Oracle HTTP Server 12.1.3 Security Technical Implementation Guide

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]

Details

Version / Release: V1R7

Published: 2020-06-12

Updated At: 2020-08-15 20:24:37


Vuln Rule | Version | CCI | Severity | Title | Description
SV-77643r1_rule | OH12-1X-000001 | CCI-000054 | MEDIUM | OHS must have the mpm property set to use the worker Multi-Processing Module (MPM) as the preferred means to limit the number of allowed simultaneous requests. | Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to several types of Denial of Service at
SV-78615r1_rule | OH12-1X-000002 | CCI-000054 | MEDIUM | OHS must have the mpm_prefork_module directive disabled so as not to conflict with the worker directive used to limit the number of allowed simultaneous requests. | Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to several types of Denial of Service at
SV-78617r1_rule | OH12-1X-000003 | CCI-000054 | MEDIUM | OHS must have the MaxClients directive defined to limit the number of allowed simultaneous requests. | Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to several types of Denial of Service at
SV-78619r1_rule | OH12-1X-000004 | CCI-000054 | MEDIUM | OHS must limit the number of threads within a worker process to limit the number of allowed simultaneous requests. | Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to several types of Denial of Service at
SV-78621r1_rule | OH12-1X-000005 | CCI-000054 | MEDIUM | OHS must limit the number of worker processes to limit the number of allowed simultaneous requests. | Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to several types of Denial of Service at
SV-78623r1_rule | OH12-1X-000007 | CCI-000068 | HIGH | OHS must have the LoadModule ossl_module directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server. | The web server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or communication to authenticate users. The encryption used to communicate must match the data that is being retriev
SV-78625r1_rule | OH12-1X-000008 | CCI-000068 | HIGH | OHS must have the SSLFIPS directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server. | The web server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or communication to authenticate users. The encryption used to communicate must match the data that is being retriev
SV-78627r2_rule | OH12-1X-000009 | CCI-000068 | MEDIUM | OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to encrypt remote connections in accordance with the categorization of data hosted by the web server. | The web server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or communication to authenticate users. The encryption used to communicate must match the data that is being retriev
SV-78629r2_rule | OH12-1X-000010 | CCI-000068 | HIGH | OHS must have the SSLCipherSuite directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server. | The web server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or communication to authenticate users. The encryption used to communicate must match the data that is being retriev
SV-78631r1_rule | OH12-1X-000011 | CCI-001453 | HIGH | OHS must have the LoadModule ossl_module directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted s
SV-78633r1_rule | OH12-1X-000012 | CCI-001453 | HIGH | OHS must have the SSLFIPS directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted s
SV-78635r2_rule | OH12-1X-000013 | CCI-001453 | HIGH | OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted s
SV-78637r1_rule | OH12-1X-000014 | CCI-001453 | HIGH | OHS must have the SSLCipherSuite directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted s
SV-78639r1_rule | OH12-1X-000015 | CCI-001453 | MEDIUM | OHS must have the SecureProxy directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted s
SV-78641r1_rule | OH12-1X-000016 | CCI-001453 | MEDIUM | OHS must have the WLSSLWallet directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted s
SV-78643r1_rule | OH12-1X-000017 | CCI-001453 | MEDIUM | OHS must have the WebLogicSSLVersion directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted s
SV-78645r1_rule | OH12-1X-000018 | CCI-001453 | MEDIUM | OHS must have the WLProxySSL directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted s
SV-78647r1_rule | OH12-1X-000019 | CCI-000067 | MEDIUM | OHS must have the LoadModule log_config_module directive enabled to generate information to be used by external applications or entities to monitor and control remote access. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information
SV-78649r1_rule | OH12-1X-000020 | CCI-000067 | MEDIUM | OHS must have the OraLogMode set to Oracle Diagnostic Logging text mode to generate information to be used by external applications or entities to monitor and control remote access. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information
SV-78651r1_rule | OH12-1X-000021 | CCI-000067 | MEDIUM | OHS must have a log directory location defined to generate information for use by external applications or entities to monitor and control remote access. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information
SV-78653r1_rule | OH12-1X-000022 | CCI-000067 | MEDIUM | OHS must have the OraLogSeverity directive defined to generate adequate information to be used by external applications or entities to monitor and control remote access. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information
SV-78655r1_rule | OH12-1X-000023 | CCI-000067 | MEDIUM | OHS must have the log rotation parameter set to allow generated information to be used by external applications or entities to monitor and control remote access. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information
SV-78657r1_rule | OH12-1X-000024 | CCI-000067 | MEDIUM | OHS must have a log format defined to generate adequate information to be used by external applications or entities to monitor and control remote access. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information
SV-78659r1_rule | OH12-1X-000025 | CCI-000067 | MEDIUM | OHS must have an SSL log format defined to allow generated information to be used by external applications or entities to monitor and control remote access in accordance with the categorization of data hosted by the web server. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information
SV-78661r1_rule | OH12-1X-000026 | CCI-000067 | MEDIUM | OHS must have a log file defined for each site/virtual host to capture information to be used by external applications or entities to monitor and control remote access. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information
SV-78663r1_rule | OH12-1X-000040 | CCI-000169 | MEDIUM | OHS must have the client requests logging module loaded to generate log records for system startup and shutdown, system access, and system authentication logging. | Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the
SV-78665r1_rule | OH12-1X-000041 | CCI-000169 | MEDIUM | OHS must have OraLogMode set to Oracle Diagnostic Logging text mode to generate log records for system startup and shutdown, system access, and system authentication logging. | Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the
SV-78667r1_rule | OH12-1X-000042 | CCI-000169 | MEDIUM | OHS must have a log directory location defined to generate log records for system startup and shutdown, system access, and system authentication logging. | Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the
SV-78669r1_rule | OH12-1X-000043 | CCI-000169 | MEDIUM | OHS must have a log level severity defined to generate adequate log records for system startup and shutdown, system access, and system authentication events. | Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the
SV-78671r1_rule | OH12-1X-000044 | CCI-000169 | MEDIUM | OHS must have the log rotation parameter set to allow for the generation of log records for system startup and shutdown, system access, and system authentication events. | Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the
SV-78673r1_rule | OH12-1X-000045 | CCI-000169 | MEDIUM | OHS must have a log format defined to generate adequate logs for system startup and shutdown, system access, and system authentication events. | Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the
SV-78675r1_rule | OH12-1X-000046 | CCI-000169 | MEDIUM | OHS must have an SSL log format defined to generate adequate logs for system startup and shutdown, system access, and system authentication events. | Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the
SV-78677r1_rule | OH12-1X-000047 | CCI-000169 | MEDIUM | OHS must have a log file defined for each site/virtual host to capture logs generated by system startup and shutdown, system access, and system authentication events. | Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the
SV-78679r1_rule | OH12-1X-000049 | CCI-001462 | MEDIUM | OHS must capture, record, and log all content related to a user session. | A user session to a web server is in the context of a user accessing a hosted application that extends to any plug-ins/modules and services that may execute on behalf of the user. The web server must be capable of enabling a setting for troubleshooting,
