Oracle WebLogic must adhere to the principles of least functionality by providing only essential capabilities.
An XCCDF Rule
Description
Application servers provide a myriad of differing processes, features and functionalities. Some of these processes may be deemed to be unnecessary or too insecure to run on a production DoD system. Application servers must provide the capability to disable or deactivate functionality and services that are deemed to be non-essential to the server mission or can adversely impact server performance, for example, disabling dynamic JSP reloading on production application servers as a best practice.
- ID
- SV-235961r628661_rule
- Version
- WBLC-03-000127
- Severity
- Medium
- References
- Updated
Remediation Templates
A Manual Procedure
1. Access AC
2. From 'Domain Structure', select 'Deployments'
3. Select a deployment of type 'Web Application' from list of deployments
4. Select 'Configuration' tab -> 'General' tab
5. Utilize 'Change Center' to create a new change session
6. Set 'JSP Page Check' field value to '-1', which indicates JSP reloading is disabled within this deployment. Click 'Save'. Repeat steps 3-6 for all 'Web Application' type deployments.
7. For every WebLogic resource within the domain, the 'Configuration' tab and associated subtabs provide the ability to disable or deactivate functionality and services that are deemed to be non-essential to the server mission or can adversely impact server performance