Oracle WebLogic Server 12c Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000108-AS-000067
<GroupDescription></GroupDescription>Group -
Oracle WebLogic must provide a real-time alert when organization-defined audit failure events occur.
<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required....Rule Low Severity -
SRG-APP-000108-AS-000067
<GroupDescription></GroupDescription>Group -
Oracle WebLogic must alert designated individual organizational officials in the event of an audit processing failure.
<VulnDiscussion> Audit processing failures include, but are not limited to, failures in the application server log capturing mechanisms or au...Rule Low Severity -
SRG-APP-000108-AS-000067
<GroupDescription></GroupDescription>Group -
Oracle WebLogic must notify administrative personnel as a group in the event of audit processing failure.
<VulnDiscussion> Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage ca...Rule Low Severity -
SRG-APP-000116-AS-000076
<GroupDescription></GroupDescription>Group -
SRG-APP-000516-AS-000237
<GroupDescription></GroupDescription>Group -
Oracle WebLogic must use internal system clocks to generate time stamps for audit records.
<VulnDiscussion>Without the use of an approved and synchronized time source, configured on the systems, events cannot be accurately correlate...Rule Low Severity -
SRG-APP-000372-AS-000212
<GroupDescription></GroupDescription>Group -
Oracle WebLogic must synchronize with internal information system clocks which, in turn, are synchronized on an organization-defined frequency with an organization-defined authoritative time source.
<VulnDiscussion>Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysi...Rule Low Severity -
SRG-APP-000118-AS-000078
<GroupDescription></GroupDescription>Group -
Oracle WebLogic must protect audit information from any type of unauthorized read access.
<VulnDiscussion>If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially ma...Rule Low Severity -
SRG-APP-000121-AS-000081
<GroupDescription></GroupDescription>Group -
Oracle WebLogic must protect audit tools from unauthorized access.
<VulnDiscussion>Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending up...Rule Medium Severity -
SRG-APP-000122-AS-000082
<GroupDescription></GroupDescription>Group -
Oracle WebLogic must uniquely identify and authenticate users (or processes acting on behalf of users).
<VulnDiscussion>To assure accountability and prevent unauthorized access, application server users must be uniquely identified and authentica...Rule High Severity -
Oracle WebLogic must protect audit tools from unauthorized modification.
<VulnDiscussion>Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending up...Rule Medium Severity -
SRG-APP-000123-AS-000083
<GroupDescription></GroupDescription>Group -
Oracle WebLogic must protect audit tools from unauthorized deletion.
<VulnDiscussion>Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending up...Rule Medium Severity -
SRG-APP-000133-AS-000092
<GroupDescription></GroupDescription>Group -
Oracle WebLogic must limit privileges to change the software resident within software libraries (including privileged programs).
<VulnDiscussion>Application servers have the ability to specify that the hosted applications utilize shared libraries. The application server...Rule Medium Severity -
SRG-APP-000141-AS-000095
<GroupDescription></GroupDescription>Group -
Oracle WebLogic must adhere to the principles of least functionality by providing only essential capabilities.
<VulnDiscussion> Application servers provide a myriad of differing processes, features and functionalities. Some of these processes may be de...Rule Medium Severity -
SRG-APP-000142-AS-000014
<GroupDescription></GroupDescription>Group -
Oracle WebLogic must prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.
<VulnDiscussion>Application servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these proces...Rule Medium Severity -
SRG-APP-000516-AS-000237
<GroupDescription></GroupDescription>Group -
Oracle WebLogic must authenticate users individually prior to using a group authenticator.
<VulnDiscussion>To assure individual accountability and prevent unauthorized access, application server users (and any processes acting on be...Rule High Severity -
SRG-APP-000516-AS-000237
<GroupDescription></GroupDescription>Group -
Oracle WebLogic must enforce minimum password length.
<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute...Rule Medium Severity -
SRG-APP-000516-AS-000237
<GroupDescription></GroupDescription>Group -
Oracle WebLogic must enforce password complexity by the number of upper-case characters used.
<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute...Rule Medium Severity -
SRG-APP-000516-AS-000237
<GroupDescription></GroupDescription>Group -
Oracle WebLogic must enforce password complexity by the number of lower-case characters used.
<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute...Rule Medium Severity -
SRG-APP-000516-AS-000237
<GroupDescription></GroupDescription>Group -
Oracle WebLogic must enforce password complexity by the number of numeric characters used.
<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute...Rule Medium Severity -
SRG-APP-000516-AS-000237
<GroupDescription></GroupDescription>Group -
Oracle WebLogic must enforce password complexity by the number of special characters used.
<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute...Rule Medium Severity -
SRG-APP-000172-AS-000120
<GroupDescription></GroupDescription>Group -
Oracle WebLogic must encrypt passwords during transmission.
<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmissi...Rule High Severity -
SRG-APP-000172-AS-000121
<GroupDescription></GroupDescription>Group -
Oracle WebLogic must utilize encryption when using LDAP for authentication.
<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmissi...Rule High Severity -
SRG-APP-000175-AS-000124
<GroupDescription></GroupDescription>Group -
Oracle WebLogic, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor.
<VulnDiscussion>A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of publ...Rule Medium Severity -
SRG-APP-000177-AS-000126
<GroupDescription></GroupDescription>Group -
Oracle WebLogic must map the PKI-based authentication identity to the user account.
<VulnDiscussion>The cornerstone of the PKI is the private key used to encrypt or digitally sign information. The key by itself is a cryptogra...Rule Medium Severity -
SRG-APP-000179-AS-000129
<GroupDescription></GroupDescription>Group -
Oracle WebLogic must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
<VulnDiscussion>Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified ...Rule Medium Severity -
SRG-APP-000179-AS-000129
<GroupDescription></GroupDescription>Group -
Oracle WebLogic must utilize FIPS 140-2 approved encryption modules when authenticating users and processes.
<VulnDiscussion>Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.