Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
OHS administration must be performed over a secure path or at the local console.
<VulnDiscussion>Logging into a web server remotely using an unencrypted protocol or service when performing updates and maintenance is a majo...Rule High Severity -
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
OHS must not contain any robots.txt files.
<VulnDiscussion>Search engines are constantly at work on the Internet. Search engines are augmented by agents, often referred to as spiders ...Rule Medium Severity -
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
OHS must prohibit anonymous FTP user access to interactive scripts.
<VulnDiscussion>The directories containing the CGI scripts, such as PERL, must not be accessible to anonymous users via FTP. This applies to ...Rule Medium Severity -
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
The OHS DocumentRoot directory must be in a separate partition from the OHS ServerRoot directory.
<VulnDiscussion>Application partitioning enables an additional security measure by securing user traffic under one security context, while ma...Rule Medium Severity -
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
The OHS DocumentRoot directory must be on a separate partition from OS root partition.
<VulnDiscussion>Application partitioning enables an additional security measure by securing user traffic under one security context, while ma...Rule Medium Severity -
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
SRG-APP-000439-WSR-000151
<GroupDescription></GroupDescription>Group -
Remote authors or content providers must have all files scanned for viruses and malicious code before uploading files to the Document Root directory.
<VulnDiscussion>Remote web authors should not be able to upload files to the DocumentRoot directory structure without virus checking and chec...Rule Medium Severity -
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
A public OHS server must use TLS if authentication is required to host web sites.
<VulnDiscussion>Transport Layer Security (TLS) is optional for a public web server. However, if authentication is being performed, then the ...Rule Medium Severity -
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
OHS hosted web sites must utilize ports, protocols, and services according to PPSM guidelines.
<VulnDiscussion>Failure to comply with DoD ports, protocols, and services (PPS) requirements can result in compromise of enclave boundary pro...Rule Low Severity -
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
OHS must not have the directive PlsqlDatabasePassword set in clear text.
<VulnDiscussion>OHS supports the use of the module mod_plsql, which allows applications to be hosted that are PL/SQL-based. To access the da...Rule High Severity -
SRG-APP-000141-WSR-000075
<GroupDescription></GroupDescription>Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.