II - Mission Support Sensitive
Rules and Groups employed by this XCCDF Profile
Group: SRG-APP-000516-WSR-000174
Rule (Medium Severity): A private OHS installation must be located on a separate controlled access subnet.
Private web servers, which host sites that serve controlled access data, must be protected from outside threats in addition to insider threats. Insider threat may be accidental or intentional but, ...

Group: SRG-APP-000516-WSR-000174
Rule (High Severity): The version of the OHS installation must be vendor-supported.
Many vulnerabilities are associated with older versions of software. As hot fixes and patches are issued, these solutions are included in the next version of the server software. Maintaining OHS ...

Group: SRG-APP-000516-WSR-000174
Rule (Medium Severity): OHS must be certified with accompanying Fusion Middleware products.
OHS is capable of being used with other Oracle products. For the products to work properly and not introduce vulnerabilities or errors, Oracle certifies which versions work with each other. Insis...

Group: SRG-APP-000516-WSR-000174
Rule (Medium Severity): OHS tools must be restricted to the web manager and the web manager's designees.
All automated information systems are at risk of data loss due to disaster or compromise. Failure to provide adequate protection to the administration tools creates risk of potential theft or damag...

Group: SRG-APP-000516-WSR-000174
Rule (Low Severity): All utility programs not necessary for operations must be removed or disabled.
Just as running unneeded services and protocols is a danger to the web server at the lower levels of the OSI model, running unneeded utilities and programs is also a danger at the application layer...

Group: SRG-APP-000516-WSR-000174
Rule (Medium Severity): The OHS htpasswd files (if present) must reflect proper ownership and permissions.
In addition to OS restrictions, access rights to files and directories can be set on a web site using the web server software. That is, in addition to allowing or denying all access rights, a rule...

Group: SRG-APP-000516-WSR-000174
Rule (Medium Severity): A public OHS installation must limit e-mail to outbound only.
Incoming e-mail has been known to provide hackers with access to servers. Disabling the incoming mail service prevents this type of attack. Additionally, e-mail represents the main use of the Inter...

Group: SRG-APP-000516-WSR-000174
Rule (Low Severity): OHS content and configuration files must be part of a routine backup program.
Backing up web server data and web server application software after upgrades or maintenance ensures that recovery can be accomplished up to the current version. It also provides a means to determ...

Group: SRG-APP-000516-WSR-000174
Rule (Medium Severity): OHS must be segregated from other services.
The web server installation and configuration plan should not support the co-hosting of multiple services such as Domain Name Service (DNS), e-mail, databases, search engines, indexing, or streamin...

Group: SRG-APP-000516-WSR-000174
Rule (Medium Severity): OHS must have all applicable patches (i.e., CPUs) applied/documented (OEM).
The IAVM process does not address all patches that have been identified for the host operating system or, in this case, the web server software environment. Many vendors have subscription services ...

Group: SRG-APP-000516-WSR-000174
Rule (Medium Severity): A private OHS list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA.
A PKI certificate is a digital identifier that establishes the identity of an individual or a platform. A server that has a certificate provides users with third-party confirmation of authenticity....

Group: SRG-APP-000516-WSR-000174
Rule (Medium Severity): OHS must have the ScoreBoardFile directive disabled.
The ScoreBoardFile directive sets a file path which the server will use for Inter-Process Communication (IPC) among the Apache processes. If the directive is specified, then Apache will use the con...

Group: SRG-APP-000516-WSR-000174
Rule (Medium Severity): The OHS document root directory must not be on a network share.
Sharing of web server content is a security risk when a web server is involved. Users accessing the share anonymously could experience privileged access to the content of such directories. Network ...

Group: SRG-APP-000516-WSR-000174
Rule (Medium Severity): The OHS server root directory must not be on a network share.
Sharing of the web server directory where the executables are stored is a security risk when a web server is involved. Users that have access to the share may not be administrative users. These u...

Group: SRG-APP-000516-WSR-000174
Rule (High Severity): Symbolic links must not be used in the web content directory tree.
A symbolic link allows a file or a directory to be referenced using a symbolic name, raising a potential hazard if symbolic linkage is made to a sensitive area. When web scripts are executed and sym...

Group: SRG-APP-000516-WSR-000174
Rule (High Severity): OHS administration must be performed over a secure path or at the local console.
Logging into a web server remotely using an unencrypted protocol or service when performing updates and maintenance is a major risk. Data, such as user account data, is transmitted in plaintext and can...

Group: SRG-APP-000516-WSR-000174
Rule (Medium Severity): OHS must not contain any robots.txt files.
Search engines are constantly at work on the Internet. Search engines are augmented by agents, often referred to as spiders or bots, which endeavor to capture and catalog web-site content. In tur...

Group: SRG-APP-000516-WSR-000174
Rule (Medium Severity): OHS must prohibit anonymous FTP user access to interactive scripts.
The directories containing the CGI scripts, such as PERL, must not be accessible to anonymous users via FTP. This applies to all directories that contain scripts that can dynamically produce web pa...

Group: SRG-APP-000516-WSR-000174
Rule (Medium Severity): The OHS DocumentRoot directory must be in a separate partition from the OHS ServerRoot directory.
Application partitioning enables an additional security measure by securing user traffic under one security context, while managing system and application files under another. Web content is access...

Group: SRG-APP-000516-WSR-000174
Rule (Medium Severity): The OHS DocumentRoot directory must be on a separate partition from the OS root partition.
Application partitioning enables an additional security measure by securing user traffic under one security context, while managing system and application files under another. Web content is access...

Group: SRG-APP-000516-WSR-000174
Rule (Medium Severity): Remote authors or content providers must have all files scanned for viruses and malicious code before uploading files to the Document Root directory.
Remote web authors should not be able to upload files to the DocumentRoot directory structure without virus checking and checking for malicious or mobile code. A remote web user whose agency has a ...

Group: SRG-APP-000516-WSR-000174
Rule (Medium Severity): A public OHS server must use TLS if authentication is required to host web sites.
Transport Layer Security (TLS) is optional for a public web server. However, if authentication is being performed, then the use of the TLS protocol is required. Without the use of TLS, the authen...

Group: SRG-APP-000516-WSR-000174
Rule (Low Severity): OHS hosted web sites must utilize ports, protocols, and services according to PPSM guidelines.
Failure to comply with DoD ports, protocols, and services (PPS) requirements can result in compromise of enclave boundary protections and/or functionality of the automated information system (AIS)....

Group: SRG-APP-000516-WSR-000174
Rule (High Severity): OHS must not have the directive PlsqlDatabasePassword set in clear text.
OHS supports the use of the module mod_plsql, which allows applications to be hosted that are PL/SQL-based. To access the database, the module must have a valid username, password and database nam...

Group: SRG-APP-000141-WSR-000075
Rule (Medium Severity): If WebLogic is not in use with OHS, OHS must have the include mod_wl_ohs.conf directive disabled at the server level.
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capabil...