SV-78681r1_rule | OH12-1X-000050 | CCI-000130 | MEDIUM | OHS must have a log level severity defined to produce sufficient log records to establish what type of events occurred. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct type of event that occurred is important during forensic
SV-78683r1_rule | OH12-1X-000051 | CCI-000130 | MEDIUM | OHS must have a log format defined for log records generated to capture sufficient information to establish what type of events occurred. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct type of event that occurred is important during forensic
SV-78685r1_rule | OH12-1X-000052 | CCI-000130 | MEDIUM | OHS must have an SSL log format defined for log records generated to capture sufficient information to establish what type of events occurred. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct type of event that occurred is important during forensic
SV-78687r1_rule | OH12-1X-000053 | CCI-000130 | MEDIUM | OHS must have a log file defined for each site/virtual host to capture sufficient information to establish what type of events occurred. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct type of event that occurred is important during forensic
SV-78689r1_rule | OH12-1X-000054 | CCI-000131 | MEDIUM | OHS must have a log format defined for log records generated to capture sufficient information to establish when an event occurred. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct order of the events that occurred is important during fo
SV-78691r1_rule | OH12-1X-000055 | CCI-000131 | MEDIUM | OHS must have an SSL log format defined for log records generated to capture sufficient information to establish when an event occurred. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct order of the events that occurred is important during fo
SV-78693r1_rule | OH12-1X-000056 | CCI-000131 | MEDIUM | OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of when an event occurred. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct order of the events that occurred is important during fo
SV-78695r1_rule | OH12-1X-000057 | CCI-000132 | MEDIUM | OHS must have a log format defined for log records that allow the establishment of where within OHS the events occurred. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct location or process within the web server where the even
SV-78697r1_rule | OH12-1X-000058 | CCI-000132 | MEDIUM | OHS must have an SSL log format defined for log records that allow the establishment of where within OHS the events occurred. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct location or process within the web server where the even
SV-78699r1_rule | OH12-1X-000059 | CCI-000132 | MEDIUM | OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of where within OHS the events occurred. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct location or process within the web server where the even
SV-78701r1_rule | OH12-1X-000060 | CCI-000133 | MEDIUM | OHS must have a log format defined for log records that allow the establishment of the source of events. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., source IP, of the events is important duri
SV-78703r1_rule | OH12-1X-000061 | CCI-000133 | MEDIUM | OHS must have an SSL log format defined for log records that allow the establishment of the source of events. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., source IP, of the events is important duri
SV-78705r1_rule | OH12-1X-000062 | CCI-000133 | MEDIUM | OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of the source of events. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., source IP, of the events is important duri
SV-78707r1_rule | OH12-1X-000063 | CCI-000133 | MEDIUM | OHS, behind a load balancer or proxy server, must produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., source IP, of the events is important duri
SV-78709r1_rule | OH12-1X-000064 | CCI-000133 | MEDIUM | OHS, behind a load balancer or proxy server, must have the SSL log format set correctly to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., source IP, of the events is important duri
SV-78711r1_rule | OH12-1X-000065 | CCI-000133 | MEDIUM | OHS, behind a load balancer or proxy server, must have a log file defined for each site/virtual host to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., source IP, of the events is important duri
SV-78713r1_rule | OH12-1X-000066 | CCI-000134 | MEDIUM | OHS must have a log format defined to produce log records that contain sufficient information to establish the outcome (success or failure) of events. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the success or failure of an event is important during forensic anal
SV-78715r1_rule | OH12-1X-000067 | CCI-000134 | MEDIUM | OHS must have an SSL log format defined to produce log records that contain sufficient information to establish the outcome (success or failure) of events. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the success or failure of an event is important during forensic anal
SV-78717r1_rule | OH12-1X-000068 | CCI-000134 | MEDIUM | OHS must have a log file defined for each site/virtual host to produce log records that contain sufficient information to establish the outcome (success or failure) of events. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the success or failure of an event is important during forensic anal
SV-78719r1_rule | OH12-1X-000069 | CCI-001487 | MEDIUM | OHS must have a log format defined to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Determining user accounts, processes running on behalf of the user, and running pr
SV-78721r1_rule | OH12-1X-000070 | CCI-001487 | MEDIUM | OHS must have an SSL log format defined to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Determining user accounts, processes running on behalf of the user, and running pr
SV-78723r1_rule | OH12-1X-000071 | CCI-001487 | MEDIUM | OHS must have a log file defined for each site/virtual host to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Determining user accounts, processes running on behalf of the user, and running pr
SV-78725r1_rule | OH12-1X-000074 | CCI-000162 | MEDIUM | OHS log files must only be accessible by privileged users. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In
SV-78727r1_rule | OH12-1X-000075 | CCI-000163 | MEDIUM | The log information from OHS must be protected from unauthorized modification. | Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromis
SV-78729r1_rule | OH12-1X-000076 | CCI-000164 | MEDIUM | The log information from OHS must be protected from unauthorized deletion. | Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromis
SV-78731r1_rule | OH12-1X-000077 | CCI-001348 | MEDIUM | The log data and records from OHS must be backed up onto a different system or media. | Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up log records to an unrelated system or onto separate media than the system the web server is actually running on helps to assure that, in the event of a catas
SV-78733r1_rule | OH12-1X-000093 | CCI-000381 | MEDIUM | OHS must have the LoadModule file_cache_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
SV-78735r1_rule | OH12-1X-000094 | CCI-000381 | LOW | OHS must have the LoadModule vhost_alias_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
SV-78737r1_rule | OH12-1X-000095 | CCI-000381 | MEDIUM | OHS must have the LoadModule env_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
SV-78739r1_rule | OH12-1X-000096 | CCI-000381 | LOW | OHS must have the LoadModule mime_magic_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
SV-78741r1_rule | OH12-1X-000097 | CCI-000381 | LOW | OHS must have the LoadModule negotiation_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
SV-78743r1_rule | OH12-1X-000098 | CCI-000381 | LOW | OHS must not have the LanguagePriority directive enabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
SV-78745r1_rule | OH12-1X-000099 | CCI-000381 | LOW | OHS must not have the ForceLanguagePriority directive enabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
SV-78747r1_rule | OH12-1X-000100 | CCI-000381 | MEDIUM | OHS must have the LoadModule status_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
SV-78749r1_rule | OH12-1X-000101 | CCI-000381 | MEDIUM | OHS must have the LoadModule info_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
SV-78751r1_rule | OH12-1X-000102 | CCI-000381 | MEDIUM | OHS must have the LoadModule include_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
SV-78753r1_rule | OH12-1X-000103 | CCI-000381 | MEDIUM | OHS must have the LoadModule autoindex_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
SV-78755r1_rule | OH12-1X-000104 | CCI-000381 | MEDIUM | OHS must have the IndexOptions directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
