Oracle WebLogic Server 12c Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Oracle WebLogic must produce audit records containing sufficient information to establish what type of JVM-related events and severity levels occurred.

    Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes: time stamps, sour...
    Rule Low Severity
  • SRG-APP-000095-AS-000056

    Group
  • SRG-APP-000096-AS-000059

    Group
  • Oracle WebLogic must establish a trusted communications path between the user and organization-defined security functions within the information system.

    Without a trusted communication path, the application server is vulnerable to a man-in-the-middle attack. Application server user interfaces are used for management of the application server so th...
    Rule Medium Severity
  • SRG-APP-000097-AS-000060

    Group
  • SRG-APP-000098-AS-000061

    Group
  • Oracle WebLogic must produce audit records containing sufficient information to establish the sources of the events.

    Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, but is not limited...
    Rule Low Severity
  • SRG-APP-000099-AS-000062

    Group
  • Oracle WebLogic must produce audit records that contain sufficient information to establish the outcome (success or failure) of application server and application events.

    Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, but is not limite...
    Rule Low Severity
  • SRG-APP-000100-AS-000063

    Group
  • Oracle WebLogic must utilize automated mechanisms to prevent program execution on the information system.

    The application server must provide a capability to halt or otherwise disable the automatic execution of deployed applications until such time that the application is considered part of the establi...
    Rule Low Severity
  • SRG-APP-000148-AS-000101

    Group
  • SRG-APP-000515-AS-000203

    Group
  • Oracle WebLogic must provide the ability to write specified audit record content to an audit log server.

    Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, but is not limite...
    Rule Medium Severity
  • SRG-APP-000108-AS-000067

    Group
  • Oracle WebLogic must provide a real-time alert when organization-defined audit failure events occur.

    It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include software/hardware errors, failures in...
    Rule Low Severity
  • SRG-APP-000108-AS-000067

    Group
  • SRG-APP-000108-AS-000067

    Group
  • Oracle WebLogic must notify administrative personnel as a group in the event of audit processing failure.

    Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. To ensure flexibility and ease of use,...
    Rule Low Severity
  • SRG-APP-000116-AS-000076

    Group
  • SRG-APP-000516-AS-000237

    Group
  • SRG-APP-000372-AS-000212

    Group
  • Oracle WebLogic must synchronize with internal information system clocks which, in turn, are synchronized on an organization-defined frequency with an organization-defined authoritative time source.

    Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events. Synchronization of system clocks is...
    Rule Low Severity
  • SRG-APP-000118-AS-000078

    Group
  • Oracle WebLogic must protect audit information from any type of unauthorized read access.

    If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In ...
    Rule Low Severity
  • SRG-APP-000121-AS-000081

    Group
  • Oracle WebLogic must protect audit tools from unauthorized access.

    Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may ...
    Rule Medium Severity
  • SRG-APP-000122-AS-000082

    Group
  • Oracle WebLogic must uniquely identify and authenticate users (or processes acting on behalf of users).

    To assure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. The application server must uniquely identify and authenticate ap...
    Rule High Severity
  • SRG-APP-000123-AS-000083

    Group
  • Oracle WebLogic must protect audit tools from unauthorized deletion.

    Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may ...
    Rule Medium Severity
  • SRG-APP-000133-AS-000092

    Group
  • Oracle WebLogic must limit privileges to change the software resident within software libraries (including privileged programs).

    Application servers have the ability to specify that the hosted applications utilize shared libraries. The application server must have a capability to divide roles based upon duties wherein one pr...
    Rule Medium Severity
  • SRG-APP-000141-AS-000095

    Group
  • Oracle WebLogic must adhere to the principles of least functionality by providing only essential capabilities.

    Application servers provide a myriad of differing processes, features and functionalities. Some of these processes may be deemed to be unnecessary or too insecure to run on a production DoD system...
    Rule Medium Severity
  • SRG-APP-000142-AS-000014

    Group
  • Oracle WebLogic must prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.

    Application servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed to be unnecessary or too insecure to run on a producti...
    Rule Medium Severity
  • SRG-APP-000516-AS-000237

    Group
  • SRG-APP-000516-AS-000237

    Group
  • Oracle WebLogic must enforce minimum password length.

    Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one of several factors that helps t...
    Rule Medium Severity
  • SRG-APP-000516-AS-000237

    Group
  • Oracle WebLogic must enforce password complexity by the number of upper-case characters used.

    Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a complex password helps to increase the time a...
    Rule Medium Severity
  • SRG-APP-000516-AS-000237

    Group
  • Oracle WebLogic must enforce password complexity by the number of lower-case characters used.

    Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a complex password helps to increase the time a...
    Rule Medium Severity
  • SRG-APP-000516-AS-000237

    Group
  • Oracle WebLogic must enforce password complexity by the number of numeric characters used.

    Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a complex password helps to increase the time a...
    Rule Medium Severity
  • SRG-APP-000516-AS-000237

    Group
  • SRG-APP-000172-AS-000120

    Group
  • Oracle WebLogic must encrypt passwords during transmission.

    Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. Application servers have the capability to utilize either certific...
    Rule High Severity
  • SRG-APP-000172-AS-000121

    Group