III - Administrative Public
Rules and Groups employed by this XCCDF Profile
-
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
A private OHS installation must be located on a separate controlled access subnet.
<VulnDiscussion>Private web servers, which host sites that serve controlled access data, must be protected from outside threats in addition t...Rule Medium Severity -
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
The version of the OHS installation must be vendor-supported.
<VulnDiscussion>Many vulnerabilities are associated with older versions of software. As hot fixes and patches are issued, these solutions ar...Rule High Severity -
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
OHS must be certified with accompanying Fusion Middleware products.
<VulnDiscussion>OHS is capable of being used with other Oracle products. For the products to work properly and not introduce vulnerabilities...Rule Medium Severity -
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
OHS tools must be restricted to the web manager and the web managers designees.
<VulnDiscussion>All automated information systems are at risk of data loss due to disaster or compromise. Failure to provide adequate protect...Rule Medium Severity -
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
All utility programs, not necessary for operations, must be removed or disabled.
<VulnDiscussion>Just as running unneeded services and protocols is a danger to the web server at the lower levels of the OSI model, running u...Rule Low Severity -
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
The OHS htpasswd files (if present) must reflect proper ownership and permissions.
<VulnDiscussion>In addition to OS restrictions, access rights to files and directories can be set on a web site using the web server software...Rule Medium Severity -
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
A public OHS installation must limit email to outbound only.
<VulnDiscussion>Incoming E-mail has been known to provide hackers with access to servers. Disabling the incoming mail service prevents this t...Rule Medium Severity -
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
OHS content and configuration files must be part of a routine backup program.
<VulnDiscussion>Backing up web server data and web server application software after upgrades or maintenance ensures that recovery can be acc...Rule Low Severity -
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
OHS must be segregated from other services.
<VulnDiscussion>The web server installation and configuration plan should not support the co-hosting of multiple services such as Domain Name...Rule Medium Severity -
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
OHS must have all applicable patches (i.e., CPUs) applied/documented (OEM).
<VulnDiscussion>The IAVM process does not address all patches that have been identified for the host operating system or, in this case, the w...Rule Medium Severity -
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
A private OHS list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA.
<VulnDiscussion>A PKI certificate is a digital identifier that establishes the identity of an individual or a platform. A server that has a c...Rule Medium Severity -
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
OHS must have the ScoreBoardFile directive disabled.
<VulnDiscussion>The ScoreBoardFile directive sets a file path which the server will use for Inter-Process Communication (IPC) among the Apach...Rule Medium Severity -
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
The OHS document root directory must not be on a network share.
<VulnDiscussion>Sharing of web server content is a security risk when a web server is involved. Users accessing the share anonymously could e...Rule Medium Severity -
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
The OHS server root directory must not be on a network share.
<VulnDiscussion>Sharing of the web server directory where the executables are stored is a security risk when a web server is involved. Users...Rule Medium Severity -
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
Symbolic links must not be used in the web content directory tree.
<VulnDiscussion>A symbolic link allows a file or a directory to be referenced using a symbolic name raising a potential hazard if symbolic li...Rule High Severity -
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
OHS administration must be performed over a secure path or at the local console.
<VulnDiscussion>Logging into a web server remotely using an unencrypted protocol or service when performing updates and maintenance is a majo...Rule High Severity -
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
OHS must not contain any robots.txt files.
<VulnDiscussion>Search engines are constantly at work on the Internet. Search engines are augmented by agents, often referred to as spiders ...Rule Medium Severity -
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
OHS must prohibit anonymous FTP user access to interactive scripts.
<VulnDiscussion>The directories containing the CGI scripts, such as PERL, must not be accessible to anonymous users via FTP. This applies to ...Rule Medium Severity -
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
The OHS DocumentRoot directory must be in a separate partition from the OHS ServerRoot directory.
<VulnDiscussion>Application partitioning enables an additional security measure by securing user traffic under one security context, while ma...Rule Medium Severity -
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
The OHS DocumentRoot directory must be on a separate partition from OS root partition.
<VulnDiscussion>Application partitioning enables an additional security measure by securing user traffic under one security context, while ma...Rule Medium Severity -
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
Remote authors or content providers must have all files scanned for viruses and malicious code before uploading files to the Document Root directory.
<VulnDiscussion>Remote web authors should not be able to upload files to the DocumentRoot directory structure without virus checking and chec...Rule Medium Severity -
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
A public OHS server must use TLS if authentication is required to host web sites.
<VulnDiscussion>Transport Layer Security (TLS) is optional for a public web server. However, if authentication is being performed, then the ...Rule Medium Severity -
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
OHS hosted web sites must utilize ports, protocols, and services according to PPSM guidelines.
<VulnDiscussion>Failure to comply with DoD ports, protocols, and services (PPS) requirements can result in compromise of enclave boundary pro...Rule Low Severity -
SRG-APP-000516-WSR-000174
<GroupDescription></GroupDescription>Group -
OHS must not have the directive PlsqlDatabasePassword set in clear text.
<VulnDiscussion>OHS supports the use of the module mod_plsql, which allows applications to be hosted that are PL/SQL-based. To access the da...Rule High Severity -
SRG-APP-000141-WSR-000075
<GroupDescription></GroupDescription>Group -
If WebLogic is not in use with OHS, OHS must have the include mod_wl_ohs.conf directive disabled at the server level.
<VulnDiscussion>A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to r...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.