Oracle WebLogic Server 12c Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
Rule (Medium Severity): Oracle WebLogic must separate hosted application functionality from Oracle WebLogic management functionality.
Application server management functionality includes functions necessary to administer the application server and requires privileged access via one of the accounts assigned to a management role. ...

Rule (Medium Severity): Oracle WebLogic must be configured to perform complete application deployments.
Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. When an appli...

Rule (Medium Severity): Oracle WebLogic must fail securely in the event of an operational failure.
Fail secure is a condition achieved by the application server in order to ensure that in the event of an operational failure, the system does not enter into an unsecure state where intended securi...

Rule (Medium Severity): Oracle WebLogic must employ approved cryptographic mechanisms when transmitting sensitive data.
Preventing the disclosure of transmitted information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the...

Rule (Medium Severity): Oracle WebLogic must only generate error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages.
Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and c...

Rule (Medium Severity): Oracle WebLogic must be integrated with a tool to monitor audit subsystem failure notification information that is sent out (e.g., the recipients of the message and the nature of the failure).
It is critical that, when a system is at risk of failing to process audit logs, it detects and takes action to mitigate the failure. As part of the mitigation, the system must send a notification ...
Group: SRG-APP-000014-AS-000009

Group: SRG-APP-000015-AS-000010
Rule (Medium Severity): Oracle WebLogic must use cryptography to protect the integrity of the remote access session.
Encryption is critical for protection of remote access sessions. If encryption is not being used for integrity, malicious users may gain the ability to modify the application server configuration. ...
Group: SRG-APP-000516-AS-000237

Group: SRG-APP-000142-AS-000014
Rule (Medium Severity): Oracle WebLogic must support the capability to disable network protocols deemed by the organization to be non-secure except for explicitly identified components in support of specific operational requirements.
Some networking protocols may not meet organizational security requirements to protect data and components. Application servers natively host a number of various features such as management inter...
Group: SRG-APP-000509-AS-000234

Rule (Medium Severity): Oracle WebLogic must automatically audit account creation.
Application servers require user accounts for server management purposes, and if the creation of new accounts is not logged, there is limited or no capability to track or alarm on account creation....
Group: SRG-APP-000509-AS-000234

Rule (Medium Severity): Oracle WebLogic must automatically audit account modification.
Once an attacker establishes initial access to a system, they often attempt to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify a...
Group: SRG-APP-000504-AS-000229

Rule (Medium Severity): Oracle WebLogic must provide access logging that ensures users who are granted a privileged role (or roles) have their privileged activity logged.
In order to be able to provide a forensic history of activity, the application server must ensure users who are granted a privileged role or those who utilize a separate distinct account when acces...
Group: SRG-APP-000516-AS-000237

Group: SRG-APP-000516-AS-000237