Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
OHS must have resource mappings set to disable the serving of certain file types.
Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and to identify which file types are not to be...
Rule, Medium Severity

The Node Manager account password associated with the installation of OHS must be in accordance with DoD guidance for length, complexity, etc.
During installation of the web server software, accounts are created for the web server to operate properly. The accounts installed can have either no password installed or a default password, whic...
Rule, Medium Severity

The ListenAddress property of the Node Manager configured to support OHS must match the CN of the certificate used by Node Manager.
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. For connections to be made to the Node Manager, it must listen on an assigned address. When this param...
Rule, Medium Severity

The CustomIdentityAlias property of the Node Manager configured to support OHS must be configured for secure communication.
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. The "CustomIdentityAlias" specifies the alias when loading the private key into the keystore. This p...
Rule, Medium Severity

The WLST_PROPERTIES environment variable defined for the Fusion Middleware WebLogic Scripting Tool must be updated to reference an appropriate trust store so that it can communicate with the Node Manager supporting OHS.
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. When starting an OHS instance, the "Fusion Middleware" WebLogic Scripting Tool needs to trust the certi...
Rule, Medium Severity

OHS must have the AllowOverride directive set properly.
The property "AllowOverride" is used to allow directives to be set differently than those set for the overall architecture. When the property is not set to "None", OHS will check for directives in...
Rule, Medium Severity

The OHS instance installation must not contain an .htaccess file.
.htaccess files are used to override settings in the OHS configuration files. The placement of the .htaccess file is also important as the settings will affect the directory where the file is loca...
Rule, Medium Severity

OHS must have the RewriteEngine directive enabled.
The rewrite engine is used to evaluate URL requests and modify the requests on the fly. Enabling this engine gives the system administrator the capability to trap potential attacks before reaching...
Rule, Low Severity

A public OHS installation, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension.
To minimize exposure of private assets to unnecessary risk by attackers, public web servers must be isolated from internal systems. Public web servers are by nature more vulnerable to attack from ...
Rule, Medium Severity

All utility programs, not necessary for operations, must be removed or disabled.
Just as running unneeded services and protocols is a danger to the web server at the lower levels of the OSI model, running unneeded utilities and programs is also a danger at the application layer...
Rule, Low Severity

The OHS htpasswd files (if present) must reflect proper ownership and permissions.
In addition to OS restrictions, access rights to files and directories can be set on a web site using the web server software. That is, in addition to allowing or denying all access rights, a rule...
Rule, Medium Severity

OHS content and configuration files must be part of a routine backup program.
Backing up web server data and web server application software after upgrades or maintenance ensures that recovery can be accomplished up to the current version. It also provides a means to determ...
Rule, Low Severity

OHS must have all applicable patches (i.e., CPUs) applied/documented (OEM).
The IAVM process does not address all patches that have been identified for the host operating system or, in this case, the web server software environment. Many vendors have subscription services ...
Rule, Medium Severity

OHS administration must be performed over a secure path or at the local console.
Logging into a web server remotely using an unencrypted protocol or service when performing updates and maintenance is a major risk. Data, such as user account, is transmitted in plaintext and can...
Rule, High Severity

Remote authors or content providers must have all files scanned for viruses and malicious code before uploading files to the Document Root directory.
Remote web authors should not be able to upload files to the DocumentRoot directory structure without virus checking and checking for malicious or mobile code. A remote web user whose agency has a ...
Rule, Medium Severity

OHS hosted web sites must utilize ports, protocols, and services according to PPSM guidelines.
Failure to comply with DoD ports, protocols, and services (PPS) requirements can result in compromise of enclave boundary protections and/or functionality of the automated information system (AIS)....
Rule, Low Severity

If mod_plsql is not in use with OHS, OHS must have the include moduleconf/* directive disabled.
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capabil...
Rule, Medium Severity

OHS must use FIPS modules to encrypt passwords during transmission.
Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to authe...
Rule, High Severity

OHS must have the LoadModule ossl_module directive enabled to perform RFC 5280-compliant certification path validation.
A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make...
Rule, Medium Severity

OHS must have the SSLCARevocationFile and SSLCRLCheck directives within each SSL-enabled VirtualHost directive set to perform RFC 5280-compliant certification path validation when using single certification revocation.
A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make...
Rule, Medium Severity