Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
OHS, behind a load balancer or proxy server, must have a log file defined for each site/virtual host to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correc...Rule Medium Severity -
OHS must have a log format defined to produce log records that contain sufficient information to establish the outcome (success or failure) of events.
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the succes...Rule Medium Severity -
OHS must have a log file defined for each site/virtual host to produce log records that contain sufficient information to establish the outcome (success or failure) of events.
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the succes...Rule Medium Severity -
OHS must have a SSL log format defined to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Determining user account...Rule Medium Severity -
OHS log files must only be accessible by privileged users.
Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activ...Rule Medium Severity -
OHS must be configured to store error log files to an appropriate storage device from which other tools can be configured to reference those log files for diagnostic/forensic purposes.
A web server will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within a hosted application. This information can then be used for diagnostic purpose...Rule Medium Severity -
OHS must be configured to store access log files to an appropriate storage device from which other tools can be configured to reference those log files for diagnostic/forensic purposes.
A web server will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within a hosted application. This information can then be used for diagnostic purpose...Rule Medium Severity -
OHS must have the LoadModule status_module directive disabled.
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capabil...Rule Medium Severity -
OHS must have the AddIconByEncoding directive disabled.
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capabil...Rule Medium Severity -
OHS must have the AddIcon directive disabled.
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capabil...Rule Medium Severity -
OHS must have the DirectoryIndex directive disabled.
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capabili...Rule Low Severity -
OHS must have the ScriptAlias directive for CGI scripts disabled.
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capabil...Rule Medium Severity -
OHS must have the LoadModule actions_module directive disabled.
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capabil...Rule Medium Severity -
OHS must have the LoadModule authz_user_module directive disabled.
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capabil...Rule Medium Severity -
OHS must have the LoadModule proxy_connect_module directive disabled.
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capabil...Rule Medium Severity -
OHS must have the LoadModule setenvif_module directive disabled.
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capabil...Rule Medium Severity -
OHS must have the IfModule mpm_winnt_module directive disabled.
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capabil...Rule Low Severity -
OHS must have the LoadModule proxy_connect_module directive disabled.
A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy r...Rule Medium Severity -
OHS must disable the directive pointing to the directory containing the OHS manuals.
Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production w...Rule Low Severity -
OHS must have the IfModule cgid_module directive disabled for the OHS server, virtual host, and directory configuration.
Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operat...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.