SV-78757r1_rule | OH12-1X-000105 | CCI-000381 | MEDIUM | OHS must have the AddIconByEncoding directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
SV-78759r1_rule | OH12-1X-000106 | CCI-000381 | MEDIUM | OHS must have the AddIconByType directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
SV-78761r1_rule | OH12-1X-000107 | CCI-000381 | MEDIUM | OHS must have the AddIcon directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78763r1_rule OH12-1X-000108 CCI-000381 MEDIUM OHS must have the DefaultIcon directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78765r1_rule OH12-1X-000109 CCI-000381 MEDIUM OHS must have the ReadmeName directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78767r1_rule OH12-1X-000110 CCI-000381 MEDIUM OHS must have the HeaderName directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78769r1_rule OH12-1X-000111 CCI-000381 MEDIUM OHS must have the IndexIgnore directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78771r1_rule OH12-1X-000112 CCI-000381 LOW OHS must have the LoadModule dir_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78773r1_rule OH12-1X-000113 CCI-000381 LOW OHS must have the DirectoryIndex directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78775r1_rule OH12-1X-000114 CCI-000381 MEDIUM OHS must have the LoadModule cgi_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78777r1_rule OH12-1X-000115 CCI-000381 MEDIUM OHS must have the LoadModule fastcgi_module disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78779r1_rule OH12-1X-000116 CCI-000381 MEDIUM OHS must have the LoadModule cgid_module directive disabled for mpm workers. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78781r1_rule OH12-1X-000117 CCI-000381 LOW OHS must have the IfModule cgid_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78783r1_rule OH12-1X-000118 CCI-000381 LOW OHS must have the LoadModule mpm_winnt_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78785r1_rule OH12-1X-000119 CCI-000381 MEDIUM OHS must have the ScriptAlias directive for CGI scripts disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78787r1_rule OH12-1X-000120 CCI-000381 MEDIUM OHS must have the ScriptSock directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78789r2_rule OH12-1X-000121 CCI-000381 MEDIUM OHS must have the cgi-bin directory disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78791r1_rule OH12-1X-000122 CCI-000381 MEDIUM OHS must have directives pertaining to certain scripting languages removed from virtual hosts. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78793r1_rule OH12-1X-000123 CCI-000381 LOW OHS must have the LoadModule asis_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78795r1_rule OH12-1X-000124 CCI-000381 LOW OHS must have the LoadModule imagemap_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78797r1_rule OH12-1X-000125 CCI-000381 MEDIUM OHS must have the LoadModule actions_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78799r1_rule OH12-1X-000126 CCI-000381 LOW OHS must have the LoadModule speling_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78801r1_rule OH12-1X-000127 CCI-000381 MEDIUM OHS must have the LoadModule userdir_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78803r1_rule OH12-1X-000128 CCI-000381 MEDIUM OHS must have the AliasMatch directive pertaining to the OHS manuals disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78805r1_rule OH12-1X-000129 CCI-000381 MEDIUM OHS must have the Directory directive pointing to the OHS manuals disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78807r1_rule OH12-1X-000130 CCI-000381 MEDIUM OHS must have the LoadModule auth_basic_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78809r2_rule OH12-1X-000131 CCI-000381 MEDIUM OHS must have the LoadModule authz_user_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78811r1_rule OH12-1X-000132 CCI-000381 MEDIUM OHS must have the LoadModule authn_file_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78813r1_rule OH12-1X-000133 CCI-000381 MEDIUM OHS must have the LoadModule authn_anon_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78815r2_rule OH12-1X-000134 CCI-000381 MEDIUM OHS must have the LoadModule proxy_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78817r2_rule OH12-1X-000135 CCI-000381 MEDIUM OHS must have the LoadModule proxy_http_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78819r1_rule OH12-1X-000136 CCI-000381 MEDIUM OHS must have the LoadModule proxy_ftp_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78821r1_rule OH12-1X-000137 CCI-000381 MEDIUM OHS must have the LoadModule proxy_connect_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78823r1_rule OH12-1X-000138 CCI-000381 MEDIUM OHS must have the LoadModule proxy_balancer_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78825r1_rule OH12-1X-000139 CCI-000381 LOW OHS must have the LoadModule cern_meta_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78827r1_rule OH12-1X-000140 CCI-000381 LOW OHS must have the LoadModule expires_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78829r1_rule OH12-1X-000141 CCI-000381 LOW OHS must have the LoadModule usertrack_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78831r2_rule OH12-1X-000142 CCI-000381 LOW OHS must have the LoadModule uniqueid_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78833r1_rule OH12-1X-000143 CCI-000381 MEDIUM OHS must have the LoadModule setenvif_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78835r1_rule OH12-1X-000144 CCI-000381 MEDIUM OHS must have the BrowserMatch directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78837r1_rule OH12-1X-000145 CCI-000381 MEDIUM OHS must have the LoadModule dumpio_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78839r1_rule OH12-1X-000146 CCI-000381 LOW OHS must have the IfModule dumpio_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78841r1_rule OH12-1X-000147 CCI-000381 MEDIUM OHS must have the Alias /icons/ directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78843r1_rule OH12-1X-000148 CCI-000381 MEDIUM OHS must have the path to the icons directory disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78845r1_rule OH12-1X-000149 CCI-000381 LOW OHS must have the IfModule mpm_winnt_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78847r1_rule OH12-1X-000235 CCI-000381 MEDIUM If WebLogic is not in use with OHS, OHS must have the include mod_wl_ohs.conf directive disabled at the server level. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78849r1_rule OH12-1X-000236 CCI-000381 MEDIUM If mod_plsql is not in use with OHS, OHS must have the include moduleconf/* directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-78851r2_rule OH12-1X-000150 CCI-000381 MEDIUM OHS must have the LoadModule proxy_module directive disabled. A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very comm
    SV-78853r2_rule OH12-1X-000151 CCI-000381 MEDIUM OHS must have the LoadModule proxy_http_module directive disabled. A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very comm
    SV-78855r1_rule OH12-1X-000152 CCI-000381 MEDIUM OHS must have the LoadModule proxy_ftp_module directive disabled. A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very comm
    SV-78865r1_rule OH12-1X-000153 CCI-000381 MEDIUM OHS must have the LoadModule proxy_connect_module directive disabled. A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very comm
    SV-78867r1_rule OH12-1X-000154 CCI-000381 MEDIUM OHS must have the LoadModule proxy_balancer_module directive disabled. A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very comm
    SV-78869r1_rule OH12-1X-000156 CCI-000381 LOW OHS must disable the directive pointing to the directory containing the OHS manuals. Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production web server must only contain components that are operationa
    SV-78871r1_rule OH12-1X-000157 CCI-000381 MEDIUM OHS must have the AliasMatch directive disabled for the OHS manuals. Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production web server must only contain components that are operationa
    SV-78873r1_rule OH12-1X-000160 CCI-000381 MEDIUM OHS must have the AddHandler directive disabled. Controlling what a user of a hosted application can access is part of the security posture of the web server. Allowing a user to access more functionality than is needed for the operation of the hosted application poses a security issue. A user with too
    SV-78875r1_rule OH12-1X-000161 CCI-000381 MEDIUM OHS must have the LoadModule cgi_module directive disabled. Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server.
    SV-78877r1_rule OH12-1X-000162 CCI-000381 MEDIUM OHS must have the LoadModule cgid_module directive disabled. Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server.
    SV-78879r1_rule OH12-1X-000163 CCI-000381 MEDIUM OHS must have the IfModule cgid_module directive disabled for the OHS server, virtual host, and directory configuration. Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server.
    SV-78881r1_rule OH12-1X-000164 CCI-000381 LOW OHS must have the LoadModule cgi_module directive disabled within the IfModule mpm_winnt_module directive. Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server.
    SV-78883r1_rule OH12-1X-000165 CCI-000381 MEDIUM OHS must have the ScriptAlias /cgi-bin/ directive within an IfModule alias_module directive disabled. Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server.
    SV-78885r1_rule OH12-1X-000166 CCI-000381 MEDIUM OHS must have the ScriptSock directive within an IfModule cgid_module directive disabled. Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server.
    SV-78887r1_rule OH12-1X-000167 CCI-000381 MEDIUM OHS must have the cgi-bin directory disabled. Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server.
    SV-78889r1_rule OH12-1X-000168 CCI-000381 MEDIUM OHS must have directives pertaining to certain scripting languages removed from virtual hosts. Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server.
    SV-78891r1_rule OH12-1X-000169 CCI-000381 MEDIUM OHS must have resource mappings set to disable the serving of certain file types. Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and to identify which file types are not to be delivered to a client. By not specifying which files can
    SV-78893r1_rule OH12-1X-000172 CCI-000381 MEDIUM Users and scripts running on behalf of users must be contained to the document root or home directory tree of OHS. A web server is designed to deliver content and execute scripts or applications on the request of a client or user. Containing user requests to files in the directory tree of the hosted web application and limiting the execution of scripts and applicatio
    SV-78895r1_rule OH12-1X-000173 CCI-000382 MEDIUM OHS must be configured to use a specified IP address, port, and protocol. The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP addresses available to the hosting server. If the web server ha
    SV-78897r1_rule OH12-1X-000240 CCI-000197 HIGH OHS must have the LoadModule ossl_module directive enabled to encrypt passwords during transmission. Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to authenticate can be passed to and from the web server for many
    SV-78899r1_rule OH12-1X-000241 CCI-000197 HIGH OHS must use FIPS modules to encrypt passwords during transmission. Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to authenticate can be passed to and from the web server for many
    SV-78901r2_rule OH12-1X-000242 CCI-000197 HIGH OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to encrypt passwords during transmission. Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to authenticate can be passed to and from the web server for many
    SV-78903r1_rule OH12-1X-000243 CCI-000197 HIGH OHS must have the SSLCipherSuite directive enabled to encrypt passwords during transmission. Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to authenticate can be passed to and from the web server for many
    SV-78905r1_rule OH12-1X-000244 CCI-000185 MEDIUM OHS must have the LoadModule ossl_module directive enabled to perform RFC 5280-compliant certification path validation. A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entit
    SV-78907r1_rule OH12-1X-000245 CCI-000185 MEDIUM OHS must use FIPS modules to perform RFC 5280-compliant certification path validation. A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entit
    SV-78909r2_rule OH12-1X-000246 CCI-000185 MEDIUM OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to perform RFC 5280-compliant certification path validation. A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entit
    SV-78911r1_rule OH12-1X-000247 CCI-000185 MEDIUM OHS must have the SSLCipherSuite directive enabled to perform RFC 5280-compliant certification path validation. A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entit
    SV-78913r1_rule OH12-1X-000248 CCI-000185 MEDIUM OHS must have the SSLVerifyClient directive set within each SSL-enabled VirtualHost directive to perform RFC 5280-compliant certification path validation. A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entit
    SV-78915r1_rule OH12-1X-000249 CCI-000185 MEDIUM OHS must have the SSLCARevocationFile and SSLCRLCheck directives within each SSL-enabled VirtualHost directive set to perform RFC 5280-compliant certification path validation when using single certification revocation. A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entit
    SV-78917r1_rule OH12-1X-000250 CCI-000185 MEDIUM OHS must have SSLCARevocationPath and SSLCRLCheck directives within each SSL-enabled VirtualHost directive set to perform RFC 5280-compliant certification path validation when using multiple certification revocation. A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entit
    SV-78919r1_rule OH12-1X-000251 CCI-000185 MEDIUM OHS must be integrated with a tool such as Oracle Access Manager to enforce a client-side certificate revocation check through the OCSP protocol. A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entit
    SV-78921r1_rule OH12-1X-000253 CCI-000803 MEDIUM OHS must have the LoadModule ossl_module directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIP
    SV-78923r1_rule OH12-1X-000254 CCI-000803 MEDIUM OHS must have the SSLFIPS directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIP
    SV-78925r2_rule OH12-1X-000255 CCI-000803 MEDIUM OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIP
    SV-78927r1_rule OH12-1X-000256 CCI-000803 MEDIUM OHS must have the SSLCipherSuite directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIP
    SV-78929r1_rule OH12-1X-000257 CCI-000803 MEDIUM OHS must have the LoadModule ossl_module directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS
    SV-78931r1_rule OH12-1X-000258 CCI-000803 MEDIUM OHS must have the SSLFIPS directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS
    SV-78933r2_rule OH12-1X-000259 CCI-000803 MEDIUM OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS
    SV-78935r1_rule OH12-1X-000260 CCI-000803 MEDIUM OHS must have the SSLCipherSuite directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS
    SV-78937r1_rule OH12-1X-000265 CCI-001166 MEDIUM OHS utilizing mobile code must meet DoD-defined mobile code requirements. Mobile code in hosted applications allows the developer to add functionality and displays to hosted applications that are fluid, as opposed to a static web page. The data presentation becomes more appealing to the user, is easier to analyze, and navigatio
    SV-78939r1_rule OH12-1X-000266 CCI-001082 HIGH OHS accounts accessing the directory tree, the shell, or other operating system functions and utilities must only be administrative accounts. As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server. The resources to which these accounts have access must also b
    SV-78941r1_rule OH12-1X-000281 CCI-001084 MEDIUM OHS must have the DocumentRoot directive set to a separate partition from the OHS system files. A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To allow a client access to system files of any type is a major
    SV-78943r1_rule OH12-1X-000282 CCI-001084 MEDIUM OHS must have the Directory directive accompanying the DocumentRoot directive set to a separate partition from the OHS system files. A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To allow a client access to system files of any type is a major
    SV-78945r1_rule OH12-1X-000283 CCI-001094 MEDIUM OHS must have the Timeout directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used t
    SV-78947r1_rule OH12-1X-000284 CCI-001094 MEDIUM OHS must have the KeepAlive directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used t
    SV-78949r1_rule OH12-1X-000285 CCI-001094 MEDIUM OHS must have the KeepAliveTimeout properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used t
    SV-78951r1_rule OH12-1X-000286 CCI-001094 MEDIUM OHS must have the MaxKeepAliveRequests directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used t
    SV-78953r1_rule OH12-1X-000287 CCI-001094 MEDIUM OHS must have the ListenBacklog properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used t
    SV-78955r2_rule OH12-1X-000288 CCI-001094 MEDIUM OHS must have the LimitRequestBody directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used t
    SV-78957r1_rule OH12-1X-000289 CCI-001094 MEDIUM OHS must have the LimitRequestFields directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used t
    SV-78959r1_rule OH12-1X-000290 CCI-001094 MEDIUM OHS must have the LimitRequestFieldSize directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used t
    SV-78961r1_rule OH12-1X-000291 CCI-001094 MEDIUM OHS must have the LimitRequestLine directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used t
    SV-78963r1_rule OH12-1X-000292 CCI-001094 MEDIUM OHS must have the LimitXMLRequestBody directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used t
    SV-78965r1_rule OH12-1X-000293 CCI-001094 MEDIUM OHS must have the LimitInternalRecursion directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used t
    SV-78967r1_rule OH12-1X-000346 CCI-001312 LOW OHS must display a default hosted application web page, not a directory listing, when a requested web page cannot be found. The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor to accomplish this
    SV-78969r1_rule OH12-1X-000347 CCI-001312 MEDIUM OHS must have the ServerSignature directive disabled. Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or modules being used. Web servers will often display error messa
    SV-78971r1_rule OH12-1X-000348 CCI-001312 LOW OHS must have the ServerTokens directive set to limit the response header. Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or modules being used. Web servers will often display error messa
    SV-78973r1_rule OH12-1X-000349 CCI-001312 MEDIUM OHS must have the Alias /error directive defined to reference the directory accompanying the ErrorDocument directives to minimize the identity of OHS, patches, loaded modules, and directory paths in warning and error messages displayed to clients. Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or modules being used. Web servers will often display error messa
    SV-78975r2_rule OH12-1X-000350 CCI-001312 MEDIUM OHS must have the permissions set properly via the Directory directive accompanying the ErrorDocument directives to minimize improper access to the warning and error messages displayed to clients. Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or modules being used. Web servers will often display error messa
    SV-78977r1_rule OH12-1X-000351 CCI-001312 LOW OHS must have defined error pages for common error codes that minimize the identity of the web server, patches, loaded modules, and directory paths. Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or modules being used. Web servers will often display error messa
    SV-78979r1_rule OH12-1X-000352 CCI-001312 LOW OHS must have production information removed from error documents to minimize the identity of OHS, patches, loaded modules, and directory paths in warning and error messages displayed to clients. Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or modules being used. Web servers will often display error messa
    SV-78981r1_rule OH12-1X-000353 CCI-001312 MEDIUM Debugging and trace information used to diagnose OHS must be disabled. Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or trace information is enabled in a production web server, in
    SV-78983r1_rule OH12-1X-000030 CCI-002314 MEDIUM Remote access to OHS must follow access policy or work in conjunction with enterprise tools designed to enforce policy requirements. Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely an
    SV-78985r1_rule OH12-1X-000031 CCI-002314 MEDIUM OHS must have the Order, Allow, and Deny directives set within the Directory directives set to restrict inbound connections from nonsecure zones. Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely an
    SV-78987r1_rule OH12-1X-000032 CCI-002314 MEDIUM OHS must have the Order, Allow, and Deny directives set within the Files directives set to restrict inbound connections from nonsecure zones. Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely an
    SV-78989r1_rule OH12-1X-000033 CCI-002314 MEDIUM OHS must have the Order, Allow, and Deny directives set within the Location directives set to restrict inbound connections from nonsecure zones. Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely an
    SV-78991r1_rule OH12-1X-000034 CCI-002322 MEDIUM OHS must provide the capability to immediately disconnect or disable remote access to the hosted applications. During an attack on the web server or any of the hosted applications, the system administrator may need to disconnect or disable access by users to stop the attack. The web server must provide a capability to disconnect users to a hosted application wit
    SV-78993r1_rule OH12-1X-000035 CCI-002235 MEDIUM Non-privileged accounts on the hosting system must only access OHS security-relevant information and functions through a distinct administrative account. By separating web server security functions from non-privileged users, roles can be developed that can then be used to administer the web server. Forcing users to change from a non-privileged account to a privileged account when operating on the web serve
    SV-78995r1_rule OH12-1X-000081 CCI-001851 MEDIUM OHS must be configured to store error log files to an appropriate storage device from which other tools can be configured to reference those log files for diagnostic/forensic purposes. A web server will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within a hosted application. This information can then be used for diagnostic purposes, forensics purposes, or other purposes relevant to ensur
    SV-78997r1_rule OH12-1X-000082 CCI-001851 MEDIUM OHS must be configured to store access log files to an appropriate storage device from which other tools can be configured to reference those log files for diagnostic/forensic purposes. A web server will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within a hosted application. This information can then be used for diagnostic purposes, forensics purposes, or other purposes relevant to ensur
    SV-78999r1_rule OH12-1X-000294 CCI-002450 HIGH OHS must have the LoadModule ossl_module directive enabled to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized. Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. NSA has developed Type 1 algorithms for prot
    SV-79001r1_rule OH12-1X-000295 CCI-002450 HIGH OHS must have the SSLFIPS directive enabled to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized. Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. NSA has developed Type 1 algorithms for prot
    SV-79003r2_rule OH12-1X-000296 CCI-002450 HIGH OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized. Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. NSA has developed Type 1 algorithms for prot
    SV-79005r1_rule OH12-1X-000297 CCI-002450 HIGH OHS must have the SSLCipherSuite directive enabled to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized. Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. NSA has developed Type 1 algorithms for prot
    SV-79007r1_rule OH12-1X-000298 CCI-002470 MEDIUM OHS must have the LoadModule ossl_module directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security co
    SV-79009r1_rule OH12-1X-000299 CCI-002470 MEDIUM OHS must have the SSLFIPS directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security co
    SV-79011r2_rule OH12-1X-000300 CCI-002470 MEDIUM OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security co
    SV-79013r1_rule OH12-1X-000301 CCI-002470 MEDIUM OHS must have the SSLCipherSuite directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security co
    SV-79015r1_rule OH12-1X-000302 CCI-002470 MEDIUM OHS must have the SSLVerifyClient directive enabled to only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security co
    SV-79017r1_rule OH12-1X-000303 CCI-002470 MEDIUM OHS must use wallets that have only DoD certificate authorities defined. Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security co
    SV-79019r1_rule OH12-1X-000307 CCI-002385 MEDIUM OHS must be tuned to handle the operational requirements of the hosted application. A Denial of Service (DoS) can occur when the web server is so overwhelmed that it can no longer respond to additional requests. A web server not properly tuned may become overwhelmed and cause a DoS condition even with expected traffic from users. To avoi
    SV-79031r1_rule OH12-1X-000308 CCI-002418 HIGH OHS must have the LoadModule ossl_module directive enabled to prevent unauthorized disclosure of information during transmission. Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport L
    SV-79033r1_rule OH12-1X-000309 CCI-002418 HIGH OHS must have the SSLFIPS directive enabled to prevent unauthorized disclosure of information during transmission. Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport L
    SV-79035r2_rule OH12-1X-000310 CCI-002418 HIGH OHS must have the SSLEngine, SSLProtocol, SSLWallet directives enabled and configured to prevent unauthorized disclosure of information during transmission. Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport L
    SV-79037r1_rule OH12-1X-000311 CCI-002418 HIGH OHS must have the SSLCipherSuite directive enabled to prevent unauthorized disclosure of information during transmission. Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport L
    SV-79039r1_rule OH12-1X-000312 CCI-002418 MEDIUM If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the SecureProxy directive enabled to prevent unauthorized disclosure of information during transmission. Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport L
    SV-79041r1_rule OH12-1X-000313 CCI-002418 MEDIUM OHS must have the WLSSLWallet directive enabled to prevent unauthorized disclosure of information during transmission. Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport L
    SV-79043r1_rule OH12-1X-000314 CCI-002418 MEDIUM If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the WebLogicSSLVersion directive enabled to prevent unauthorized disclosure of information during transmission. Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport L
    SV-79045r1_rule OH12-1X-000315 CCI-002418 MEDIUM If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS, OHS must have the WLProxySSL directive enabled to prevent unauthorized disclosure of information during transmission. Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport L
    SV-79047r1_rule OH12-1X-000320 CCI-002418 MEDIUM OHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version. Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enab
    SV-79049r1_rule OH12-1X-000321 CCI-002418 MEDIUM OHS must have the SSLFIPS directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version. Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enab
    SV-79051r2_rule OH12-1X-000322 CCI-002418 MEDIUM OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version. Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enab
    SV-79053r1_rule OH12-1X-000323 CCI-002418 MEDIUM OHS must have the SSLCipherSuite directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version. Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enab
    SV-79055r1_rule OH12-1X-000324 CCI-002420 MEDIUM OHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality and integrity of information during preparation for transmission. Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures
    SV-79057r1_rule OH12-1X-000325 CCI-002420 MEDIUM OHS must have the SSLFIPS directive enabled to maintain the confidentiality and integrity of information during preparation for transmission. Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures
    SV-79059r2_rule OH12-1X-000326 CCI-002420 MEDIUM OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality and integrity of information during preparation for transmission. Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures
    SV-79061r1_rule OH12-1X-000327 CCI-002420 MEDIUM OHS must have the SSLCipherSuite directive enabled to maintain the confidentiality and integrity of information during preparation for transmission. Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures
    SV-79063r1_rule OH12-1X-000328 CCI-002420 MEDIUM If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the SecureProxy directive enabled to maintain the confidentiality and integrity of information during preparation for transmission. Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures
    SV-79065r1_rule OH12-1X-000329 CCI-002420 MEDIUM If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the WLSSLWallet directive enabled to maintain the confidentiality and integrity of information during preparation for transmission. Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures
    SV-79067r1_rule OH12-1X-000330 CCI-002420 MEDIUM If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS, OHS must have the WLSProxySSL directive enabled to maintain the confidentiality and integrity of information during preparation for transmission. Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures
    SV-79069r1_rule OH12-1X-000331 CCI-002422 MEDIUM OHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality and integrity of information during reception. Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications c
    SV-79071r1_rule OH12-1X-000332 CCI-002422 MEDIUM OHS must have the SSLFIPS directive enabled to maintain the confidentiality and integrity of information during reception. Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications c
    SV-79073r2_rule OH12-1X-000333 CCI-002422 MEDIUM OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality and integrity of information during reception. Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications c
    SV-79075r1_rule OH12-1X-000334 CCI-002422 MEDIUM OHS must have the SSLCipherSuite directive enabled to maintain the confidentiality and integrity of information during reception. Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications c
    SV-79077r1_rule OH12-1X-000335 CCI-002422 MEDIUM If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the SSLSecureProxy directive enabled to maintain the confidentiality and integrity of information during reception. Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications c
    SV-79079r1_rule OH12-1X-000336 CCI-002422 MEDIUM If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the WLSSLWallet directive enabled to maintain the confidentiality and integrity of information during reception. Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications c
    SV-79081r1_rule OH12-1X-000337 CCI-002422 MEDIUM If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS, OHS must have the WLProxySSL directive enabled to maintain the confidentiality and integrity of information during reception. Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications c
    SV-79083r1_rule OH12-1X-000176 CCI-000366 MEDIUM The Node Manager account password associated with the installation of OHS must be in accordance with DoD guidance for length, complexity, etc. During installation of the web server software, accounts are created for the web server to operate properly. The accounts installed can have either no password installed or a default password, which will be known and documented by the vendor and the user
    SV-79085r1_rule OH12-1X-000178 CCI-000366 MEDIUM OHS must have Entity tags (ETags) disabled. Entity tags (ETags) are used for cache management to save network bandwidth by not sending a web page to the requesting client if the cached version on the client is current. When the client only has the ETag information, the client will make a request t
    SV-79087r1_rule OH12-1X-000179 CCI-000366 MEDIUM The SecureListener property of the Node Manager configured to support OHS must be enabled for secure communication. Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. To protect the information being sent between WebLogic Scripting Tool and Node Manager, the Node Manager listening address must be secured.
    SV-79089r1_rule OH12-1X-000180 CCI-000366 MEDIUM The ListenAddress property of the Node Manager configured to support OHS must match the CN of the certificate used by Node Manager. Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. For connections to be made to the Node Manager, it must listen on an assigned address. When this parameter is not set, the Node Manager will listen on all avail
    SV-79091r1_rule OH12-1X-000181 CCI-000366 MEDIUM The AuthenticationEnabled property of the Node Manager configured to support OHS must be configured to enforce authentication. Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. To accept connections from the WebLogic Scripting Tool, the Node Manager can be set up to authenticate the connections or not. If connections are not authenticat
    SV-79093r1_rule OH12-1X-000182 CCI-000366 MEDIUM The KeyStores property of the Node Manager configured to support OHS must be configured for secure communication. Oracle Node Manager is a utility that can be used to perform common operational tasks across Managed Servers. These servers can be distributed across multiple machines and geographical locations. The "KeyStores" property is used to configure the keyst
    SV-79095r1_rule OH12-1X-000183 CCI-000366 MEDIUM The CustomIdentityKeyStoreFileName property of the Node Manager configured to support OHS must be configured for secure communication. Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. The "CustomIdentityKeyStoreFileName" property specifies the file name of the identity keystore. This property is required when the "KeyStores" property is set t
    SV-79097r1_rule OH12-1X-000184 CCI-000366 MEDIUM The CustomIdentityKeyStorePassPhrase property of the Node Manager configured to support OHS must be configured for secure communication. Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. The "CustomIdentityKeyStorePassPhrase" property is used to protect the data within the keystore. Without protection, the data within the keystore could be compr
    SV-79099r1_rule OH12-1X-000185 CCI-000366 MEDIUM The CustomIdentityAlias property of the Node Manager configured to support OHS must be configured for secure communication. Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. The "CustomIdentityAlias" specifies the alias when loading the private key into the keystore. This property is required when the "KeyStores" property is set t
    SV-79101r1_rule OH12-1X-000186 CCI-000366 MEDIUM The CustomIdentityPrivateKeyPassPhrase property of the Node Manager configured to support OHS must be configured for secure communication. Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. The "CustomIdentityPrivateKeyPassPhrase" is the password that protects the private key when creating certificates. If a password is not used, the private key is
    SV-79103r1_rule OH12-1X-000187 CCI-000366 MEDIUM The listen-address element defined within the config.xml of the OHS Standalone domain that supports OHS must be configured for secure communication. Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. When starting an OHS instance, the WebLogic Scripting Tool reads the parameters within the config.xml file to set up the communication to the Node Manager. If th
    SV-79105r1_rule OH12-1X-000188 CCI-000366 MEDIUM The listen-port element defined within the config.xml of the OHS Standalone Domain must be configured for secure communication. Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. When starting an OHS instance, the WebLogic Scripting Tool reads the parameters within the config.xml file to set up the communication to the Node Manager. If th
    SV-79107r1_rule OH12-1X-000189 CCI-000366 MEDIUM The WLST_PROPERTIES environment variable defined for the OHS WebLogic Scripting Tool must be updated to reference an appropriate trust store so that it can communicate with the Node Manager supporting OHS. Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. When starting an OHS instance, the "OHS" WebLogic Scripting Tool needs to trust the certificate presented by the Node Manager in order to set up secure communicat
    SV-79109r1_rule OH12-1X-000190 CCI-000366 MEDIUM The WLST_PROPERTIES environment variable defined for the Fusion Middleware WebLogic Scripting Tool must be updated to reference an appropriate trust store so that it can communicate with the Node Manager supporting OHS. Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. When starting an OHS instance, the "Fusion Middleware" WebLogic Scripting Tool needs to trust the certificate presented by the Node Manager in order to set up sec
    SV-79111r1_rule OH12-1X-000234 CCI-000366 HIGH OHS must not have the directive PlsqlDatabasePassword set in clear text. OHS supports the use of the module mod_plsql, which allows applications to be hosted that are PL/SQL-based. To access the database, the module must have a valid username, password and database name. To keep the password from an attacker, the password mu
    SV-79113r1_rule OH12-1X-000192 CCI-000366 MEDIUM OHS must limit access to the Dynamic Monitoring Service (DMS). The Oracle Dynamic Monitoring Service (DMS) enables application developers, support analysts, system administrators, and others to measure application specific performance information. If OHS allows any machine to connect and monitor performance, an atta
    SV-79115r1_rule OH12-1X-000193 CCI-000366 MEDIUM OHS must have the AllowOverride directive set properly. The property "AllowOverride" is used to allow directives to be set differently than those set for the overall architecture. When the property is not set to "None", OHS will check for directives in the htaccess files at each directory level until the requ
    SV-79117r1_rule OH12-1X-000194 CCI-000366 MEDIUM OHS must be set to evaluate deny directives first when considering whether to serve a file. Part of securing OHS is allowing/denying access to the web server. Deciding on the manner in which the allow/deny rules are evaluated can turn what was once an allowable access into being blocked if the evaluation is reversed. By ordering the access as first deny
    SV-79119r1_rule OH12-1X-000195 CCI-000366 MEDIUM OHS must deny all access by default when considering whether to serve a file. Part of securing OHS is allowing/denying access to the web server. Deciding on the manner in which the allow/deny rules are evaluated can turn what was once an allowable access into being blocked if the evaluation is reversed. By ordering the access as first deny
    SV-79121r1_rule OH12-1X-000196 CCI-000366 MEDIUM The OHS instance installation must not contain an .htaccess file. .htaccess files are used to override settings in the OHS configuration files. The placement of the .htaccess file is also important as the settings will affect the directory where the file is located and any subdirectories below. Allowing the use of .ht
    SV-79123r1_rule OH12-1X-000197 CCI-000366 MEDIUM The OHS instance configuration must not reference directories that contain an .htaccess file. .htaccess files are used to override settings in the OHS configuration files. The placement of the .htaccess file is also important as the settings will affect the directory where the file is located and any subdirectories below. Allowing the use of .ht
    SV-79125r1_rule OH12-1X-000198 CCI-000366 LOW OHS must have the HostnameLookups directive enabled. Setting the "HostnameLookups" to "On" allows for more information to be logged in the event of an attack and subsequent investigation. This information can be added to other information gathered to narrow the attacker location. The DNS name can also be
    SV-79127r1_rule OH12-1X-000199 CCI-000366 MEDIUM OHS must have the ServerAdmin directive set properly. Making sure that information is given to the system administrator in a timely fashion is important. This information can be system status, warnings that may need attention before system failure or actual failure notification. Having this information sen
    SV-79129r1_rule OH12-1X-000200 CCI-000366 MEDIUM OHS must restrict access methods. The directive "" allows the system administrator to restrict what users may use which methods. An example of methods would be GET, POST and DELETE. These three are the most common used by applications and should be allowed. Methods such as TRACE, if al
    SV-79131r1_rule OH12-1X-000201 CCI-000366 MEDIUM The OHS htdocs directory must not contain any default files. Default files from the OHS installation should not be part of the htdocs directory. These files are not always patched or supported and may become an attacker vector in the future.
    SV-79133r1_rule OH12-1X-000202 CCI-000366 MEDIUM OHS must have the SSLSessionCacheTimeout directive set properly. During an SSL session, information about the session is stored in the global/inter-process SSL Session Cache, the OpenSSL internal memory cache and for sessions resumed by TLS session resumption (RFC 5077). This information must not be allowed to live fo
    SV-79135r1_rule OH12-1X-000203 CCI-000366 LOW OHS must have the RewriteEngine directive enabled. The rewrite engine is used to evaluate URL requests and modify the requests on the fly. Enabling this engine gives the system administrator the capability to trap potential attacks before reaching the hosted applications or to modify the URL to fix issue
    SV-79137r1_rule OH12-1X-000204 CCI-000366 LOW OHS must have the RewriteOptions directive set properly. The rules for the rewrite engine can be configured to inherit those from the parent and build upon that set of rules, to copy the rules from the parent if there are none defined or to only process the rules if the input is a URL. Of these, the most secur
    SV-79139r1_rule OH12-1X-000205 CCI-000366 LOW OHS must have the RewriteLogLevel directive set to the proper log level. Logging must not contain sensitive information or more information necessary than that needed to administer the system. The log levels from the rewrite engine range from 0 to 9 where 0 is no logging and 9 being the most verbose. A log level that gives e
    SV-79141r1_rule OH12-1X-000206 CCI-000366 LOW OHS must have the RewriteLog directive set properly. Specifying where the log files are written gives the system administrator the capability to store the files in a location other than the default, with system files or in a globally accessible location. The system administrator can also specify a location
    SV-79143r2_rule OH12-1X-000207 CCI-000366 MEDIUM All accounts installed with the web server software and tools must have passwords assigned and default passwords changed. During installation of the web server software, accounts are created for the web server to operate properly. The accounts installed can have either no password installed or a default password, which will be known and documented by the vendor and the user
    SV-79145r1_rule OH12-1X-000208 CCI-000366 MEDIUM A production OHS Installation must prohibit the installation of a compiler. The presence of a compiler on a production server facilitates the malicious user’s task of creating custom versions of programs and installing Trojan Horses or viruses. For example, the attacker’s code can be uploaded and compiled on the server under
    SV-79147r1_rule OH12-1X-000209 CCI-000366 MEDIUM A public OHS installation, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension. To minimize exposure of private assets to unnecessary risk by attackers, public web servers must be isolated from internal systems. Public web servers are by nature more vulnerable to attack from publicly based sources, such as the public Internet. Onc
