Skip to content
Log In

II - Mission Support Sensitive

Rules and Groups employed by this XCCDF Profile

  • SRG-APP-000516-WSR-000174

    Group
    Show

  • The CustomIdentityKeyStorePassPhrase property of the Node Manager configured to support OHS must be configured for secure communication.

    Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. The "CustomIdentityKeyStorePassPhrase" property is used to protect the data within the keystore. Witho...
    Rule Medium Severity
    Show

  • SRG-APP-000516-WSR-000174

    Group
    Show

  • The CustomIdentityAlias property of the Node Manager configured to support OHS must be configured for secure communication.

    Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. The "CustomIdentityAlias" specifies the alias when loading the private key into the keystore. This p...
    Rule Medium Severity
    Show

  • SRG-APP-000516-WSR-000174

    Group
    Show

  • The CustomIdentityPrivateKeyPassPhrase property of the Node Manager configured to support OHS must be configured for secure communication.

    Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. The "CustomIdentityPrivateKeyPassPhrase" is the password that protects the private key when creating ce...
    Rule Medium Severity
    Show

  • SRG-APP-000516-WSR-000174

    Group
    Show

  • The listen-address element defined within the config.xml of the OHS Standalone domain that supports OHS must be configured for secure communication.

    Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. When starting an OHS instance, the WebLogic Scripting Tool reads the parameters within the config.xml f...
    Rule Medium Severity
    Show

  • SRG-APP-000516-WSR-000174

    Group
    Show

  • The listen-port element defined within the config.xml of the OHS Standalone Domain must be configured for secure communication.

    Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. When starting an OHS instance, the WebLogic Scripting Tool reads the parameters within the config.xml f...
    Rule Medium Severity
    Show

  • SRG-APP-000516-WSR-000174

    Group
    Show

  • The WLST_PROPERTIES environment variable defined for the OHS WebLogic Scripting Tool must be updated to reference an appropriate trust store so that it can communicate with the Node Manager supporting OHS.

    Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. When starting an OHS instance, the "OHS" WebLogic Scripting Tool needs to trust the certificate present...
    Rule Medium Severity
    Show

  • SRG-APP-000516-WSR-000174

    Group
    Show

  • The WLST_PROPERTIES environment variable defined for the Fusion Middleware WebLogic Scripting Tool must be updated to reference an appropriate trust store so that it can communicate with the Node Manager supporting OHS.

    Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. When starting an OHS instance, the "Fusion Middleware" WebLogic Scripting Tool needs to trust the certi...
    Rule Medium Severity
    Show

  • SRG-APP-000516-WSR-000174

    Group
    Show

  • OHS must limit access to the Dynamic Monitoring Service (DMS).

    The Oracle Dynamic Monitoring Service (DMS) enables application developers, support analysts, system administrators, and others to measure application specific performance information. If OHS allo...
    Rule Medium Severity
    Show

  • SRG-APP-000516-WSR-000174

    Group
    Show

  • OHS must have the AllowOverride directive set properly.

    The property "AllowOverride" is used to allow directives to be set differently than those set for the overall architecture. When the property is not set to "None", OHS will check for directives in...
    Rule Medium Severity
    Show

  • SRG-APP-000516-WSR-000174

    Group
    Show

  • OHS must be set to evaluate deny directives first when considering whether to serve a file.

    Part of securing OHS is allowing/denying access to the web server. Deciding on the manor the allow/deny rules are evaluated can turn what was once an allowable access into being blocked if the eva...
    Rule Medium Severity
    Show

  • SRG-APP-000516-WSR-000174

    Group
    Show

  • OHS must deny all access by default when considering whether to serve a file.

    Part of securing OHS is allowing/denying access to the web server. Deciding on the manor the allow/deny rules are evaluated can turn what was once an allowable access into being blocked if the eva...
    Rule Medium Severity
    Show

  • SRG-APP-000516-WSR-000174

    Group
    Show

  • The OHS instance installation must not contain an .htaccess file.

