SSL log format defined to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.

    Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Determining user account...
    Rule Medium Severity
  • OHS log files must only be accessible by privileged users.

    Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activ...
    Rule Medium Severity
  • OHS must be configured to store error log files to an appropriate storage device from which other tools can be configured to reference those log files for diagnostic/forensic purposes.

    A web server will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within a hosted application. This information can then be used for diagnostic purpose...
    Rule Medium Severity
  • OHS must be configured to store access log files to an appropriate storage device from which other tools can be configured to reference those log files for diagnostic/forensic purposes.

    A web server will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within a hosted application. This information can then be used for diagnostic purpose...
    Rule Medium Severity
  • OHS must have the LoadModule status_module directive disabled.

    A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capabil...
    Rule Medium Severity
  • OHS must have the AddIconByEncoding directive disabled.

    A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capabil...
    Rule Medium Severity
  • OHS must have the AddIcon directive disabled.

    A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capabil...
    Rule Medium Severity
  • OHS must have the DirectoryIndex directive disabled.

    A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capabili...
    Rule Low Severity
  • OHS must have the ScriptAlias directive for CGI scripts disabled.

    A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capabil...
    Rule Medium Severity
  • OHS must have the LoadModule actions_module directive disabled.

    A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capabil...
    Rule Medium Severity
  • OHS must have the LoadModule authz_user_module directive disabled.

    A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capabil...
    Rule Medium Severity
  • OHS must have the LoadModule proxy_connect_module directive disabled.

    A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capabil...
    Rule Medium Severity
  • OHS must have the LoadModule setenvif_module directive disabled.

    A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capabil...
    Rule Medium Severity
  • OHS must have the IfModule mpm_winnt_module directive disabled.

    A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capabil...
    Rule Low Severity
  • OHS must have the LoadModule proxy_connect_module directive disabled.

    A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy r...
    Rule Medium Severity
  • OHS must disable the directive pointing to the directory containing the OHS manuals.

    Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production w...
    Rule Low Severity
  • OHS must have the IfModule cgid_module directive disabled for the OHS server, virtual host, and directory configuration.

    Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operat...
    Rule Medium Severity
  • OHS must have resource mappings set to disable the serving of certain file types.

    Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and to identify which file types are not to be...
    Rule Medium Severity
  • The Node Manager account password associated with the installation of OHS must be in accordance with DoD guidance for length, complexity, etc.

    During installation of the web server software, accounts are created for the web server to operate properly. The accounts installed can have either no password installed or a default password, whic...
    Rule Medium Severity
  • The ListenAddress property of the Node Manager configured to support OHS must match the CN of the certificate used by Node Manager.

    Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. For connections to be made to the Node Manager, it must listen on an assigned address. When this param...
    Rule Medium Severity
  • The CustomIdentityAlias property of the Node Manager configured to support OHS must be configured for secure communication.

    Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. The "CustomIdentityAlias" specifies the alias when loading the private key into the keystore. This p...
    Rule Medium Severity
  • The WLST_PROPERTIES environment variable defined for the Fusion Middleware WebLogic Scripting Tool must be updated to reference an appropriate trust store so that it can communicate with the Node Manager supporting OHS.

    Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. When starting an OHS instance, the "Fusion Middleware" WebLogic Scripting Tool needs to trust the certi...
    Rule Medium Severity
  • OHS must have the AllowOverride directive set properly.

    The property "AllowOverride" is used to allow directives to be set differently than those set for the overall architecture. When the property is not set to "None", OHS will check for directives in...
    Rule Medium Severity
  • The OHS instance installation must not contain an .htaccess file.

    .htaccess files are used to override settings in the OHS configuration files. The placement of the .htaccess file is also important as the settings will affect the directory where the file is loca...
    Rule Medium Severity
  • OHS must have the RewriteEngine directive enabled.

    The rewrite engine is used to evaluate URL requests and modify the requests on the fly. Enabling this engine gives the system administrator the capability to trap potential attacks before reaching...
    Rule Low Severity
  • A public OHS installation, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension.

    To minimize exposure of private assets to unnecessary risk by attackers, public web servers must be isolated from internal systems. Public web servers are by nature more vulnerable to attack from ...
    Rule Medium Severity
  • All utility programs, not necessary for operations, must be removed or disabled.

    Just as running unneeded services and protocols is a danger to the web server at the lower levels of the OSI model, running unneeded utilities and programs is also a danger at the application layer...
    Rule Low Severity
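The rules above are mostly directive-level settings in the OHS configuration (SSLFIPS, SSLCipherSuite, SecureProxy, the OraLog* ODL directives, LogFormat, Order/Allow/Deny, the LoadModule, ScriptAlias and DirectoryIndex removals, AllowOverride, .htaccess and RewriteEngine). The script below is an added example of how a practitioner would audit a configuration file against them read-only; it is not DISA's or Oracle's code. It assumes the directive names used in the rule titles, takes OraLogDir as the log-directory directive, and uses two constructed sample configurations whose cipher string, severity level and network range are placeholders rather than the values the STIG check text requires.

```shell
#!/bin/sh
# Added example (not DISA's or Oracle's code): a read-only audit of an OHS
# configuration file against the directive-level rules listed above.
# Assumptions: directive names are those in the rule titles; OraLogDir is taken
# as the log-directory directive; the sample configs below are constructed and
# their cipher string, severity level and network range are placeholders, not
# the values the STIG check text requires.

# Active (non-comment, non-blank) lines only: a commented-out "RewriteEngine On"
# is absent, and a commented-out LoadModule is disabled.
active_lines() { sed -e 's/#.*$//' "$1" | grep -v '^[[:space:]]*$'; }

# require FILE LABEL ERE : PASS when some active line matches (case-insensitive:
# Apache directive names and on/off values are case-insensitive).
require() {
  if active_lines "$1" | grep -Eiq "$3"; then echo "PASS $2"; return 0; fi
  echo "FAIL $2"; return 1
}
# forbid FILE LABEL ERE : PASS when no active line matches.
forbid() {
  if active_lines "$1" | grep -Eiq "$3"; then echo "FAIL $2"; return 1; fi
  echo "PASS $2"; return 0
}

# Modules the rules above require to be left unloaded.
FORBIDDEN_MODULES="status_module actions_module authz_user_module proxy_connect_module setenvif_module"

# ohs_audit FILE : one PASS/FAIL line per check, then "failures=N".
ohs_audit() {
  f=$1; n=0
  require "$f" "SSLFIPS on"          '^[[:space:]]*SSLFIPS[[:space:]]+on([[:space:]]|$)'          || n=$((n+1))
  require "$f" "SSLCipherSuite set"  '^[[:space:]]*SSLCipherSuite[[:space:]]+[^[:space:]]'        || n=$((n+1))
  require "$f" "SecureProxy ON"      '^[[:space:]]*SecureProxy[[:space:]]+on([[:space:]]|$)'      || n=$((n+1))
  require "$f" "OraLogMode odl-text" '^[[:space:]]*OraLogMode[[:space:]]+odl-text([[:space:]]|$)' || n=$((n+1))
  require "$f" "OraLogSeverity set"  '^[[:space:]]*OraLogSeverity[[:space:]]+[^[:space:]]'        || n=$((n+1))
  require "$f" "OraLogDir set"       '^[[:space:]]*OraLogDir[[:space:]]+[^[:space:]]'             || n=$((n+1))
  require "$f" "LogFormat defined"   '^[[:space:]]*LogFormat[[:space:]]+"'                        || n=$((n+1))
  require "$f" "RewriteEngine On"    '^[[:space:]]*RewriteEngine[[:space:]]+on([[:space:]]|$)'    || n=$((n+1))
  require "$f" "Deny from present"   '^[[:space:]]*Deny[[:space:]]+from[[:space:]]+[^[:space:]]'  || n=$((n+1))
  # AllowOverride must be present and every occurrence must be None; any other
  # value re-enables .htaccess overrides for that directory tree.
  ao=$(active_lines "$f" | grep -Ei '^[[:space:]]*AllowOverride[[:space:]]' || true)
  if [ -n "$ao" ] && ! printf '%s\n' "$ao" | grep -Eivq 'AllowOverride[[:space:]]+None([[:space:]]|$)'; then
    echo "PASS AllowOverride None"
  else
    echo "FAIL AllowOverride None"; n=$((n+1))
  fi
  for m in $FORBIDDEN_MODULES; do
    forbid "$f" "LoadModule $m absent" "^[[:space:]]*LoadModule[[:space:]]+$m([[:space:]]|$)" || n=$((n+1))
  done
  forbid "$f" "ScriptAlias absent"    '^[[:space:]]*ScriptAlias[[:space:]]'    || n=$((n+1))
  forbid "$f" "DirectoryIndex absent" '^[[:space:]]*DirectoryIndex[[:space:]]' || n=$((n+1))
  echo "failures=$n"
}
# ohs_failures FILE : the failure count alone, for scripting.
ohs_failures() { ohs_audit "$1" | sed -n 's/^failures=//p'; }
# htaccess_count DIR : .htaccess files under an instance directory (rule: zero).
htaccess_count() { find "$1" -name .htaccess -type f | wc -l | tr -d ' '; }

# --- constructed sample inputs (not taken from a real OHS instance) ---
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp); INSTANCE_DIR=$(mktemp -d)
cat > "$WEAK_CONF" <<'EOF'
LoadModule status_module   "${ORACLE_HOME}/ohs/modules/mod_status.so"
LoadModule setenvif_module "${ORACLE_HOME}/ohs/modules/mod_setenvif.so"
OraLogMode apache
SSLFIPS off
SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5
LogFormat "%h %l %u %t \"%r\" %>s %b" common
DirectoryIndex index.html index.html.var
ScriptAlias /cgi-bin/ "/u01/ohs/cgi-bin/"
#RewriteEngine On
<Directory "/u01/ohs/htdocs">
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
EOF
cat > "$HARD_CONF" <<'EOF'
SSLFIPS on
SSLCipherSuite SSL_RSA_WITH_AES_256_CBC_SHA
SecureProxy ON
OraLogMode odl-text
OraLogSeverity NOTIFICATION:1
OraLogDir /u01/ohs/logs
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
RewriteEngine On
<Directory "/u01/ohs/htdocs">
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/8
</Directory>
EOF
mkdir -p "$INSTANCE_DIR/htdocs"; : > "$INSTANCE_DIR/htdocs/.htaccess"

ohs_audit "$WEAK_CONF"      # 12 FAIL lines, failures=12
ohs_audit "$HARD_CONF"      # all PASS, failures=0
echo ".htaccess files: $(htaccess_count "$INSTANCE_DIR")"   # 1, a finding
```

On a real instance these directives are spread over httpd.conf, ssl.conf and mod_wl_ohs.conf in the instance's configuration directory, so run the audit once per file and follow any Include lines by hand; the script does not expand them. The SSLCipherSuite, OraLogSeverity and LogFormat checks are presence checks only: the value still has to be compared against what the corresponding rule's check text requires, and the Deny from check confirms the directive exists but not that it sits inside the right Directory block.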