    SV-79149r1_rule OH12-1X-000210 CCI-000366 MEDIUM A private OHS installation must be located on a separate controlled access subnet. Private web servers, which host sites that serve controlled access data, must be protected from outside threats in addition to insider threats. Insider threat may be accidental or intentional but, in either case, can cause a disruption in service of the w
    SV-79151r1_rule OH12-1X-000211 CCI-000366 HIGH The version of the OHS installation must be vendor-supported. Many vulnerabilities are associated with older versions of software. As hot fixes and patches are issued, these solutions are included in the next version of the server software. Maintaining OHS at a current version makes the efforts of a malicious user
    SV-79153r1_rule OH12-1X-000212 CCI-000366 MEDIUM OHS must be certified with accompanying Fusion Middleware products. OHS is capable of being used with other Oracle products. For the products to work properly and not introduce vulnerabilities or errors, Oracle certifies which versions work with each other. Insisting that the certified versions be installed together in
    SV-79155r1_rule OH12-1X-000214 CCI-000366 MEDIUM OHS tools must be restricted to the web manager and the web manager's designees. All automated information systems are at risk of data loss due to disaster or compromise. Failure to provide adequate protection to the administration tools creates risk of potential theft or damage that may ultimately compromise the mission. Adequate pr
    SV-79157r1_rule OH12-1X-000215 CCI-000366 LOW All utility programs, not necessary for operations, must be removed or disabled. Just as running unneeded services and protocols is a danger to the web server at the lower levels of the OSI model, running unneeded utilities and programs is also a danger at the application layer of the OSI model. Office suites, development tools, and g
    SV-79159r1_rule OH12-1X-000216 CCI-000366 MEDIUM The OHS htpasswd files (if present) must reflect proper ownership and permissions. In addition to OS restrictions, access rights to files and directories can be set on a web site using the web server software. That is, in addition to allowing or denying all access rights, a rule can be specified that allows or denies partial access rig
    SV-79161r1_rule OH12-1X-000217 CCI-000366 MEDIUM A public OHS installation must limit email to outbound only. Incoming e-mail has been known to provide hackers with access to servers. Disabling the incoming mail service prevents this type of attack. Additionally, e-mail represents the main use of the Internet. It is a specialized application that requires the dedic
    SV-79163r1_rule OH12-1X-000218 CCI-000366 LOW OHS content and configuration files must be part of a routine backup program. Backing up web server data and web server application software after upgrades or maintenance ensures that recovery can be accomplished up to the current version. It also provides a means to determine and recover from subsequent unauthorized changes to th
    SV-79165r1_rule OH12-1X-000219 CCI-000366 MEDIUM OHS must be segregated from other services. The web server installation and configuration plan should not support the co-hosting of multiple services such as Domain Name Service (DNS), e-mail, databases, search engines, indexing, or streaming media on the same server that is providing the web publi
    SV-79167r1_rule OH12-1X-000220 CCI-000366 MEDIUM OHS must have all applicable patches (i.e., CPUs) applied/documented (OEM). The IAVM process does not address all patches that have been identified for the host operating system or, in this case, the web server software environment. Many vendors have subscription services available to notify users of known security threats. The s
    SV-79169r1_rule OH12-1X-000221 CCI-000366 MEDIUM A private OHS list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA. A PKI certificate is a digital identifier that establishes the identity of an individual or a platform. A server that has a certificate provides users with third-party confirmation of authenticity. Most web browsers perform server authentication automatic
    SV-79171r1_rule OH12-1X-000222 CCI-000366 MEDIUM OHS must have the ScoreBoardFile directive disabled. The ScoreBoardFile directive sets a file path which the server will use for Inter-Process Communication (IPC) among the Apache processes. If the directive is specified, then Apache will use the configured file for the inter-process communication. Therefor
    SV-79173r1_rule OH12-1X-000223 CCI-000366 MEDIUM The OHS document root directory must not be on a network share. Sharing of web server content is a security risk when a web server is involved. Users accessing the share anonymously could experience privileged access to the content of such directories. Network sharable directories expose those directories and their co
    SV-79175r1_rule OH12-1X-000224 CCI-000366 MEDIUM The OHS server root directory must not be on a network share. Sharing of the web server directory where the executables are stored is a security risk when a web server is involved. Users that have access to the share may not be administrative users. These users could make changes to the web server without going th
    SV-79177r1_rule OH12-1X-000225 CCI-000366 HIGH Symbolic links must not be used in the web content directory tree. A symbolic link allows a file or a directory to be referenced using a symbolic name raising a potential hazard if symbolic linkage is made to a sensitive area. When web scripts are executed and symbolic links are allowed, the web user could be allowed to
    SV-79179r1_rule OH12-1X-000226 CCI-000366 HIGH OHS administration must be performed over a secure path or at the local console. Logging into a web server remotely using an unencrypted protocol or service when performing updates and maintenance is a major risk. Data, such as user account, is transmitted in plaintext and can easily be compromised. When performing remote administra
    SV-79181r1_rule OH12-1X-000227 CCI-000366 MEDIUM OHS must not contain any robots.txt files. Search engines are constantly at work on the Internet. Search engines are augmented by agents, often referred to as spiders or bots, which endeavor to capture and catalog web-site content. In turn, these search engines make the content they obtain and c
    SV-79183r1_rule OH12-1X-000228 CCI-000366 MEDIUM OHS must prohibit anonymous FTP user access to interactive scripts. The directories containing the CGI scripts, such as PERL, must not be accessible to anonymous users via FTP. This applies to all directories that contain scripts that can dynamically produce web pages in an interactive manner (i.e., scripts based upon use
    SV-79185r1_rule OH12-1X-000229 CCI-000366 MEDIUM The OHS DocumentRoot directory must be in a separate partition from the OHS ServerRoot directory. Application partitioning enables an additional security measure by securing user traffic under one security context, while managing system and application files under another. Web content is accessible to an anonymous web user. For such an account to have
    SV-79187r1_rule OH12-1X-000230 CCI-000366 MEDIUM The OHS DocumentRoot directory must be on a separate partition from OS root partition. Application partitioning enables an additional security measure by securing user traffic under one security context, while managing system and application files under another. Web content is accessible to an anonymous web user. For such an account to have
    SV-79189r1_rule OH12-1X-000231 CCI-000366 MEDIUM Remote authors or content providers must have all files scanned for viruses and malicious code before uploading files to the Document Root directory. Remote web authors should not be able to upload files to the DocumentRoot directory structure without virus checking and checking for malicious or mobile code. A remote web user whose agency has a Memorandum of Agreement (MOA) with the hosting agency and
    SV-79191r2_rule OH12-1X-000232 CCI-000366 MEDIUM A public OHS server must use TLS if authentication is required to host web sites. Transport Layer Security (TLS) is optional for a public web server. However, if authentication is being performed, then the use of the TLS protocol is required. Without the use of TLS, the authentication data would be transmitted unencrypted and would b
    SV-79193r1_rule OH12-1X-000233 CCI-000366 LOW OHS hosted web sites must utilize ports, protocols, and services according to PPSM guidelines. Failure to comply with DoD ports, protocols, and services (PPS) requirements can result in compromise of enclave boundary protections and/or functionality of the automated information system (AIS). The ISSM will ensure web servers are configured to use o