    .htaccess files are used to override settings in the OHS configuration files. The placement of the .htaccess file is also important as the settings will affect the directory where the file is loca...
    Rule Medium Severity
    Show

  • SRG-APP-000516-WSR-000174

    Group
    Show

  • The OHS instance configuration must not reference directories that contain an .htaccess file.

    .htaccess files are used to override settings in the OHS configuration files. The placement of the .htaccess file is also important as the settings will affect the directory where the file is loca...
    Rule Medium Severity
    Show

  • SRG-APP-000516-WSR-000174

    Group
    Show

  • OHS must have the HostnameLookups directive enabled.

    Setting the "HostnameLookups" to "On" allows for more information to be logged in the event of an attack and subsequent investigation. This information can be added to other information gathered t...
    Rule Low Severity
    Show

  • SRG-APP-000516-WSR-000174

    Group
    Show

  • OHS must have the ServerAdmin directive set properly.

    Making sure that information is given to the system administrator in a timely fashion is important. This information can be system status, warnings that may need attention before system failure or...
    Rule Medium Severity
    Show

  • SRG-APP-000516-WSR-000174

    Group
    Show

  • OHS must restrict access methods.

    The directive "<LimitExcept>" allows the system administrator to restrict what users may use which methods. An example of methods would be GET, POST and DELETE. These three are the most common us...
    Rule Medium Severity
    Show

  • SRG-APP-000516-WSR-000174

    Group
    Show

  • The OHS htdocs directory must not contain any default files.

    Default files from the OHS installation should not be part of the htdocs directory. These files are not always patched or supported and may become an attacker vector in the future.
    Rule Medium Severity
    Show

  • SRG-APP-000516-WSR-000174

    Group
    Show

  • OHS must have the SSLSessionCacheTimeout directive set properly.

    During an SSL session, information about the session is stored in the global/inter-process SSL Session Cache, the OpenSSL internal memory cache and for sessions resumed by TLS session resumption (R...
    Rule Medium Severity
    Show

  • SRG-APP-000516-WSR-000174

    Group
    Show

  • OHS must have the RewriteEngine directive enabled.

    The rewrite engine is used to evaluate URL requests and modify the requests on the fly. Enabling this engine gives the system administrator the capability to trap potential attacks before reaching...
    Rule Low Severity
    Show

  • SRG-APP-000516-WSR-000174

    Group
    Show

  • OHS must have the RewriteOptions directive set properly.

    The rules for the rewrite engine can be configured to inherit those from the parent and build upon that set of rules, to copy the rules from the parent if there are none defined or to only process ...
    Rule Low Severity
    Show

  • SRG-APP-000516-WSR-000174

    Group
    Show

  • OHS must have the RewriteLogLevel directive set to the proper log level.

    Logging must not contain sensitive information or more information necessary than that needed to administer the system. The log levels from the rewrite engine range from 0 to 9 where 0 is no loggi...
    Rule Low Severity
    Show

  • SRG-APP-000516-WSR-000174

    Group
    Show

  • OHS must have the RewriteLog directive set properly.

    Specifying where the log files are written gives the system administrator the capability to store the files in a location other than the default, with system files or in a globally accessible locat...
    Rule Low Severity
    Show

  • SRG-APP-000516-WSR-000174

    Group
    Show

  • All accounts installed with the web server software and tools must have passwords assigned and default passwords changed.

    During installation of the web server software, accounts are created for the web server to operate properly. The accounts installed can have either no password installed or a default password, whic...
    Rule Medium Severity
    Show

  • SRG-APP-000516-WSR-000174

    Group
    Show

  • A production OHS Installation must prohibit the installation of a compiler.

    The presence of a compiler on a production server facilitates the malicious user’s task of creating custom versions of programs and installing Trojan Horses or viruses. For example, the attacker’s...
    Rule Medium Severity
    Show

  • SRG-APP-000516-WSR-000174

    Group
    Show

  • A public OHS installation, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension.

    To minimize exposure of private assets to unnecessary risk by attackers, public web servers must be isolated from internal systems. Public web servers are by nature more vulnerable to attack from ...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules