Oracle HTTP Server 12.1.3 Security Technical Implementation Guide

Description

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]

Details

Version / Release: V2R1

Published: 2021-12-29

Updated At: 2022-04-06 01:09:45


    Vuln ID  Rule Version  CCI  Severity  Title  Description
    SV-221272r414501_rule OH12-1X-000001 CCI-000054 MEDIUM OHS must have the mpm property set to use the worker Multi-Processing Module (MPM) as the preferred means to limit the number of allowed simultaneous requests. Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to several types of Denial of Service at
    SV-221273r414504_rule OH12-1X-000002 CCI-000054 MEDIUM OHS must have the mpm_prefork_module directive disabled so as not to conflict with the worker directive used to limit the number of allowed simultaneous requests. Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to several types of Denial of Service at
    SV-221274r414507_rule OH12-1X-000003 CCI-000054 MEDIUM OHS must have the MaxClients directive defined to limit the number of allowed simultaneous requests. Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to several types of Denial of Service at
    SV-221275r414510_rule OH12-1X-000004 CCI-000054 MEDIUM OHS must limit the number of threads within a worker process to limit the number of allowed simultaneous requests. Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to several types of Denial of Service at
    SV-221276r414513_rule OH12-1X-000005 CCI-000054 MEDIUM OHS must limit the number of worker processes to limit the number of allowed simultaneous requests. Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to several types of Denial of Service at
    SV-221277r414516_rule OH12-1X-000007 CCI-000068 HIGH OHS must have the LoadModule ossl_module directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server. The web server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or communication to authenticate users. The encryption used to communicate must match the data that is being retriev
    SV-221278r414519_rule OH12-1X-000008 CCI-000068 HIGH OHS must have the SSLFIPS directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server. The web server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or communication to authenticate users. The encryption used to communicate must match the data that is being retriev
    SV-221279r414522_rule OH12-1X-000009 CCI-000068 MEDIUM OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to encrypt remote connections in accordance with the categorization of data hosted by the web server. The web server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or communication to authenticate users. The encryption used to communicate must match the data that is being retriev
    SV-221280r414525_rule OH12-1X-000010 CCI-000068 HIGH OHS must have the SSLCipherSuite directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server. The web server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or communication to authenticate users. The encryption used to communicate must match the data that is being retriev
    SV-221281r414528_rule OH12-1X-000011 CCI-001453 HIGH OHS must have the LoadModule ossl_module directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server. Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted s
    SV-221282r414531_rule OH12-1X-000012 CCI-001453 HIGH OHS must have the SSLFIPS directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server. Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted s
    SV-221283r414534_rule OH12-1X-000013 CCI-001453 HIGH OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server. Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted s
    SV-221284r414537_rule OH12-1X-000014 CCI-001453 HIGH OHS must have the SSLCipherSuite directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server. Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted s
    SV-221285r414540_rule OH12-1X-000015 CCI-001453 MEDIUM OHS must have the SecureProxy directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server. Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted s
    SV-221286r414543_rule OH12-1X-000016 CCI-001453 MEDIUM OHS must have the WLSSLWallet directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server. Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted s
    SV-221287r414546_rule OH12-1X-000017 CCI-001453 MEDIUM OHS must have the WebLogicSSLVersion directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server. Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted s
    SV-221288r414549_rule OH12-1X-000018 CCI-001453 MEDIUM OHS must have the WLProxySSL directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server. Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted s
    SV-221289r414552_rule OH12-1X-000019 CCI-000067 MEDIUM OHS must have the LoadModule log_config_module directive enabled to generate information to be used by external applications or entities to monitor and control remote access. Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information
    SV-221290r414555_rule OH12-1X-000020 CCI-000067 MEDIUM OHS must have the OraLogMode set to Oracle Diagnostic Logging text mode to generate information to be used by external applications or entities to monitor and control remote access. Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information
    SV-221291r414558_rule OH12-1X-000021 CCI-000067 MEDIUM OHS must have a log directory location defined to generate information for use by external applications or entities to monitor and control remote access. Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information
    SV-221292r414561_rule OH12-1X-000022 CCI-000067 MEDIUM OHS must have the OraLogSeverity directive defined to generate adequate information to be used by external applications or entities to monitor and control remote access. Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information
    SV-221293r414564_rule OH12-1X-000023 CCI-000067 MEDIUM OHS must have the log rotation parameter set to allow generated information to be used by external applications or entities to monitor and control remote access. Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information
    SV-221294r414567_rule OH12-1X-000024 CCI-000067 MEDIUM OHS must have a log format defined to generate adequate information to be used by external applications or entities to monitor and control remote access. Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information
    SV-221295r414570_rule OH12-1X-000025 CCI-000067 MEDIUM OHS must have a SSL log format defined to allow generated information to be used by external applications or entities to monitor and control remote access in accordance with the categorization of data hosted by the web server. Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information
    SV-221296r414573_rule OH12-1X-000026 CCI-000067 MEDIUM OHS must have a log file defined for each site/virtual host to capture information to be used by external applications or entities to monitor and control remote access. Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information
    SV-221297r414576_rule OH12-1X-000030 CCI-002314 MEDIUM Remote access to OHS must follow access policy or work in conjunction with enterprise tools designed to enforce policy requirements. Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely an
    SV-221298r414579_rule OH12-1X-000031 CCI-002314 MEDIUM OHS must have the Order, Allow, and Deny directives set within the Directory directives set to restrict inbound connections from nonsecure zones. Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely an
    SV-221299r414582_rule OH12-1X-000032 CCI-002314 MEDIUM OHS must have the Order, Allow, and Deny directives set within the Files directives set to restrict inbound connections from nonsecure zones. Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely an
    SV-221300r414585_rule OH12-1X-000033 CCI-002314 MEDIUM OHS must have the Order, Allow, and Deny directives set within the Location directives set to restrict inbound connections from nonsecure zones. Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely an
    SV-221301r414588_rule OH12-1X-000034 CCI-002322 MEDIUM OHS must provide the capability to immediately disconnect or disable remote access to the hosted applications. During an attack on the web server or any of the hosted applications, the system administrator may need to disconnect or disable access by users to stop the attack. The web server must provide a capability to disconnect users to a hosted application wit
    SV-221302r414591_rule OH12-1X-000035 CCI-002235 MEDIUM Non-privileged accounts on the hosting system must only access OHS security-relevant information and functions through a distinct administrative account. By separating web server security functions from non-privileged users, roles can be developed that can then be used to administer the web server. Forcing users to change from a non-privileged account to a privileged account when operating on the web serve
    SV-221303r414594_rule OH12-1X-000040 CCI-000169 MEDIUM OHS must have the client requests logging module loaded to generate log records for system startup and shutdown, system access, and system authentication logging. Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the
    SV-221304r414597_rule OH12-1X-000041 CCI-000169 MEDIUM OHS must have OraLogMode set to Oracle Diagnostic Logging text mode to generate log records for system startup and shutdown, system access, and system authentication logging. Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the
    SV-221305r414600_rule OH12-1X-000042 CCI-000169 MEDIUM OHS must have a log directory location defined to generate log records for system startup and shutdown, system access, and system authentication logging. Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the
    SV-221306r414603_rule OH12-1X-000043 CCI-000169 MEDIUM OHS must have a log level severity defined to generate adequate log records for system startup and shutdown, system access, and system authentication events. Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the
    SV-221307r414606_rule OH12-1X-000044 CCI-000169 MEDIUM OHS must have the log rotation parameter set to allow for the generation of log records for system startup and shutdown, system access, and system authentication events. Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the
    SV-221308r414609_rule OH12-1X-000045 CCI-000169 MEDIUM OHS must have a log format defined to generate adequate logs for system startup and shutdown, system access, and system authentication events. Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the
    SV-221309r414612_rule OH12-1X-000046 CCI-000169 MEDIUM OHS must have an SSL log format defined to generate adequate logs for system startup and shutdown, system access, and system authentication events. Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the
    SV-221310r414615_rule OH12-1X-000047 CCI-000169 MEDIUM OHS must have a log file defined for each site/virtual host to capture logs generated by system startup and shutdown, system access, and system authentication events. Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the
    SV-221312r414621_rule OH12-1X-000050 CCI-000130 MEDIUM OHS must have a log level severity defined to produce sufficient log records to establish what type of events occurred. Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct type of event that occurred is important during forensic
    SV-221313r414624_rule OH12-1X-000051 CCI-000130 MEDIUM OHS must have a log format defined for log records generated to capture sufficient information to establish what type of events occurred. Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct type of event that occurred is important during forensic
    SV-221314r414627_rule OH12-1X-000052 CCI-000130 MEDIUM OHS must have a SSL log format defined for log records generated to capture sufficient information to establish what type of events occurred. Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct type of event that occurred is important during forensic
    SV-221315r414630_rule OH12-1X-000053 CCI-000130 MEDIUM OHS must have a log file defined for each site/virtual host to capture sufficient information to establish what type of events occurred. Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct type of event that occurred is important during forensic
    SV-221316r414633_rule OH12-1X-000054 CCI-000131 MEDIUM OHS must have a log format defined for log records generated to capture sufficient information to establish when an event occurred. Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct order of the events that occurred is important during fo
    SV-221317r414636_rule OH12-1X-000055 CCI-000131 MEDIUM OHS must have a SSL log format defined for log records generated to capture sufficient information to establish when an event occurred. Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct order of the events that occurred is important during fo
    SV-221318r414639_rule OH12-1X-000056 CCI-000131 MEDIUM OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of when an event occurred. Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct order of the events that occurred is important during fo
    SV-221319r414642_rule OH12-1X-000057 CCI-000132 MEDIUM OHS must have a log format defined for log records that allow the establishment of where within OHS the events occurred. Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct location or process within the web server where the even
    SV-221320r414645_rule OH12-1X-000058 CCI-000132 MEDIUM OHS must have a SSL log format defined for log records that allow the establishment of where within OHS the events occurred. Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct location or process within the web server where the even
    SV-221321r414648_rule OH12-1X-000059 CCI-000132 MEDIUM OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of where within OHS the events occurred. Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct location or process within the web server where the even
    SV-221322r414651_rule OH12-1X-000060 CCI-000133 MEDIUM OHS must have a log format defined for log records that allow the establishment of the source of events. Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., source IP, of the events is important duri
    SV-221323r414654_rule OH12-1X-000061 CCI-000133 MEDIUM OHS must have a SSL log format defined for log records that allow the establishment of the source of events. Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., source IP, of the events is important duri
    SV-221324r414657_rule OH12-1X-000062 CCI-000133 MEDIUM OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of the source of events. Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., source IP, of the events is important duri
    SV-221325r414660_rule OH12-1X-000063 CCI-000133 MEDIUM OHS, behind a load balancer or proxy server, must produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., source IP, of the events is important duri
    SV-221326r414663_rule OH12-1X-000064 CCI-000133 MEDIUM OHS, behind a load balancer or proxy server, must have the SSL log format set correctly to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., source IP, of the events is important duri
    SV-221327r539625_rule OH12-1X-000065 CCI-000133 MEDIUM OHS, behind a load balancer or proxy server, must have a log file defined for each site/virtual host to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., source IP, of the events is important duri
    SV-221328r414669_rule OH12-1X-000066 CCI-000134 MEDIUM OHS must have a log format defined to produce log records that contain sufficient information to establish the outcome (success or failure) of events. Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the success or failure of an event is important during forensic anal
    SV-221329r414672_rule OH12-1X-000067 CCI-000134 MEDIUM OHS must have a SSL log format defined to produce log records that contain sufficient information to establish the outcome (success or failure) of events. Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the success or failure of an event is important during forensic anal
    SV-221330r414675_rule OH12-1X-000068 CCI-000134 MEDIUM OHS must have a log file defined for each site/virtual host to produce log records that contain sufficient information to establish the outcome (success or failure) of events. Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the success or failure of an event is important during forensic anal
    SV-221331r414678_rule OH12-1X-000069 CCI-001487 MEDIUM OHS must have a log format defined to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event. Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Determining user accounts, processes running on behalf of the user, and running pr
    SV-221332r414681_rule OH12-1X-000070 CCI-001487 MEDIUM OHS must have a SSL log format defined to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event. Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Determining user accounts, processes running on behalf of the user, and running pr
    SV-221333r414684_rule OH12-1X-000071 CCI-001487 MEDIUM OHS must have a log file defined for each site/virtual host to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event. Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Determining user accounts, processes running on behalf of the user, and running pr
    SV-221334r414687_rule OH12-1X-000074 CCI-000162 MEDIUM OHS log files must only be accessible by privileged users. Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In
    SV-221335r414690_rule OH12-1X-000075 CCI-000163 MEDIUM The log information from OHS must be protected from unauthorized modification. Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromis
    SV-221336r414693_rule OH12-1X-000076 CCI-000164 MEDIUM The log information from OHS must be protected from unauthorized deletion. Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromis
    SV-221337r414696_rule OH12-1X-000077 CCI-001348 MEDIUM The log data and records from OHS must be backed up onto a different system or media. Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up log records to an unrelated system or onto separate media than the system the web server is actually running on helps to assure that, in the event of a catas
    SV-221338r414699_rule OH12-1X-000081 CCI-001851 MEDIUM OHS must be configured to store error log files to an appropriate storage device from which other tools can be configured to reference those log files for diagnostic/forensic purposes. A web server will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within a hosted application. This information can then be used for diagnostic purposes, forensics purposes, or other purposes relevant to ensur
    SV-221339r414702_rule OH12-1X-000082 CCI-001851 MEDIUM OHS must be configured to store access log files to an appropriate storage device from which other tools can be configured to reference those log files for diagnostic/forensic purposes. A web server will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within a hosted application. This information can then be used for diagnostic purposes, forensics purposes, or other purposes relevant to ensur
    SV-221340r414705_rule OH12-1X-000093 CCI-000381 MEDIUM OHS must have the LoadModule file_cache_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221341r414708_rule OH12-1X-000094 CCI-000381 LOW OHS must have the LoadModule vhost_alias_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221342r414711_rule OH12-1X-000095 CCI-000381 MEDIUM OHS must have the LoadModule env_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221343r414714_rule OH12-1X-000096 CCI-000381 LOW OHS must have the LoadModule mime_magic_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221344r414717_rule OH12-1X-000097 CCI-000381 LOW OHS must have the LoadModule negotiation_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221345r414720_rule OH12-1X-000098 CCI-000381 LOW OHS must not have the LanguagePriority directive enabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221346r414723_rule OH12-1X-000099 CCI-000381 LOW OHS must not have the ForceLanguagePriority directive enabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221347r414726_rule OH12-1X-000100 CCI-000381 MEDIUM OHS must have the LoadModule status_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221348r414729_rule OH12-1X-000101 CCI-000381 MEDIUM OHS must have the LoadModule info_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221349r414732_rule OH12-1X-000102 CCI-000381 MEDIUM OHS must have the LoadModule include_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221350r414735_rule OH12-1X-000103 CCI-000381 MEDIUM OHS must have the LoadModule autoindex_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221351r414738_rule OH12-1X-000104 CCI-000381 MEDIUM OHS must have the IndexOptions directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221352r414741_rule OH12-1X-000105 CCI-000381 MEDIUM OHS must have the AddIconByEncoding directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221353r414744_rule OH12-1X-000106 CCI-000381 MEDIUM OHS must have the AddIconByType directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221354r414747_rule OH12-1X-000107 CCI-000381 MEDIUM OHS must have the AddIcon directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221355r414750_rule OH12-1X-000108 CCI-000381 MEDIUM OHS must have the DefaultIcon directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221356r414753_rule OH12-1X-000109 CCI-000381 MEDIUM OHS must have the ReadmeName directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221357r414756_rule OH12-1X-000110 CCI-000381 MEDIUM OHS must have the HeaderName directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221358r414759_rule OH12-1X-000111 CCI-000381 MEDIUM OHS must have the IndexIgnore directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221359r414762_rule OH12-1X-000112 CCI-000381 LOW OHS must have the LoadModule dir_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221360r414765_rule OH12-1X-000113 CCI-000381 LOW OHS must have the DirectoryIndex directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221361r414768_rule OH12-1X-000114 CCI-000381 MEDIUM OHS must have the LoadModule cgi_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221362r414771_rule OH12-1X-000115 CCI-000381 MEDIUM OHS must have the LoadModule fastcgi_module disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221363r414774_rule OH12-1X-000116 CCI-000381 MEDIUM OHS must have the LoadModule cgid_module directive disabled for mpm workers. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221364r414777_rule OH12-1X-000117 CCI-000381 LOW OHS must have the IfModule cgid_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221365r414780_rule OH12-1X-000118 CCI-000381 LOW OHS must have the LoadModule mpm_winnt_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221366r414783_rule OH12-1X-000119 CCI-000381 MEDIUM OHS must have the ScriptAlias directive for CGI scripts disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221367r414786_rule OH12-1X-000120 CCI-000381 MEDIUM OHS must have the ScriptSock directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221368r414789_rule OH12-1X-000121 CCI-000381 MEDIUM OHS must have the cgi-bin directory disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221369r414792_rule OH12-1X-000122 CCI-000381 MEDIUM OHS must have directives pertaining to certain scripting languages removed from virtual hosts. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221370r414795_rule OH12-1X-000123 CCI-000381 LOW OHS must have the LoadModule asis_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221371r414798_rule OH12-1X-000124 CCI-000381 LOW OHS must have the LoadModule imagemap_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221372r414801_rule OH12-1X-000125 CCI-000381 MEDIUM OHS must have the LoadModule actions_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221373r414804_rule OH12-1X-000126 CCI-000381 LOW OHS must have the LoadModule speling_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221374r414807_rule OH12-1X-000127 CCI-000381 MEDIUM OHS must have the LoadModule userdir_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221375r414810_rule OH12-1X-000128 CCI-000381 MEDIUM OHS must have the AliasMatch directive pertaining to the OHS manuals disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221376r414813_rule OH12-1X-000129 CCI-000381 MEDIUM OHS must have the Directory directive pointing to the OHS manuals disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221377r414816_rule OH12-1X-000130 CCI-000381 MEDIUM OHS must have the LoadModule auth_basic_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221378r539627_rule OH12-1X-000131 CCI-000381 MEDIUM OHS must have the LoadModule authz_user_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221379r414822_rule OH12-1X-000132 CCI-000381 MEDIUM OHS must have the LoadModule authn_file_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221380r414825_rule OH12-1X-000133 CCI-000381 MEDIUM OHS must have the LoadModule authn_anon_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221381r457170_rule OH12-1X-000134 CCI-000381 MEDIUM OHS must have the LoadModule proxy_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221382r539629_rule OH12-1X-000135 CCI-000381 MEDIUM OHS must have the LoadModule proxy_http_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221383r414834_rule OH12-1X-000136 CCI-000381 MEDIUM OHS must have the LoadModule proxy_ftp_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221384r414837_rule OH12-1X-000137 CCI-000381 MEDIUM OHS must have the LoadModule proxy_connect_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221385r414840_rule OH12-1X-000138 CCI-000381 MEDIUM OHS must have the LoadModule proxy_balancer_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221386r414843_rule OH12-1X-000139 CCI-000381 LOW OHS must have the LoadModule cern_meta_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221387r414846_rule OH12-1X-000140 CCI-000381 LOW OHS must have the LoadModule expires_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221388r414849_rule OH12-1X-000141 CCI-000381 LOW OHS must have the LoadModule usertrack_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221389r414852_rule OH12-1X-000142 CCI-000381 LOW OHS must have the LoadModule uniqueid_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221390r414855_rule OH12-1X-000143 CCI-000381 MEDIUM OHS must have the LoadModule setenvif_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221391r414858_rule OH12-1X-000144 CCI-000381 MEDIUM OHS must have the BrowserMatch directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221392r414861_rule OH12-1X-000145 CCI-000381 MEDIUM OHS must have the LoadModule dumpio_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221393r414864_rule OH12-1X-000146 CCI-000381 LOW OHS must have the IfModule dumpio_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221394r414867_rule OH12-1X-000147 CCI-000381 MEDIUM OHS must have the Alias /icons/ directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221395r414870_rule OH12-1X-000148 CCI-000381 MEDIUM OHS must have the path to the icons directory disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221396r414873_rule OH12-1X-000149 CCI-000381 LOW OHS must have the IfModule mpm_winnt_module directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221397r539631_rule OH12-1X-000150 CCI-000381 MEDIUM OHS must have the LoadModule proxy_module directive disabled. A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very comm
    SV-221398r539633_rule OH12-1X-000151 CCI-000381 MEDIUM OHS must have the LoadModule proxy_http_module directive disabled. A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very comm
    SV-221399r414882_rule OH12-1X-000152 CCI-000381 MEDIUM OHS must have the LoadModule proxy_ftp_module directive disabled. A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very comm
    SV-221400r414885_rule OH12-1X-000153 CCI-000381 MEDIUM OHS must have the LoadModule proxy_connect_module directive disabled. A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very comm
    SV-221401r414888_rule OH12-1X-000154 CCI-000381 MEDIUM OHS must have the LoadModule proxy_balancer_module directive disabled. A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very comm
    SV-221402r414891_rule OH12-1X-000156 CCI-000381 LOW OHS must disable the directive pointing to the directory containing the OHS manuals. Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production web server must only contain components that are operationa
    SV-221403r414894_rule OH12-1X-000157 CCI-000381 MEDIUM OHS must have the AliasMatch directive disabled for the OHS manuals. Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production web server must only contain components that are operationa
    SV-221404r414897_rule OH12-1X-000160 CCI-000381 MEDIUM OHS must have the AddHandler directive disabled. Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more functionality than is needed for the operation of the hosted application poses a security issue. A user with too
    SV-221405r414900_rule OH12-1X-000161 CCI-000381 MEDIUM OHS must have the LoadModule cgi_module directive disabled. Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server.
    SV-221406r414903_rule OH12-1X-000162 CCI-000381 MEDIUM OHS must have the LoadModule cgid_module directive disabled. Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server.
    SV-221407r414906_rule OH12-1X-000163 CCI-000381 MEDIUM OHS must have the IfModule cgid_module directive disabled for the OHS server, virtual host, and directory configuration. Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server.
    SV-221408r414909_rule OH12-1X-000164 CCI-000381 LOW OHS must have the LoadModule cgi_module directive disabled within the IfModule mpm_winnt_module directive. Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server.
    SV-221409r414912_rule OH12-1X-000165 CCI-000381 MEDIUM OHS must have the ScriptAlias /cgi-bin/ directive within an IfModule alias_module directive disabled. Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server.
    SV-221410r414915_rule OH12-1X-000166 CCI-000381 MEDIUM OHS must have the ScriptSock directive within an IfModule cgid_module directive disabled. Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server.
    SV-221411r810869_rule OH12-1X-000167 CCI-000381 MEDIUM OHS must have the cgi-bin directory disabled. Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server.
    SV-221412r414921_rule OH12-1X-000168 CCI-000381 MEDIUM OHS must have directives pertaining to certain scripting languages removed from virtual hosts. Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server.
    SV-221413r414924_rule OH12-1X-000169 CCI-000381 MEDIUM OHS must have resource mappings set to disable the serving of certain file types. Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and to identify which file types are not to be delivered to a client. By not specifying which files can
    SV-221414r414927_rule OH12-1X-000172 CCI-000381 MEDIUM Users and scripts running on behalf of users must be contained to the document root or home directory tree of OHS. A web server is designed to deliver content and execute scripts or applications on the request of a client or user. Containing user requests to files in the directory tree of the hosted web application and limiting the execution of scripts and applicatio
    SV-221415r414930_rule OH12-1X-000173 CCI-000382 MEDIUM OHS must be configured to use a specified IP address, port, and protocol. The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP addresses available to the hosting server. If the web server ha
    SV-221416r414933_rule OH12-1X-000176 CCI-000366 MEDIUM The Node Manager account password associated with the installation of OHS must be in accordance with DoD guidance for length, complexity, etc. During installation of the web server software, accounts are created for the web server to operate properly. The accounts installed can have either no password installed or a default password, which will be known and documented by the vendor and the user
    SV-221417r414936_rule OH12-1X-000178 CCI-000366 MEDIUM OHS must have Entity tags (ETags) disabled. Entity tags (ETags) are used for cache management to save network bandwidth by not sending a web page to the requesting client if the cached version on the client is current. When the client only has the ETag information, the client will make a request t
    SV-221418r414939_rule OH12-1X-000179 CCI-000366 MEDIUM The SecureListener property of the Node Manager configured to support OHS must be enabled for secure communication. Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. To protect the information being sent between WebLogic Scripting Tool and Node Manager, the Node Manager listening address must be secured.
    SV-221419r414942_rule OH12-1X-000180 CCI-000366 MEDIUM The ListenAddress property of the Node Manager configured to support OHS must match the CN of the certificate used by Node Manager. Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. For connections to be made to the Node Manager, it must listen on an assigned address. When this parameter is not set, the Node Manager will listen on all avail
    SV-221420r414945_rule OH12-1X-000181 CCI-000366 MEDIUM The AuthenticationEnabled property of the Node Manager configured to support OHS must be configured to enforce authentication. Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. To accept connections from the WebLogic Scripting Tool, the Node Manager can be set up to authenticate the connections or not. If connections are not authenticat
    SV-221421r414948_rule OH12-1X-000182 CCI-000366 MEDIUM The KeyStores property of the Node Manager configured to support OHS must be configured for secure communication. Oracle Node Manager is a utility that can be used to perform common operational tasks across Managed Servers. These servers can be distributed across multiple machines and geographical locations. The "KeyStores" property is used to configure the keyst
    SV-221422r414951_rule OH12-1X-000183 CCI-000366 MEDIUM The CustomIdentityKeyStoreFileName property of the Node Manager configured to support OHS must be configured for secure communication. Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. The "CustomIdentityKeyStoreFileName" property specifies the file name of the identity keystore. This property is required when the "KeyStores" property is set t
    SV-221423r414954_rule OH12-1X-000184 CCI-000366 MEDIUM The CustomIdentityKeyStorePassPhrase property of the Node Manager configured to support OHS must be configured for secure communication. Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. The "CustomIdentityKeyStorePassPhrase" property is used to protect the data within the keystore. Without protection, the data within the keystore could be compr
    SV-221424r414957_rule OH12-1X-000185 CCI-000366 MEDIUM The CustomIdentityAlias property of the Node Manager configured to support OHS must be configured for secure communication. Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. The "CustomIdentityAlias" specifies the alias when loading the private key into the keystore. This property is required when the "KeyStores" property is set t
    SV-221425r414960_rule OH12-1X-000186 CCI-000366 MEDIUM The CustomIdentityPrivateKeyPassPhrase property of the Node Manager configured to support OHS must be configured for secure communication. Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. The "CustomIdentityPrivateKeyPassPhrase" is the password that protects the private key when creating certificates. If a password is not used, the private key is
    SV-221426r414963_rule OH12-1X-000187 CCI-000366 MEDIUM The listen-address element defined within the config.xml of the OHS Standalone domain that supports OHS must be configured for secure communication. Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. When starting an OHS instance, the WebLogic Scripting Tool reads the parameters within the config.xml file to set up the communication to the Node Manager. If th
    SV-221427r414966_rule OH12-1X-000188 CCI-000366 MEDIUM The listen-port element defined within the config.xml of the OHS Standalone Domain must be configured for secure communication. Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. When starting an OHS instance, the WebLogic Scripting Tool reads the parameters within the config.xml file to set up the communication to the Node Manager. If th
    SV-221428r414969_rule OH12-1X-000189 CCI-000366 MEDIUM The WLST_PROPERTIES environment variable defined for the OHS WebLogic Scripting Tool must be updated to reference an appropriate trust store so that it can communicate with the Node Manager supporting OHS. Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. When starting an OHS instance, the "OHS" WebLogic Scripting Tool needs to trust the certificate presented by the Node Manager in order to set up secure communicat
    SV-221429r414972_rule OH12-1X-000190 CCI-000366 MEDIUM The WLST_PROPERTIES environment variable defined for the Fusion Middleware WebLogic Scripting Tool must be updated to reference an appropriate trust store so that it can communicate with the Node Manager supporting OHS. Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. When starting an OHS instance, the "Fusion Middleware" WebLogic Scripting Tool needs to trust the certificate presented by the Node Manager in order to set up sec
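The Node Manager rules above (OH12-1X-000180 through -000186) all reduce to properties in nodemanager.properties, and the two WLST rules (-000189 and -000190) to the contents of the WLST_PROPERTIES environment variable. The following is an added example, not code from the STIG or from Oracle: a small Python auditor that reads a constructed nodemanager.properties and a constructed WLST_PROPERTIES value and reports which rule each missing or wrong setting maps to. The expected values (AuthenticationEnabled=true, KeyStores=CustomIdentityAndCustomTrust, non-empty custom identity fields) and the weblogic.security.TrustKeyStore / weblogic.security.CustomTrustKeyStoreFileName flag names are assumptions drawn from the rule titles, not quoted from the STIG check text; confirm them against the check content for your release before relying on the output.

```python
"""Audit Node Manager settings behind OHS STIG rules OH12-1X-000180 to
-000186 (nodemanager.properties) and -000189/-000190 (WLST_PROPERTIES).
Added example, not STIG or Oracle code; expected values are assumptions
drawn from the rule titles, not from the published check text."""
from typing import Callable, Dict, List, Optional

# Constructed sample: a deliberately non-compliant nodemanager.properties.
SAMPLE_NM_PROPERTIES = """\
# Node Manager properties (constructed sample, not a real instance)
ListenPort=5556
AuthenticationEnabled=false
KeyStores=DemoIdentityAndDemoTrust
CustomIdentityKeyStoreFileName=
SecureListener=true
"""
# Constructed sample: WLST_PROPERTIES as exported by a WLST wrapper script.
SAMPLE_WLST_PROPERTIES = "-Dweblogic.security.SSL.ignoreHostnameVerification=false"


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: key=value or key:value;
    lines starting with '#' or '!' are comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def is_set(value: Optional[str]) -> bool:
    """Present and non-empty. Node Manager rewrites passphrases as {AES}...
    ciphertext after its first start; that still counts as set."""
    return bool(value)


def equals(expected: str) -> Callable[[Optional[str]], bool]:
    return lambda value: value is not None and value.lower() == expected.lower()


# (property, predicate, rule). Expected values are assumptions of this example.
NM_CHECKS = [
    ("ListenAddress", is_set, "OH12-1X-000180"),  # must also match the cert CN
    ("AuthenticationEnabled", equals("true"), "OH12-1X-000181"),
    ("KeyStores", equals("CustomIdentityAndCustomTrust"), "OH12-1X-000182"),
    ("CustomIdentityKeyStoreFileName", is_set, "OH12-1X-000183"),
    ("CustomIdentityKeyStorePassPhrase", is_set, "OH12-1X-000184"),
    ("CustomIdentityAlias", is_set, "OH12-1X-000185"),
    ("CustomIdentityPrivateKeyPassPhrase", is_set, "OH12-1X-000186"),
]
# WLST must trust the Node Manager certificate. Treating these WebLogic SSL
# system properties as the ones the STIG expects is an assumption here.
WLST_REQUIRED = [
    "-Dweblogic.security.TrustKeyStore=CustomTrust",
    "-Dweblogic.security.CustomTrustKeyStoreFileName=",
]


def audit_node_manager(text: str) -> List[str]:
    """One finding per failed nodemanager.properties check."""
    props = parse_properties(text)
    findings = []
    for name, ok, rule in NM_CHECKS:
        value = props.get(name)
        if not ok(value):
            shown = "<missing>" if value is None else repr(value)
            findings.append(f"{rule}: {name} is {shown}")
    return findings


def audit_wlst_properties(env_value: str) -> List[str]:
    """One finding per required -D flag absent from WLST_PROPERTIES
    (OH12-1X-000189 for the OHS WLST, -000190 for the Fusion Middleware WLST)."""
    return [f"OH12-1X-000189/-000190: WLST_PROPERTIES lacks {flag}"
            for flag in WLST_REQUIRED if flag not in env_value]


if __name__ == "__main__":
    for finding in (audit_node_manager(SAMPLE_NM_PROPERTIES)
                    + audit_wlst_properties(SAMPLE_WLST_PROPERTIES)):
        print(finding)
```

Run it against the real file with `audit_node_manager(open(path).read())` and against the exported variable with `audit_wlst_properties(os.environ["WLST_PROPERTIES"])`. The ListenAddress check only confirms the property is set; matching it to the certificate CN (rule -000180) still needs the certificate read out of the identity keystore, which this script does not do.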
    SV-221430r414975_rule OH12-1X-000192 CCI-000366 MEDIUM OHS must limit access to the Dynamic Monitoring Service (DMS). The Oracle Dynamic Monitoring Service (DMS) enables application developers, support analysts, system administrators, and others to measure application specific performance information. If OHS allows any machine to connect and monitor performance, an atta
    SV-221431r414978_rule OH12-1X-000193 CCI-000366 MEDIUM OHS must have the AllowOverride directive set properly. The property "AllowOverride" is used to allow directives to be set differently than those set for the overall architecture. When the property is not set to "None", OHS will check for directives in the htaccess files at each directory level until the requ
    SV-221432r414981_rule OH12-1X-000194 CCI-000366 MEDIUM OHS must be set to evaluate deny directives first when considering whether to serve a file. Part of securing OHS is allowing/denying access to the web server. Deciding on the manner in which the allow/deny rules are evaluated can turn what was once an allowable access into being blocked if the evaluation is reversed. By ordering the access as first deny
    SV-221433r414984_rule OH12-1X-000195 CCI-000366 MEDIUM OHS must deny all access by default when considering whether to serve a file. Part of securing OHS is allowing/denying access to the web server. Deciding on the manner in which the allow/deny rules are evaluated can turn what was once an allowable access into being blocked if the evaluation is reversed. By ordering the access as first deny
    SV-221434r414987_rule OH12-1X-000196 CCI-000366 MEDIUM The OHS instance installation must not contain an .htaccess file. .htaccess files are used to override settings in the OHS configuration files. The placement of the .htaccess file is also important as the settings will affect the directory where the file is located and any subdirectories below. Allowing the use of .ht
    SV-221435r414990_rule OH12-1X-000197 CCI-000366 MEDIUM The OHS instance configuration must not reference directories that contain an .htaccess file. .htaccess files are used to override settings in the OHS configuration files. The placement of the .htaccess file is also important as the settings will affect the directory where the file is located and any subdirectories below. Allowing the use of .ht
    SV-221436r414993_rule OH12-1X-000198 CCI-000366 LOW OHS must have the HostnameLookups directive enabled. Setting the "HostnameLookups" to "On" allows for more information to be logged in the event of an attack and subsequent investigation. This information can be added to other information gathered to narrow the attacker location. The DNS name can also be
    SV-221437r414996_rule OH12-1X-000199 CCI-000366 MEDIUM OHS must have the ServerAdmin directive set properly. Making sure that information is given to the system administrator in a timely fashion is important. This information can be system status, warnings that may need attention before system failure or actual failure notification. Having this information sen
    SV-221438r414999_rule OH12-1X-000200 CCI-000366 MEDIUM OHS must restrict access methods. The directive "" allows the system administrator to restrict what users may use which methods. An example of methods would be GET, POST and DELETE. These three are the most commonly used by applications and should be allowed. Methods such as TRACE, if al
    SV-221439r415002_rule OH12-1X-000201 CCI-000366 MEDIUM The OHS htdocs directory must not contain any default files. Default files from the OHS installation should not be part of the htdocs directory. These files are not always patched or supported and may become an attacker vector in the future.
    SV-221440r415005_rule OH12-1X-000202 CCI-000366 MEDIUM OHS must have the SSLSessionCacheTimeout directive set properly. During an SSL session, information about the session is stored in the global/inter-process SSL Session Cache, the OpenSSL internal memory cache and for sessions resumed by TLS session resumption (RFC 5077). This information must not be allowed to live fo
    SV-221441r415008_rule OH12-1X-000203 CCI-000366 LOW OHS must have the RewriteEngine directive enabled. The rewrite engine is used to evaluate URL requests and modify the requests on the fly. Enabling this engine gives the system administrator the capability to trap potential attacks before reaching the hosted applications or to modify the URL to fix issue
    SV-221442r415011_rule OH12-1X-000204 CCI-000366 LOW OHS must have the RewriteOptions directive set properly. The rules for the rewrite engine can be configured to inherit those from the parent and build upon that set of rules, to copy the rules from the parent if there are none defined or to only process the rules if the input is a URL. Of these, the most secur
    SV-221443r415014_rule OH12-1X-000205 CCI-000366 LOW OHS must have the RewriteLogLevel directive set to the proper log level. Logging must not contain sensitive information or more information necessary than that needed to administer the system. The log levels from the rewrite engine range from 0 to 9 where 0 is no logging and 9 being the most verbose. A log level that gives e
    SV-221444r415017_rule OH12-1X-000206 CCI-000366 LOW OHS must have the RewriteLog directive set properly. Specifying where the log files are written gives the system administrator the capability to store the files in a location other than the default, with system files or in a globally accessible location. The system administrator can also specify a location
    SV-221445r415020_rule OH12-1X-000207 CCI-000366 MEDIUM All accounts installed with the web server software and tools must have passwords assigned and default passwords changed. During installation of the web server software, accounts are created for the web server to operate properly. The accounts installed can have either no password installed or a default password, which will be known and documented by the vendor and the user
    SV-221446r415023_rule OH12-1X-000208 CCI-000366 MEDIUM A production OHS Installation must prohibit the installation of a compiler. The presence of a compiler on a production server facilitates the malicious user’s task of creating custom versions of programs and installing Trojan Horses or viruses. For example, the attacker’s code can be uploaded and compiled on the server under
    SV-221447r415026_rule OH12-1X-000209 CCI-000366 MEDIUM A public OHS installation, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension. To minimize exposure of private assets to unnecessary risk by attackers, public web servers must be isolated from internal systems. Public web servers are by nature more vulnerable to attack from publicly based sources, such as the public Internet. Onc
    SV-221448r415029_rule OH12-1X-000210 CCI-000366 MEDIUM A private OHS installation must be located on a separate controlled access subnet. Private web servers, which host sites that serve controlled access data, must be protected from outside threats in addition to insider threats. Insider threat may be accidental or intentional but, in either case, can cause a disruption in service of the w
    SV-221449r415032_rule OH12-1X-000211 CCI-000366 HIGH The version of the OHS installation must be vendor-supported. Many vulnerabilities are associated with older versions of software. As hot fixes and patches are issued, these solutions are included in the next version of the server software. Maintaining OHS at a current version makes the efforts of a malicious user
    SV-221450r415035_rule OH12-1X-000212 CCI-000366 MEDIUM OHS must be certified with accompanying Fusion Middleware products. OHS is capable of being used with other Oracle products. For the products to work properly and not introduce vulnerabilities or errors, Oracle certifies which versions work with each other. Insisting that the certified versions be installed together in
    SV-221451r415038_rule OH12-1X-000214 CCI-000366 MEDIUM OHS tools must be restricted to the web manager and the web manager's designees. All automated information systems are at risk of data loss due to disaster or compromise. Failure to provide adequate protection to the administration tools creates risk of potential theft or damage that may ultimately compromise the mission. Adequate pr
    SV-221452r415041_rule OH12-1X-000215 CCI-000366 LOW All utility programs, not necessary for operations, must be removed or disabled. Just as running unneeded services and protocols is a danger to the web server at the lower levels of the OSI model, running unneeded utilities and programs is also a danger at the application layer of the OSI model. Office suites, development tools, and g
    SV-221453r415044_rule OH12-1X-000216 CCI-000366 MEDIUM The OHS htpasswd files (if present) must reflect proper ownership and permissions. In addition to OS restrictions, access rights to files and directories can be set on a web site using the web server software. That is, in addition to allowing or denying all access rights, a rule can be specified that allows or denies partial access rig
    SV-221454r415047_rule OH12-1X-000217 CCI-000366 MEDIUM A public OHS installation must limit email to outbound only. Incoming e-mail has been known to provide hackers with access to servers. Disabling the incoming mail service prevents this type of attack. Additionally, e-mail represents the main use of the Internet. It is a specialized application that requires the dedic
    SV-221455r415050_rule OH12-1X-000218 CCI-000366 LOW OHS content and configuration files must be part of a routine backup program. Backing up web server data and web server application software after upgrades or maintenance ensures that recovery can be accomplished up to the current version. It also provides a means to determine and recover from subsequent unauthorized changes to th
    SV-221456r415053_rule OH12-1X-000219 CCI-000366 MEDIUM OHS must be segregated from other services. The web server installation and configuration plan should not support the co-hosting of multiple services such as Domain Name Service (DNS), e-mail, databases, search engines, indexing, or streaming media on the same server that is providing the web publi
    SV-221457r415056_rule OH12-1X-000220 CCI-000366 MEDIUM OHS must have all applicable patches (i.e., CPUs) applied/documented (OEM). The IAVM process does not address all patches that have been identified for the host operating system or, in this case, the web server software environment. Many vendors have subscription services available to notify users of known security threats. The s
    SV-221458r415059_rule OH12-1X-000221 CCI-000366 MEDIUM A private OHS list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA. A PKI certificate is a digital identifier that establishes the identity of an individual or a platform. A server that has a certificate provides users with third-party confirmation of authenticity. Most web browsers perform server authentication automatic
    SV-221459r415062_rule OH12-1X-000222 CCI-000366 MEDIUM OHS must have the ScoreBoardFile directive disabled. The ScoreBoardFile directive sets a file path which the server will use for Inter-Process Communication (IPC) among the Apache processes. If the directive is specified, then Apache will use the configured file for the inter-process communication. Therefor
    SV-221460r415065_rule OH12-1X-000223 CCI-000366 MEDIUM The OHS document root directory must not be on a network share. Sharing of web server content is a security risk when a web server is involved. Users accessing the share anonymously could gain privileged access to the content of such directories. Network sharable directories expose those directories and their co
    SV-221461r415068_rule OH12-1X-000224 CCI-000366 MEDIUM The OHS server root directory must not be on a network share. Sharing of the web server directory where the executables are stored is a security risk when a web server is involved. Users that have access to the share may not be administrative users. These users could make changes to the web server without going th
    SV-221462r415071_rule OH12-1X-000225 CCI-000366 HIGH Symbolic links must not be used in the web content directory tree. A symbolic link allows a file or a directory to be referenced using a symbolic name raising a potential hazard if symbolic linkage is made to a sensitive area. When web scripts are executed and symbolic links are allowed, the web user could be allowed to
    SV-221463r415074_rule OH12-1X-000226 CCI-000366 HIGH OHS administration must be performed over a secure path or at the local console. Logging into a web server remotely using an unencrypted protocol or service when performing updates and maintenance is a major risk. Data, such as user account credentials, is transmitted in plaintext and can easily be compromised. When performing remote administra
    SV-221464r415077_rule OH12-1X-000227 CCI-000366 MEDIUM OHS must not contain any robots.txt files. Search engines are constantly at work on the Internet. Search engines are augmented by agents, often referred to as spiders or bots, which endeavor to capture and catalog web-site content. In turn, these search engines make the content they obtain and c
    SV-221465r415080_rule OH12-1X-000228 CCI-000366 MEDIUM OHS must prohibit anonymous FTP user access to interactive scripts. The directories containing the CGI scripts, such as Perl, must not be accessible to anonymous users via FTP. This applies to all directories that contain scripts that can dynamically produce web pages in an interactive manner (i.e., scripts based upon use
    SV-221466r415083_rule OH12-1X-000229 CCI-000366 MEDIUM The OHS DocumentRoot directory must be in a separate partition from the OHS ServerRoot directory. Application partitioning enables an additional security measure by securing user traffic under one security context, while managing system and application files under another. Web content is accessible to an anonymous web user. For such an account to have
    SV-221467r415086_rule OH12-1X-000230 CCI-000366 MEDIUM The OHS DocumentRoot directory must be on a separate partition from OS root partition. Application partitioning enables an additional security measure by securing user traffic under one security context, while managing system and application files under another. Web content is accessible to an anonymous web user. For such an account to have
    SV-221468r415089_rule OH12-1X-000231 CCI-000366 MEDIUM Remote authors or content providers must have all files scanned for viruses and malicious code before uploading files to the Document Root directory. Remote web authors should not be able to upload files to the DocumentRoot directory structure without virus checking and checking for malicious or mobile code. A remote web user whose agency has a Memorandum of Agreement (MOA) with the hosting agency and
    SV-221469r415092_rule OH12-1X-000232 CCI-000366 MEDIUM A public OHS server must use TLS if authentication is required to host web sites. Transport Layer Security (TLS) is optional for a public web server. However, if authentication is being performed, then the use of the TLS protocol is required. Without the use of TLS, the authentication data would be transmitted unencrypted and would b
    SV-221470r415095_rule OH12-1X-000233 CCI-000366 LOW OHS hosted web sites must utilize ports, protocols, and services according to PPSM guidelines. Failure to comply with DoD ports, protocols, and services (PPS) requirements can result in compromise of enclave boundary protections and/or functionality of the automated information system (AIS). The ISSM will ensure web servers are configured to use o
    SV-221471r415098_rule OH12-1X-000234 CCI-000366 HIGH OHS must not have the directive PlsqlDatabasePassword set in clear text. OHS supports the use of the module mod_plsql, which allows applications to be hosted that are PL/SQL-based. To access the database, the module must have a valid username, password and database name. To keep the password from an attacker, the password mu
    SV-221472r415101_rule OH12-1X-000235 CCI-000381 MEDIUM If WebLogic is not in use with OHS, OHS must have the include mod_wl_ohs.conf directive disabled at the server level. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221473r415104_rule OH12-1X-000236 CCI-000381 MEDIUM If mod_plsql is not in use with OHS, OHS must have the include moduleconf/* directive disabled. A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and
    SV-221474r415107_rule OH12-1X-000240 CCI-000197 HIGH OHS must have the LoadModule ossl_module directive enabled to encrypt passwords during transmission. Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to authenticate can be passed to and from the web server for many
    SV-221475r415110_rule OH12-1X-000241 CCI-000197 HIGH OHS must use FIPS modules to encrypt passwords during transmission. Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to authenticate can be passed to and from the web server for many
    SV-221476r415113_rule OH12-1X-000242 CCI-000197 HIGH OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to encrypt passwords during transmission. Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to authenticate can be passed to and from the web server for many
    SV-221477r415116_rule OH12-1X-000243 CCI-000197 HIGH OHS must have the SSLCipherSuite directive enabled to encrypt passwords during transmission. Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to authenticate can be passed to and from the web server for many
    SV-221478r415119_rule OH12-1X-000244 CCI-000185 MEDIUM OHS must have the LoadModule ossl_module directive enabled to perform RFC 5280-compliant certification path validation. A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entit
    SV-221479r415122_rule OH12-1X-000245 CCI-000185 MEDIUM OHS must use FIPS modules to perform RFC 5280-compliant certification path validation. A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entit
    SV-221480r415125_rule OH12-1X-000246 CCI-000185 MEDIUM OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to perform RFC 5280-compliant certification path validation. A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entit
    SV-221481r415128_rule OH12-1X-000247 CCI-000185 MEDIUM OHS must have the SSLCipherSuite directive enabled to perform RFC 5280-compliant certification path validation. A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entit
    SV-221482r415131_rule OH12-1X-000248 CCI-000185 MEDIUM OHS must have the SSLVerifyClient directive set within each SSL-enabled VirtualHost directive to perform RFC 5280-compliant certification path validation. A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entit
    SV-221483r415134_rule OH12-1X-000249 CCI-000185 MEDIUM OHS must have the SSLCARevocationFile and SSLCRLCheck directives within each SSL-enabled VirtualHost directive set to perform RFC 5280-compliant certification path validation when using single certification revocation. A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entit
    SV-221484r415137_rule OH12-1X-000250 CCI-000185 MEDIUM OHS must have SSLCARevocationPath and SSLCRLCheck directives within each SSL-enabled VirtualHost directive set to perform RFC 5280-compliant certification path validation when using multiple certification revocation. A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entit
    SV-221485r415140_rule OH12-1X-000251 CCI-000185 MEDIUM OHS must be integrated with a tool such as Oracle Access Manager to enforce a client-side certificate revocation check through the OCSP protocol. A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entit
    SV-221486r415143_rule OH12-1X-000253 CCI-000803 MEDIUM OHS must have the LoadModule ossl_module directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIP
    SV-221487r415146_rule OH12-1X-000254 CCI-000803 MEDIUM OHS must have the SSLFIPS directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIP
    SV-221488r415149_rule OH12-1X-000255 CCI-000803 MEDIUM OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIP
    SV-221489r415152_rule OH12-1X-000256 CCI-000803 MEDIUM OHS must have the SSLCipherSuite directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIP
    SV-221490r415155_rule OH12-1X-000257 CCI-000803 MEDIUM OHS must have the LoadModule ossl_module directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS
    SV-221491r415158_rule OH12-1X-000258 CCI-000803 MEDIUM OHS must have the SSLFIPS directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS
    SV-221492r415161_rule OH12-1X-000259 CCI-000803 MEDIUM OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS
    SV-221493r415164_rule OH12-1X-000260 CCI-000803 MEDIUM OHS must have the SSLCipherSuite directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS
    SV-221494r415167_rule OH12-1X-000265 CCI-001166 MEDIUM OHS utilizing mobile code must meet DoD-defined mobile code requirements. Mobile code in hosted applications allows the developer to add functionality and displays to hosted applications that are fluid, as opposed to a static web page. The data presentation becomes more appealing to the user, is easier to analyze, and navigatio
    SV-221495r415170_rule OH12-1X-000266 CCI-001082 HIGH OHS accounts accessing the directory tree, the shell, or other operating system functions and utilities must only be administrative accounts. As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server. The resources to which these accounts have access must also b
    SV-221496r415173_rule OH12-1X-000281 CCI-001084 MEDIUM OHS must have the DocumentRoot directive set to a separate partition from the OHS system files. A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To allow a client access to system files of any type is a major
    SV-221497r810872_rule OH12-1X-000282 CCI-001084 MEDIUM OHS must have the Directory directive accompanying the DocumentRoot directive set to a separate partition from the OHS system files. A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To allow a client access to system files of any type is a major
    SV-221498r415179_rule OH12-1X-000283 CCI-001094 MEDIUM OHS must have the Timeout directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used t
    SV-221499r415182_rule OH12-1X-000284 CCI-001094 MEDIUM OHS must have the KeepAlive directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used t
    SV-221500r415185_rule OH12-1X-000285 CCI-001094 MEDIUM OHS must have the KeepAliveTimeout properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used t
    SV-221501r415188_rule OH12-1X-000286 CCI-001094 MEDIUM OHS must have the MaxKeepAliveRequests directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used t
    SV-221502r415191_rule OH12-1X-000287 CCI-001094 MEDIUM OHS must have the ListenBacklog properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used t
    SV-221503r415194_rule OH12-1X-000288 CCI-001094 MEDIUM OHS must have the LimitRequestBody directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used t
    SV-221504r415197_rule OH12-1X-000289 CCI-001094 MEDIUM OHS must have the LimitRequestFields directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used t
    SV-221505r415200_rule OH12-1X-000290 CCI-001094 MEDIUM OHS must have the LimitRequestFieldSize directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used t
    SV-221506r415203_rule OH12-1X-000291 CCI-001094 MEDIUM OHS must have the LimitRequestLine directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used t
    SV-221507r415206_rule OH12-1X-000292 CCI-001094 MEDIUM OHS must have the LimitXMLRequestBody directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used t
    SV-221508r415209_rule OH12-1X-000293 CCI-001094 MEDIUM OHS must have the LimitInternalRecursion directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used t
    SV-221513r415220_rule OH12-1X-000298 CCI-002470 MEDIUM OHS must have the LoadModule ossl_module directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security co
    SV-221514r415223_rule OH12-1X-000299 CCI-002470 MEDIUM OHS must have the SSLFIPS directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security co
    SV-221515r415226_rule OH12-1X-000300 CCI-002470 MEDIUM OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security co
    SV-221516r415229_rule OH12-1X-000301 CCI-002470 MEDIUM OHS must have the SSLCipherSuite directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security co
    SV-221517r415232_rule OH12-1X-000302 CCI-002470 MEDIUM OHS must have the SSLVerifyClient directive enabled to only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security co
    SV-221518r415235_rule OH12-1X-000303 CCI-002470 MEDIUM OHS must use wallets that have only DoD certificate authorities defined. Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security co
    SV-221519r415238_rule OH12-1X-000307 CCI-002385 MEDIUM OHS must be tuned to handle the operational requirements of the hosted application. A Denial of Service (DoS) can occur when the web server is so overwhelmed that it can no longer respond to additional requests. A web server not properly tuned may become overwhelmed and cause a DoS condition even with expected traffic from users. To avoi
    SV-221520r415241_rule OH12-1X-000308 CCI-002418 HIGH OHS must have the LoadModule ossl_module directive enabled to prevent unauthorized disclosure of information during transmission. Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport L
    SV-221521r415244_rule OH12-1X-000309 CCI-002418 HIGH OHS must have the SSLFIPS directive enabled to prevent unauthorized disclosure of information during transmission. Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport L
    SV-221522r415247_rule OH12-1X-000310 CCI-002418 HIGH OHS must have the SSLEngine, SSLProtocol, SSLWallet directives enabled and configured to prevent unauthorized disclosure of information during transmission. Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport L
    SV-221523r415250_rule OH12-1X-000311 CCI-002418 HIGH OHS must have the SSLCipherSuite directive enabled to prevent unauthorized disclosure of information during transmission. Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport L
    SV-221524r415253_rule OH12-1X-000312 CCI-002418 MEDIUM If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the SecureProxy directive enabled to prevent unauthorized disclosure of information during transmission. Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport L
    SV-221525r415256_rule OH12-1X-000313 CCI-002418 MEDIUM OHS must have the WLSSLWallet directive enabled to prevent unauthorized disclosure of information during transmission. Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport L
    SV-221526r415259_rule OH12-1X-000314 CCI-002418 MEDIUM If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the WebLogicSSLVersion directive enabled to prevent unauthorized disclosure of information during transmission. Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport L
    SV-221527r415262_rule OH12-1X-000315 CCI-002418 MEDIUM If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS, OHS must have the WLProxySSL directive enabled to prevent unauthorized disclosure of information during transmission. Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport L
    SV-221528r415265_rule OH12-1X-000320 CCI-002418 MEDIUM OHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version. Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enab
    SV-221529r415268_rule OH12-1X-000321 CCI-002418 MEDIUM OHS must have the SSLFIPS directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version. Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enab
    SV-221530r415271_rule OH12-1X-000322 CCI-002418 MEDIUM OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version. Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enab
    SV-221531r415274_rule OH12-1X-000323 CCI-002418 MEDIUM OHS must have the SSLCipherSuite directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version. Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enab
    SV-221532r415277_rule OH12-1X-000324 CCI-002420 MEDIUM OHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality and integrity of information during preparation for transmission. Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures
    SV-221533r415280_rule OH12-1X-000325 CCI-002420 MEDIUM OHS must have the SSLFIPS directive enabled to maintain the confidentiality and integrity of information during preparation for transmission. Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures
    SV-221534r415283_rule OH12-1X-000326 CCI-002420 MEDIUM OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality and integrity of information during preparation for transmission. Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures
    SV-221535r415286_rule OH12-1X-000327 CCI-002420 MEDIUM OHS must have the SSLCipherSuite directive enabled to maintain the confidentiality and integrity of information during preparation for transmission. Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures
    SV-221536r415289_rule OH12-1X-000328 CCI-002420 MEDIUM If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the SecureProxy directive enabled to maintain the confidentiality and integrity of information during preparation for transmission. Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures
    SV-221537r415292_rule OH12-1X-000329 CCI-002420 MEDIUM If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the WLSSLWallet directive enabled to maintain the confidentiality and integrity of information during preparation for transmission. Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures
    SV-221538r415295_rule OH12-1X-000330 CCI-002420 MEDIUM If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS, OHS must have the WLSProxySSL directive enabled to maintain the confidentiality and integrity of information during preparation for transmission. Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures
    SV-221539r415298_rule OH12-1X-000331 CCI-002422 MEDIUM OHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality and integrity of information during reception. Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications c
    SV-221540r415301_rule OH12-1X-000332 CCI-002422 MEDIUM OHS must have the SSLFIPS directive enabled to maintain the confidentiality and integrity of information during reception. Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications c
    SV-221541r415304_rule OH12-1X-000333 CCI-002422 MEDIUM OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality and integrity of information during reception. Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications c
    SV-221542r415307_rule OH12-1X-000334 CCI-002422 MEDIUM OHS must have the SSLCipherSuite directive enabled to maintain the confidentiality and integrity of information during reception. Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications c
    SV-221543r415310_rule OH12-1X-000335 CCI-002422 MEDIUM If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the SSLSecureProxy directive enabled to maintain the confidentiality and integrity of information during reception. Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications c
    SV-221544r415313_rule OH12-1X-000336 CCI-002422 MEDIUM If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the WLSSLWallet directive enabled to maintain the confidentiality and integrity of information during reception. Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications c
    SV-221545r415316_rule OH12-1X-000337 CCI-002422 MEDIUM If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS, OHS must have the WLProxySSL directive enabled to maintain the confidentiality and integrity of information during reception. Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications c
    SV-221546r415319_rule OH12-1X-000346 CCI-001312 LOW OHS must display a default hosted application web page, not a directory listing, when a requested web page cannot be found. The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor to accomplish this
    SV-221547r415322_rule OH12-1X-000347 CCI-001312 MEDIUM OHS must have the ServerSignature directive disabled. Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or modules being used. Web servers will often display error messa
    SV-221548r415325_rule OH12-1X-000348 CCI-001312 LOW OHS must have the ServerTokens directive set to limit the response header. Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or modules being used. Web servers will often display error messa
    SV-221549r415328_rule OH12-1X-000349 CCI-001312 MEDIUM OHS must have the Alias /error directive defined to reference the directory accompanying the ErrorDocument directives to minimize the identity of OHS, patches, loaded modules, and directory paths in warning and error messages displayed to clients. Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or modules being used. Web servers will often display error messa
    SV-221550r415331_rule OH12-1X-000350 CCI-001312 MEDIUM OHS must have the permissions set properly via the Directory directive accompanying the ErrorDocument directives to minimize improper access to the warning and error messages displayed to clients. Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or modules being used. Web servers will often display error messa
    SV-221551r415334_rule OH12-1X-000351 CCI-001312 LOW OHS must have defined error pages for common error codes that minimize the identity of the web server, patches, loaded modules, and directory paths. Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or modules being used. Web servers will often display error messa
    SV-221552r415337_rule OH12-1X-000352 CCI-001312 LOW OHS must have production information removed from error documents to minimize the identity of OHS, patches, loaded modules, and directory paths in warning and error messages displayed to clients. Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or modules being used. Web servers will often display error messa
    SV-221553r415340_rule OH12-1X-000353 CCI-001312 MEDIUM Debugging and trace information used to diagnose OHS must be disabled. Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or trace information is enabled in a production web server, in
    SV-252204r816508_rule OH12-1X-000049 CCI-000054 MEDIUM OHS must capture, record, and log all content related to a user session. A user session to a web server is in the context of a user accessing a hosted application that extends to any plug-ins/modules and services that may execute on behalf of the user. The web server must be capable of enabling a setting for troubleshooting,
    SV-252205r816509_rule OH12-1X-000294 CCI-000054 HIGH OHS must have the LoadModule ossl_module directive enabled to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized. Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. NSA has developed Type 1 algorithms for prot
    SV-252546r816515_rule OH12-1X-000295 CCI-002450 HIGH OHS must have the SSLFIPS directive enabled to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized. Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. NSA has developed Type 1 algorithms for prot