
Oracle HTTP Server 12.1.3 Security Technical Implementation Guide

V2R1 · Released 27 Jan 2022 · 280 rules

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.
Digest of Updates vs. V1R7 (24 Jul 2020): +280 −282

Comparison against the immediately prior release (V1R7). Rules are matched by Group Vuln ID. Content-change detection compares each rule's description, check, and fix text after stripping inline markup, so cosmetic-only edits are not flagged.

Added rules (280)

  • V-221272 Medium OHS must have the mpm property set to use the worker Multi-Processing Module (MPM) as the preferred means to limit the number of allowed simultaneous requests.
  • V-221273 Medium OHS must have the mpm_prefork_module directive disabled so as not conflict with the worker directive used to limit the number of allowed simultaneous requests.
  • V-221274 Medium OHS must have the MaxClients directive defined to limit the number of allowed simultaneous requests.
  • V-221275 Medium OHS must limit the number of threads within a worker process to limit the number of allowed simultaneous requests.
  • V-221276 Medium OHS must limit the number of worker processes to limit the number of allowed simultaneous requests.
  • V-221277 High OHS must have the LoadModule ossl_module directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
  • V-221278 High OHS must have the SSLFIPS directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
  • V-221279 Medium OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to encrypt remote connections in accordance with the categorization of data hosted by the web server.
  • V-221280 High OHS must have the SSLCipherSuite directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
  • V-221281 High OHS must have the LoadModule ossl_module directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.
  • V-221282 High OHS must have the SSLFIPS directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.
  • V-221283 High OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.
  • V-221284 High OHS must have the SSLCipherSuite directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.
  • V-221285 Medium OHS must have the SecureProxy directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.
  • V-221286 Medium OHS must have the WLSSLWallet directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.
  • V-221287 Medium OHS must have the WebLogicSSLVersion directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.
  • V-221288 Medium OHS must have the WLProxySSL directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.
  • V-221289 Medium OHS must have the LoadModule log_config_module directive enabled to generate information to be used by external applications or entities to monitor and control remote access.
  • V-221290 Medium OHS must have the OraLogMode set to Oracle Diagnostic Logging text mode to generate information to be used by external applications or entities to monitor and control remote access.
  • V-221291 Medium OHS must have a log directory location defined to generate information for use by external applications or entities to monitor and control remote access.
  • V-221292 Medium OHS must have the OraLogSeverity directive defined to generate adequate information to be used by external applications or entities to monitor and control remote access.
  • V-221293 Medium OHS must have the log rotation parameter set to allow generated information to be used by external applications or entities to monitor and control remote access.
  • V-221294 Medium OHS must have a log format defined to generate adequate information to be used by external applications or entities to monitor and control remote access.
  • V-221295 Medium OHS must have a SSL log format defined to allow generated information to be used by external applications or entities to monitor and control remote access in accordance with the categorization of data hosted by the web server.
  • V-221296 Medium OHS must have a log file defined for each site/virtual host to capture information to be used by external applications or entities to monitor and control remote access.
  • V-221297 Medium Remote access to OHS must follow access policy or work in conjunction with enterprise tools designed to enforce policy requirements.
  • V-221298 Medium OHS must have the Order, Allow, and Deny directives set within the Directory directives set to restrict inbound connections from nonsecure zones.
  • V-221299 Medium OHS must have the Order, Allow, and Deny directives set within the Files directives set to restrict inbound connections from nonsecure zones.
  • V-221300 Medium OHS must have the Order, Allow, and Deny directives set within the Location directives set to restrict inbound connections from nonsecure zones.
  • V-221301 Medium OHS must provide the capability to immediately disconnect or disable remote access to the hosted applications.
  • V-221302 Medium Non-privileged accounts on the hosting system must only access OHS security-relevant information and functions through a distinct administrative account.
  • V-221303 Medium OHS must have the client requests logging module loaded to generate log records for system startup and shutdown, system access, and system authentication logging.
  • V-221304 Medium OHS must have OraLogMode set to Oracle Diagnostic Logging text mode to generate log records for system startup and shutdown, system access, and system authentication logging.
  • V-221305 Medium OHS must have a log directory location defined to generate log records for system startup and shutdown, system access, and system authentication logging.
  • V-221306 Medium OHS must have a log level severity defined to generate adequate log records for system startup and shutdown, system access, and system authentication events.
  • V-221307 Medium OHS must have the log rotation parameter set to allow for the generation log records for system startup and shutdown, system access, and system authentication events.
  • V-221308 Medium OHS must have a log format defined to generate adequate logs by system startup and shutdown, system access, and system authentication events.
  • V-221309 Medium OHS must have a SSL log format defined to generate adequate logs by system startup and shutdown, system access, and system authentication events.
  • V-221310 Medium OHS must have a log file defined for each site/virtual host to capture logs generated by system startup and shutdown, system access, and system authentication events.
  • V-221312 Medium OHS must have a log level severity defined to produce sufficient log records to establish what type of events occurred.
  • V-221313 Medium OHS must have a log format defined for log records generated to capture sufficient information to establish what type of events occurred.
  • V-221314 Medium OHS must have a SSL log format defined for log records generated to capture sufficient information to establish what type of events occurred.
  • V-221315 Medium OHS must have a log file defined for each site/virtual host to capture sufficient information to establish what type of events occurred.
  • V-221316 Medium OHS must have a log format defined for log records generated to capture sufficient information to establish when an event occurred.
  • V-221317 Medium OHS must have a SSL log format defined for log records generated to capture sufficient information to establish when an event occurred.
  • V-221318 Medium OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of when an event occurred.
  • V-221319 Medium OHS must have a log format defined for log records that allow the establishment of where within OHS the events occurred.
  • V-221320 Medium OHS must have a SSL log format defined for log records that allow the establishment of where within OHS the events occurred.
  • V-221321 Medium OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of where within OHS the events occurred.
  • V-221322 Medium OHS must have a log format defined for log records that allow the establishment of the source of events.
  • V-221323 Medium OHS must have a SSL log format defined for log records that allow the establishment of the source of events.
  • V-221324 Medium OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of the source of events.
  • V-221325 Medium OHS, behind a load balancer or proxy server, must produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
  • V-221326 Medium OHS, behind a load balancer or proxy server, must have the SSL log format set correctly to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
  • V-221327 Medium OHS, behind a load balancer or proxy server, must have a log file defined for each site/virtual host to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
  • V-221328 Medium OHS must have a log format defined to produce log records that contain sufficient information to establish the outcome (success or failure) of events.
  • V-221329 Medium OHS must have a SSL log format defined to produce log records that contain sufficient information to establish the outcome (success or failure) of events.
  • V-221330 Medium OHS must have a log file defined for each site/virtual host to produce log records that contain sufficient information to establish the outcome (success or failure) of events.
  • V-221331 Medium OHS must have a log format defined to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
  • V-221332 Medium OHS must have a SSL log format defined to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
  • V-221333 Medium OHS must have a log file defined for each site/virtual host to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
  • V-221334 Medium OHS log files must only be accessible by privileged users.
  • V-221335 Medium The log information from OHS must be protected from unauthorized modification.
  • V-221336 Medium The log information from OHS must be protected from unauthorized deletion.
  • V-221337 Medium The log data and records from OHS must be backed up onto a different system or media.
  • V-221338 Medium OHS must be configured to store error log files to an appropriate storage device from which other tools can be configured to reference those log files for diagnostic/forensic purposes.
  • V-221339 Medium OHS must be configured to store access log files to an appropriate storage device from which other tools can be configured to reference those log files for diagnostic/forensic purposes.
  • V-221340 Medium OHS must have the LoadModule file_cache_module directive disabled.
  • V-221341 Low OHS must have the LoadModule vhost_alias_module directive disabled.
  • V-221342 Medium OHS must have the LoadModule env_module directive disabled.
  • V-221343 Low OHS must have the LoadModule mime_magic_module directive disabled.
  • V-221344 Low OHS must have the LoadModule negotiation_module directive disabled.
  • V-221345 Low OHS must not have the LanguagePriority directive enabled.
  • V-221346 Low OHS must not have the ForceLanguagePriority directive enabled.
  • V-221347 Medium OHS must have the LoadModule status_module directive disabled.
  • V-221348 Medium OHS must have the LoadModule info_module directive disabled.
  • V-221349 Medium OHS must have the LoadModule include_module directive disabled.
  • V-221350 Medium OHS must have the LoadModule autoindex_module directive disabled.
  • V-221351 Medium OHS must have the IndexOptions directive disabled.
  • V-221352 Medium OHS must have the AddIconByEncoding directive disabled.
  • V-221353 Medium OHS must have the AddIconByType directive disabled.
  • V-221354 Medium OHS must have the AddIcon directive disabled.
  • V-221355 Medium OHS must have the DefaultIcon directive disabled.
  • V-221356 Medium OHS must have the ReadmeName directive disabled.
  • V-221357 Medium OHS must have the HeaderName directive disabled.
  • V-221358 Medium OHS must have the IndexIgnore directive disabled.
  • V-221359 Low OHS must have the LoadModule dir_module directive disabled.
  • V-221360 Low OHS must have the DirectoryIndex directive disabled.
  • V-221361 Medium OHS must have the LoadModule cgi_module directive disabled.
  • V-221362 Medium OHS must have the LoadModule fastcgi_module disabled.
  • V-221363 Medium OHS must have the LoadModule cgid_module directive disabled for mpm workers.
  • V-221364 Low OHS must have the IfModule cgid_module directive disabled.
  • V-221365 Low OHS must have the LoadModule mpm_winnt_module directive disabled.
  • V-221366 Medium OHS must have the ScriptAlias directive for CGI scripts disabled.
  • V-221367 Medium OHS must have the ScriptSock directive disabled.
  • V-221368 Medium OHS must have the cgi-bin directory disabled.
  • V-221369 Medium OHS must have directives pertaining to certain scripting languages removed from virtual hosts.
  • V-221370 Low OHS must have the LoadModule asis_module directive disabled.
  • V-221371 Low OHS must have the LoadModule imagemap_module directive disabled.
  • V-221372 Medium OHS must have the LoadModule actions_module directive disabled.
  • V-221373 Low OHS must have the LoadModule speling_module directive disabled.
  • V-221374 Medium OHS must have the LoadModule userdir_module directive disabled.
  • V-221375 Medium OHS must have the AliasMatch directive pertaining to the OHS manuals disabled.
  • V-221376 Medium OHS must have the Directory directive pointing to the OHS manuals disabled.
  • V-221377 Medium OHS must have the LoadModule auth_basic_module directive disabled.
  • V-221378 Medium OHS must have the LoadModule authz_user_module directive disabled.
  • V-221379 Medium OHS must have the LoadModule authn_file_module directive disabled.
  • V-221380 Medium OHS must have the LoadModule authn_anon_module directive disabled.
  • V-221381 Medium OHS must have the LoadModule proxy_module directive disabled.
  • V-221382 Medium OHS must have the LoadModule proxy_http_module directive disabled.
  • V-221383 Medium OHS must have the LoadModule proxy_ftp_module directive disabled.
  • V-221384 Medium OHS must have the LoadModule proxy_connect_module directive disabled.
  • V-221385 Medium OHS must have the LoadModule proxy_balancer_module directive disabled.
  • V-221386 Low OHS must have the LoadModule cern_meta_module directive disabled.
  • V-221387 Low OHS must have the LoadModule expires_module directive disabled.
  • V-221388 Low OHS must have the LoadModule usertrack_module directive disabled.
  • V-221389 Low OHS must have the LoadModule uniqueid_module directive disabled.
  • V-221390 Medium OHS must have the LoadModule setenvif_module directive disabled.
  • V-221391 Medium OHS must have the BrowserMatch directive disabled.
  • V-221392 Medium OHS must have the LoadModule dumpio_module directive disabled.
  • V-221393 Low OHS must have the IfModule dumpio_module directive disabled.
  • V-221394 Medium OHS must have the Alias /icons/ directive disabled.
  • V-221395 Medium OHS must have the path to the icons directory disabled.
  • V-221396 Low OHS must have the IfModule mpm_winnt_module directive disabled.
  • V-221397 Medium OHS must have the LoadModule proxy_module directive disabled.
  • V-221398 Medium OHS must have the LoadModule proxy_http_module directive disabled.
  • V-221399 Medium OHS must have the LoadModule proxy_ftp_module directive disabled.
  • V-221400 Medium OHS must have the LoadModule proxy_connect_module directive disabled.
  • V-221401 Medium OHS must have the LoadModule proxy_balancer_module directive disabled.
  • V-221402 Low OHS must disable the directive pointing to the directory containing the OHS manuals.
  • V-221403 Medium OHS must have the AliasMatch directive disabled for the OHS manuals.
  • V-221404 Medium OHS must have the AddHandler directive disabled.
  • V-221405 Medium OHS must have the LoadModule cgi_module directive disabled.
  • V-221406 Medium OHS must have the LoadModule cgid_module directive disabled.
  • V-221407 Medium OHS must have the IfModule cgid_module directive disabled for the OHS server, virtual host, and directory configuration.
  • V-221408 Low OHS must have the LoadModule cgi_module directive disabled within the IfModule mpm_winnt_module directive.
  • V-221409 Medium OHS must have the ScriptAlias /cgi-bin/ directive within a IfModule alias_module directive disabled.
  • V-221410 Medium OHS must have the ScriptSock directive within a IfModule cgid_module directive disabled.
  • V-221411 Medium OHS must have the cgi-bin directory disabled.
  • V-221412 Medium OHS must have directives pertaining to certain scripting languages removed from virtual hosts.
  • V-221413 Medium OHS must have resource mappings set to disable the serving of certain file types.
  • V-221414 Medium Users and scripts running on behalf of users must be contained to the document root or home directory tree of OHS.
  • V-221415 Medium OHS must be configured to use a specified IP address, port, and protocol.
  • V-221416 Medium The Node Manager account password associated with the installation of OHS must be in accordance with DoD guidance for length, complexity, etc.
  • V-221417 Medium OHS must have Entity tags (ETags) disabled.
  • V-221418 Medium The SecureListener property of the Node Manager configured to support OHS must be enabled for secure communication.
  • V-221419 Medium The ListenAddress property of the Node Manager configured to support OHS must match the CN of the certificate used by Node Manager.
  • V-221420 Medium The AuthenticationEnabled property of the Node Manager configured to support OHS must be configured to enforce authentication.
  • V-221421 Medium The KeyStores property of the Node Manager configured to support OHS must be configured for secure communication.
  • V-221422 Medium The CustomIdentityKeyStoreFileName property of the Node Manager configured to support OHS must be configured for secure communication.
  • V-221423 Medium The CustomIdentityKeyStorePassPhrase property of the Node Manager configured to support OHS must be configured for secure communication.
  • V-221424 Medium The CustomIdentityAlias property of the Node Manager configured to support OHS must be configured for secure communication.
  • V-221425 Medium The CustomIdentityPrivateKeyPassPhrase property of the Node Manager configured to support OHS must be configured for secure communication.
  • V-221426 Medium The listen-address element defined within the config.xml of the OHS Standalone domain that supports OHS must be configured for secure communication.
  • V-221427 Medium The listen-port element defined within the config.xml of the OHS Standalone Domain must be configured for secure communication.
  • V-221428 Medium The WLST_PROPERTIES environment variable defined for the OHS WebLogic Scripting Tool must be updated to reference an appropriate trust store so that it can communicate with the Node Manager supporting OHS.
  • V-221429 Medium The WLST_PROPERTIES environment variable defined for the Fusion Middleware WebLogic Scripting Tool must be updated to reference an appropriate trust store so that it can communicate with the Node Manager supporting OHS.
  • V-221430 Medium OHS must limit access to the Dynamic Monitoring Service (DMS).
  • V-221431 Medium OHS must have the AllowOverride directive set properly.
  • V-221432 Medium OHS must be set to evaluate deny directives first when considering whether to serve a file.
  • V-221433 Medium OHS must deny all access by default when considering whether to serve a file.
  • V-221434 Medium The OHS instance installation must not contain an .htaccess file.
  • V-221435 Medium The OHS instance configuration must not reference directories that contain an .htaccess file.
  • V-221436 Low OHS must have the HostnameLookups directive enabled.
  • V-221437 Medium OHS must have the ServerAdmin directive set properly.
  • V-221438 Medium OHS must restrict access methods.
  • V-221439 Medium The OHS htdocs directory must not contain any default files.
  • V-221440 Medium OHS must have the SSLSessionCacheTimeout directive set properly.
  • V-221441 Low OHS must have the RewriteEngine directive enabled.
  • V-221442 Low OHS must have the RewriteOptions directive set properly.
  • V-221443 Low OHS must have the RewriteLogLevel directive set to the proper log level.
  • V-221444 Low OHS must have the RewriteLog directive set properly.
  • V-221445 Medium All accounts installed with the web server software and tools must have passwords assigned and default passwords changed.
  • V-221446 Medium A production OHS Installation must prohibit the installation of a compiler.
  • V-221447 Medium A public OHS installation, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension.
  • V-221448 Medium A private OHS installation must be located on a separate controlled access subnet.
  • V-221449 High The version of the OHS installation must be vendor-supported.
  • V-221450 Medium OHS must be certified with accompanying Fusion Middleware products.
  • V-221451 Medium OHS tools must be restricted to the web manager and the web managers designees.
  • V-221452 Low All utility programs, not necessary for operations, must be removed or disabled.
  • V-221453 Medium The OHS htpasswd files (if present) must reflect proper ownership and permissions.
  • V-221454 Medium A public OHS installation must limit email to outbound only.
  • V-221455 Low OHS content and configuration files must be part of a routine backup program.
  • V-221456 Medium OHS must be segregated from other services.
  • V-221457 Medium OHS must have all applicable patches (i.e., CPUs) applied/documented (OEM).
  • V-221458 Medium A private OHS list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA.
  • V-221459 Medium OHS must have the ScoreBoardFile directive disabled.
  • V-221460 Medium The OHS document root directory must not be on a network share.
  • V-221461 Medium The OHS server root directory must not be on a network share.
  • V-221462 High Symbolic links must not be used in the web content directory tree.
  • V-221463 High OHS administration must be performed over a secure path or at the local console.
  • V-221464 Medium OHS must not contain any robots.txt files.
  • V-221465 Medium OHS must prohibit anonymous FTP user access to interactive scripts.
  • V-221466 Medium The OHS DocumentRoot directory must be in a separate partition from the OHS ServerRoot directory.
  • V-221467 Medium The OHS DocumentRoot directory must be on a separate partition from OS root partition.
  • V-221468 Medium Remote authors or content providers must have all files scanned for viruses and malicious code before uploading files to the Document Root directory.
  • V-221469 Medium A public OHS server must use TLS if authentication is required to host web sites.
  • V-221470 Low OHS hosted web sites must utilize ports, protocols, and services according to PPSM guidelines.
  • V-221471 High OHS must not have the directive PlsqlDatabasePassword set in clear text.
  • V-221472 Medium If WebLogic is not in use with OHS, OHS must have the include mod_wl_ohs.conf directive disabled at the server level.
  • V-221473 Medium If mod_plsql is not in use with OHS, OHS must have the include moduleconf/* directive disabled.
  • V-221474 High OHS must have the LoadModule ossl_module directive enabled to encrypt passwords during transmission.
  • V-221475 High OHS must use FIPS modules to encrypt passwords during transmission.
  • V-221476 High OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to encrypt passwords during transmission.
  • V-221477 High OHS must have the SSLCipherSuite directive enabled to encrypt passwords during transmission.
  • V-221478 Medium OHS must have the LoadModule ossl_module directive enabled to perform RFC 5280-compliant certification path validation.
  • V-221479 Medium OHS must use FIPS modules to perform RFC 5280-compliant certification path validation.
  • V-221480 Medium OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to perform RFC 5280-compliant certification path validation.
  • V-221481 Medium OHS must have the SSLCipherSuite directive enabled to perform RFC 5280-compliant certification path validation.
  • V-221482 Medium OHS must have the SSLVerifyClient directive set within each SSL-enabled VirtualHost directive to perform RFC 5280-compliant certification path validation.
  • V-221483 Medium OHS must have the SSLCARevocationFile and SSLCRLCheck directives within each SSL-enabled VirtualHost directive set to perform RFC 5280-compliant certification path validation when using single certification revocation.
  • V-221484 Medium OHS must have SSLCARevocationPath and SSLCRLCheck directives within each SSL-enabled VirtualHost directive set to perform RFC 5280-compliant certification path validation when using multiple certification revocation.
  • V-221485 Medium OHS must be integrated with a tool such as Oracle Access Manager to enforce a client-side certificate revocation check through the OCSP protocol.
  • V-221486 Medium OHS must have the LoadModule ossl_module directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
  • V-221487 Medium OHS must have the SSLFIPS directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
  • V-221488 Medium OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
  • V-221489 Medium OHS must have the SSLCipherSuite directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
  • V-221490 Medium OHS must have the LoadModule ossl_module directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
  • V-221491 Medium OHS must have the SSLFIPS directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
  • V-221492 Medium OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
  • V-221493 Medium OHS must have the SSLCipherSuite directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
  • V-221494 Medium OHS utilizing mobile code must meet DoD-defined mobile code requirements.
  • V-221495 High OHS accounts accessing the directory tree, the shell, or other operating system functions and utilities must only be administrative accounts.
  • V-221496 Medium OHS must have the DocumentRoot directive set to a separate partition from the OHS system files.
  • V-221497 Medium OHS must have the Directory directive accompanying the DocumentRoot directive set to a separate partition from the OHS system files.
  • V-221498 Medium OHS must have the Timeout directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
  • V-221499 Medium OHS must have the KeepAlive directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
  • V-221500 Medium OHS must have the KeepAliveTimeout properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
  • V-221501 Medium OHS must have the MaxKeepAliveRequests directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
  • V-221502 Medium OHS must have the ListenBacklog properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
  • V-221503 Medium OHS must have the LimitRequestBody directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
  • V-221504 Medium OHS must have the LimitRequestFields directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
  • V-221505 Medium OHS must have the LimitRequestFieldSize directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
  • V-221506 Medium OHS must have the LimitRequestLine directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
  • V-221507 Medium OHS must have the LimitXMLRequestBody directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
  • V-221508 Medium OHS must have the LimitInternalRecursion directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
  • V-221513 Medium OHS must have the LoadModule ossl_module directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
  • V-221514 Medium OHS must have the SSLFIPS directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
  • V-221515 Medium OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
  • V-221516 Medium OHS must have the SSLCipherSuite directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
  • V-221517 Medium OHS must have the SSLVerifyClient directive enabled to only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
  • V-221518 Medium OHS must use wallets that have only DoD certificate authorities defined.
  • V-221519 Medium OHS must be tuned to handle the operational requirements of the hosted application.
  • V-221520 High OHS must have the LoadModule ossl_module directive enabled to prevent unauthorized disclosure of information during transmission.
  • V-221521 High OHS must have the SSLFIPS directive enabled to prevent unauthorized disclosure of information during transmission.
  • V-221522 High OHS must have the SSLEngine, SSLProtocol, SSLWallet directives enabled and configured to prevent unauthorized disclosure of information during transmission.
  • V-221523 High OHS must have the SSLCipherSuite directive enabled to prevent unauthorized disclosure of information during transmission.
  • V-221524 Medium If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the SecureProxy directive enabled to prevent unauthorized disclosure of information during transmission.
  • V-221525 Medium OHS must have the WLSSLWallet directive enabled to prevent unauthorized disclosure of information during transmission.
  • V-221526 Medium If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the WebLogicSSLVersion directive enabled to prevent unauthorized disclosure of information during transmission.
  • V-221527 Medium If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS, OHS must have the WLProxySSL directive enabled to prevent unauthorized disclosure of information during transmission.
  • V-221528 Medium OHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
  • V-221529 Medium OHS must have the SSLFIPS directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
  • V-221530 Medium OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
  • V-221531 Medium OHS must have the SSLCipherSuite directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
  • V-221532 Medium OHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
  • V-221533 Medium OHS must have the SSLFIPS directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
  • V-221534 Medium OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality and integrity of information during preparation for transmission.
  • V-221535 Medium OHS must have the SSLCipherSuite directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
  • V-221536 Medium If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the SecureProxy directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
  • V-221537 Medium If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the WLSSLWallet directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
  • V-221538 Medium If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS, OHS must have the WLSProxySSL directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
  • V-221539 Medium OHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality and integrity of information during reception.
  • V-221540 Medium OHS must have the SSLFIPS directive enabled to maintain the confidentiality and integrity of information during reception.
  • V-221541 Medium OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality and integrity of information during reception.
  • V-221542 Medium OHS must have the SSLCipherSuite directive enabled to maintain the confidentiality and integrity of information during reception.
  • V-221543 Medium If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the SSLSecureProxy directive enabled to maintain the confidentiality and integrity of information during reception.
  • V-221544 Medium If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the WLSSLWallet directive enabled to maintain the confidentiality and integrity of information during reception.
  • V-221545 Medium If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS, OHS must have the WLProxySSL directive enabled to maintain the confidentiality and integrity of information during reception.
  • V-221546 Low OHS must display a default hosted application web page, not a directory listing, when a requested web page cannot be found.
  • V-221547 Medium OHS must have the ServerSignature directive disabled.
  • V-221548 Low OHS must have the ServerTokens directive set to limit the response header.
  • V-221549 Medium OHS must have the Alias /error directive defined to reference the directory accompanying the ErrorDocument directives to minimize the identity of OHS, patches, loaded modules, and directory paths in warning and error messages displayed to clients.
  • V-221550 Medium OHS must have the permissions set properly via the Directory directive accompanying the ErrorDocument directives to minimize improper access to the warning and error messages displayed to clients.
  • V-221551 Low OHS must have defined error pages for common error codes that minimize the identity of the web server, patches, loaded modules, and directory paths.
  • V-221552 Low OHS must have production information removed from error documents to minimize the identity of OHS, patches, loaded modules, and directory paths in warning and error messages displayed to clients.
  • V-221553 Medium Debugging and trace information used to diagnose OHS must be disabled.
  • V-252204 Medium OHS must capture, record, and log all content related to a user session.
  • V-252205 High OHS must have the LoadModule ossl_module directive enabled to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized.
  • V-252546 High OHS must have the SSLFIPS directive enabled to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized.
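
The directives the rule titles above keep naming (KeepAlive, KeepAliveTimeout, MaxKeepAliveRequests, ListenBacklog and the LimitRequest* family on the request-limiting side; SSLFIPS, SSLEngine, SSLProtocol, SSLWallet, SSLCipherSuite and SSLVerifyClient on the TLS side) all live in OHS's Apache-style configuration, and scope matters when you audit them: SSLFIPS and the request limits are read here at server scope, while the TLS directives are expected inside every VirtualHost that has SSLEngine on. The checker below is an added example written for this page, not DISA or Oracle code, and the embedded configuration is constructed rather than taken from a real host. It asserts only what the titles state (directive present, SSLFIPS on, SSLVerifyClient require, LimitRequestBody not 0, since 0 means unlimited in Apache); the numeric thresholds the STIG check text prescribes are site-specific and are deliberately not encoded.

```python
"""Scope-aware audit of OHS/Apache-style config for the directives named in
the DoS and TLS rule titles. Added example, not DISA or Oracle code."""
import re

DOS_DIRECTIVES = (
    "Timeout", "KeepAlive", "KeepAliveTimeout", "MaxKeepAliveRequests",
    "ListenBacklog", "LimitRequestBody", "LimitRequestFields",
    "LimitRequestFieldSize", "LimitRequestLine", "LimitXMLRequestBody",
    "LimitInternalRecursion",
)
SSL_VHOST_DIRECTIVES = ("SSLProtocol", "SSLWallet", "SSLCipherSuite", "SSLVerifyClient")

_OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")
_CLOSE = re.compile(r"^</(\w+)>$")

# Constructed sample; not from a real host. Wallet path is a placeholder.
SAMPLE_CONFIG = """\
Timeout 300
KeepAlive On
KeepAliveTimeout 15
MaxKeepAliveRequests 100
ListenBacklog 511
LimitRequestBody 0
LimitRequestFields 100
LimitRequestFieldSize 8190
LimitRequestLine 8190
LimitXMLRequestBody 1000000
SSLFIPS on
<IfModule mpm_worker_module>
    MaxClients 150
</IfModule>
<VirtualHost *:4443>
    SSLEngine on
    SSLProtocol TLSv1.2
    SSLWallet "/u01/oracle/wallets/default"
    SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384
    SSLVerifyClient require
</VirtualHost>
<VirtualHost *:4444>
    SSLEngine on
    SSLProtocol TLSv1.2
    SSLVerifyClient optional
</VirtualHost>
"""


def parse_config(text):
    """Return (server, vhosts): server is {directive_lower: [values]} for the
    global scope, vhosts maps the VirtualHost argument to the same shape.
    Directives inside IfModule/Directory/Location/Files blocks are attributed
    to the nearest enclosing VirtualHost, or to the server scope."""
    server, vhosts, stack, current = {}, {}, [], None
    current = server
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _CLOSE.match(line)
        if m:
            opened = stack.pop()
            if opened.lower() != m.group(1).lower():
                raise ValueError(f"</{m.group(1)}> closes <{opened}>")
            if opened.lower() == "virtualhost":
                current = server
            continue
        m = _OPEN.match(line)
        if m:
            name, arg = m.group(1), m.group(2).strip()
            stack.append(name)
            if name.lower() == "virtualhost":
                current = vhosts.setdefault(arg, {})
            continue
        parts = line.split(None, 1)  # directive names are case-insensitive
        current.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    if stack:
        raise ValueError("unclosed block: <" + stack[-1] + ">")
    return server, vhosts


def _last(scope, directive):
    """Apache lets the last occurrence win, so that is the effective value."""
    values = scope.get(directive.lower())
    return values[-1] if values else None


def check_config(server, vhosts):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for d in DOS_DIRECTIVES:
        if _last(server, d) is None:
            findings.append(f"server: {d} not set")
    if (_last(server, "LimitRequestBody") or "").strip() == "0":
        findings.append("server: LimitRequestBody 0 allows unlimited request bodies")
    if (_last(server, "SSLFIPS") or "").lower() != "on":
        findings.append("server: SSLFIPS is not on")
    ssl_vhosts = 0
    for name, scope in vhosts.items():
        if (_last(scope, "SSLEngine") or "").lower() != "on":
            continue
        ssl_vhosts += 1
        for d in SSL_VHOST_DIRECTIVES:
            if _last(scope, d) is None:
                findings.append(f"{name}: {d} not set")
        verify = (_last(scope, "SSLVerifyClient") or "").lower()
        if verify and verify != "require":
            findings.append(f"{name}: SSLVerifyClient {verify} does not enforce client certificates")
    if ssl_vhosts == 0:
        findings.append("no VirtualHost has SSLEngine on")
    return findings


def run_sample():
    return check_config(*parse_config(SAMPLE_CONFIG))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

To audit a real instance, concatenate its httpd.conf and ssl.conf (file names assumed here; the rule titles do not name them) and pass the text to parse_config. Because the parser keeps every occurrence of a directive, a duplicated KeepAliveTimeout or SSLCipherSuite that silently overrides an earlier, stricter one is visible in the returned dictionaries even though check_config judges only the effective last value.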

Removed rules 282

  • V-63153 Medium OHS must have the mpm property set to use the worker Multi-Processing Module (MPM) as the preferred means to limit the number of allowed simultaneous requests.
  • V-64125 Medium OHS must have the mpm_prefork_module directive disabled so as not conflict with the worker directive used to limit the number of allowed simultaneous requests.
  • V-64127 Medium OHS must have the MaxClients directive defined to limit the number of allowed simultaneous requests.
  • V-64129 Medium OHS must limit the number of threads within a worker process to limit the number of allowed simultaneous requests.
  • V-64131 Medium OHS must limit the number of worker processes to limit the number of allowed simultaneous requests.
  • V-64133 High OHS must have the LoadModule ossl_module directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
  • V-64135 High OHS must have the SSLFIPS directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
  • V-64137 Medium OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to encrypt remote connections in accordance with the categorization of data hosted by the web server.
  • V-64139 High OHS must have the SSLCipherSuite directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
  • V-64141 High OHS must have the LoadModule ossl_module directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.
  • V-64143 High OHS must have the SSLFIPS directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.
  • V-64145 High OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.
  • V-64147 High OHS must have the SSLCipherSuite directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.
  • V-64149 Medium OHS must have the SecureProxy directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.
  • V-64151 Medium OHS must have the WLSSLWallet directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.
  • V-64153 Medium OHS must have the WebLogicSSLVersion directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.
  • V-64155 Medium OHS must have the WLProxySSL directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.
  • V-64157 Medium OHS must have the LoadModule log_config_module directive enabled to generate information to be used by external applications or entities to monitor and control remote access.
  • V-64159 Medium OHS must have the OraLogMode set to Oracle Diagnostic Logging text mode to generate information to be used by external applications or entities to monitor and control remote access.
  • V-64161 Medium OHS must have a log directory location defined to generate information for use by external applications or entities to monitor and control remote access.
  • V-64163 Medium OHS must have the OraLogSeverity directive defined to generate adequate information to be used by external applications or entities to monitor and control remote access.
  • V-64165 Medium OHS must have the log rotation parameter set to allow generated information to be used by external applications or entities to monitor and control remote access.
  • V-64167 Medium OHS must have a log format defined to generate adequate information to be used by external applications or entities to monitor and control remote access.
  • V-64169 Medium OHS must have a SSL log format defined to allow generated information to be used by external applications or entities to monitor and control remote access in accordance with the categorization of data hosted by the web server.
  • V-64171 Medium OHS must have a log file defined for each site/virtual host to capture information to be used by external applications or entities to monitor and control remote access.
  • V-64173 Medium OHS must have the client requests logging module loaded to generate log records for system startup and shutdown, system access, and system authentication logging.
  • V-64175 Medium OHS must have OraLogMode set to Oracle Diagnostic Logging text mode to generate log records for system startup and shutdown, system access, and system authentication logging.
  • V-64177 Medium OHS must have a log directory location defined to generate log records for system startup and shutdown, system access, and system authentication logging.
  • V-64179 Medium OHS must have a log level severity defined to generate adequate log records for system startup and shutdown, system access, and system authentication events.
  • V-64181 Medium OHS must have the log rotation parameter set to allow for the generation log records for system startup and shutdown, system access, and system authentication events.
  • V-64183 Medium OHS must have a log format defined to generate adequate logs by system startup and shutdown, system access, and system authentication events.
  • V-64185 Medium OHS must have a SSL log format defined to generate adequate logs by system startup and shutdown, system access, and system authentication events.
  • V-64187 Medium OHS must have a log file defined for each site/virtual host to capture logs generated by system startup and shutdown, system access, and system authentication events.
  • V-64189 Medium OHS must capture, record, and log all content related to a user session.
  • V-64191 Medium OHS must have a log level severity defined to produce sufficient log records to establish what type of events occurred.
  • V-64193 Medium OHS must have a log format defined for log records generated to capture sufficient information to establish what type of events occurred.
  • V-64195 Medium OHS must have a SSL log format defined for log records generated to capture sufficient information to establish what type of events occurred.
  • V-64197 Medium OHS must have a log file defined for each site/virtual host to capture sufficient information to establish what type of events occurred.
  • V-64199 Medium OHS must have a log format defined for log records generated to capture sufficient information to establish when an event occurred.
  • V-64201 Medium OHS must have a SSL log format defined for log records generated to capture sufficient information to establish when an event occurred.
  • V-64203 Medium OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of when an event occurred.
  • V-64205 Medium OHS must have a log format defined for log records that allow the establishment of where within OHS the events occurred.
  • V-64207 Medium OHS must have a SSL log format defined for log records that allow the establishment of where within OHS the events occurred.
  • V-64209 Medium OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of where within OHS the events occurred.
  • V-64211 Medium OHS must have a log format defined for log records that allow the establishment of the source of events.
  • V-64213 Medium OHS must have a SSL log format defined for log records that allow the establishment of the source of events.
  • V-64215 Medium OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of the source of events.
  • V-64217 Medium OHS, behind a load balancer or proxy server, must produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
  • V-64219 Medium OHS, behind a load balancer or proxy server, must have the SSL log format set correctly to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
  • V-64221 Medium OHS, behind a load balancer or proxy server, must have a log file defined for each site/virtual host to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
  • V-64223 Medium OHS must have a log format defined to produce log records that contain sufficient information to establish the outcome (success or failure) of events.
  • V-64225 Medium OHS must have a SSL log format defined to produce log records that contain sufficient information to establish the outcome (success or failure) of events.
  • V-64227 Medium OHS must have a log file defined for each site/virtual host to produce log records that contain sufficient information to establish the outcome (success or failure) of events.
  • V-64229 Medium OHS must have a log format defined to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
  • V-64231 Medium OHS must have a SSL log format defined to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
  • V-64233 Medium OHS must have a log file defined for each site/virtual host to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
  • V-64235 Medium OHS log files must only be accessible by privileged users.
  • V-64237 Medium The log information from OHS must be protected from unauthorized modification.
  • V-64239 Medium The log information from OHS must be protected from unauthorized deletion.
  • V-64241 Medium The log data and records from OHS must be backed up onto a different system or media.
  • V-64243 Medium OHS must have the LoadModule file_cache_module directive disabled.
  • V-64245 Low OHS must have the LoadModule vhost_alias_module directive disabled.
  • V-64247 Medium OHS must have the LoadModule env_module directive disabled.
  • V-64249 Low OHS must have the LoadModule mime_magic_module directive disabled.
  • V-64251 Low OHS must have the LoadModule negotiation_module directive disabled.
  • V-64253 Low OHS must not have the LanguagePriority directive enabled.
  • V-64255 Low OHS must not have the ForceLanguagePriority directive enabled.
  • V-64257 Medium OHS must have the LoadModule status_module directive disabled.
  • V-64259 Medium OHS must have the LoadModule info_module directive disabled.
  • V-64261 Medium OHS must have the LoadModule include_module directive disabled.
  • V-64263 Medium OHS must have the LoadModule autoindex_module directive disabled.
  • V-64265 Medium OHS must have the IndexOptions directive disabled.
  • V-64267 Medium OHS must have the AddIconByEncoding directive disabled.
  • V-64269 Medium OHS must have the AddIconByType directive disabled.
  • V-64271 Medium OHS must have the AddIcon directive disabled.
  • V-64273 Medium OHS must have the DefaultIcon directive disabled.
  • V-64275 Medium OHS must have the ReadmeName directive disabled.
  • V-64277 Medium OHS must have the HeaderName directive disabled.
  • V-64279 Medium OHS must have the IndexIgnore directive disabled.
  • V-64281 Low OHS must have the LoadModule dir_module directive disabled.
  • V-64283 Low OHS must have the DirectoryIndex directive disabled.
  • V-64285 Medium OHS must have the LoadModule cgi_module directive disabled.
  • V-64287 Medium OHS must have the LoadModule fastcgi_module disabled.
  • V-64289 Medium OHS must have the LoadModule cgid_module directive disabled for mpm workers.
  • V-64291 Low OHS must have the IfModule cgid_module directive disabled.
  • V-64293 Low OHS must have the LoadModule mpm_winnt_module directive disabled.
  • V-64295 Medium OHS must have the ScriptAlias directive for CGI scripts disabled.
  • V-64297 Medium OHS must have the ScriptSock directive disabled.
  • V-64299 Medium OHS must have the cgi-bin directory disabled.
  • V-64301 Medium OHS must have directives pertaining to certain scripting languages removed from virtual hosts.
  • V-64303 Low OHS must have the LoadModule asis_module directive disabled.
  • V-64305 Low OHS must have the LoadModule imagemap_module directive disabled.
  • V-64307 Medium OHS must have the LoadModule actions_module directive disabled.
  • V-64309 Low OHS must have the LoadModule speling_module directive disabled.
  • V-64311 Medium OHS must have the LoadModule userdir_module directive disabled.
  • V-64313 Medium OHS must have the AliasMatch directive pertaining to the OHS manuals disabled.
  • V-64315 Medium OHS must have the Directory directive pointing to the OHS manuals disabled.
  • V-64317 Medium OHS must have the LoadModule auth_basic_module directive disabled.
  • V-64319 Medium OHS must have the LoadModule authz_user_module directive disabled.
  • V-64321 Medium OHS must have the LoadModule authn_file_module directive disabled.
  • V-64323 Medium OHS must have the LoadModule authn_anon_module directive disabled.
  • V-64325 Medium OHS must have the LoadModule proxy_module directive disabled.
  • V-64327 Medium OHS must have the LoadModule proxy_http_module directive disabled.
  • V-64329 Medium OHS must have the LoadModule proxy_ftp_module directive disabled.
  • V-64331 Medium OHS must have the LoadModule proxy_connect_module directive disabled.
  • V-64333 Medium OHS must have the LoadModule proxy_balancer_module directive disabled.
  • V-64335 Low OHS must have the LoadModule cern_meta_module directive disabled.
  • V-64337 Low OHS must have the LoadModule expires_module directive disabled.
  • V-64339 Low OHS must have the LoadModule usertrack_module directive disabled.
  • V-64341 Low OHS must have the LoadModule uniqueid_module directive disabled.
  • V-64343 Medium OHS must have the LoadModule setenvif_module directive disabled.
  • V-64345 Medium OHS must have the BrowserMatch directive disabled.
  • V-64347 Medium OHS must have the LoadModule dumpio_module directive disabled.
  • V-64349 Low OHS must have the IfModule dumpio_module directive disabled.
  • V-64351 Medium OHS must have the Alias /icons/ directive disabled.
  • V-64353 Medium OHS must have the path to the icons directory disabled.
  • V-64355 Low OHS must have the IfModule mpm_winnt_module directive disabled.
  • V-64357 Medium If WebLogic is not in use with OHS, OHS must have the include mod_wl_ohs.conf directive disabled at the server level.
  • V-64359 Medium If mod_plsql is not in use with OHS, OHS must have the include moduleconf/* directive disabled.
  • V-64361 Medium OHS must have the LoadModule proxy_module directive disabled.
  • V-64363 Medium OHS must have the LoadModule proxy_http_module directive disabled.
  • V-64365 Medium OHS must have the LoadModule proxy_ftp_module directive disabled.
  • V-64375 Medium OHS must have the LoadModule proxy_connect_module directive disabled.
  • V-64377 Medium OHS must have the LoadModule proxy_balancer_module directive disabled.
  • V-64379 Low OHS must disable the directive pointing to the directory containing the OHS manuals.
  • V-64381 Medium OHS must have the AliasMatch directive disabled for the OHS manuals.
  • V-64383 Medium OHS must have the AddHandler directive disabled.
  • V-64385 Medium OHS must have the LoadModule cgi_module directive disabled.
  • V-64387 Medium OHS must have the LoadModule cgid_module directive disabled.
  • V-64389 Medium OHS must have the IfModule cgid_module directive disabled for the OHS server, virtual host, and directory configuration.
  • V-64391 Low OHS must have the LoadModule cgi_module directive disabled within the IfModule mpm_winnt_module directive.
  • V-64393 Medium OHS must have the ScriptAlias /cgi-bin/ directive within a IfModule alias_module directive disabled.
  • V-64395 Medium OHS must have the ScriptSock directive within a IfModule cgid_module directive disabled.
  • V-64397 Medium OHS must have the cgi-bin directory disabled.
  • V-64399 Medium OHS must have directives pertaining to certain scripting languages removed from virtual hosts.
  • V-64401 Medium OHS must have resource mappings set to disable the serving of certain file types.
  • V-64403 Medium Users and scripts running on behalf of users must be contained to the document root or home directory tree of OHS.
  • V-64405 Medium OHS must be configured to use a specified IP address, port, and protocol.
  • V-64407 High OHS must have the LoadModule ossl_module directive enabled to encrypt passwords during transmission.
  • V-64409 High OHS must use FIPS modules to encrypt passwords during transmission.
  • V-64411 High OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to encrypt passwords during transmission.
  • V-64413 High OHS must have the SSLCipherSuite directive enabled to encrypt passwords during transmission.
  • V-64415 Medium OHS must have the LoadModule ossl_module directive enabled to perform RFC 5280-compliant certification path validation.
  • V-64417 Medium OHS must use FIPS modules to perform RFC 5280-compliant certification path validation.
  • V-64419 Medium OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to perform RFC 5280-compliant certification path validation.
  • V-64421 Medium OHS must have the SSLCipherSuite directive enabled to perform RFC 5280-compliant certification path validation.
  • V-64423 Medium OHS must have the SSLVerifyClient directive set within each SSL-enabled VirtualHost directive to perform RFC 5280-compliant certification path validation.
  • V-64425 Medium OHS must have the SSLCARevocationFile and SSLCRLCheck directives within each SSL-enabled VirtualHost directive set to perform RFC 5280-compliant certification path validation when using single certification revocation.
  • V-64427 Medium OHS must have SSLCARevocationPath and SSLCRLCheck directives within each SSL-enabled VirtualHost directive set to perform RFC 5280-compliant certification path validation when using multiple certification revocation.
  • V-64429 Medium OHS must be integrated with a tool such as Oracle Access Manager to enforce a client-side certificate revocation check through the OCSP protocol.
  • V-64431 Medium OHS must have the LoadModule ossl_module directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
  • V-64433 Medium OHS must have the SSLFIPS directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
  • V-64435 Medium OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
  • V-64437 Medium OHS must have the SSLCipherSuite directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
  • V-64439 Medium OHS must have the LoadModule ossl_module directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
  • V-64441 Medium OHS must have the SSLFIPS directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
  • V-64443 Medium OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
  • V-64445 Medium OHS must have the SSLCipherSuite directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
  • V-64447 Medium OHS utilizing mobile code must meet DoD-defined mobile code requirements.
  • V-64449 High OHS accounts accessing the directory tree, the shell, or other operating system functions and utilities must only be administrative accounts.
  • V-64451 Medium OHS must have the DocumentRoot directive set to a separate partition from the OHS system files.
  • V-64453 Medium OHS must have the Directory directive accompanying the DocumentRoot directive set to a separate partition from the OHS system files.
  • V-64455 Medium OHS must have the Timeout directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
  • V-64457 Medium OHS must have the KeepAlive directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
  • V-64459 Medium OHS must have the KeepAliveTimeout properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
  • V-64461 Medium OHS must have the MaxKeepAliveRequests directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
  • V-64463 Medium OHS must have the ListenBacklog properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
  • V-64465 Medium OHS must have the LimitRequestBody directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
  • V-64467 Medium OHS must have the LimitRequestFields directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
  • V-64469 Medium OHS must have the LimitRequestFieldSize directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
  • V-64471 Medium OHS must have the LimitRequestLine directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
  • V-64473 Medium OHS must have the LimitXMLRequestBody directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
  • V-64475 Medium OHS must have the LimitInternalRecursion directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
  • V-64477 Low OHS must display a default hosted application web page, not a directory listing, when a requested web page cannot be found.
  • V-64479 Medium OHS must have the ServerSignature directive disabled.
  • V-64481 Low OHS must have the ServerTokens directive set to limit the response header.
  • V-64483 Medium OHS must have the Alias /error directive defined to reference the directory accompanying the ErrorDocument directives to minimize the identity of OHS, patches, loaded modules, and directory paths in warning and error messages displayed to clients.
  • V-64485 Medium OHS must have the permissions set properly via the Directory directive accompanying the ErrorDocument directives to minimize improper access to the warning and error messages displayed to clients.
  • V-64487 Low OHS must have defined error pages for common error codes that minimize the identity of the web server, patches, loaded modules, and directory paths.
  • V-64489 Low OHS must have production information removed from error documents to minimize the identity of OHS, patches, loaded modules, and directory paths in warning and error messages displayed to clients.
  • V-64491 Medium Debugging and trace information used to diagnose OHS must be disabled.
  • V-64493 Medium Remote access to OHS must follow access policy or work in conjunction with enterprise tools designed to enforce policy requirements.
  • V-64495 Medium OHS must have the Order, Allow, and Deny directives set within the Directory directives set to restrict inbound connections from nonsecure zones.
  • V-64497 Medium OHS must have the Order, Allow, and Deny directives set within the Files directives set to restrict inbound connections from nonsecure zones.
  • V-64499 Medium OHS must have the Order, Allow, and Deny directives set within the Location directives set to restrict inbound connections from nonsecure zones.
  • V-64501 Medium OHS must provide the capability to immediately disconnect or disable remote access to the hosted applications.
  • V-64503 Medium Non-privileged accounts on the hosting system must only access OHS security-relevant information and functions through a distinct administrative account.
  • V-64505 Medium OHS must be configured to store error log files to an appropriate storage device from which other tools can be configured to reference those log files for diagnostic/forensic purposes.
  • V-64507 Medium OHS must be configured to store access log files to an appropriate storage device from which other tools can be configured to reference those log files for diagnostic/forensic purposes.
  • V-64509 High OHS must have the LoadModule ossl_module directive enabled to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized.
  • V-64511 High OHS must have the SSLFIPS directive enabled to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized.
  • V-64513 High OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized.
  • V-64515 High OHS must have the SSLCipherSuite directive enabled to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized.
  • V-64517 Medium OHS must have the LoadModule ossl_module directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
  • V-64519 Medium OHS must have the SSLFIPS directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
  • V-64521 Medium OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
  • V-64523 Medium OHS must have the SSLCipherSuite directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
  • V-64525 Medium OHS must have the SSLVerifyClient directive enabled to only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
  • V-64527 Medium OHS must use wallets that have only DoD certificate authorities defined.
  • V-64529 Medium OHS must be tuned to handle the operational requirements of the hosted application.
  • V-64541 High OHS must have the LoadModule ossl_module directive enabled to prevent unauthorized disclosure of information during transmission.
  • V-64543 High OHS must have the SSLFIPS directive enabled to prevent unauthorized disclosure of information during transmission.
  • V-64545 High OHS must have the SSLEngine, SSLProtocol, SSLWallet directives enabled and configured to prevent unauthorized disclosure of information during transmission.
  • V-64547 High OHS must have the SSLCipherSuite directive enabled to prevent unauthorized disclosure of information during transmission.
  • V-64549 Medium If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the SecureProxy directive enabled to prevent unauthorized disclosure of information during transmission.
  • V-64551 Medium OHS must have the WLSSLWallet directive enabled to prevent unauthorized disclosure of information during transmission.
  • V-64553 Medium If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the WebLogicSSLVersion directive enabled to prevent unauthorized disclosure of information during transmission.
  • V-64555 Medium If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS, OHS must have the WLProxySSL directive enabled to prevent unauthorized disclosure of information during transmission.
  • V-64557 Medium OHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
  • V-64559 Medium OHS must have the SSLFIPS directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
  • V-64561 Medium OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
  • V-64563 Medium OHS must have the SSLCipherSuite directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
  • V-64565 Medium OHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
  • V-64567 Medium OHS must have the SSLFIPS directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
  • V-64569 Medium OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality and integrity of information during preparation for transmission.
  • V-64571 Medium OHS must have the SSLCipherSuite directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
  • V-64573 Medium If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the SecureProxy directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
  • V-64575 Medium If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the WLSSLWallet directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
  • V-64577 Medium If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS, OHS must have the WLSProxySSL directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
  • V-64579 Medium OHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality and integrity of information during reception.
  • V-64581 Medium OHS must have the SSLFIPS directive enabled to maintain the confidentiality and integrity of information during reception.
  • V-64583 Medium OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality and integrity of information during reception.
  • V-64585 Medium OHS must have the SSLCipherSuite directive enabled to maintain the confidentiality and integrity of information during reception.
  • V-64587 Medium If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the SSLSecureProxy directive enabled to maintain the confidentiality and integrity of information during reception.
  • V-64589 Medium If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the WLSSLWallet directive enabled to maintain the confidentiality and integrity of information during reception.
  • V-64591 Medium If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS, OHS must have the WLProxySSL directive enabled to maintain the confidentiality and integrity of information during reception.
  • V-64593 Medium The Node Manager account password associated with the installation of OHS must be in accordance with DoD guidance for length, complexity, etc.
  • V-64595 Medium OHS must have Entity tags (ETags) disabled.
  • V-64597 Medium The SecureListener property of the Node Manager configured to support OHS must be enabled for secure communication.
  • V-64599 Medium The ListenAddress property of the Node Manager configured to support OHS must match the CN of the certificate used by Node Manager.
  • V-64601 Medium The AuthenticationEnabled property of the Node Manager configured to support OHS must be configured to enforce authentication.
  • V-64603 Medium The KeyStores property of the Node Manager configured to support OHS must be configured for secure communication.
  • V-64605 Medium The CustomIdentityKeyStoreFileName property of the Node Manager configured to support OHS must be configured for secure communication.
  • V-64607 Medium The CustomIdentityKeyStorePassPhrase property of the Node Manager configured to support OHS must be configured for secure communication.
  • V-64609 Medium The CustomIdentityAlias property of the Node Manager configured to support OHS must be configured for secure communication.
  • V-64611 Medium The CustomIdentityPrivateKeyPassPhrase property of the Node Manager configured to support OHS must be configured for secure communication.
  • V-64613 Medium The listen-address element defined within the config.xml of the OHS Standalone domain that supports OHS must be configured for secure communication.
  • V-64615 Medium The listen-port element defined within the config.xml of the OHS Standalone Domain must be configured for secure communication.
  • V-64617 Medium The WLST_PROPERTIES environment variable defined for the OHS WebLogic Scripting Tool must be updated to reference an appropriate trust store so that it can communicate with the Node Manager supporting OHS.
  • V-64619 Medium The WLST_PROPERTIES environment variable defined for the Fusion Middleware WebLogic Scripting Tool must be updated to reference an appropriate trust store so that it can communicate with the Node Manager supporting OHS.
  • V-64621 High OHS must not have the directive PlsqlDatabasePassword set in clear text.
  • V-64623 Medium OHS must limit access to the Dynamic Monitoring Service (DMS).
  • V-64625 Medium OHS must have the AllowOverride directive set properly.
  • V-64627 Medium OHS must be set to evaluate deny directives first when considering whether to serve a file.
  • V-64629 Medium OHS must deny all access by default when considering whether to serve a file.
  • V-64631 Medium The OHS instance installation must not contain an .htaccess file.
  • V-64633 Medium The OHS instance configuration must not reference directories that contain an .htaccess file.
  • V-64635 Low OHS must have the HostnameLookups directive enabled.
  • V-64637 Medium OHS must have the ServerAdmin directive set properly.
  • V-64639 Medium OHS must restrict access methods.
  • V-64641 Medium The OHS htdocs directory must not contain any default files.
  • V-64643 Medium OHS must have the SSLSessionCacheTimeout directive set properly.
  • V-64645 Low OHS must have the RewriteEngine directive enabled.
  • V-64647 Low OHS must have the RewriteOptions directive set properly.
  • V-64649 Low OHS must have the RewriteLogLevel directive set to the proper log level.
  • V-64651 Low OHS must have the RewriteLog directive set properly.
  • V-64653 Medium All accounts installed with the web server software and tools must have passwords assigned and default passwords changed.
  • V-64655 Medium A production OHS Installation must prohibit the installation of a compiler.
  • V-64657 Medium A public OHS installation, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension.
  • V-64659 Medium A private OHS installation must be located on a separate controlled access subnet.
  • V-64661 High The version of the OHS installation must be vendor-supported.
  • V-64663 Medium OHS must be certified with accompanying Fusion Middleware products.
  • V-64665 Medium OHS tools must be restricted to the web manager and the web manager's designees.
  • V-64667 Low All utility programs, not necessary for operations, must be removed or disabled.
  • V-64669 Medium The OHS htpasswd files (if present) must reflect proper ownership and permissions.
  • V-64671 Medium A public OHS installation must limit email to outbound only.
  • V-64673 Low OHS content and configuration files must be part of a routine backup program.
  • V-64675 Medium OHS must be segregated from other services.
  • V-64677 Medium OHS must have all applicable patches (i.e., CPUs) applied/documented (OEM).
  • V-64679 Medium A private OHS list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA.
  • V-64681 Medium OHS must have the ScoreBoardFile directive disabled.
  • V-64683 Medium The OHS document root directory must not be on a network share.
  • V-64685 Medium The OHS server root directory must not be on a network share.
  • V-64687 High Symbolic links must not be used in the web content directory tree.
  • V-64689 High OHS administration must be performed over a secure path or at the local console.
  • V-64691 Medium OHS must not contain any robots.txt files.
  • V-64693 Medium OHS must prohibit anonymous FTP user access to interactive scripts.
  • V-64695 Medium The OHS DocumentRoot directory must be in a separate partition from the OHS ServerRoot directory.
  • V-64697 Medium The OHS DocumentRoot directory must be on a separate partition from OS root partition.
  • V-64699 Medium Remote authors or content providers must have all files scanned for viruses and malicious code before uploading files to the Document Root directory.
  • V-64701 Medium A public OHS server must use TLS if authentication is required to host web sites.
  • V-64703 Low OHS hosted web sites must utilize ports, protocols, and services according to PPSM guidelines.
OHS must have the mpm property set to use the worker Multi-Processing Module (MPM) as the preferred means to limit the number of allowed simultaneous requests.
AC-10 - Medium - CCI-000054 - V-221272 - SV-221272r414501_rule
RMF Control
AC-10
Severity
M
CCI
CCI-000054
Version
OH12-1X-000001
Vuln IDs
  • V-221272
  • V-63153
Rule IDs
  • SV-221272r414501_rule
  • SV-77643
Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to several types of Denial of Service attacks. Although there is some latitude concerning the settings themselves, the settings should follow DoD-recommended values, but the settings should be configurable to allow for future DoD direction. While the DoD will specify recommended values, the values can be adjusted to accommodate the operational requirement of a given system.
Checks: C-22987r414499_chk

1. Open the $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ohs.plugins.nodemanager.properties file with an editor.
2. Search for the "mpm" property.
3. If the "mpm" property is omitted or commented out, this is a finding.
4. If the "mpm" property is not set to "worker", this is a finding.

Fix: F-22976r414500_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ohs.plugins.nodemanager.properties with an editor.
2. Set the "mpm" property to a value of "worker"; add the property if it does not exist.

OHS must have the mpm_prefork_module directive disabled so as not to conflict with the worker directive used to limit the number of allowed simultaneous requests.
AC-10 - Medium - CCI-000054 - V-221273 - SV-221273r414504_rule
RMF Control
AC-10
Severity
M
CCI
CCI-000054
Version
OH12-1X-000002
Vuln IDs
  • V-221273
  • V-64125
Rule IDs
  • SV-221273r414504_rule
  • SV-78615
Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to several types of Denial of Service attacks. Although there is some latitude concerning the settings themselves, the settings should follow DoD-recommended values, but the settings should be configurable to allow for future DoD direction. While the DoD will specify recommended values, the values can be adjusted to accommodate the operational requirement of a given system.
Checks: C-22988r414502_chk

1. Open the $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf file with an editor.
2. Search for the "<IfModule mpm_prefork_module>" directive at the OHS server configuration scope.
3. If this directive is found and not commented out, this is a finding.

Fix: F-22977r414503_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "<IfModule mpm_prefork_module>" directive at the OHS server configuration scope.
3. Comment out the "<IfModule mpm_prefork_module>" directive and any directives that it contains.

OHS must have the MaxClients directive defined to limit the number of allowed simultaneous requests.
AC-10 - Medium - CCI-000054 - V-221274 - SV-221274r414507_rule
RMF Control
AC-10
Severity
M
CCI
CCI-000054
Version
OH12-1X-000003
Vuln IDs
  • V-221274
  • V-64127
Rule IDs
  • SV-221274r414507_rule
  • SV-78617
Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to several types of Denial of Service attacks. Although there is some latitude concerning the settings themselves, the settings should follow DoD-recommended values, but the settings should be configurable to allow for future DoD direction. While the DoD will specify recommended values, the values can be adjusted to accommodate the operational requirement of a given system.
Checks: C-22989r414505_chk

1. Open the $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf file with an editor.
2. Search for the "MaxClients" directive within the "<IfModule mpm_worker_module>" directive at the OHS server configuration scope.
3. If "MaxClients" is omitted or set greater than "2000", this is a finding.
Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value. If the site has this documentation, this should be marked as not a finding.

Fix: F-22978r414506_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "MaxClients" directive within the "<IfModule mpm_worker_module>" directive at the OHS server configuration scope.
3. Within the "<IfModule mpm_worker_module>" directive, set the "MaxClients" directive to "2000" or less; add the directive if it does not exist.
Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

OHS must limit the number of threads within a worker process to limit the number of allowed simultaneous requests.
AC-10 - Medium - CCI-000054 - V-221275 - SV-221275r414510_rule
RMF Control
AC-10
Severity
M
CCI
CCI-000054
Version
OH12-1X-000004
Vuln IDs
  • V-221275
  • V-64129
Rule IDs
  • SV-221275r414510_rule
  • SV-78619
Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to several types of Denial of Service attacks. Although there is some latitude concerning the settings themselves, the settings should follow DoD-recommended values, but the settings should be configurable to allow for future DoD direction. While the DoD will specify recommended values, the values can be adjusted to accommodate the operational requirement of a given system.
Checks: C-22990r414508_chk

1. Open the $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf file with an editor.
2. Search for the "ThreadsPerChild" directive within the "<IfModule mpm_worker_module>" directive at the OHS server configuration scope.
3. If "ThreadsPerChild" is omitted or set greater than "25", this is a finding.
4. Search for the "ThreadLimit" directive within the "<IfModule mpm_worker_module>" directive at the OHS server configuration scope.
5. If "ThreadLimit" is omitted or set greater than "64", this is a finding.
Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value. If the site has this documentation, this should be marked as not a finding.

Fix: F-22979r414509_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "ThreadsPerChild" directive within the "<IfModule mpm_worker_module>" directive at the OHS server configuration scope.
3. Within the "<IfModule mpm_worker_module>" directive, set the "ThreadsPerChild" directive to "25"; add the directive if it does not exist.
4. Search for the "ThreadLimit" directive within the "<IfModule mpm_worker_module>" directive at the OHS server configuration scope.
5. Within the "<IfModule mpm_worker_module>" directive, set the "ThreadLimit" directive to "64"; add the directive if it does not exist.
Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

OHS must limit the number of worker processes to limit the number of allowed simultaneous requests.
AC-10 - Medium - CCI-000054 - V-221276 - SV-221276r414513_rule
RMF Control
AC-10
Severity
M
CCI
CCI-000054
Version
OH12-1X-000005
Vuln IDs
  • V-221276
  • V-64131
Rule IDs
  • SV-221276r414513_rule
  • SV-78621
Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to several types of Denial of Service attacks. Although there is some latitude concerning the settings themselves, the settings should follow DoD-recommended values, but the settings should be configurable to allow for future DoD direction. While the DoD will specify recommended values, the values can be adjusted to accommodate the operational requirement of a given system.
Checks: C-22991r414511_chk

1. Open the $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf file with an editor.
2. Search for the "ServerLimit" directive within the "<IfModule mpm_worker_module>" directive at the OHS server configuration scope.
3. If "ServerLimit" is omitted or set greater than the maximum of "16" and the calculation of "MaxClients"/"ThreadsPerChild", this is a finding.
Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value. If the site has this documentation, this should be marked as not a finding.

Fix: F-22980r414512_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "ServerLimit" directive within the "<IfModule mpm_worker_module>" directive at the OHS server configuration scope.
3. Within the "<IfModule mpm_worker_module>" directive, set the "ServerLimit" directive to the maximum of "16" and the calculation of "MaxClients"/"ThreadsPerChild"; add the directive, immediately before the "MaxClients" directive, if it does not exist.
Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

OHS must have the LoadModule ossl_module directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
AC-17 - High - CCI-000068 - V-221277 - SV-221277r414516_rule
RMF Control
AC-17
Severity
H
CCI
CCI-000068
Version
OH12-1X-000007
Vuln IDs
  • V-221277
  • V-64133
Rule IDs
  • SV-221277r414516_rule
  • SV-78623
The web server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or communication to authenticate users. The encryption used to communicate must match the data that is being retrieved or presented. Methods of communication are http for publicly displayed information, https to encrypt when user data is being transmitted, VPN tunneling, or other encryption methods to a database.
Checks: C-22992r414514_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope.
3. If the directive is omitted, this is a finding.
4. Validate that the file specified exists. If the file does not exist, this is a finding.

Fix: F-22981r414515_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope.
3. Set the "LoadModule ossl_module" directive to "${PRODUCT_HOME}/modules/mod_ossl.so"; add the directive if it does not exist.

OHS must have the SSLFIPS directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
AC-17 - High - CCI-000068 - V-221278 - SV-221278r414519_rule
RMF Control
AC-17
Severity
H
CCI
CCI-000068
Version
OH12-1X-000008
Vuln IDs
  • V-221278
  • V-64135
Rule IDs
  • SV-221278r414519_rule
  • SV-78625
The web server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or communication to authenticate users. The encryption used to communicate must match the data that is being retrieved or presented. Methods of communication are http for publicly displayed information, https to encrypt when user data is being transmitted, VPN tunneling, or other encryption methods to a database.
Checks: C-22993r414517_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for the "SSLFIPS" directive at the OHS server configuration scope.
3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-22982r414518_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for the "SSLFIPS" directive at the OHS server configuration scope.
3. Set the "SSLFIPS" directive to "On"; add the directive if it does not exist.

OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to encrypt remote connections in accordance with the categorization of data hosted by the web server.
AC-17 - Medium - CCI-000068 - V-221279 - SV-221279r414522_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000068
Version
OH12-1X-000009
Vuln IDs
  • V-221279
  • V-64137
Rule IDs
  • SV-221279r414522_rule
  • SV-78627
The web server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or communication to authenticate users. The encryption used to communicate must match the data that is being retrieved or presented. Methods of communication are http for publicly displayed information, https to encrypt when user data is being transmitted, VPN tunneling, or other encryption methods to a database.
Checks: C-22994r414520_chk

1. As required, open with an editor every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that requires an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf.
2. Search for the following directives at the OHS server, virtual host, and/or directory configuration scopes:
  • "SSLEngine"
  • "SSLProtocol"
  • "SSLWallet"
3. If any of these directives are omitted, this is a finding.
4. If "SSLEngine" is not set to "On" or "SSLProtocol" is not set to "TLS versions 1.1 and greater", this is a finding.
5. Validate that the folder specified in the "SSLWallet" directive exists. If the folder does not exist or does not contain a valid wallet, this is a finding.

Fix: F-22983r414521_fix

1. Open with an editor every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that requires an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf.
2a. Search for the "SSLEngine" directive at the OHS server, virtual host, and/or directory configuration scopes.
2b. Set the "SSLEngine" directive to "On"; add the directive if it does not exist.
3a. Search for the "SSLProtocol" directive at the OHS server configuration, virtual host, and/or directory levels.
3b. Set the "SSLProtocol" directive to "TLSv1.2 TLSv1.1"; add the directive if it does not exist.
4a. Search for the "SSLWallet" directive at the OHS server configuration, virtual host, and/or directory levels.
4b. Set the "SSLWallet" directive to the location (i.e., a folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES encryption (-compat_v12 parameters) that contains only the identity certificate for the host and DoD Certificate Authorities; add the directive if it does not exist.

OHS must have the SSLCipherSuite directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
AC-17 - High - CCI-000068 - V-221280 - SV-221280r414525_rule
RMF Control
AC-17
Severity
H
CCI
CCI-000068
Version
OH12-1X-000010
Vuln IDs
  • V-221280
  • V-64139
Rule IDs
  • SV-221280r414525_rule
  • SV-78629
The web server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or communication to authenticate users. The encryption used to communicate must match the data that is being retrieved or presented. Methods of communication are http for publicly displayed information, https to encrypt when user data is being transmitted, VPN tunneling, or other encryption methods to a database.
Checks: C-22995r414523_chk

1. As required, open with an editor every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that requires an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf.
2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes.
3. If the directive is omitted or set improperly, this is a finding.

Fix: F-22984r414524_fix

1. With an editor, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that contains an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf.
2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes.
3. Set the "SSLCipherSuite" directive to "SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,RSA_WITH_AES_128_CBC_SHA256,RSA_WITH_AES_256_CBC_SHA256,RSA_WITH_AES_128_GCM_SHA256,RSA_WITH_AES_256_GCM_SHA384,ECDHE_ECDSA_WITH_AES_128_CBC_SHA,ECDHE_ECDSA_WITH_AES_256_CBC_SHA,ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,ECDHE_RSA_WITH_AES_128_CBC_SHA,ECDHE_RSA_WITH_AES_256_CBC_SHA"; add the directive if it does not exist. Note: Ciphers may be added to or removed from the list above per the organization's requirements, or removed if vulnerabilities are found with a specific cipher.

c
OHS must have the LoadModule ossl_module directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.
AC-17 - High - CCI-001453 - V-221281 - SV-221281r414528_rule
RMF Control
AC-17
Severity
H
CCI
CCI-001453
Version
OH12-1X-000011
Vuln IDs
  • V-221281
  • V-64141
Rule IDs
  • SV-221281r414528_rule
  • SV-78631
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session.
Checks: C-22996r414526_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope.
3. If the directive is omitted, this is a finding.
4. Validate that the file specified exists. If the file does not exist, this is a finding.

Fix: F-22985r414527_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope.
3. Set the "LoadModule ossl_module" directive to ""${PRODUCT_HOME}/modules/mod_ossl.so""; add the directive if it does not exist.

c
OHS must have the SSLFIPS directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.
AC-17 - High - CCI-001453 - V-221282 - SV-221282r414531_rule
RMF Control
AC-17
Severity
H
CCI
CCI-001453
Version
OH12-1X-000012
Vuln IDs
  • V-221282
  • V-64143
Rule IDs
  • SV-221282r414531_rule
  • SV-78633
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session.
Checks: C-22997r414529_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for the "SSLFIPS" directive at the OHS server configuration scope.
3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-22986r414530_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for the "SSLFIPS" directive at the OHS server configuration scope.
3. Set the "SSLFIPS" directive to "On"; add the directive if it does not exist.

c
OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.
AC-17 - High - CCI-001453 - V-221283 - SV-221283r414534_rule
RMF Control
AC-17
Severity
H
CCI
CCI-001453
Version
OH12-1X-000013
Vuln IDs
  • V-221283
  • V-64145
Rule IDs
  • SV-221283r414534_rule
  • SV-78635
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session.
Checks: C-22998r414532_chk

1. As required, with an editor, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that contains an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf.
2. Search for the following directives at the OHS server, virtual host, and/or directory configuration scopes: "SSLEngine", "SSLProtocol", "SSLWallet".
3. If any of these directives are omitted, this is a finding.
4. If "SSLEngine" is not set to "On", or "SSLProtocol" is not limited to TLS versions 1.1 and greater, this is a finding.
5. Validate that the folder specified in the "SSLWallet" directive exists. If the folder does not exist or does not contain a valid wallet, this is a finding.

Fix: F-22987r414533_fix

1. With an editor, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that contains an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf.
2a. Search for the "SSLEngine" directive at the OHS server, virtual host, and/or directory configuration scopes.
2b. Set the "SSLEngine" directive to "On"; add the directive if it does not exist.
3a. Search for the "SSLProtocol" directive at the OHS server, virtual host, and/or directory configuration scopes.
3b. Set the "SSLProtocol" directive to "TLSv1.2 TLSv1.1"; add the directive if it does not exist.
4a. Search for the "SSLWallet" directive at the OHS server, virtual host, and/or directory configuration scopes.
4b. Set the "SSLWallet" directive to the location (i.e., a folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES encryption (the -compat_v12 parameter) that contains only the identity certificate for the host and the DoD Certificate Authorities; add the directive if it does not exist.

c
OHS must have the SSLCipherSuite directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.
AC-17 - High - CCI-001453 - V-221284 - SV-221284r414537_rule
RMF Control
AC-17
Severity
H
CCI
CCI-001453
Version
OH12-1X-000014
Vuln IDs
  • V-221284
  • V-64147
Rule IDs
  • SV-221284r414537_rule
  • SV-78637
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session.
Checks: C-22999r414535_chk

1. As required, with an editor, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that contains an SSL-enabled "<VirtualHost>" directive.
2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes.
3. If the directive is omitted or set improperly, this is a finding.

Fix: F-22988r414536_fix

1. With an editor, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that contains an SSL-enabled "<VirtualHost>" directive.
2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes.
3. Set the "SSLCipherSuite" directive to "SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,RSA_WITH_AES_128_CBC_SHA256,RSA_WITH_AES_256_CBC_SHA256,RSA_WITH_AES_128_GCM_SHA256,RSA_WITH_AES_256_GCM_SHA384,ECDHE_ECDSA_WITH_AES_128_CBC_SHA,ECDHE_ECDSA_WITH_AES_256_CBC_SHA,ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,ECDHE_RSA_WITH_AES_128_CBC_SHA,ECDHE_RSA_WITH_AES_256_CBC_SHA"; add the directive if it does not exist. Note: Ciphers may be removed from the list above per the organization's requirements or if vulnerabilities are found with a specific cipher.

b
OHS must have the SecureProxy directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.
AC-17 - Medium - CCI-001453 - V-221285 - SV-221285r414540_rule
RMF Control
AC-17
Severity
M
CCI
CCI-001453
Version
OH12-1X-000015
Vuln IDs
  • V-221285
  • V-64149
Rule IDs
  • SV-221285r414540_rule
  • SV-78639
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session.
Checks: C-23000r414538_chk

If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL:
1. With an editor, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that contains an SSL-enabled "<VirtualHost>" directive.
2. Search for the "SecureProxy" directive within an "<IfModule weblogic_module>" block at the virtual host configuration scope.
3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-22989r414539_fix

1. With an editor, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that contains an SSL-enabled "<VirtualHost>" directive.
2. Search for the "SecureProxy" directive within an "<IfModule weblogic_module>" block at the virtual host configuration scope.
3. Set the "SecureProxy" directive to "On"; add the directive if it does not exist.

b
OHS must have the WLSSLWallet directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.
AC-17 - Medium - CCI-001453 - V-221286 - SV-221286r414543_rule
RMF Control
AC-17
Severity
M
CCI
CCI-001453
Version
OH12-1X-000016
Vuln IDs
  • V-221286
  • V-64151
Rule IDs
  • SV-221286r414543_rule
  • SV-78641
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session.
Checks: C-23001r414541_chk

If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL:
1. With an editor, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that contains an SSL-enabled "<VirtualHost>" directive.
2. Search for the "WLSSLWallet" directive within an "<IfModule weblogic_module>" block at the virtual host configuration scope.
3. If the directive is omitted or is not set to a folder containing a valid wallet, this is a finding.

Fix: F-22990r414542_fix

1. With an editor, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that contains an SSL-enabled "<VirtualHost>" directive.
2. Search for the "WLSSLWallet" directive within an "<IfModule weblogic_module>" block at the virtual host configuration scope.
3. Set the "WLSSLWallet" directive to the location (i.e., a folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES encryption (the -compat_v12 parameter) that contains the certificate chain served by the WebLogic host/port combination; add the directive if it does not exist.

b
OHS must have the WebLogicSSLVersion directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.
AC-17 - Medium - CCI-001453 - V-221287 - SV-221287r414546_rule
RMF Control
AC-17
Severity
M
CCI
CCI-001453
Version
OH12-1X-000017
Vuln IDs
  • V-221287
  • V-64153
Rule IDs
  • SV-221287r414546_rule
  • SV-78643
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session.
Checks: C-23002r414544_chk

If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL:
1. With an editor, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that contains an SSL-enabled "<VirtualHost>" directive.
2. Search for the "WebLogicSSLVersion" directive within an "<IfModule weblogic_module>" block at the virtual host configuration scope.
3. If the directive is omitted or is not limited to TLS versions 1.0 and greater, this is a finding.

Fix: F-22991r414545_fix

1. With an editor, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that contains an SSL-enabled "<VirtualHost>" directive.
2. Search for the "WebLogicSSLVersion" directive within an "<IfModule weblogic_module>" block at the virtual host configuration scope.
3. Set the "WebLogicSSLVersion" directive to "TLSv1_2 TLSv1_1 TLSv1"; add the directive if it does not exist.

b
OHS must have the WLProxySSL directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.
AC-17 - Medium - CCI-001453 - V-221288 - SV-221288r414549_rule
RMF Control
AC-17
Severity
M
CCI
CCI-001453
Version
OH12-1X-000018
Vuln IDs
  • V-221288
  • V-64155
Rule IDs
  • SV-221288r414549_rule
  • SV-78645
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session.
Checks: C-23003r414547_chk

If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS:
1. With an editor, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that contains an SSL-enabled "<VirtualHost>" directive.
2. Search for the "WLProxySSL" directive within an "<IfModule weblogic_module>" block at the virtual host configuration scope.
3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-22992r414548_fix

1. With an editor, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that contains an SSL-enabled "<VirtualHost>" directive.
2. Search for the "WLProxySSL" directive within an "<IfModule weblogic_module>" block at the virtual host configuration scope.
3. Set the "WLProxySSL" directive to "On"; add the directive if it does not exist.
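The SSL and WebLogic-proxy rules above (V-221280 through V-221288) all reduce to one audit step: walk httpd.conf and every file it includes, record which "<VirtualHost>" and "<IfModule>" block each directive sits in, and compare the values against the fix text. The script below does that as an added example written for this page; it is not DISA or Oracle tooling. FILES is a constructed httpd.conf/ssl.conf pair (the paths, listen ports, wallet location and the RC4 cipher name are hypothetical sample data), and Include is resolved by file name inside that dict. The checks follow the rules as written: ossl_module loaded and SSLFIPS On at server scope; SSLProtocol limited to TLSv1.1 and greater, SSLWallet present and SSLCipherSuite drawn from the STIG list in each virtual host with SSLEngine On; and, inside an "<IfModule weblogic_module>" block, either WLProxySSL On (termination at OHS) or the SecureProxy, WLSSLWallet and WebLogicSSLVersion settings for end-to-end SSL.

```python
"""Scope-aware checker for the OHS SSL and WebLogic proxy rules above. Added example,
not DISA or Oracle code: FILES is a constructed httpd.conf/ssl.conf pair (hypothetical
paths, ports and values) and Include is resolved by file name within that dict."""
import re
import shlex

STIG_CIPHERS = set((  # cipher names from the SSLCipherSuite fix text (V-221280 / V-221284)
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,RSA_WITH_AES_128_CBC_SHA256,"
    "RSA_WITH_AES_256_CBC_SHA256,RSA_WITH_AES_128_GCM_SHA256,RSA_WITH_AES_256_GCM_SHA384,ECDHE_ECDSA_WITH_AES_128_CBC_SHA,"
    "ECDHE_ECDSA_WITH_AES_256_CBC_SHA,ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,"
    "ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,"
    "ECDHE_RSA_WITH_AES_128_CBC_SHA,ECDHE_RSA_WITH_AES_256_CBC_SHA"
).split(","))
ALLOWED_SSLPROTOCOL, ALLOWED_WLSSLVERSION = {"TLSv1.2", "TLSv1.1"}, {"TLSv1_2", "TLSv1_1", "TLSv1"}  # fix text
FILES = {  # constructed sample configuration, not taken from a real instance
    "httpd.conf": """\
LoadModule ossl_module "${PRODUCT_HOME}/modules/mod_ossl.so"
Include "ssl.conf"
""",
    "ssl.conf": """\
SSLFIPS On
<VirtualHost *:4443>
  SSLEngine On
  SSLProtocol TLSv1.2 TLSv1.1
  SSLWallet "${DOMAIN_HOME}/config/fmwconfig/components/OHS/instances/ohs1/keystores/default"
  SSLCipherSuite RSA_WITH_AES_128_GCM_SHA256,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA
  <IfModule weblogic_module>
    SecureProxy On
    WebLogicSSLVersion TLSv1_2
  </IfModule>
</VirtualHost>
<VirtualHost *:8443>
  SSLEngine On
  SSLProtocol SSLv3 TLSv1.2
</VirtualHost>
""",
}
OPEN_TAG = re.compile(r"^<(\w+)\s*([^>]*)>$")


def parse(files, name="httpd.conf", scope=()):
    """(file, scope, directive, args) records; scope is a tuple of (container, arg) pairs, () = server."""
    records, stack = [], list(scope)
    for raw in files[name].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if (m := OPEN_TAG.match(line)):
            stack.append((m.group(1), m.group(2).strip()))
        elif line.startswith("</"):
            stack.pop()
        else:
            key, *args = shlex.split(line)
            if key.lower() == "include":
                records += parse(files, args[0], tuple(stack))  # included file inherits the scope
            else:
                records.append((name, tuple(stack), key, args))
    return records


def get(records, scope, directive):  # args of the first such directive in exactly this scope, else None
    for _, sc, key, args in records:
        if sc == scope and key.lower() == directive.lower():
            return args


def check(records):
    """Sorted (vuln_id, scope_label, message) findings for V-221281 through V-221288."""
    f = []
    ossl = [a for _, sc, k, a in records if sc == () and k == "LoadModule" and a[:1] == ["ossl_module"]]
    if not ossl or not ossl[0][1].endswith("mod_ossl.so"):
        f.append(("V-221281", "server", "LoadModule ossl_module missing or not mod_ossl.so"))
    if get(records, (), "SSLFIPS") != ["On"]:
        f.append(("V-221282", "server", "SSLFIPS is not On"))
    for vh in sorted({sc[:1] for _, sc, _, _ in records if sc and sc[0][0] == "VirtualHost"}):
        label = vh[0][1]
        if get(records, vh, "SSLEngine") != ["On"]:
            continue  # SSLEngine On is what makes a virtual host SSL-enabled
        proto = get(records, vh, "SSLProtocol")
        if not proto or not set(proto) <= ALLOWED_SSLPROTOCOL:
            f.append(("V-221283", label, f"SSLProtocol {proto} not limited to TLSv1.1 and greater"))
        if get(records, vh, "SSLWallet") is None:
            f.append(("V-221283", label, "SSLWallet missing"))
        cs = get(records, vh, "SSLCipherSuite")
        extra = sorted(set(",".join(cs).split(",")) - STIG_CIPHERS) if cs else []
        if not cs or extra:
            f.append(("V-221284", label, f"SSLCipherSuite missing or lists non-STIG ciphers {extra}"))
        wl = vh + (("IfModule", "weblogic_module"),)
        if not any(sc == wl for _, sc, _, _ in records) or get(records, wl, "WLProxySSL") == ["On"]:
            continue  # no WebLogic proxy block, or SSL terminated at OHS (V-221288)
        if get(records, wl, "SecureProxy") != ["On"]:  # end-to-end SSL: V-221285 to V-221287 apply
            f.append(("V-221285", label, "SecureProxy is not On"))
        if get(records, wl, "WLSSLWallet") is None:
            f.append(("V-221286", label, "WLSSLWallet missing"))
        ver = get(records, wl, "WebLogicSSLVersion")
        if not ver or not set(ver) <= ALLOWED_WLSSLVERSION:
            f.append(("V-221287", label, f"WebLogicSSLVersion {ver} not limited to TLSv1 and greater"))
    return sorted(f)


if __name__ == "__main__":
    print(*check(parse(FILES)), sep="\n")
```

Against the sample, the *:4443 host is reported only for the RC4 suite that is not on the STIG list and for the missing WLSSLWallet, while *:8443 is reported for SSLv3 in SSLProtocol, the absent wallet and the absent cipher list. To run it on a real instance, read each file under $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName> into FILES (leaving out admin.conf, which the rules exclude). The cipher comparison deliberately reports only additions: the fix text lets an organization drop ciphers from the list, but any suite that is not on it needs a documented reason.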

b
OHS must have the LoadModule log_config_module directive enabled to generate information to be used by external applications or entities to monitor and control remote access.
AC-17 - Medium - CCI-000067 - V-221289 - SV-221289r414552_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000067
Version
OH12-1X-000019
Vuln IDs
  • V-221289
  • V-64157
Rule IDs
  • SV-221289r414552_rule
  • SV-78647
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information to an external monitoring system, the organization can monitor for cyber attacks and monitor compliance with remote access policies. The organization can also look at data organization-wide and determine that an attack or anomaly is occurring against the organization that might not be noticed if the data were kept local to the web server. Examples of external applications used to monitor or control access are audit log monitoring systems, dynamic firewalls, and infrastructure monitoring systems.
Checks: C-23004r414550_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule log_config_module" directive at the OHS server configuration scope.
3. If the directive is omitted, this is a finding.
4. Validate that the file specified exists. If the file does not exist, this is a finding.

Fix: F-22993r414551_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule log_config_module" directive at the OHS server configuration scope.
3. Set the "LoadModule log_config_module" directive to ""${PRODUCT_HOME}/modules/mod_log_config.so""; add the directive if it does not exist.

b
OHS must have the OraLogMode set to Oracle Diagnostic Logging text mode to generate information to be used by external applications or entities to monitor and control remote access.
AC-17 - Medium - CCI-000067 - V-221290 - SV-221290r414555_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000067
Version
OH12-1X-000020
Vuln IDs
  • V-221290
  • V-64159
Rule IDs
  • SV-221290r414555_rule
  • SV-78649
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information to an external monitoring system, the organization can monitor for cyber attacks and monitor compliance with remote access policies. The organization can also look at data organization-wide and determine that an attack or anomaly is occurring against the organization that might not be noticed if the data were kept local to the web server. Examples of external applications used to monitor or control access are audit log monitoring systems, dynamic firewalls, and infrastructure monitoring systems.
Checks: C-23005r414553_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "OraLogMode" directive at the OHS server configuration scope.
3. If the directive is omitted or is not set to "odl-text", this is a finding.

Fix: F-22994r414554_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "OraLogMode" directive at the OHS server configuration scope.
3. Set the "OraLogMode" directive to "odl-text"; add the directive if it does not exist.

b
OHS must have a log directory location defined to generate information for use by external applications or entities to monitor and control remote access.
AC-17 - Medium - CCI-000067 - V-221291 - SV-221291r414558_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000067
Version
OH12-1X-000021
Vuln IDs
  • V-221291
  • V-64161
Rule IDs
  • SV-221291r414558_rule
  • SV-78651
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information to an external monitoring system, the organization can monitor for cyber attacks and monitor compliance with remote access policies. The organization can also look at data organization-wide and determine that an attack or anomaly is occurring against the organization that might not be noticed if the data were kept local to the web server. Examples of external applications used to monitor or control access are audit log monitoring systems, dynamic firewalls, and infrastructure monitoring systems.
Checks: C-23006r414556_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "OraLogDir" directive at the OHS server configuration scope.
3. If the directive is omitted, this is a finding.
4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-22995r414557_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "OraLogDir" directive at the OHS server configuration scope.
3. Set the "OraLogDir" directive to an appropriate, protected location on a partition with sufficient space that is different from the partition on which the OHS software is installed; add the directive if it does not exist.

b
OHS must have the OraLogSeverity directive defined to generate adequate information to be used by external applications or entities to monitor and control remote access.
AC-17 - Medium - CCI-000067 - V-221292 - SV-221292r414561_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000067
Version
OH12-1X-000022
Vuln IDs
  • V-221292
  • V-64163
Rule IDs
  • SV-221292r414561_rule
  • SV-78653
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information to an external monitoring system, the organization can monitor for cyber attacks and monitor compliance with remote access policies. The organization can also look at data organization-wide and determine that an attack or anomaly is occurring against the organization that might not be noticed if the data were kept local to the web server. Examples of external applications used to monitor or control access are audit log monitoring systems, dynamic firewalls, and infrastructure monitoring systems.
Checks: C-23007r414559_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "OraLogSeverity" directive at the OHS server configuration scope.
3. If the directive is omitted or is not set to "NOTIFICATION:32", this is a finding.

Fix: F-22996r414560_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "OraLogSeverity" directive at the OHS server configuration scope.
3. Set the "OraLogSeverity" directive to "NOTIFICATION:32"; add the directive if it does not exist.

b
OHS must have the log rotation parameter set to allow generated information to be used by external applications or entities to monitor and control remote access.
AC-17 - Medium - CCI-000067 - V-221293 - SV-221293r414564_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000067
Version
OH12-1X-000023
Vuln IDs
  • V-221293
  • V-64165
Rule IDs
  • SV-221293r414564_rule
  • SV-78655
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information to an external monitoring system, the organization can monitor for cyber attacks and monitor compliance with remote access policies. The organization can also look at data organization-wide and determine that an attack or anomaly is occurring against the organization that might not be noticed if the data were kept local to the web server. Examples of external applications used to monitor or control access are audit log monitoring systems, dynamic firewalls, and infrastructure monitoring systems.
Checks: C-23008r414562_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "OraLogRotationParams" directive at the OHS server configuration scope.
3. If the directive is omitted or set improperly, this is a finding.

Fix: F-22997r414563_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "OraLogRotationParams" directive at the OHS server configuration scope.
3. As required, set the "OraLogRotationParams" directive to satisfy the NIST 800-92 logging requirements; add the directive if it does not exist.

b
OHS must have a log format defined to generate adequate information to be used by external applications or entities to monitor and control remote access.
AC-17 - Medium - CCI-000067 - V-221294 - SV-221294r414567_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000067
Version
OH12-1X-000024
Vuln IDs
  • V-221294
  • V-64167
Rule IDs
  • SV-221294r414567_rule
  • SV-78657
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information to an external monitoring system, the organization can monitor for cyber attacks and monitor compliance with remote access policies. The organization can also look at data organization-wide and determine that an attack or anomaly is occurring against the organization that might not be noticed if the data were kept local to the web server. Examples of external applications used to monitor or control access are audit log monitoring systems, dynamic firewalls, and infrastructure monitoring systems.
Checks: C-23009r414565_chk

1. With an editor, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive.
2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or set improperly, this is a finding unless it is inherited from a larger scope.

Fix: F-22998r414566_fix

1. With an editor, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive.
2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes.
3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i" dod"; add the directive if it does not exist, unless it is inherited from a larger scope.

b
OHS must have a SSL log format defined to allow generated information to be used by external applications or entities to monitor and control remote access in accordance with the categorization of data hosted by the web server.
AC-17 - Medium - CCI-000067 - V-221295 - SV-221295r414570_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000067
Version
OH12-1X-000025
Vuln IDs
  • V-221295
  • V-64169
Rule IDs
  • SV-221295r414570_rule
  • SV-78659
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information to an external monitoring system, the organization can monitor for cyber attacks and monitor compliance with remote access policies. The organization can also look at data organization-wide and determine that an attack or anomaly is occurring against the organization that might not be noticed if the data were kept local to the web server. Examples of external applications used to monitor or control access are audit log monitoring systems, dynamic firewalls, and infrastructure monitoring systems.
Checks: C-23010r414568_chk

1. As required, with an editor, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive.
2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or set improperly, this is a finding unless it is inherited from a larger scope.

Fix: F-22999r414569_fix

1. With an editor, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive.
2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes.
3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i sslprot:%{SSL_PROTOCOL}x ciph:%{SSL_CIPHER}x" dod_ssl"; add the directive if it does not exist, unless it is inherited from a larger scope.

b
OHS must have a log file defined for each site/virtual host to capture information to be used by external applications or entities to monitor and control remote access.
AC-17 - Medium - CCI-000067 - V-221296 - SV-221296r414573_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000067
Version
OH12-1X-000026
Vuln IDs
  • V-221296
  • V-64171
Rule IDs
  • SV-221296r414573_rule
  • SV-78661
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information to an external monitoring system, the organization can monitor for cyber attacks and monitor compliance with remote access policies. The organization can also look at data organization-wide and determine that an attack or anomaly is occurring against the organization that might not be noticed if the data were kept local to the web server. Examples of external applications used to monitor or control access are audit log monitoring systems, dynamic firewalls, and infrastructure monitoring systems.
Checks: C-23011r414571_chk

1. With an editor, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive.
2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or set improperly, this is a finding unless it is inherited from a larger scope.
4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23000r414572_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes.
3a. If the virtual host is NOT configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod"; add the directive if it does not exist, unless it is inherited from a larger scope.
3b. If the virtual host is configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod_ssl"; add the directive if it does not exist, unless it is inherited from a larger scope. Note: a CustomLog inherited from the server scope keeps the nickname it was given there, so an SSL virtual host that only inherits a "dod" log does not satisfy 3b.

Remote access to OHS must follow access policy or work in conjunction with enterprise tools designed to enforce policy requirements.
AC-17 - Medium - CCI-002314 - V-221297 - SV-221297r414576_rule
RMF Control
AC-17
Severity
M
CCI
CCI-002314
Version
OH12-1X-000030
Vuln IDs
  • V-221297
  • V-64493
Rule IDs
  • SV-221297r414576_rule
  • SV-78983
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy requirements. Examples of the web server enforcing a remote access policy are implementing IP filtering rules, using https instead of http for communication, implementing secure tokens, and validating users.
Checks: C-23012r414574_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Review the directives (e.g., "<VirtualHost>", "<Directory>", and "<Location>") at the OHS server and virtual host configuration scopes.
3. If these directives do not contain the appropriate access protection via secure authentication, SSL-associated directives, or "Order", "Deny", and "Allow" directives to secure access or prohibit access from nonsecure zones, this is a finding.

Fix: F-23001r414575_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Review the directives (e.g., "<VirtualHost>", "<Directory>", and "<Location>") at the OHS server and virtual host configuration scopes.
3. Configure the web server to require secure authentication as required, use SSL, and/or restrict access from nonsecure zones via "Order", "Deny", and "Allow" directives. Note: A product such as Oracle Access Manager may facilitate satisfying these requirements.

OHS must have the Order, Allow, and Deny directives set within the Directory directives set to restrict inbound connections from nonsecure zones.
AC-17 - Medium - CCI-002314 - V-221298 - SV-221298r414579_rule
RMF Control
AC-17
Severity
M
CCI
CCI-002314
Version
OH12-1X-000031
Vuln IDs
  • V-221298
  • V-64495
Rule IDs
  • SV-221298r414579_rule
  • SV-78985
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely and must be capable of restricting access from what the DoD defines as nonsecure zones. Nonsecure zones are defined as any IP, subnet, or region that is defined as a threat to the organization. The nonsecure zones must be defined for public web servers logically located in a DMZ, as well as private web servers with perimeter protection devices. By restricting access from nonsecure zones through an internal web server access list, the web server can stop or slow denial of service (DoS) attacks on the web server.
Checks: C-23013r414577_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "<Directory>" directive at the OHS server and virtual host configuration scopes. Note: This check does not apply to the root directory, i.e., the <Directory /> directive.
3. If the "<Directory>" directive does not contain the appropriate "Order", "Deny", and "Allow" directives to prohibit access from nonsecure zones, this is a finding.

Fix: F-23002r414578_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "<Directory>" directive at the OHS server and virtual host configuration scopes. Note: This fix does not apply to the root directory, i.e., the <Directory /> directive.
3. Set the "Order" directive to "allow,deny"; add the directive if it does not exist.
4. Set "Allow" directives to "from all" or to an IP range (e.g., "from 123.123"); add the directives if they do not exist.
5. Set "Deny" directives to an IP range (e.g., "from 123.123") to specify nonsecure zones; add the directives if they do not exist.

OHS must have the Order, Allow, and Deny directives set within the Files directives set to restrict inbound connections from nonsecure zones.
AC-17 - Medium - CCI-002314 - V-221299 - SV-221299r414582_rule
RMF Control
AC-17
Severity
M
CCI
CCI-002314
Version
OH12-1X-000032
Vuln IDs
  • V-221299
  • V-64497
Rule IDs
  • SV-221299r414582_rule
  • SV-78987
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely and must be capable of restricting access from what the DoD defines as nonsecure zones. Nonsecure zones are defined as any IP, subnet, or region that is defined as a threat to the organization. The nonsecure zones must be defined for public web servers logically located in a DMZ, as well as private web servers with perimeter protection devices. By restricting access from nonsecure zones through an internal web server access list, the web server can stop or slow denial of service (DoS) attacks on the web server.
Checks: C-23014r414580_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "<Files>" directive at the OHS server, virtual host, and directory configuration scopes.
3. If the "<Files>" directive does not contain the appropriate "Order", "Deny", and "Allow" directives to prohibit access from nonsecure zones, this is a finding.

Fix: F-23003r414581_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "<Files>" directive at the OHS server, virtual host, and directory configuration scopes.
3. Set the "Order" directive to "allow,deny"; add the directive if it does not exist.
4. Set "Allow" directives to "from all" or to an IP range (e.g., "from 123.123"); add the directives if they do not exist.
5. Set "Deny" directives to an IP range (e.g., "from 123.123") to specify nonsecure zones; add the directives if they do not exist.

OHS must have the Order, Allow, and Deny directives set within the Location directives set to restrict inbound connections from nonsecure zones.
AC-17 - Medium - CCI-002314 - V-221300 - SV-221300r414585_rule
RMF Control
AC-17
Severity
M
CCI
CCI-002314
Version
OH12-1X-000033
Vuln IDs
  • V-221300
  • V-64499
Rule IDs
  • SV-221300r414585_rule
  • SV-78989
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely and must be capable of restricting access from what the DoD defines as nonsecure zones. Nonsecure zones are defined as any IP, subnet, or region that is defined as a threat to the organization. The nonsecure zones must be defined for public web servers logically located in a DMZ, as well as private web servers with perimeter protection devices. By restricting access from nonsecure zones through an internal web server access list, the web server can stop or slow denial of service (DoS) attacks on the web server.
Checks: C-23015r414583_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "<Location>" directive at the OHS server and virtual host configuration scopes.
3. If the "<Location>" directive does not contain the appropriate "Order", "Deny", and "Allow" directives to prohibit access from nonsecure zones, this is a finding.

Fix: F-23004r414584_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "<Location>" directive at the OHS server and virtual host configuration scopes.
3. Set the "Order" directive to "allow,deny"; add the directive if it does not exist.
4. Set "Allow" directives to "from all" or to an IP range (e.g., "from 123.123"); add the directives if they do not exist.
5. Set "Deny" directives to an IP range (e.g., "from 123.123") to specify nonsecure zones; add the directives if they do not exist.

OHS must provide the capability to immediately disconnect or disable remote access to the hosted applications.
AC-17 - Medium - CCI-002322 - V-221301 - SV-221301r414588_rule
RMF Control
AC-17
Severity
M
CCI
CCI-002322
Version
OH12-1X-000034
Vuln IDs
  • V-221301
  • V-64501
Rule IDs
  • SV-221301r414588_rule
  • SV-78991
During an attack on the web server or any of the hosted applications, the system administrator may need to disconnect or disable access by users to stop the attack. The web server must provide a capability to disconnect users from a hosted application without compromising other hosted applications unless deemed necessary to stop the attack. Methods to disconnect or disable connections are to stop the application service for a specified hosted application, stop the web server, or block all connections through the web server access list. The web server capabilities used to disconnect or disable users from connecting to hosted applications and the web server must be documented to make certain that, during an attack, the proper action is taken to preserve connectivity to any other hosted application if possible and to make certain log data is preserved for later forensic analysis.
Checks: C-23016r414586_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "<Directory>", "<Files>", or "<Location>" directive serving the application/content under attack at the OHS server, virtual host, or directory configuration scope.
3. If the "<Directory>", "<Files>", or "<Location>" directive serving the application/content under attack does not contain the appropriate "Order", "Deny", and "Allow" directives to prohibit access, this is a finding.

Fix: F-23005r414587_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "<Directory>", "<Files>", or "<Location>" directive serving the application/content under attack at the OHS server, virtual host, or directory configuration scope.
3. Set the "Order" directive to "allow,deny"; add the directive if it does not exist.
4. Comment out any "Allow" directives, if they exist, to prohibit access to the application/content under attack.
5. Set the "Deny" directive to "from all" to prohibit access to the application/content under attack; add the directive if it does not exist.
6. Issue "nmSoftRestart(serverName='componentName', serverType='OHS')" from the WLST shell prompt (after connecting to Node Manager with nmConnect) so the change takes effect.

Non-privileged accounts on the hosting system must only access OHS security-relevant information and functions through a distinct administrative account.
AC-6 - Medium - CCI-002235 - V-221302 - SV-221302r414591_rule
RMF Control
AC-6
Severity
M
CCI
CCI-002235
Version
OH12-1X-000035
Vuln IDs
  • V-221302
  • V-64503
Rule IDs
  • SV-221302r414591_rule
  • SV-78993
By separating web server security functions from non-privileged users, roles can be developed that can then be used to administer the web server. Forcing users to change from a non-privileged account to a privileged account when operating on the web server or on security-relevant information forces users to only operate as a web server administrator when necessary. Operating in this manner allows for better logging of changes and better forensic information and limits accidental changes to the web server.
Checks: C-23017r414589_chk

1. Check that sudo is properly configured for the account owning the OHS software.
2. If accounts other than the account that owns the OHS software can access the OHS software, this is a finding.

Fix: F-23006r414590_fix

1. Configure sudo such that only the account that owns the OHS software can access it from the hosting system.

OHS must have the client requests logging module loaded to generate log records for system startup and shutdown, system access, and system authentication logging.
AU-12 - Medium - CCI-000169 - V-221303 - SV-221303r414594_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000169
Version
OH12-1X-000040
Vuln IDs
  • V-221303
  • V-64173
Rule IDs
  • SV-221303r414594_rule
  • SV-78663
Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the definition of what events are to be logged. As conditions change, the number and types of events to be logged may change, and the web server must be able to facilitate these changes. The minimum list of logged events should be those pertaining to system startup and shutdown, system access, and system authentication events. If these events are not logged at a minimum, any type of forensic investigation would be missing pertinent information needed to replay what occurred.
Checks: C-23018r414592_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule log_config_module" directive at the OHS server configuration scope.
3. If the directive is omitted, this is a finding.
4. Validate that the file specified exists. If the file does not exist, this is a finding.

Fix: F-23007r414593_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule log_config_module" directive at the OHS server configuration scope.
3. Set the "LoadModule log_config_module" directive to ""${PRODUCT_HOME}/modules/mod_log_config.so""; add the directive if it does not exist.

OHS must have OraLogMode set to Oracle Diagnostic Logging text mode to generate log records for system startup and shutdown, system access, and system authentication logging.
AU-12 - Medium - CCI-000169 - V-221304 - SV-221304r414597_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000169
Version
OH12-1X-000041
Vuln IDs
  • V-221304
  • V-64175
Rule IDs
  • SV-221304r414597_rule
  • SV-78665
Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the definition of what events are to be logged. As conditions change, the number and types of events to be logged may change, and the web server must be able to facilitate these changes. The minimum list of logged events should be those pertaining to system startup and shutdown, system access, and system authentication events. If these events are not logged at a minimum, any type of forensic investigation would be missing pertinent information needed to replay what occurred.
Checks: C-23019r414595_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "OraLogMode" directive at the OHS server configuration scope.
3. If the directive is omitted or is not set to "odl-text", this is a finding.

Fix: F-23008r414596_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "OraLogMode" directive at the OHS server configuration scope.
3. Set the "OraLogMode" directive to "odl-text"; add the directive if it does not exist.

OHS must have a log directory location defined to generate log records for system startup and shutdown, system access, and system authentication logging.
AU-12 - Medium - CCI-000169 - V-221305 - SV-221305r414600_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000169
Version
OH12-1X-000042
Vuln IDs
  • V-221305
  • V-64177
Rule IDs
  • SV-221305r414600_rule
  • SV-78667
Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the definition of what events are to be logged. As conditions change, the number and types of events to be logged may change, and the web server must be able to facilitate these changes. The minimum list of logged events should be those pertaining to system startup and shutdown, system access, and system authentication events. If these events are not logged at a minimum, any type of forensic investigation would be missing pertinent information needed to replay what occurred.
Checks: C-23020r414598_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "OraLogDir" directive at the OHS server configuration scope.
3. If the directive is omitted, this is a finding.
4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23009r414599_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "OraLogDir" directive at the OHS server configuration scope.
3. Set the "OraLogDir" directive to an appropriate, protected location on a partition with sufficient space that is different from the partition on which the OHS software is installed; add the directive if it does not exist.

OHS must have a log level severity defined to generate adequate log records for system startup and shutdown, system access, and system authentication events.
AU-12 - Medium - CCI-000169 - V-221306 - SV-221306r414603_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000169
Version
OH12-1X-000043
Vuln IDs
  • V-221306
  • V-64179
Rule IDs
  • SV-221306r414603_rule
  • SV-78669
Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the definition of what events are to be logged. As conditions change, the number and types of events to be logged may change, and the web server must be able to facilitate these changes. The minimum list of logged events should be those pertaining to system startup and shutdown, system access, and system authentication events. If these events are not logged at a minimum, any type of forensic investigation would be missing pertinent information needed to replay what occurred.
Checks: C-23021r414601_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "OraLogSeverity" directive at the OHS server configuration scope.
3. If the directive is omitted or is not set to "NOTIFICATION:32", this is a finding.

Fix: F-23010r414602_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "OraLogSeverity" directive at the OHS server configuration scope.
3. Set the "OraLogSeverity" directive to "NOTIFICATION:32"; add the directive if it does not exist.


OHS must have the log rotation parameter set to allow for the generation of log records for system startup and shutdown, system access, and system authentication events.
AU-12 - Medium - CCI-000169 - V-221307 - SV-221307r414606_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000169
Version
OH12-1X-000044
Vuln IDs
  • V-221307
  • V-64181
Rule IDs
  • SV-221307r414606_rule
  • SV-78671
Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the definition of what events are to be logged. As conditions change, the number and types of events to be logged may change, and the web server must be able to facilitate these changes. The minimum list of logged events should be those pertaining to system startup and shutdown, system access, and system authentication events. If these events are not logged at a minimum, any type of forensic investigation would be missing pertinent information needed to replay what occurred.
Checks: C-23022r414604_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "OraLogRotationParams" directive at the OHS server configuration scope.
3. If the directive is omitted or set improperly, this is a finding.

Fix: F-23011r414605_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "OraLogRotationParams" directive at the OHS server configuration scope.
3. As required, set the "OraLogRotationParams" directive to satisfy the NIST SP 800-92 logging requirements; add the directive if it does not exist.

OHS must have a log format defined to generate adequate logs by system startup and shutdown, system access, and system authentication events.
AU-12 - Medium - CCI-000169 - V-221308 - SV-221308r414609_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000169
Version
OH12-1X-000045
Vuln IDs
  • V-221308
  • V-64183
Rule IDs
  • SV-221308r414609_rule
  • SV-78673
Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the definition of what events are to be logged. As conditions change, the number and types of events to be logged may change, and the web server must be able to facilitate these changes. The minimum list of logged events should be those pertaining to system startup and shutdown, system access, and system authentication events. If these events are not logged at a minimum, any type of forensic investigation would be missing pertinent information needed to replay what occurred.
Checks: C-23023r414607_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or set improperly, this is a finding unless it is inherited from a larger scope.

Fix: F-23012r414608_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes.
3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i" dod"; add the directive if it does not exist, unless it is inherited from a larger scope.

OHS must have a SSL log format defined to generate adequate logs by system startup and shutdown, system access, and system authentication events.
AU-12 - Medium - CCI-000169 - V-221309 - SV-221309r414612_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000169
Version
OH12-1X-000046
Vuln IDs
  • V-221309
  • V-64185
Rule IDs
  • SV-221309r414612_rule
  • SV-78675
Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the definition of what events are to be logged. As conditions change, the number and types of events to be logged may change, and the web server must be able to facilitate these changes. The minimum list of logged events should be those pertaining to system startup and shutdown, system access, and system authentication events. If these events are not logged at a minimum, any type of forensic investigation would be missing pertinent information needed to replay what occurred.
Checks: C-23024r414610_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or set improperly, this is a finding unless it is inherited from a larger scope.

Fix: F-23013r414611_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes.
3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i sslprot:%{SSL_PROTOCOL}x ciph:%{SSL_CIPHER}x" dod_ssl"; add the directive if it does not exist, unless it is inherited from a larger scope.

OHS must have a log file defined for each site/virtual host to capture logs generated by system startup and shutdown, system access, and system authentication events.
AU-12 - Medium - CCI-000169 - V-221310 - SV-221310r414615_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000169
Version
OH12-1X-000047
Vuln IDs
  • V-221310
  • V-64187
Rule IDs
  • SV-221310r414615_rule
  • SV-78677
Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the definition of what events are to be logged. As conditions change, the number and types of events to be logged may change, and the web server must be able to facilitate these changes. The minimum list of logged events should be those pertaining to system startup and shutdown, system access, and system authentication events. If these events are not logged at a minimum, any type of forensic investigation would be missing pertinent information needed to replay what occurred.
Checks: C-23025r414613_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or set improperly, this is a finding unless it is inherited from a larger scope.
4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23014r414614_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes.
3a. If the virtual host is NOT configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod"; add the directive if it does not exist, unless it is inherited from a larger scope.
3b. If the virtual host is configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod_ssl"; add the directive if it does not exist, unless it is inherited from a larger scope. Note: a CustomLog inherited from the server scope keeps the nickname it was given there, so an SSL virtual host that only inherits a "dod" log does not satisfy 3b.
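A worked check for the httpd.conf rules above, added here as an example (my own code, not DISA's or Oracle's). It parses an httpd.conf into server, virtual host and container scopes and applies the access-control checks of V-221298 through V-221300 (including the lockdown shape the V-221301 fix produces), the server-scope logging checks of V-221303 through V-221309, and the per-virtual-host CustomLog check of V-221296/V-221310 with inheritance from the server scope. It also evaluates a client address under Order allow,deny semantics, which is what makes "comment out the Allow" in the V-221301 fix a lockout. The sample configuration is constructed: its paths, ports, the OraLogRotationParams value and the 203.0.113 nonsecure zone are placeholders, and the parser neither follows Include directives nor special-cases <IfModule>, so point it at each .conf file the check text names.

```python
import os
import re

# Constructed sample httpd.conf (not a real OHS file; paths, ports, rotation value and the
# 203.0.113 "nonsecure zone" are assumptions). <Location /admin> is in the V-221301 lockdown
# state; the SSL vhost has no CustomLog, so it inherits the server-scope "dod" log (a finding).
SAMPLE_CONF = r'''LoadModule log_config_module "${PRODUCT_HOME}/modules/mod_log_config.so"
OraLogMode odl-text
OraLogDir /var/log/ohs/ohs1
OraLogSeverity NOTIFICATION:32
OraLogRotationParams T 43200:604800
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i" dod
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i sslprot:%{SSL_PROTOCOL}x ciph:%{SSL_CIPHER}x" dod_ssl
CustomLog "||${PRODUCT_HOME}/bin/odl_rotatelogs /var/log/ohs/ohs1/access_log 43200" dod
<Directory "/app/htdocs">
    Order allow,deny
    Allow from all
    Deny from 203.0.113
</Directory>
<Location /admin>
    Order allow,deny
    # Allow from 10.1
    Deny from all
</Location>
<VirtualHost *:4443>
    SSLEngine on
</VirtualHost>'''
OPEN, CLOSE = re.compile(r'^<(\w+)\s+(.*?)\s*>$'), re.compile(r'^</\w+\s*>$')
DOD = r'"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i"'
DOD_SSL = DOD[:-1] + r' sslprot:%{SSL_PROTOCOL}x ciph:%{SSL_CIPHER}x"'

def parse(text):
    """httpd.conf text -> tree of {'name', 'arg', 'directives': [(name, value)], 'children'}."""
    stack = [root := {'name': 'server', 'arg': '', 'directives': [], 'children': []}]
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith('#'):   # a commented-out Allow is gone, as V-221301 intends
            continue
        if m := OPEN.match(line):
            stack[-1]['children'].append({'name': m[1], 'arg': m[2].strip('"'), 'directives': [], 'children': []})
            stack.append(stack[-1]['children'][-1])
        elif CLOSE.match(line):
            stack.pop()
        else:
            name, _, value = line.partition(' ')
            stack[-1]['directives'].append((name, value.strip()))
    return root

def get(node, name):
    return [v for n, v in node['directives'] if n.lower() == name.lower()]

def walk(node):
    yield node
    for child in node['children']:
        yield from walk(child)

def check_access(root):
    """V-221298/299/300: each <Directory> (except /), <Files> and <Location> needs Order allow,deny + Allow + Deny."""
    f = []
    for n in walk(root):
        if n['name'] not in ('Directory', 'Files', 'Location') or (n['name'], n['arg']) == ('Directory', '/'):
            continue
        where = f"<{n['name']} {n['arg']}>"
        if [o.replace(' ', '').lower() for o in get(n, 'Order')] != ['allow,deny']:
            f.append(f'{where}: Order must be allow,deny')
        for d, why in (('Allow', 'denies everyone; V-221301 lockdown only'), ('Deny', 'no nonsecure zone named')):
            if not get(n, d):
                f.append(f'{where}: no {d} directive ({why})')
    return f

def _matches(spec, ip):
    spec = re.sub(r'^from\s+', '', spec.strip().lower())                           # 'from all' / 'from 203.0.113'
    return spec == 'all' or ip == spec or ip.startswith(spec.rstrip('.') + '.')   # partial = leading octets

def decide(node, ip):
    # Order allow,deny: the request is served only if some Allow matches AND no Deny matches.
    return any(_matches(s, ip) for s in get(node, 'Allow')) and not any(_matches(s, ip) for s in get(node, 'Deny'))

def check_logging(root, isdir=os.path.isdir):
    """V-221303..V-221309 at server scope, then CustomLog per virtual host (V-221296/V-221310, inheriting)."""
    exact = {'OraLogMode': 'odl-text', 'OraLogSeverity': 'NOTIFICATION:32'}
    f = [f'{k} must be {v}' for k, v in exact.items() if get(root, k) != [v]]
    f += [f'{k} missing' for k in ('OraLogRotationParams', 'OraLogDir') if not get(root, k)]
    if get(root, 'OraLogDir') and not isdir(get(root, 'OraLogDir')[0]):
        f.append('OraLogDir directory does not exist')
    if not any(v.startswith('log_config_module') for v in get(root, 'LoadModule')):
        f.append('LoadModule log_config_module missing')
    fmts = dict(v.rsplit(' ', 1)[::-1] for v in get(root, 'LogFormat') if ' ' in v)   # nickname -> format
    for nick, want in (('dod', DOD), ('dod_ssl', DOD_SSL)):
        if fmts.get(nick) != want:
            f.append(f'LogFormat {nick} missing or differs from the STIG format string')
    for vh in (n for n in root['children'] if n['name'] == 'VirtualHost'):
        want = 'dod_ssl' if 'on' in [v.lower() for v in get(vh, 'SSLEngine')] else 'dod'
        logs = get(vh, 'CustomLog') or get(root, 'CustomLog')      # inherited from server scope if absent
        if not logs or not all('odl_rotatelogs' in l and l.endswith(' ' + want) for l in logs):
            f.append(f"<VirtualHost {vh['arg']}>: CustomLog must pipe to odl_rotatelogs with nickname {want}")
    return f

if __name__ == '__main__':
    root = parse(SAMPLE_CONF)
    print(*check_access(root) + check_logging(root, isdir=lambda p: True), sep='\n')   # isdir stubbed: offline demo
    print(decide(next(n for n in walk(root) if n['arg'] == '/app/htdocs'), '203.0.113.9'))   # False: Deny wins
```

Under Order allow,deny a request is served only if it matches an Allow and matches no Deny, so a Deny that overlaps an Allow wins and a container with no Allow at all serves nobody; that is the intended effect of the V-221301 fix and the reason the checker reports a missing Allow rather than silently accepting it. Partial addresses such as the STIG's "from 123.123" match on leading octets. Because an inherited CustomLog keeps the nickname it was given at server scope, an SSL virtual host without its own CustomLog picks up the "dod" format and never records the sslprot and ciph fields; the sample reproduces exactly that case.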

OHS must have a log level severity defined to produce sufficient log records to establish what type of events occurred.
AU-3 - Medium - CCI-000130 - V-221312 - SV-221312r414621_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
OH12-1X-000050
Vuln IDs
  • V-221312
  • V-64191
Rule IDs
  • SV-221312r414621_rule
  • SV-78681
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct type of event that occurred is important during forensic analysis. The correct determination of the event and when it occurred is important in relation to other events that happened at that same time. Without sufficient information establishing what type of log event occurred, investigation into the cause of the event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23027r414619_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "OraLogSeverity" directive at the OHS server configuration scope.
3. If the directive is omitted or is not set to "NOTIFICATION:32", this is a finding.

Fix: F-23016r414620_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "OraLogSeverity" directive at the OHS server configuration scope.
3. Set the "OraLogSeverity" directive to "NOTIFICATION:32"; add the directive if it does not exist.

OHS must have a log format defined for log records generated to capture sufficient information to establish what type of events occurred.
AU-3 - Medium - CCI-000130 - V-221313 - SV-221313r414624_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
OH12-1X-000051
Vuln IDs
  • V-221313
  • V-64193
Rule IDs
  • SV-221313r414624_rule
  • SV-78683
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct type of event that occurred is important during forensic analysis. The correct determination of the event and when it occurred is important in relation to other events that happened at that same time. Without sufficient information establishing what type of log event occurred, investigation into the cause of the event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23028r414622_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23017r414623_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i" dod", add the directive if it does not exist unless inherited from a larger scope.

OHS must have a SSL log format defined for log records generated to capture sufficient information to establish what type of events occurred.
AU-3 - Medium - CCI-000130 - V-221314 - SV-221314r414627_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
OH12-1X-000052
Vuln IDs
  • V-221314
  • V-64195
Rule IDs
  • SV-221314r414627_rule
  • SV-78685
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct type of event that occurred is important during forensic analysis. The correct determination of the event and when it occurred is important in relation to other events that happened at that same time. Without sufficient information establishing what type of log event occurred, investigation into the cause of the event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23029r414625_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or set improperly, this is a finding, unless it is inherited from a larger scope.

Fix: F-23018r414626_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes.
3. Set the "LogFormat" directive as follows, adding it if it does not exist, unless it is inherited from a larger scope:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i sslprot:%{SSL_PROTOCOL}x ciph:%{SSL_CIPHER}x" dod_ssl

OHS must have a log file defined for each site/virtual host to capture sufficient information to establish what type of events occurred.
AU-3 - Medium - CCI-000130 - V-221315 - SV-221315r414630_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
OH12-1X-000053
Vuln IDs
  • V-221315
  • V-64197
Rule IDs
  • SV-221315r414630_rule
  • SV-78687
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct type of event that occurred is important during forensic analysis. The correct determination of the event and when it occurred is important in relation to other events that happened at that same time. Without sufficient information establishing what type of log event occurred, investigation into the cause of the event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23030r414628_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or set improperly, this is a finding, unless it is inherited from a larger scope.
4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23019r414629_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes.
3a. If the virtual host is NOT configured for SSL, set the "CustomLog" directive as follows, adding it if it does not exist, unless it is inherited from a larger scope:
CustomLog "||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod
3b. If the virtual host is configured for SSL, set the "CustomLog" directive as follows, adding it if it does not exist, unless it is inherited from a larger scope:
CustomLog "||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod_ssl
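
The OraLogSeverity check, the "dod" and "dod_ssl" LogFormat checks and the per-virtual-host CustomLog check above recur unchanged for the AU-3 rules that follow (OH12-1X-000054 through OH12-1X-000065), so they are worth automating. The script below is an added example, not part of the STIG or of Oracle's tooling: it walks httpd.conf and its includes, tracks <VirtualHost> scope, compares each LogFormat against the exact strings in the fix text, and reports findings in the STIG's own terms, including the "folder exists" check. Two things it assumes that the STIG does not state: Include paths resolve relative to the directory holding httpd.conf, and a virtual host counts as "configured for SSL" when it contains SSLEngine on. The two-file configuration it audits is constructed in a temporary directory for the demonstration and deliberately contains two findings.

```python
"""Added example (not from the STIG or Oracle): audit an OHS httpd.conf tree for
the OraLogSeverity, LogFormat "dod"/"dod_ssl" and per-vhost CustomLog rules.

Assumptions not stated by the STIG: Include paths resolve relative to the
directory holding httpd.conf, and a vhost is "configured for SSL" when it
contains "SSLEngine on".
"""
import glob
import os
import re
import tempfile

# Exact format strings from the STIG fix text; the \" escapes are literal in httpd.conf.
DOD = r'%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i'
DOD_SSL = DOD + r' sslprot:%{SSL_PROTOCOL}x ciph:%{SSL_CIPHER}x'

VHOST_OPEN = re.compile(r'^\s*<VirtualHost\s+([^>]+)>', re.I)
VHOST_CLOSE = re.compile(r'^\s*</VirtualHost>', re.I)
SSL_ON = re.compile(r'^\s*SSLEngine\s+on\b', re.I)
ORA_SEV = re.compile(r'^\s*OraLogSeverity\s+(\S+)', re.I)
INCLUDE = re.compile(r'^\s*Include(?:Optional)?\s+"?([^"\s]+)"?', re.I)
# LogFormat/CustomLog: a double-quoted first argument (with \" escapes) then a nickname.
LOG_DIRECTIVE = re.compile(r'^\s*(LogFormat|CustomLog)\s+"((?:[^"\\]|\\.)*)"\s+(\S+)', re.I)
ROTATE = re.compile(r'^\|\|\$\{PRODUCT_HOME\}/bin/odl_rotatelogs\s+(\S+)\s+\d+$')


def new_scope(name, file=None):
    return {"name": name, "file": file, "logformat": {}, "customlog": [], "ssl": False, "orasev": None}


def parse_tree(httpd_conf):
    """Return (server_scope, [vhost_scopes]) for httpd.conf and everything it includes."""
    server = new_scope("server")
    vhosts = []
    base = os.path.dirname(os.path.abspath(httpd_conf))

    def walk(path):
        scope = server
        with open(path, encoding="utf-8") as fh:
            for line in fh:
                if (m := VHOST_OPEN.match(line)):
                    scope = new_scope(m.group(1), os.path.basename(path))
                    vhosts.append(scope)
                elif VHOST_CLOSE.match(line):
                    scope = server
                elif SSL_ON.match(line):
                    scope["ssl"] = True
                elif (m := ORA_SEV.match(line)):
                    scope["orasev"] = m.group(1)
                elif (m := INCLUDE.match(line)):
                    for inc in sorted(glob.glob(os.path.join(base, m.group(1)))):
                        walk(inc)
                elif (m := LOG_DIRECTIVE.match(line)):
                    if m.group(1).lower() == "logformat":
                        scope["logformat"][m.group(3)] = m.group(2)
                    else:
                        scope["customlog"].append((m.group(2), m.group(3)))

    walk(httpd_conf)
    return server, vhosts


def audit(httpd_conf):
    """Return the list of findings, phrased as the STIG checks phrase them (empty = no findings)."""
    server, vhosts = parse_tree(httpd_conf)
    findings = []
    if server["orasev"] != "NOTIFICATION:32":
        findings.append("OraLogSeverity is omitted or not NOTIFICATION:32 at server scope")
    formats = (("dod", DOD), ("dod_ssl", DOD_SSL))
    for nick, expected in formats:
        if server["logformat"].get(nick) != expected:
            findings.append(f'LogFormat "{nick}" omitted or set improperly at server scope')
    for vh in vhosts:
        where = f'{vh["file"]} <VirtualHost {vh["name"]}>'
        for nick, expected in formats:  # a vhost-level override must also be exact
            if nick in vh["logformat"] and vh["logformat"][nick] != expected:
                findings.append(f'{where}: LogFormat "{nick}" set improperly')
        want = "dod_ssl" if vh["ssl"] else "dod"
        logs = vh["customlog"] or server["customlog"]  # inherit from the larger scope
        if not logs:
            findings.append(f"{where}: CustomLog omitted")
        for target, nick in logs:
            m = ROTATE.match(target)
            if not m:
                findings.append(f"{where}: CustomLog not piped through odl_rotatelogs")
                continue
            if nick != want:
                findings.append(f'{where}: CustomLog uses "{nick}" but the vhost needs "{want}"')
            folder = os.path.dirname(m.group(1))
            if not os.path.isdir(folder):
                findings.append(f"{where}: log folder {folder} does not exist")
    return findings


def demo():
    """Build a constructed httpd.conf/ssl.conf pair (not a real OHS install) and audit it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "logs"))
    with open(os.path.join(root, "httpd.conf"), "w", encoding="utf-8") as fh:
        fh.write(f'''OraLogSeverity NOTIFICATION:32
LogFormat "{DOD}" dod
LogFormat "{DOD_SSL}" dod_ssl
<VirtualHost *:7777>
    CustomLog "||${{PRODUCT_HOME}}/bin/odl_rotatelogs {root}/logs/access_log 43200" dod
</VirtualHost>
include "ssl.conf"
''')
    with open(os.path.join(root, "ssl.conf"), "w", encoding="utf-8") as fh:
        # Two deliberate findings: "dod" on an SSL vhost, and a log folder that does not exist.
        fh.write(f'''<VirtualHost *:4443>
    SSLEngine on
    CustomLog "||${{PRODUCT_HOME}}/bin/odl_rotatelogs {root}/missing/ssl_access_log 43200" dod
</VirtualHost>
''')
    return audit(os.path.join(root, "httpd.conf"))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a real component by calling audit() with the path to $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf; an empty list means none of the checks on this page produced a finding. The comparison is byte-exact on purpose: a LogFormat that drops ecid:%E or xfor:%{X-Forwarded-For}i is "set improperly" under the STIG even though OHS accepts it.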

OHS must have a log format defined for log records generated to capture sufficient information to establish when an event occurred.
AU-3 - Medium - CCI-000131 - V-221316 - SV-221316r414633_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000131
Version
OH12-1X-000054
Vuln IDs
  • V-221316
  • V-64199
Rule IDs
  • SV-221316r414633_rule
  • SV-78689
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct order of the events that occurred is important during forensic analysis. Events that appear harmless by themselves might be flagged as a potential threat when properly viewed in sequence. By also establishing the event date and time, an event can be properly viewed with an enterprise tool to fully see a possible threat in its entirety. Without sufficient information establishing when the log event occurred, investigation into the cause of the event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23031r414631_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or set improperly, this is a finding, unless it is inherited from a larger scope.

Fix: F-23020r414632_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes.
3. Set the "LogFormat" directive as follows, adding it if it does not exist, unless it is inherited from a larger scope:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i" dod

OHS must have a SSL log format defined for log records generated to capture sufficient information to establish when an event occurred.
AU-3 - Medium - CCI-000131 - V-221317 - SV-221317r414636_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000131
Version
OH12-1X-000055
Vuln IDs
  • V-221317
  • V-64201
Rule IDs
  • SV-221317r414636_rule
  • SV-78691
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct order of the events that occurred is important during forensic analysis. Events that appear harmless by themselves might be flagged as a potential threat when properly viewed in sequence. By also establishing the event date and time, an event can be properly viewed with an enterprise tool to fully see a possible threat in its entirety. Without sufficient information establishing when the log event occurred, investigation into the cause of the event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23032r414634_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or set improperly, this is a finding, unless it is inherited from a larger scope.

Fix: F-23021r414635_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes.
3. Set the "LogFormat" directive as follows, adding it if it does not exist, unless it is inherited from a larger scope:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i sslprot:%{SSL_PROTOCOL}x ciph:%{SSL_CIPHER}x" dod_ssl

OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of when an event occurred.
AU-3 - Medium - CCI-000131 - V-221318 - SV-221318r414639_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000131
Version
OH12-1X-000056
Vuln IDs
  • V-221318
  • V-64203
Rule IDs
  • SV-221318r414639_rule
  • SV-78693
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct order of the events that occurred is important during forensic analysis. Events that appear harmless by themselves might be flagged as a potential threat when properly viewed in sequence. By also establishing the event date and time, an event can be properly viewed with an enterprise tool to fully see a possible threat in its entirety. Without sufficient information establishing when the log event occurred, investigation into the cause of the event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23033r414637_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or set improperly, this is a finding, unless it is inherited from a larger scope.
4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23022r414638_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes.
3a. If the virtual host is NOT configured for SSL, set the "CustomLog" directive as follows, adding it if it does not exist, unless it is inherited from a larger scope:
CustomLog "||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod
3b. If the virtual host is configured for SSL, set the "CustomLog" directive as follows, adding it if it does not exist, unless it is inherited from a larger scope:
CustomLog "||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod_ssl

OHS must have a log format defined for log records that allow the establishment of where within OHS the events occurred.
AU-3 - Medium - CCI-000132 - V-221319 - SV-221319r414642_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000132
Version
OH12-1X-000057
Vuln IDs
  • V-221319
  • V-64205
Rule IDs
  • SV-221319r414642_rule
  • SV-78695
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct location or process within the web server where the events occurred is important during forensic analysis. Correctly determining the web service, plug-in, or module will add information to the overall reconstruction of the logged event. For example, an event that occurred during communication to a CGI module might be handled differently than an event that occurred during a communication session to a user. Without sufficient information establishing where the log event occurred within the web server, investigation into the cause of the event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23034r414640_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or set improperly, this is a finding, unless it is inherited from a larger scope.

Fix: F-23023r414641_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes.
3. Set the "LogFormat" directive as follows, adding it if it does not exist, unless it is inherited from a larger scope:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i" dod

OHS must have a SSL log format defined for log records that allow the establishment of where within OHS the events occurred.
AU-3 - Medium - CCI-000132 - V-221320 - SV-221320r414645_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000132
Version
OH12-1X-000058
Vuln IDs
  • V-221320
  • V-64207
Rule IDs
  • SV-221320r414645_rule
  • SV-78697
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct location or process within the web server where the events occurred is important during forensic analysis. Correctly determining the web service, plug-in, or module will add information to the overall reconstruction of the logged event. For example, an event that occurred during communication to a CGI module might be handled differently than an event that occurred during a communication session to a user. Without sufficient information establishing where the log event occurred within the web server, investigation into the cause of the event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23035r414643_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or set improperly, this is a finding, unless it is inherited from a larger scope.

Fix: F-23024r414644_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes.
3. Set the "LogFormat" directive as follows, adding it if it does not exist, unless it is inherited from a larger scope:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i sslprot:%{SSL_PROTOCOL}x ciph:%{SSL_CIPHER}x" dod_ssl

OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of where within OHS the events occurred.
AU-3 - Medium - CCI-000132 - V-221321 - SV-221321r414648_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000132
Version
OH12-1X-000059
Vuln IDs
  • V-221321
  • V-64209
Rule IDs
  • SV-221321r414648_rule
  • SV-78699
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct location or process within the web server where the events occurred is important during forensic analysis. Correctly determining the web service, plug-in, or module will add information to the overall reconstruction of the logged event. For example, an event that occurred during communication to a CGI module might be handled differently than an event that occurred during a communication session to a user. Without sufficient information establishing where the log event occurred within the web server, investigation into the cause of the event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23036r414646_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or set improperly, this is a finding, unless it is inherited from a larger scope.
4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23025r414647_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes.
3a. If the virtual host is NOT configured for SSL, set the "CustomLog" directive as follows, adding it if it does not exist, unless it is inherited from a larger scope:
CustomLog "||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod
3b. If the virtual host is configured for SSL, set the "CustomLog" directive as follows, adding it if it does not exist, unless it is inherited from a larger scope:
CustomLog "||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod_ssl

OHS must have a log format defined for log records that allow the establishment of the source of events.
AU-3 - Medium - CCI-000133 - V-221322 - SV-221322r414651_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000133
Version
OH12-1X-000060
Vuln IDs
  • V-221322
  • V-64211
Rule IDs
  • SV-221322r414651_rule
  • SV-78701
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., source IP, of the events is important during forensic analysis. Correctly determining the source will add information to the overall reconstruction of the loggable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if the event compromised other assets within the enterprise. Without sufficient information establishing the source of the logged event, investigation into the cause of the event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23037r414649_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or set improperly, this is a finding, unless it is inherited from a larger scope.

Fix: F-23026r414650_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes.
3. Set the "LogFormat" directive as follows, adding it if it does not exist, unless it is inherited from a larger scope:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i" dod

OHS must have a SSL log format defined for log records that allow the establishment of the source of events.
AU-3 - Medium - CCI-000133 - V-221323 - SV-221323r414654_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000133
Version
OH12-1X-000061
Vuln IDs
  • V-221323
  • V-64213
Rule IDs
  • SV-221323r414654_rule
  • SV-78703
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., source IP, of the events is important during forensic analysis. Correctly determining the source will add information to the overall reconstruction of the loggable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if the event compromised other assets within the enterprise. Without sufficient information establishing the source of the logged event, investigation into the cause of the event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23038r414652_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or set improperly, this is a finding, unless it is inherited from a larger scope.

Fix: F-23027r414653_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes.
3. Set the "LogFormat" directive as follows, adding it if it does not exist, unless it is inherited from a larger scope:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i sslprot:%{SSL_PROTOCOL}x ciph:%{SSL_CIPHER}x" dod_ssl

OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of the source of events.
AU-3 - Medium - CCI-000133 - V-221324 - SV-221324r414657_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000133
Version
OH12-1X-000062
Vuln IDs
  • V-221324
  • V-64215
Rule IDs
  • SV-221324r414657_rule
  • SV-78705
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., source IP, of the events is important during forensic analysis. Correctly determining the source will add information to the overall reconstruction of the loggable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if the event compromised other assets within the enterprise. Without sufficient information establishing the source of the logged event, investigation into the cause of the event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23039r414655_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or set improperly, this is a finding, unless it is inherited from a larger scope.
4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23028r414656_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes.
3a. If the virtual host is NOT configured for SSL, set the "CustomLog" directive as follows, adding it if it does not exist, unless it is inherited from a larger scope:
CustomLog "||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod
3b. If the virtual host is configured for SSL, set the "CustomLog" directive as follows, adding it if it does not exist, unless it is inherited from a larger scope:
CustomLog "||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod_ssl

OHS, behind a load balancer or proxy server, must produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
AU-3 - Medium - CCI-000133 - V-221325 - SV-221325r414660_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000133
Version
OH12-1X-000063
Vuln IDs
  • V-221325
  • V-64217
Rule IDs
  • SV-221325r414660_rule
  • SV-78707
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., source IP, of the events is important during forensic analysis. Correctly determining the source of events will add information to the overall reconstruction of the loggable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if events tied to the source occurred in other areas within the enterprise. A web server behind a load balancer or proxy server, when not configured correctly, will record the load balancer or proxy server as the source of every loggable event. When looking at the information forensically, this information is not helpful in the investigation of events. The web server must record with each event the client source of the event.
Checks: C-23040r414658_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or set improperly, this is a finding, unless it is inherited from a larger scope.

Fix: F-23029r414659_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes.
3. Set the "LogFormat" directive as follows, adding it if it does not exist, unless it is inherited from a larger scope:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i" dod

OHS, behind a load balancer or proxy server, must have the SSL log format set correctly to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
AU-3 - Medium - CCI-000133 - V-221326 - SV-221326r414663_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000133
Version
OH12-1X-000064
Vuln IDs
  • V-221326
  • V-64219
Rule IDs
  • SV-221326r414663_rule
  • SV-78709
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., source IP, of the events is important during forensic analysis. Correctly determining the source of events will add information to the overall reconstruction of the logable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if events tied to the source occurred in other areas within the enterprise. A web server behind a load balancer or proxy server, when not configured correctly, will record the load balancer or proxy server as the source of every logable event. When looking at the information forensically, this information is not helpful in the investigation of events. The web server must record with each event the client source of the event.
Checks: C-23041r414661_chk

1. As required, use an editor to open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive.
2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or set improperly, this is a finding unless it is inherited from a larger scope.

Fix: F-23030r414662_fix

1. Use an editor to open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive.
2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes.
3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i sslprot:%{SSL_PROTOCOL}x ciph:%{SSL_CIPHER}x" dod_ssl"; add the directive if it does not exist, unless it is inherited from a larger scope.

OHS, behind a load balancer or proxy server, must have a log file defined for each site/virtual host to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
AU-3 - Medium - CCI-000133 - V-221327 - SV-221327r539625_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000133
Version
OH12-1X-000065
Vuln IDs
  • V-221327
  • V-64221
Rule IDs
  • SV-221327r539625_rule
  • SV-78711
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., source IP, of the events is important during forensic analysis. Correctly determining the source of events will add information to the overall reconstruction of the loggable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if events tied to the source occurred in other areas within the enterprise. A web server behind a load balancer or proxy server, when not configured correctly, will record the load balancer or proxy server as the source of every loggable event. When looking at the information forensically, this information is not helpful in the investigation of events. The web server must record with each event the client source of the event.
Checks: C-23042r414664_chk

1. Use an editor to open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive.
2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or set improperly, this is a finding unless it is inherited from a larger scope.
4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23031r414665_fix

1. Use an editor to open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive.
2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes.
3a. If the virtual host is NOT configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod"; add the directive if it does not exist, unless it is inherited from a larger scope.
3b. If the virtual host is configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod_ssl"; add the directive if it does not exist, unless it is inherited from a larger scope.

OHS must have a log format defined to produce log records that contain sufficient information to establish the outcome (success or failure) of events.
AU-3 - Medium - CCI-000134 - V-221328 - SV-221328r414669_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000134
Version
OH12-1X-000066
Vuln IDs
  • V-221328
  • V-64223
Rule IDs
  • SV-221328r414669_rule
  • SV-78713
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the success or failure of an event is important during forensic analysis. Correctly determining the outcome will add information to the overall reconstruction of the loggable event. By determining the success or failure of the event correctly, analysis of the enterprise can be undertaken to determine if events tied to the event occurred in other areas within the enterprise. Without sufficient information establishing the success or failure of the logged event, investigation into the cause of the event is severely hindered. The success or failure also provides a means to measure the impact of an event and helps authorized personnel to determine the appropriate response. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23043r414667_chk

1. Use an editor to open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive.
2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or set improperly, this is a finding unless it is inherited from a larger scope.

Fix: F-23032r414668_fix

1. Use an editor to open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive.
2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes.
3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i" dod"; add the directive if it does not exist, unless it is inherited from a larger scope.

OHS must have an SSL log format defined to produce log records that contain sufficient information to establish the outcome (success or failure) of events.
AU-3 - Medium - CCI-000134 - V-221329 - SV-221329r414672_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000134
Version
OH12-1X-000067
Vuln IDs
  • V-221329
  • V-64225
Rule IDs
  • SV-221329r414672_rule
  • SV-78715
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the success or failure of an event is important during forensic analysis. Correctly determining the outcome will add information to the overall reconstruction of the loggable event. By determining the success or failure of the event correctly, analysis of the enterprise can be undertaken to determine if events tied to the event occurred in other areas within the enterprise. Without sufficient information establishing the success or failure of the logged event, investigation into the cause of the event is severely hindered. The success or failure also provides a means to measure the impact of an event and helps authorized personnel to determine the appropriate response. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23044r414670_chk

1. As required, use an editor to open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive.
2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or set improperly, this is a finding unless it is inherited from a larger scope.

Fix: F-23033r414671_fix

1. Use an editor to open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive.
2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes.
3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i sslprot:%{SSL_PROTOCOL}x ciph:%{SSL_CIPHER}x" dod_ssl"; add the directive if it does not exist, unless it is inherited from a larger scope.

OHS must have a log file defined for each site/virtual host to produce log records that contain sufficient information to establish the outcome (success or failure) of events.
AU-3 - Medium - CCI-000134 - V-221330 - SV-221330r414675_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000134
Version
OH12-1X-000068
Vuln IDs
  • V-221330
  • V-64227
Rule IDs
  • SV-221330r414675_rule
  • SV-78717
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the success or failure of an event is important during forensic analysis. Correctly determining the outcome will add information to the overall reconstruction of the loggable event. By determining the success or failure of the event correctly, analysis of the enterprise can be undertaken to determine if events tied to the event occurred in other areas within the enterprise. Without sufficient information establishing the success or failure of the logged event, investigation into the cause of the event is severely hindered. The success or failure also provides a means to measure the impact of an event and helps authorized personnel to determine the appropriate response. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23045r414673_chk

1. Use an editor to open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive.
2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or set improperly, this is a finding unless it is inherited from a larger scope.
4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23034r414674_fix

1. Use an editor to open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive.
2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes.
3a. If the virtual host is NOT configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod"; add the directive if it does not exist, unless it is inherited from a larger scope.
3b. If the virtual host is configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod_ssl"; add the directive if it does not exist, unless it is inherited from a larger scope.

OHS must have a log format defined to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
AU-3 - Medium - CCI-001487 - V-221331 - SV-221331r414678_rule
RMF Control
AU-3
Severity
M
CCI
CCI-001487
Version
OH12-1X-000069
Vuln IDs
  • V-221331
  • V-64229
Rule IDs
  • SV-221331r414678_rule
  • SV-78719
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Determining user accounts, processes running on behalf of the user, and running process identifiers also enables a better understanding of the overall event. User tool identification is also helpful to determine if events are related to overall user access or specific client tools. Log record content that may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.
Checks: C-23046r414676_chk

1. Use an editor to open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive.
2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or set improperly, this is a finding unless it is inherited from a larger scope.

Fix: F-23035r414677_fix

1. Use an editor to open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive.
2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes.
3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i" dod"; add the directive if it does not exist, unless it is inherited from a larger scope.

OHS must have an SSL log format defined to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
AU-3 - Medium - CCI-001487 - V-221332 - SV-221332r414681_rule
RMF Control
AU-3
Severity
M
CCI
CCI-001487
Version
OH12-1X-000070
Vuln IDs
  • V-221332
  • V-64231
Rule IDs
  • SV-221332r414681_rule
  • SV-78721
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Determining user accounts, processes running on behalf of the user, and running process identifiers also enables a better understanding of the overall event. User tool identification is also helpful to determine if events are related to overall user access or specific client tools. Log record content that may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.
Checks: C-23047r414679_chk

1. As required, use an editor to open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive.
2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or set improperly, this is a finding unless it is inherited from a larger scope.

Fix: F-23036r414680_fix

1. Use an editor to open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive.
2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes.
3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i sslprot:%{SSL_PROTOCOL}x ciph:%{SSL_CIPHER}x" dod_ssl"; add the directive if it does not exist, unless it is inherited from a larger scope.

OHS must have a log file defined for each site/virtual host to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
AU-3 - Medium - CCI-001487 - V-221333 - SV-221333r414684_rule
RMF Control
AU-3
Severity
M
CCI
CCI-001487
Version
OH12-1X-000071
Vuln IDs
  • V-221333
  • V-64233
Rule IDs
  • SV-221333r414684_rule
  • SV-78723
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Determining user accounts, processes running on behalf of the user, and running process identifiers also enables a better understanding of the overall event. User tool identification is also helpful to determine if events are related to overall user access or specific client tools. Log record content that may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.
Checks: C-23048r414682_chk

1. Use an editor to open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive.
2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or set improperly, this is a finding unless it is inherited from a larger scope.
4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23037r414683_fix

1. Use an editor to open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive.
2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes.
3a. If the virtual host is NOT configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod"; add the directive if it does not exist, unless it is inherited from a larger scope.
3b. If the virtual host is configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod_ssl"; add the directive if it does not exist, unless it is inherited from a larger scope.

OHS log files must only be accessible by privileged users.
AU-9 - Medium - CCI-000162 - V-221334 - SV-221334r414687_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000162
Version
OH12-1X-000074
Vuln IDs
  • V-221334
  • V-64235
Rule IDs
  • SV-221334r414687_rule
  • SV-78725
Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc. The web server must protect the log data from unauthorized read, write, copy, etc. This can be done by the web server if the web server is also doing the logging function. The web server may also use an external log system. In either case, the logs must be protected from access by non-privileged users.
Checks: C-23049r414685_chk

1. Change to the ORACLE_HOME/user_projects/domains/base_domain/servers directory.
2. Execute the command: find . -name "*.log"
3. Verify that each log file returned has its owner and group set to the user and group used to run the web server. The user and group are typically set to Oracle.
4. Verify that each log file returned has its permissions set to "640" or more restrictive.
If the owner, group, or permissions are set incorrectly on any of the log files, this is a finding.

Fix: F-23038r414686_fix

1. Change to the ORACLE_HOME/user_projects/domains/base_domain/servers directory.
2. Execute the command: find . -name "*.log"
3. Set the owner and group to the user and group used to run the web server. The user and group are typically set to Oracle.
4. Set the permissions on all the log files returned to "640".

The log information from OHS must be protected from unauthorized modification.
AU-9 - Medium - CCI-000163 - V-221335 - SV-221335r414690_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000163
Version
OH12-1X-000075
Vuln IDs
  • V-221335
  • V-64237
Rule IDs
  • SV-221335r414690_rule
  • SV-78727
Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromise. One of the first steps an attacker will undertake is the modification or deletion of log records to cover his tracks and prolong discovery. The web server must protect the log data from unauthorized modification. This can be done by the web server if the web server is also doing the logging function. The web server may also use an external log system. In either case, the logs must be protected from modification by non-privileged users.
Checks: C-23050r414688_chk

1. Change to the ORACLE_HOME/user_projects/domains/base_domain/servers directory.
2. Execute the command: find . -name "*.log"
3. Verify that each log file returned has its owner and group set to the user and group used to run the web server. The user and group are typically set to Oracle.
4. Verify that each log file returned has its permissions set to "640" or more restrictive.
If the owner, group, or permissions are set incorrectly on any of the log files, this is a finding.

Fix: F-23039r414689_fix

1. Change to the ORACLE_HOME/user_projects/domains/base_domain/servers directory.
2. Execute the command: find . -name "*.log"
3. Set the owner and group to the user and group used to run the web server. The user and group are typically set to Oracle.
4. Set the permissions on all the log files returned to "640".

The log information from OHS must be protected from unauthorized deletion.
AU-9 - Medium - CCI-000164 - V-221336 - SV-221336r414693_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000164
Version
OH12-1X-000076
Vuln IDs
  • V-221336
  • V-64239
Rule IDs
  • SV-221336r414693_rule
  • SV-78729
Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromise. One of the first steps an attacker will undertake is the modification or deletion of audit records to cover his tracks and prolong discovery. The web server must protect the log data from unauthorized deletion. This can be done by the web server if the web server is also doing the logging function. The web server may also use an external log system. In either case, the logs must be protected from deletion by non-privileged users.
Checks: C-23051r414691_chk

1. Change to the ORACLE_HOME/user_projects/domains/base_domain/servers directory.
2. Execute the command: find . -name "*.log"
3. Verify that each log file returned has its owner and group set to the user and group used to run the web server. The user and group are typically set to Oracle.
4. Verify that each log file returned has its permissions set to "640" or more restrictive.
If the owner, group, or permissions are set incorrectly on any of the log files, this is a finding.

Fix: F-23040r414692_fix

1. Change to the ORACLE_HOME/user_projects/domains/base_domain/servers directory.
2. Execute the command: find . -name "*.log"
3. Set the owner and group to the user and group used to run the web server. The user and group are typically set to Oracle.
4. Set the permissions on all the log files returned to "640".
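
The three AU-9 checks above share one procedure: every *.log under the servers directory must be owned by the web server's user and group and be mode 640 or more restrictive. The following is an added example, not part of the STIG, that audits and remediates a tree that way; "more restrictive" is tested as a permission mask rather than an exact match, symlinks are reported rather than followed, and the directory tree and the expected uid/gid are constructed/assumed by the caller.

```python
"""Audit and remediate OHS log-file ownership and permissions as the STIG
describes: owned by the web server's user/group, mode 640 or more restrictive.
Added example, not STIG or Oracle code; root, uid and gid are caller-supplied."""
import os
import stat
import tempfile

MAX_MODE = 0o640   # rw-r-----; any permission bit outside this mask is a finding


def log_files(root):
    """Yield every *.log under root, mirroring `find . -name "*.log"`."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".log"):
                yield os.path.join(dirpath, name)


def audit_logs(root, uid, gid):
    """Return (path, problem) tuples; an empty list means the tree is compliant."""
    findings = []
    for path in log_files(root):
        st = os.lstat(path)                 # do not follow links out of the tree
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symbolic link; audit its target separately"))
            continue
        if st.st_uid != uid:
            findings.append((path, f"owner uid {st.st_uid} != expected {uid}"))
        if st.st_gid != gid:
            findings.append((path, f"group gid {st.st_gid} != expected {gid}"))
        mode = stat.S_IMODE(st.st_mode)
        if mode & ~MAX_MODE:                # bits set beyond 640 => too permissive
            findings.append((path, f"mode {mode:04o} is less restrictive than 0640"))
    return findings


def remediate(root, uid, gid):
    """Apply the STIG fix (chown to uid/gid, chmod 640); return files changed."""
    changed = set()
    for path in log_files(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue
        if (st.st_uid, st.st_gid) != (uid, gid):
            os.chown(path, uid, gid)
            changed.add(path)
        if stat.S_IMODE(st.st_mode) != MAX_MODE:
            os.chmod(path, MAX_MODE)
            changed.add(path)
    return len(changed)


def demo():
    """Constructed tree: one compliant log and one world-readable log (0644).
    Ownership is the current user, so only the mode finding is expected."""
    root = tempfile.mkdtemp()
    logs = os.path.join(root, "component1", "logs")
    os.makedirs(logs)
    for name, mode in (("component.log", 0o640), ("other.log", 0o644)):
        path = os.path.join(logs, name)
        open(path, "w").close()
        os.chmod(path, mode)
    uid, gid = os.getuid(), os.getgid()
    before = audit_logs(root, uid, gid)
    remediate(root, uid, gid)
    return before, audit_logs(root, uid, gid)
```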

The log data and records from OHS must be backed up onto a different system or media.
AU-9 - Medium - CCI-001348 - V-221337 - SV-221337r414696_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001348
Version
OH12-1X-000077
Vuln IDs
  • V-221337
  • V-64241
Rule IDs
  • SV-221337r414696_rule
  • SV-78731
Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up log records to an unrelated system or onto separate media than the system the web server is actually running on helps to assure that, in the event of a catastrophic system failure, the log records will be retained.
Checks: C-23052r414694_chk

1. Verify that the System Administrator backs up the files located in the $DOMAIN_HOME/servers/<componentName>/logs directory.
2. If the files located in the $DOMAIN_HOME/servers/<componentName>/logs directory are not backed up, this is a finding.

Fix: F-23041r414695_fix

Have the System Administrator back up the files located in the $DOMAIN_HOME/servers/<componentName>/logs directory.

OHS must be configured to store error log files to an appropriate storage device from which other tools can be configured to reference those log files for diagnostic/forensic purposes.
AU-4 - Medium - CCI-001851 - V-221338 - SV-221338r414699_rule
RMF Control
AU-4
Severity
M
CCI
CCI-001851
Version
OH12-1X-000081
Vuln IDs
  • V-221338
  • V-64505
Rule IDs
  • SV-221338r414699_rule
  • SV-78995
A web server will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within a hosted application. This information can then be used for diagnostic purposes, forensics purposes, or other purposes relevant to ensuring the availability and integrity of the hosted application. While it is important to log events identified as being critical and relevant to security, it is equally important to notify the appropriate personnel in a timely manner so they are able to respond to events as they occur. Manual review of the web server logs may not occur in a timely manner, and each event logged is open to interpretation by a reviewer. By integrating the web server into an overall or organization-wide log review, a larger picture of events can be viewed, and analysis can be done in a timely and reliable manner.
Checks: C-23053r414697_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "OraLogDir" directive at the OHS server configuration scope.
3. If the directive is omitted, this is a finding.
4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23042r414698_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "OraLogDir" directive at the OHS server configuration scope.
3. Set the "OraLogDir" directive to an appropriate, protected location on a partition with sufficient space that is different from the partition on which the OHS software is installed; add the directive if it does not exist.

OHS must be configured to store access log files to an appropriate storage device from which other tools can be configured to reference those log files for diagnostic/forensic purposes.
AU-4 - Medium - CCI-001851 - V-221339 - SV-221339r414702_rule
RMF Control
AU-4
Severity
M
CCI
CCI-001851
Version
OH12-1X-000082
Vuln IDs
  • V-221339
  • V-64507
Rule IDs
  • SV-221339r414702_rule
  • SV-78997
A web server will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within a hosted application. This information can then be used for diagnostic purposes, forensics purposes, or other purposes relevant to ensuring the availability and integrity of the hosted application. While it is important to log events identified as being critical and relevant to security, it is equally important to notify the appropriate personnel in a timely manner so they are able to respond to events as they occur. Manual review of the web server logs may not occur in a timely manner, and each event logged is open to interpretation by a reviewer. By integrating the web server into an overall or organization-wide log review, a larger picture of events can be viewed, and analysis can be done in a timely and reliable manner.
Checks: C-23054r414700_chk

1. Use an editor to open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive.
2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or set improperly, this is a finding unless it is inherited from a larger scope.
4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23043r414701_fix

1. Use an editor to open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive.
2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes.
3a. If the virtual host is NOT configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod"; add the directive if it does not exist, unless it is inherited from a larger scope, and reference a location where other tools can access the log files for diagnostic/forensic purposes.
3b. If the virtual host is configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod_ssl"; add the directive if it does not exist, unless it is inherited from a larger scope, and reference a location where other tools can access the log files for diagnostic/forensic purposes.
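
The LogFormat and CustomLog checks repeated through the AU-3 and AU-4 rules above are hard to do reliably by hand once httpd.conf includes several files with their own virtual hosts. The following is an added example, not part of the STIG or of Oracle's tooling, that parses httpd.conf and its Include files, tracks server and <VirtualHost> scope with inheritance from the larger scope, and reports the four finding conditions (nickname not defined, format set improperly, no CustomLog using the required nickname, log directory missing). It assumes Include paths resolve relative to the including file, and the httpd.conf/ssl.conf pair it audits is constructed for the demonstration.

```python
"""Audit OHS access-log configuration for the "dod"/"dod_ssl" LogFormat and
CustomLog requirements.  Added example, not STIG or Oracle code; assumes Include
paths are relative to the including file and only <VirtualHost> changes scope."""
import glob, os, re, shlex, tempfile
from dataclasses import dataclass, field

# Required formats as httpd stores them (the STIG's \" unescapes to ").
DOD = ('%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" '
       'ecid:%E xfor:%{X-Forwarded-For}i')
EXPECTED = {"dod": DOD, "dod_ssl": DOD + " sslprot:%{SSL_PROTOCOL}x ciph:%{SSL_CIPHER}x"}

@dataclass
class Scope:
    name: str                                    # "server" or VirtualHost argument
    formats: dict = field(default_factory=dict)  # nickname -> format string
    logs: list = field(default_factory=list)     # (target, nickname)
    ssl: bool = False

def parse(path, server=None, vhosts=None, current=None):
    """Collect LogFormat/CustomLog/SSLEngine per scope, following Include lines."""
    server = Scope("server") if server is None else server
    vhosts = [] if vhosts is None else vhosts
    current = server if current is None else current
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
            if m:                                  # enter a virtual-host scope
                current = Scope(m.group(1).strip())
                vhosts.append(current)
                continue
            if line.lower().startswith("</virtualhost>"):
                current = server
                continue
            tok = shlex.split(line, comments=False, posix=True)  # unescapes \"
            d = tok[0].lower()
            if d == "include" and len(tok) > 1:
                for inc in sorted(glob.glob(os.path.join(os.path.dirname(path), tok[1]))):
                    parse(inc, server, vhosts, current)
            elif d == "logformat" and len(tok) >= 3:
                current.formats[tok[2]] = tok[1]
            elif d == "customlog" and len(tok) >= 3:
                current.logs.append((tok[1], tok[2]))
            elif d == "sslengine" and len(tok) > 1:
                current.ssl = tok[1].lower() == "on"
    return server, vhosts

def log_dir(target):
    """Directory a CustomLog writes to; for the piped "||prog file interval" form
    (odl_rotatelogs, as in the STIG fix) the file is the program's first argument."""
    file_ = target
    if target.startswith("|"):
        args = shlex.split(target.lstrip("|"))
        file_ = args[1] if len(args) > 1 else ""
    return os.path.dirname(os.path.expandvars(file_))

def audit(server, vhosts):
    """Return finding strings (empty = compliant).  A virtual host inherits
    LogFormat nicknames and CustomLog from the server scope if it sets none."""
    findings = []
    for sc in (vhosts or [server]):
        need = "dod_ssl" if sc.ssl else "dod"
        fmt = {**server.formats, **sc.formats}.get(need)
        if fmt is None:
            findings.append(f"{sc.name}: LogFormat {need} not defined")
        elif fmt != EXPECTED[need]:
            findings.append(f"{sc.name}: LogFormat {need} set improperly")
        using = [t for t, n in (sc.logs or server.logs) if n == need]
        if not using:
            findings.append(f"{sc.name}: no CustomLog using nickname {need}")
        for target in using:
            if not os.path.isdir(log_dir(target)):
                findings.append(f"{sc.name}: log directory missing for {target}")
    return findings

# Constructed configuration: *:7777 complies; *:4443's dod_ssl format is incomplete.
HTTPD_CONF = r'''LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i" dod
Include ssl.conf
<VirtualHost *:7777>
    CustomLog "||${PRODUCT_HOME}/bin/odl_rotatelogs LOGDIR/access_log 43200" dod
</VirtualHost>
'''
SSL_CONF = r'''<VirtualHost *:4443>
    SSLEngine on
    LogFormat "%h %l %u %t \"%r\" %>s %b" dod_ssl
    CustomLog "||${PRODUCT_HOME}/bin/odl_rotatelogs LOGDIR/ssl_access_log 43200" dod_ssl
</VirtualHost>
'''

def demo():
    """Write the constructed pair to a temp dir (with an existing logs/ dir) and audit."""
    root = tempfile.mkdtemp()
    logdir = os.path.join(root, "logs")
    os.mkdir(logdir)
    for name, text in (("httpd.conf", HTTPD_CONF), ("ssl.conf", SSL_CONF)):
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(text.replace("LOGDIR", logdir))
    return audit(*parse(os.path.join(root, "httpd.conf")))
```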

OHS must have the LoadModule file_cache_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221340 - SV-221340r414705_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000093
Vuln IDs
  • V-221340
  • V-64243
Rule IDs
  • SV-221340r414705_rule
  • SV-78733
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23055r414703_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule file_cache_module" directive at the OHS server configuration scope.
3. If the directive exists and is not commented out, this is a finding.

Fix: F-23044r414704_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule file_cache_module" directive at the OHS server configuration scope.
3. Comment out the "LoadModule file_cache_module" directive if it exists.

OHS must have the LoadModule vhost_alias_module directive disabled.
CM-7 - Low - CCI-000381 - V-221341 - SV-221341r414708_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000094
Vuln IDs
  • V-221341
  • V-64245
Rule IDs
  • SV-221341r414708_rule
  • SV-78735
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23056r414706_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule vhost_alias_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23045r414707_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule vhost_alias_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule vhost_alias_module" directive if it exists.

OHS must have the LoadModule env_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221342 - SV-221342r414711_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000095
Vuln IDs
  • V-221342
  • V-64247
Rule IDs
  • SV-221342r414711_rule
  • SV-78737
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23057r414709_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule env_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23046r414710_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule env_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule env_module" directive if it exists.

OHS must have the LoadModule mime_magic_module directive disabled.
CM-7 - Low - CCI-000381 - V-221343 - SV-221343r414714_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000096
Vuln IDs
  • V-221343
  • V-64249
Rule IDs
  • SV-221343r414714_rule
  • SV-78739
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23058r414712_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule mime_magic_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23047r414713_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule mime_magic_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule mime_magic_module" directive if it exists.

OHS must have the LoadModule negotiation_module directive disabled.
CM-7 - Low - CCI-000381 - V-221344 - SV-221344r414717_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000097
Vuln IDs
  • V-221344
  • V-64251
Rule IDs
  • SV-221344r414717_rule
  • SV-78741
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23059r414715_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule negotiation_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23048r414716_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule negotiation_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule negotiation_module" directive if it exists.

OHS must not have the LanguagePriority directive enabled.
CM-7 - Low - CCI-000381 - V-221345 - SV-221345r414720_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000098
Vuln IDs
  • V-221345
  • V-64253
Rule IDs
  • SV-221345r414720_rule
  • SV-78743
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23060r414718_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "LanguagePriority" directive, with an editor. 2. Search for the "LanguagePriority" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23049r414719_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "LanguagePriority" directive, with an editor. 2. Search for the "LanguagePriority" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "LanguagePriority" directive if it exists.

OHS must not have the ForceLanguagePriority directive enabled.
CM-7 - Low - CCI-000381 - V-221346 - SV-221346r414723_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000099
Vuln IDs
  • V-221346
  • V-64255
Rule IDs
  • SV-221346r414723_rule
  • SV-78745
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23061r414721_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "ForceLanguagePriority" directive, with an editor. 2. Search for the "ForceLanguagePriority" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23050r414722_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "ForceLanguagePriority" directive, with an editor. 2. Search for the "ForceLanguagePriority" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "ForceLanguagePriority" directive if it exists.

OHS must have the LoadModule status_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221347 - SV-221347r414726_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000100
Vuln IDs
  • V-221347
  • V-64257
Rule IDs
  • SV-221347r414726_rule
  • SV-78747
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23062r414724_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule status_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23051r414725_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule status_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule status_module" directive if it exists.

OHS must have the LoadModule info_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221348 - SV-221348r414729_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000101
Vuln IDs
  • V-221348
  • V-64259
Rule IDs
  • SV-221348r414729_rule
  • SV-78749
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23063r414727_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule info_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23052r414728_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule info_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule info_module" directive if it exists.

OHS must have the LoadModule include_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221349 - SV-221349r414732_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000102
Vuln IDs
  • V-221349
  • V-64261
Rule IDs
  • SV-221349r414732_rule
  • SV-78751
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23064r414730_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule include_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23053r414731_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule include_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule include_module" directive if it exists.

OHS must have the LoadModule autoindex_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221350 - SV-221350r414735_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000103
Vuln IDs
  • V-221350
  • V-64263
Rule IDs
  • SV-221350r414735_rule
  • SV-78753
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23065r414733_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule autoindex_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23054r414734_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule autoindex_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule autoindex_module" directive if it exists.

OHS must have the IndexOptions directive disabled.
CM-7 - Medium - CCI-000381 - V-221351 - SV-221351r414738_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000104
Vuln IDs
  • V-221351
  • V-64265
Rule IDs
  • SV-221351r414738_rule
  • SV-78755
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23066r414736_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains an "IndexOptions" directive, with an editor. 2. Search for the "IndexOptions" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23055r414737_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains an "IndexOptions" directive, with an editor. 2. Search for the "IndexOptions" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "IndexOptions" directive if it exists.

OHS must have the AddIconByEncoding directive disabled.
CM-7 - Medium - CCI-000381 - V-221352 - SV-221352r414741_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000105
Vuln IDs
  • V-221352
  • V-64267
Rule IDs
  • SV-221352r414741_rule
  • SV-78757
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23067r414739_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains an "AddIconByEncoding" directive, with an editor. 2. Search for an "AddIconByEncoding" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23056r414740_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains an "AddIconByEncoding" directive, with an editor. 2. Search for an "AddIconByEncoding" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "AddIconByEncoding" directive if it exists.

OHS must have the AddIconByType directive disabled.
CM-7 - Medium - CCI-000381 - V-221353 - SV-221353r414744_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000106
Vuln IDs
  • V-221353
  • V-64269
Rule IDs
  • SV-221353r414744_rule
  • SV-78759
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23068r414742_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains an "AddIconByType" directive, with an editor. 2. Search for an "AddIconByType" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23057r414743_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains an "AddIconByType" directive, with an editor. 2. Search for an "AddIconByType" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "AddIconByType" directive if it exists.

OHS must have the AddIcon directive disabled.
CM-7 - Medium - CCI-000381 - V-221354 - SV-221354r414747_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000107
Vuln IDs
  • V-221354
  • V-64271
Rule IDs
  • SV-221354r414747_rule
  • SV-78761
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23069r414745_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains an "AddIcon" directive, with an editor. 2. Search for an "AddIcon" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23058r414746_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains an "AddIcon" directive, with an editor. 2. Search for an "AddIcon" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "AddIcon" directive if it exists.

OHS must have the DefaultIcon directive disabled.
CM-7 - Medium - CCI-000381 - V-221355 - SV-221355r414750_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000108
Vuln IDs
  • V-221355
  • V-64273
Rule IDs
  • SV-221355r414750_rule
  • SV-78763
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23070r414748_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "DefaultIcon" directive, with an editor. 2. Search for a "DefaultIcon" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23059r414749_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "DefaultIcon" directive, with an editor. 2. Search for a "DefaultIcon" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "DefaultIcon" directive if it exists.

OHS must have the ReadmeName directive disabled.
CM-7 - Medium - CCI-000381 - V-221356 - SV-221356r414753_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000109
Vuln IDs
  • V-221356
  • V-64275
Rule IDs
  • SV-221356r414753_rule
  • SV-78765
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23071r414751_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "ReadmeName" directive, with an editor. 2. Search for a "ReadmeName" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23060r414752_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "ReadmeName" directive, with an editor. 2. Search for a "ReadmeName" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "ReadmeName" directive if it exists.

OHS must have the HeaderName directive disabled.
CM-7 - Medium - CCI-000381 - V-221357 - SV-221357r414756_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000110
Vuln IDs
  • V-221357
  • V-64277
Rule IDs
  • SV-221357r414756_rule
  • SV-78767
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23072r414754_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "HeaderName" directive, with an editor. 2. Search for a "HeaderName" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23061r414755_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "HeaderName" directive, with an editor. 2. Search for a "HeaderName" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "HeaderName" directive if it exists.

OHS must have the IndexIgnore directive disabled.
CM-7 - Medium - CCI-000381 - V-221358 - SV-221358r414759_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000111
Vuln IDs
  • V-221358
  • V-64279
Rule IDs
  • SV-221358r414759_rule
  • SV-78769
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23073r414757_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains an "IndexIgnore" directive, with an editor. 2. Search for an "IndexIgnore" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23062r414758_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains an "IndexIgnore" directive, with an editor. 2. Search for an "IndexIgnore" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "IndexIgnore" directive if it exists.

OHS must have the LoadModule dir_module directive disabled.
CM-7 - Low - CCI-000381 - V-221359 - SV-221359r414762_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000112
Vuln IDs
  • V-221359
  • V-64281
Rule IDs
  • SV-221359r414762_rule
  • SV-78771
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23074r414760_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule dir_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23063r414761_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule dir_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule dir_module" directive if it exists.

OHS must have the DirectoryIndex directive disabled.
CM-7 - Low - CCI-000381 - V-221360 - SV-221360r414765_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000113
Vuln IDs
  • V-221360
  • V-64283
Rule IDs
  • SV-221360r414765_rule
  • SV-78773
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23075r414763_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "DirectoryIndex" directive, with an editor. 2. Search for the "DirectoryIndex" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive and any surrounding "<IfModule dir_module>" directive exist and are not commented out, this is a finding.

Fix: F-23064r414764_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains a "DirectoryIndex" directive, with an editor. 2. Search for the "DirectoryIndex" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "DirectoryIndex" directive and any surrounding "<IfModule dir_module>" directive if they exist.

OHS must have the LoadModule cgi_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221361 - SV-221361r414768_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000114
Vuln IDs
  • V-221361
  • V-64285
Rule IDs
  • SV-221361r414768_rule
  • SV-78775
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23076r414766_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule cgi_module" directive within the "<IfModule mpm_prefork_module>" directive at the OHS server configuration scope. 3. If the directive and its surrounding "<IfModule mpm_prefork_module>" directive exist and are not commented out, this is a finding.

Fix: F-23065r414767_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule cgi_module" directive within the "<IfModule mpm_prefork_module>" directive at the OHS server configuration scope. 3. Comment out the "LoadModule cgi_module" directive and surrounding "<IfModule mpm_prefork_module>" directives if they exist.

OHS must have the LoadModule fastcgi_module disabled.
CM-7 - Medium - CCI-000381 - V-221362 - SV-221362r414771_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000115
Vuln IDs
  • V-221362
  • V-64287
Rule IDs
  • SV-221362r414771_rule
  • SV-78777
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23077r414769_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule fastcgi_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23066r414770_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule fastcgi_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule fastcgi_module" directive if it exists.

OHS must have the LoadModule cgid_module directive disabled for mpm workers.
CM-7 - Medium - CCI-000381 - V-221363 - SV-221363r414774_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000116
Vuln IDs
  • V-221363
  • V-64289
Rule IDs
  • SV-221363r414774_rule
  • SV-78779
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23078r414772_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule cgid_module" directive within the "<IfModule mpm_worker_module>" directive at the OHS server configuration scope. 3. If the directive and its surrounding "<IfModule mpm_worker_module>" directive exist and are not commented out, this is a finding.

Fix: F-23067r414773_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule cgid_module" directive within the "<IfModule mpm_worker_module>" directive at the OHS server configuration scope. 3. Comment out the "LoadModule cgid_module" directive and surrounding "<IfModule mpm_worker_module>" directives if they exist.

OHS must have the IfModule cgid_module directive disabled.
CM-7 - Low - CCI-000381 - V-221364 - SV-221364r414777_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000117
Vuln IDs
  • V-221364
  • V-64291
Rule IDs
  • SV-221364r414777_rule
  • SV-78781
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23079r414775_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains an "<IfModule cgid_module>" directive, with an editor. 2. Search for the "<IfModule cgid_module>" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive and any directives that it may contain exist and are not commented out, this is a finding.

Fix: F-23068r414776_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file included in it (e.g., ssl.conf) that contains an "<IfModule cgid_module>" directive, with an editor. 2. Search for the "<IfModule cgid_module>" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "<IfModule cgid_module>" directive and any directives it may contain.

OHS must have the LoadModule mpm_winnt_module directive disabled.
CM-7 - Low - CCI-000381 - V-221365 - SV-221365r414780_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000118
Vuln IDs
  • V-221365
  • V-64293
Rule IDs
  • SV-221365r414780_rule
  • SV-78783
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23080r414778_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule cgi_module" directive within the "<IfModule mpm_winnt_module>" directive at the OHS server configuration scope.
3. If the directive and its surrounding "<IfModule mpm_winnt_module>" directive exist and are not commented out, this is a finding.

Fix: F-23069r414779_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule cgi_module" directive within the "<IfModule mpm_winnt_module>" directive at the OHS server configuration scope.
3. Comment out the "LoadModule cgi_module" directive and surrounding "<IfModule mpm_winnt_module>" directives if they exist.

b
OHS must have the ScriptAlias directive for CGI scripts disabled.
CM-7 - Medium - CCI-000381 - V-221366 - SV-221366r414783_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000119
Vuln IDs
  • V-221366
  • V-64295
Rule IDs
  • SV-221366r414783_rule
  • SV-78785
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23081r414781_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for a "ScriptAlias /cgi-bin/" directive within a "<IfModule alias_module>" directive at the OHS server configuration scope.
3. If the directive and its surrounding "<IfModule alias_module>" directive exist and are not commented out, this is a finding.

Fix: F-23070r414782_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for a "ScriptAlias /cgi-bin/" directive within a "<IfModule alias_module>" directive at the OHS server configuration scope.
3. Comment out the "ScriptAlias /cgi-bin/" directive and its surrounding "<IfModule alias_module>" directive if they exist.

b
OHS must have the ScriptSock directive disabled.
CM-7 - Medium - CCI-000381 - V-221367 - SV-221367r414786_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000120
Vuln IDs
  • V-221367
  • V-64297
Rule IDs
  • SV-221367r414786_rule
  • SV-78787
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23082r414784_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for a "ScriptSock" directive within a "<IfModule cgid_module>" directive at the OHS server configuration scope. Note: "ScriptSock" may appear as "Scriptsock" within the httpd.conf file.
3. If the directive and its surrounding "<IfModule cgid_module>" directive exist and are not commented out, this is a finding.

Fix: F-23071r414785_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for a "ScriptSock" directive within a "<IfModule cgid_module>" directive at the OHS server configuration scope. Note: "ScriptSock" may appear as "Scriptsock" within the httpd.conf file.
3. Comment out the "ScriptSock" directive and its surrounding "<IfModule cgid_module>" directive if they exist.

b
OHS must have the cgi-bin directory disabled.
CM-7 - Medium - CCI-000381 - V-221368 - SV-221368r414789_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000121
Vuln IDs
  • V-221368
  • V-64299
Rule IDs
  • SV-221368r414789_rule
  • SV-78789
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23083r414787_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for a "<Directory "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/cgi-bin">" directive at the OHS server and virtual host configuration scopes.
3. If the directive and any directives that it contains exist and are not commented out, this is a finding.

Fix: F-23072r414788_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for a "<Directory "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/cgi-bin">" directive at the OHS server and virtual host configuration scopes.
3. Comment out the "<Directory "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/cgi-bin">" directive and any directives it contains if they exist.

b
OHS must have directives pertaining to certain scripting languages removed from virtual hosts.
CM-7 - Medium - CCI-000381 - V-221369 - SV-221369r414792_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000122
Vuln IDs
  • V-221369
  • V-64301
Rule IDs
  • SV-221369r414792_rule
  • SV-78791
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23084r414790_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for a "<FilesMatch "\.(cgi|shtml|phtml|php)$">" directive at the virtual host configuration scope.
3. If the directive and any directives that it contains exist and are not commented out, this is a finding.

Fix: F-23073r414791_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for a "<FilesMatch "\.(cgi|shtml|phtml|php)$">" directive at the OHS server configuration scope.
3. Comment out the "<FilesMatch "\.(cgi|shtml|phtml|php)$">" directive and any directives it contains if they exist.

a
OHS must have the LoadModule asis_module directive disabled.
CM-7 - Low - CCI-000381 - V-221370 - SV-221370r414795_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000123
Vuln IDs
  • V-221370
  • V-64303
Rule IDs
  • SV-221370r414795_rule
  • SV-78793
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23085r414793_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule asis_module" directive at the OHS server configuration scope.
3. If the directive exists and is not commented out, this is a finding.

Fix: F-23074r414794_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule asis_module" directive at the OHS server configuration scope.
3. Comment out the "LoadModule asis_module" directive if it exists.

a
OHS must have the LoadModule imagemap_module directive disabled.
CM-7 - Low - CCI-000381 - V-221371 - SV-221371r414798_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000124
Vuln IDs
  • V-221371
  • V-64305
Rule IDs
  • SV-221371r414798_rule
  • SV-78795
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23086r414796_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule imagemap_module" directive at the OHS server configuration scope.
3. If the directive exists and is not commented out, this is a finding.

Fix: F-23075r414797_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule imagemap_module" directive at the OHS server configuration scope.
3. Comment out the "LoadModule imagemap_module" directive if it exists.

b
OHS must have the LoadModule actions_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221372 - SV-221372r414801_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000125
Vuln IDs
  • V-221372
  • V-64307
Rule IDs
  • SV-221372r414801_rule
  • SV-78797
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23087r414799_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule actions_module" directive at the OHS server configuration scope.
3. If the directive exists and is not commented out, this is a finding.

Fix: F-23076r414800_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule actions_module" directive at the OHS server configuration scope.
3. Comment out the "LoadModule actions_module" directive if it exists.

a
OHS must have the LoadModule speling_module directive disabled.
CM-7 - Low - CCI-000381 - V-221373 - SV-221373r414804_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000126
Vuln IDs
  • V-221373
  • V-64309
Rule IDs
  • SV-221373r414804_rule
  • SV-78799
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23088r414802_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule speling_module" directive at the OHS server configuration scope.
3. If the directive exists and is not commented out, this is a finding.

Fix: F-23077r414803_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule speling_module" directive at the OHS server configuration scope.
3. Comment out the "LoadModule speling_module" directive if it exists.

b
OHS must have the LoadModule userdir_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221374 - SV-221374r414807_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000127
Vuln IDs
  • V-221374
  • V-64311
Rule IDs
  • SV-221374r414807_rule
  • SV-78801
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23089r414805_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule userdir_module" directive at the OHS server configuration scope.
3. If the directive exists and is not commented out, this is a finding.

Fix: F-23078r414806_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule userdir_module" directive at the OHS server configuration scope.
3. Comment out the "LoadModule userdir_module" directive if it exists.

b
OHS must have the AliasMatch directive pertaining to the OHS manuals disabled.
CM-7 - Medium - CCI-000381 - V-221375 - SV-221375r414810_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000128
Vuln IDs
  • V-221375
  • V-64313
Rule IDs
  • SV-221375r414810_rule
  • SV-78803
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23090r414808_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for an "AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br|ru|tr))?(/.*)?$ "${PRODUCT_HOME}/manual$1"" directive at the OHS server configuration scope.
3. If the directive exists and is not commented out, this is a finding.

Fix: F-23079r414809_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for an "AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br|ru|tr))?(/.*)?$ "${PRODUCT_HOME}/manual$1"" directive at the OHS server configuration scope.
3. Comment out the "AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br|ru|tr))?(/.*)?$ "${PRODUCT_HOME}/manual$1"" directive if it exists.

b
OHS must have the Directory directive pointing to the OHS manuals disabled.
CM-7 - Medium - CCI-000381 - V-221376 - SV-221376r414813_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000129
Vuln IDs
  • V-221376
  • V-64315
Rule IDs
  • SV-221376r414813_rule
  • SV-78805
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23091r414811_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for a "<Directory "${PRODUCT_HOME}/manual">" directive at the OHS server configuration scope.
3. If the directive and the directives it contains exist and are not commented out, this is a finding.

Fix: F-23080r414812_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for a "<Directory "${PRODUCT_HOME}/manual">" directive at the OHS server configuration scope.
3. Comment out the "<Directory "${PRODUCT_HOME}/manual">" directive and any directives it contains if they exist.

b
OHS must have the LoadModule auth_basic_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221377 - SV-221377r414816_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000130
Vuln IDs
  • V-221377
  • V-64317
Rule IDs
  • SV-221377r414816_rule
  • SV-78807
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23092r414814_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule auth_basic_module" directive at the OHS server configuration scope.
3. If the directive exists and is not commented out, this is a finding.

Fix: F-23081r414815_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule auth_basic_module" directive at the OHS server configuration scope.
3. Comment out the "LoadModule auth_basic_module" directive if it exists.

b
OHS must have the LoadModule authz_user_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221378 - SV-221378r539627_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000131
Vuln IDs
  • V-221378
  • V-64319
Rule IDs
  • SV-221378r539627_rule
  • SV-78809
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance. This module provides authorization capabilities so authenticated users can be allowed or denied access to portions of the web site. This requirement is meant to disable an unneeded service; it is not intended to restrict the use of authorization when data access restrictions specify the use of authorization. Refer to the system security plan to determine if authorization is required based on data access requirements.
Checks: C-23093r539626_chk

If the AO-approved system security plan for web server configuration specifies using the OHS authz_user_module in order to meet application architecture requirements, this requirement can be marked NA.
1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule authz_user_module" directive at the OHS server configuration scope.
3. If the directive exists and is not commented out, this is a finding.

Fix: F-23082r457166_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule authz_user_module" directive at the OHS server configuration scope.
3. Comment out the "LoadModule authz_user_module" directive if it exists.

b
OHS must have the LoadModule authn_file_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221379 - SV-221379r414822_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000132
Vuln IDs
  • V-221379
  • V-64321
Rule IDs
  • SV-221379r414822_rule
  • SV-78811
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23094r414820_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule authn_file_module" directive at the OHS server configuration scope.
3. If the directive exists and is not commented out, this is a finding.

Fix: F-23083r414821_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule authn_file_module" directive at the OHS server configuration scope.
3. Comment out the "LoadModule authn_file_module" directive if it exists.

b
OHS must have the LoadModule authn_anon_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221380 - SV-221380r414825_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000133
Vuln IDs
  • V-221380
  • V-64323
Rule IDs
  • SV-221380r414825_rule
  • SV-78813
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23095r414823_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule authn_anon_module" directive at the OHS server configuration scope.
3. If the directive exists and is not commented out, this is a finding.

Fix: F-23084r414824_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule authn_anon_module" directive at the OHS server configuration scope.
3. Comment out the "LoadModule authn_anon_module" directive if it exists.

b
OHS must have the LoadModule proxy_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221381 - SV-221381r457170_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000134
Vuln IDs
  • V-221381
  • V-64325
Rule IDs
  • SV-221381r457170_rule
  • SV-78815
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23096r457168_chk

If the AO-approved system security plan for web server configuration specifies using the proxy_module directive in order to meet application architecture requirements and authentication is enforced, this requirement is NA.
1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule proxy_module" directive at the OHS server configuration scope.
3. If the directive exists and is not commented out, this is a finding.

Fix: F-23085r457169_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule proxy_module" directive at the OHS server configuration scope.
3. Comment out the "LoadModule proxy_module" directive if it exists.

b
OHS must have the LoadModule proxy_http_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221382 - SV-221382r539629_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000135
Vuln IDs
  • V-221382
  • V-64327
Rule IDs
  • SV-221382r539629_rule
  • SV-78817
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance. The proxy_http_module requires the service of mod_proxy. It provides the features used for proxying HTTP and HTTPS requests. If proxy services are required, the proxy configuration must be approved by the AO.
Checks: C-23097r539628_chk

If the AO-approved system security plan for the web server configuration specifies using the proxy_http_module directive in order to meet application architecture requirements and authentication is enforced, this requirement is NA.
1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule proxy_http_module" directive at the OHS server configuration scope.
3. If the directive exists and is not commented out, this is a finding.

Fix: F-23086r457157_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule proxy_http_module" directive at the OHS server configuration scope.
3. Comment out the "LoadModule proxy_http_module" directive if it exists.

b
OHS must have the LoadModule proxy_ftp_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221383 - SV-221383r414834_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000136
Vuln IDs
  • V-221383
  • V-64329
Rule IDs
  • SV-221383r414834_rule
  • SV-78819
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23098r414832_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule proxy_ftp_module" directive at the OHS server configuration scope.
3. If the directive exists and is not commented out, this is a finding.

Fix: F-23087r414833_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule proxy_ftp_module" directive at the OHS server configuration scope.
3. Comment out the "LoadModule proxy_ftp_module" directive if it exists.

b
OHS must have the LoadModule proxy_connect_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221384 - SV-221384r414837_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000137
Vuln IDs
  • V-221384
  • V-64331
Rule IDs
  • SV-221384r414837_rule
  • SV-78821
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23099r414835_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule proxy_connect_module" directive at the OHS server configuration scope.
3. If the directive exists and is not commented out, this is a finding.

Fix: F-23088r414836_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule proxy_connect_module" directive at the OHS server configuration scope.
3. Comment out the "LoadModule proxy_connect_module" directive if it exists.

b
OHS must have the LoadModule proxy_balancer_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221385 - SV-221385r414840_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000138
Vuln IDs
  • V-221385
  • V-64333
Rule IDs
  • SV-221385r414840_rule
  • SV-78823
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23100r414838_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule proxy_balancer_module" directive at the OHS server configuration scope.
3. If the directive exists and is not commented out, this is a finding.

Fix: F-23089r414839_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule proxy_balancer_module" directive at the OHS server configuration scope.
3. Comment out the "LoadModule proxy_balancer_module" directive if it exists.

a
OHS must have the LoadModule cern_meta_module directive disabled.
CM-7 - Low - CCI-000381 - V-221386 - SV-221386r414843_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000139
Vuln IDs
  • V-221386
  • V-64335
Rule IDs
  • SV-221386r414843_rule
  • SV-78825
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23101r414841_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule cern_meta_module" directive at the OHS server configuration scope.
3. If the directive exists and is not commented out, this is a finding.

Fix: F-23090r414842_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule cern_meta_module" directive at the OHS server configuration scope.
3. Comment out the "LoadModule cern_meta_module" directive if it exists.

a
OHS must have the LoadModule expires_module directive disabled.
CM-7 - Low - CCI-000381 - V-221387 - SV-221387r414846_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000140
Vuln IDs
  • V-221387
  • V-64337
Rule IDs
  • SV-221387r414846_rule
  • SV-78827
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23102r414844_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule expires_module" directive at the OHS server configuration scope.
3. If the directive exists and is not commented out, this is a finding.

Fix: F-23091r414845_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule expires_module" directive at the OHS server configuration scope.
3. Comment out the "LoadModule expires_module" directive if it exists.

a
OHS must have the LoadModule usertrack_module directive disabled.
CM-7 - Low - CCI-000381 - V-221388 - SV-221388r414849_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000141
Vuln IDs
  • V-221388
  • V-64339
Rule IDs
  • SV-221388r414849_rule
  • SV-78829
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23103r414847_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule usertrack_module" directive at the OHS server configuration scope.
3. If the directive exists and is not commented out, this is a finding.

Fix: F-23092r414848_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule usertrack_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule usertrack_module" directive if it exists.

OHS must have the LoadModule uniqueid_module directive disabled.
CM-7 - Low - CCI-000381 - V-221389 - SV-221389r414852_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000142
Vuln IDs
  • V-221389
  • V-64341
Rule IDs
  • SV-221389r414852_rule
  • SV-78831
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23104r414850_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule unique_id_module" directive at the OHS server configuration scope.
3. If the directive exists and is not commented out, this is a finding.

Fix: F-23093r414851_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule unique_id_module" directive at the OHS server configuration scope.
3. Comment out the "LoadModule unique_id_module" directive if it exists.

OHS must have the LoadModule setenvif_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221390 - SV-221390r414855_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000143
Vuln IDs
  • V-221390
  • V-64343
Rule IDs
  • SV-221390r414855_rule
  • SV-78833
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23105r414853_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule setenvif_module" directive at the OHS server configuration scope.
3. If the directive exists and is not commented out, this is a finding.

Fix: F-23094r414854_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule setenvif_module" directive at the OHS server configuration scope.
3. Comment out the "LoadModule setenvif_module" directive if it exists.

OHS must have the BrowserMatch directive disabled.
CM-7 - Medium - CCI-000381 - V-221391 - SV-221391r414858_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000144
Vuln IDs
  • V-221391
  • V-64345
Rule IDs
  • SV-221391r414858_rule
  • SV-78835
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23106r414856_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file included in it (e.g., ssl.conf) that contains a "BrowserMatch" directive with an editor.
2. Search for the "BrowserMatch" directive at the OHS server, virtual host, and directory configuration scopes.
3. If the directive and any surrounding "BrowserMatch" directive exist and are not commented out, this is a finding.

Fix: F-23095r414857_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file included in it (e.g., ssl.conf) that contains a "BrowserMatch" directive with an editor.
2. Search for the "BrowserMatch" directive at the OHS server, virtual host, and directory configuration scopes.
3. Comment out the "BrowserMatch" directive and any surrounding "<IfModule dir_module>" directive if they exist.

OHS must have the LoadModule dumpio_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221392 - SV-221392r414861_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000145
Vuln IDs
  • V-221392
  • V-64347
Rule IDs
  • SV-221392r414861_rule
  • SV-78837
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23107r414859_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule dumpio_module" directive at the OHS server configuration scope.
3. If the directive exists and is not commented out, this is a finding.

Fix: F-23096r414860_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule dumpio_module" directive at the OHS server configuration scope.
3. Comment out the "LoadModule dumpio_module" directive if it exists.

OHS must have the IfModule dumpio_module directive disabled.
CM-7 - Low - CCI-000381 - V-221393 - SV-221393r414864_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000146
Vuln IDs
  • V-221393
  • V-64349
Rule IDs
  • SV-221393r414864_rule
  • SV-78839
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23108r414862_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for a "<IfModule dumpio_module>" directive at the OHS server configuration scope.
3. If the directive and any directives that it contains exist and are not commented out, this is a finding.

Fix: F-23097r414863_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for a "<IfModule dumpio_module>" directive at the OHS server configuration scope.
3. Comment out the "<IfModule dumpio_module>" directive and any directives it contains if they exist.

OHS must have the Alias /icons/ directive disabled.
CM-7 - Medium - CCI-000381 - V-221394 - SV-221394r414867_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000147
Vuln IDs
  • V-221394
  • V-64351
Rule IDs
  • SV-221394r414867_rule
  • SV-78841
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23109r414865_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for an "Alias /icons/" directive at the OHS server configuration scope.
3. If the directive exists and is not commented out, this is a finding.

Fix: F-23098r414866_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for an "Alias /icons/" directive at the OHS server configuration scope.
3. Comment out the "Alias /icons/" directive if it exists.

OHS must have the path to the icons directory disabled.
CM-7 - Medium - CCI-000381 - V-221395 - SV-221395r414870_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000148
Vuln IDs
  • V-221395
  • V-64353
Rule IDs
  • SV-221395r414870_rule
  • SV-78843
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23110r414868_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for a "<Directory "${PRODUCT_HOME}/icons">" directive at the OHS server configuration scope.
3. If the directive exists and any directives that it contains are not commented out, this is a finding.

Fix: F-23099r414869_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for a "<Directory "${PRODUCT_HOME}/icons">" directive at the OHS server configuration scope.
3. Comment out the "<Directory "${PRODUCT_HOME}/icons">" directive and any directives that it contains if they exist.

OHS must have the IfModule mpm_winnt_module directive disabled.
CM-7 - Low - CCI-000381 - V-221396 - SV-221396r414873_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000149
Vuln IDs
  • V-221396
  • V-64355
Rule IDs
  • SV-221396r414873_rule
  • SV-78845
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23111r414871_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for the "<IfModule mpm_winnt_module>" directive at the OHS server configuration scope.
3. If the directive and any directives it contains exist and are not commented out, this is a finding.

Fix: F-23100r414872_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for the "<IfModule mpm_winnt_module>" directive at the OHS server configuration scope.
3. Comment out the "<IfModule mpm_winnt_module>" directive and any directives it contains if they exist.

OHS must have the LoadModule proxy_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221397 - SV-221397r539631_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000150
Vuln IDs
  • V-221397
  • V-64361
Rule IDs
  • SV-221397r539631_rule
  • SV-78851
A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very common attack, because the proxy hides the origin of the requests and so makes the attack anonymous.
Checks: C-23112r539630_chk

If the AO-approved system security plan for the web server configuration specifies using the proxy_module directive in order to meet application architecture requirements, this requirement is NA.

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule proxy_module" directive at the OHS server configuration scope.
3. If the directive exists and is not commented out, this is a finding.

Fix: F-23101r457160_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule proxy_module" directive at the OHS server configuration scope.
3. Comment out the "LoadModule proxy_module" directive if it exists.

OHS must have the LoadModule proxy_http_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221398 - SV-221398r539633_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000151
Vuln IDs
  • V-221398
  • V-64363
Rule IDs
  • SV-221398r539633_rule
  • SV-78853
A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very common attack, because the proxy hides the origin of the requests and so makes the attack anonymous.
Checks: C-23113r539632_chk

If the AO-approved system security plan for the web server configuration specifies using the proxy_http_module directive in order to meet application architecture requirements, this requirement is NA.

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule proxy_http_module" directive at the OHS server configuration scope.
3. If the directive exists and is not commented out, this is a finding.

Fix: F-23102r457163_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule proxy_http_module" directive at the OHS server configuration scope.
3. Comment out the "LoadModule proxy_http_module" directive if it exists.

OHS must have the LoadModule proxy_ftp_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221399 - SV-221399r414882_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000152
Vuln IDs
  • V-221399
  • V-64365
Rule IDs
  • SV-221399r414882_rule
  • SV-78855
A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very common attack, because the proxy hides the origin of the requests and so makes the attack anonymous.
Checks: C-23114r414880_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule proxy_ftp_module" directive at the OHS server configuration scope.
3. If the directive exists and is not commented out, this is a finding.

Fix: F-23103r414881_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule proxy_ftp_module" directive at the OHS server configuration scope.
3. Comment out the "LoadModule proxy_ftp_module" directive if it exists.

OHS must have the LoadModule proxy_connect_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221400 - SV-221400r414885_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000153
Vuln IDs
  • V-221400
  • V-64375
Rule IDs
  • SV-221400r414885_rule
  • SV-78865
A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very common attack, because the proxy hides the origin of the requests and so makes the attack anonymous.
Checks: C-23115r414883_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule proxy_connect_module" directive at the OHS server configuration scope.
3. If the directive exists and is not commented out, this is a finding.

Fix: F-23104r414884_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule proxy_connect_module" directive at the OHS server configuration scope.
3. Comment out the "LoadModule proxy_connect_module" directive if it exists.

OHS must have the LoadModule proxy_balancer_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221401 - SV-221401r414888_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000154
Vuln IDs
  • V-221401
  • V-64377
Rule IDs
  • SV-221401r414888_rule
  • SV-78867
A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very common attack, because the proxy hides the origin of the requests and so makes the attack anonymous.
Checks: C-23116r414886_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule proxy_balancer_module" directive at the OHS server configuration scope.
3. If the directive exists and is not commented out, this is a finding.

Fix: F-23105r414887_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule proxy_balancer_module" directive at the OHS server configuration scope.
3. Comment out the "LoadModule proxy_balancer_module" directive if it exists.

OHS must disable the directive pointing to the directory containing the OHS manuals.
CM-7 - Low - CCI-000381 - V-221402 - SV-221402r414891_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000156
Vuln IDs
  • V-221402
  • V-64379
Rule IDs
  • SV-221402r414891_rule
  • SV-78869
Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production web server must only contain components that are operationally necessary (e.g., compiled code, scripts, web content, etc.). Any documentation, sample code, example applications, and tutorials must be removed from a production web server. To make certain that the documentation and code are either not installed or are uninstalled completely, the web server must offer an option as part of the installation process to exclude these packages or to uninstall the packages if necessary.
Checks: C-23117r414889_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for a "<Directory "${PRODUCT_HOME}/manual">" directive at the OHS server configuration scope.
3. If the directive and the directives it contains exist and are not commented out, this is a finding.

Fix: F-23106r414890_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for a "<Directory "${PRODUCT_HOME}/manual">" directive at the OHS server configuration scope.
3. Comment out the "<Directory "${PRODUCT_HOME}/manual">" directive and any directives it contains if they exist.

OHS must have the AliasMatch directive disabled for the OHS manuals.
CM-7 - Medium - CCI-000381 - V-221403 - SV-221403r414894_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000157
Vuln IDs
  • V-221403
  • V-64381
Rule IDs
  • SV-221403r414894_rule
  • SV-78871
Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production web server must only contain components that are operationally necessary (e.g., compiled code, scripts, web content, etc.). Any documentation, sample code, example applications, and tutorials must be removed from a production web server. To make certain that the documentation and code are either not installed or are uninstalled completely, the web server must offer an option as part of the installation process to exclude these packages or to uninstall the packages if necessary.
Checks: C-23118r414892_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for an "AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br|ru|tr))?(/.*)?$ "${PRODUCT_HOME}/manual$1"" directive at the OHS server configuration scope.
3. If the directive exists and is not commented out, this is a finding.

Fix: F-23107r414893_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for an "AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br|ru|tr))?(/.*)?$ "${PRODUCT_HOME}/manual$1"" directive at the OHS server configuration scope.
3. Comment out the "AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br|ru|tr))?(/.*)?$ "${PRODUCT_HOME}/manual$1"" directive if it exists.

OHS must have the AddHandler directive disabled.
CM-7 - Medium - CCI-000381 - V-221404 - SV-221404r414897_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000160
Vuln IDs
  • V-221404
  • V-64383
Rule IDs
  • SV-221404r414897_rule
  • SV-78873
Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more functionality than is needed for the operation of the hosted application, there is a security issue. A user with too much access can view information that is not needed for the user's job role, or the user could use the function in an unintentional manner. A MIME type tells the web server what type of program various file types and extensions are and what external utilities or programs are needed to execute the file type. A shell is a program that serves as the basic interface between the user and the operating system, so hosted application users must not have access to these programs. Shell programs may execute shell escapes and can then perform unauthorized activities that could damage the security posture of the web server.
Checks: C-23119r414895_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for "AddHandler" directives at the OHS server, virtual host, and directory configuration scopes.
3. If an "AddHandler" directive exists, this is a finding.

Fix: F-23108r414896_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for "AddHandler" directives at the OHS server, virtual host, and directory configuration scopes.
3. If an "AddHandler" directive exists, remove it.

OHS must have the LoadModule cgi_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221405 - SV-221405r414900_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000161
Vuln IDs
  • V-221405
  • V-64385
Rule IDs
  • SV-221405r414900_rule
  • SV-78875
Scripts allow server-side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server. To ensure that scripts are not added to the web server and run maliciously, those script mappings that are not needed or used by the web server for hosted application operation must be removed.
Checks: C-23120r414898_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule cgi_module" directive within the "<IfModule mpm_prefork_module>" directive at the OHS server configuration scope.
3. If the directive and its surrounding "<IfModule mpm_prefork_module>" directive exist and are not commented out, this is a finding.

Fix: F-23109r414899_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule cgi_module" directive within the "<IfModule mpm_prefork_module>" directive at the OHS server configuration scope.
3. Comment out the "LoadModule cgi_module" directive and the surrounding "<IfModule mpm_prefork_module>" directive if they exist.

OHS must have the LoadModule cgid_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221406 - SV-221406r414903_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000162
Vuln IDs
  • V-221406
  • V-64387
Rule IDs
  • SV-221406r414903_rule
  • SV-78877
Scripts allow server-side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server. To ensure that scripts are not added to the web server and run maliciously, those script mappings that are not needed or used by the web server for hosted application operation must be removed.
Checks: C-23121r414901_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule cgid_module" directive within the "<IfModule mpm_worker_module>" directive at the OHS server configuration scope.
3. If the directive and its surrounding "<IfModule mpm_worker_module>" directive exist and are not commented out, this is a finding.

Fix: F-23110r414902_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule cgid_module" directive within the "<IfModule mpm_worker_module>" directive at the OHS server configuration scope.
3. Comment out the "LoadModule cgid_module" directive and the surrounding "<IfModule mpm_worker_module>" directive if they exist.

OHS must have the IfModule cgid_module directive disabled for the OHS server, virtual host, and directory configuration.
CM-7 - Medium - CCI-000381 - V-221407 - SV-221407r414906_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000163
Vuln IDs
  • V-221407
  • V-64389
Rule IDs
  • SV-221407r414906_rule
  • SV-78879
Scripts allow server-side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server. To ensure that scripts are not added to the web server and run maliciously, those script mappings that are not needed or used by the web server for hosted application operation must be removed.
Checks: C-23122r414904_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file included in it (e.g., ssl.conf) that contains a "<IfModule cgid_module>" directive with an editor.
2. Search for the "<IfModule cgid_module>" directive at the OHS server, virtual host, and directory configuration scopes.
3. If the directive and any directives that it may contain exist and are not commented out, this is a finding.

Fix: F-23111r414905_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file included in it (e.g., ssl.conf) that contains a "<IfModule cgid_module>" directive with an editor.
2. Search for the "<IfModule cgid_module>" directive at the OHS server, virtual host, and directory configuration scopes.
3. Comment out the "<IfModule cgid_module>" directive and any directives it may contain.

OHS must have the LoadModule cgi_module directive disabled within the IfModule mpm_winnt_module directive.
CM-7 - Low - CCI-000381 - V-221408 - SV-221408r414909_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000164
Vuln IDs
  • V-221408
  • V-64391
Rule IDs
  • SV-221408r414909_rule
  • SV-78881
Scripts allow server-side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server. To ensure that scripts are not added to the web server and run maliciously, those script mappings that are not needed or used by the web server for hosted application operation must be removed.
Checks: C-23123r414907_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule cgi_module" directive within the "<IfModule mpm_winnt_module>" directive at the OHS server configuration scope.
3. If the directive and its surrounding "<IfModule mpm_winnt_module>" directive exist and are not commented out, this is a finding.

Fix: F-23112r414908_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule cgi_module" directive within the "<IfModule mpm_winnt_module>" directive at the OHS server configuration scope.
3. Comment out the "LoadModule cgi_module" directive and the surrounding "<IfModule mpm_winnt_module>" directive if they exist.

OHS must have the ScriptAlias /cgi-bin/ directive within an IfModule alias_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221409 - SV-221409r414912_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000165
Vuln IDs
  • V-221409
  • V-64393
Rule IDs
  • SV-221409r414912_rule
  • SV-78883
Scripts allow server-side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server. To ensure that scripts are not added to the web server and run maliciously, those script mappings that are not needed or used by the web server for hosted application operation must be removed.
Checks: C-23124r414910_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for a "ScriptAlias /cgi-bin/" directive within a "<IfModule alias_module>" directive at the OHS server configuration scope.
3. If the directive and its surrounding "<IfModule alias_module>" directive exist and are not commented out, this is a finding.

Fix: F-23113r414911_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for a "ScriptAlias /cgi-bin/" directive within a "<IfModule alias_module>" directive at the OHS server configuration scope.
3. Comment out the "ScriptAlias /cgi-bin/" directive and its surrounding "<IfModule alias_module>" directive if they exist.

OHS must have the ScriptSock directive within an IfModule cgid_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221410 - SV-221410r414915_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000166
Vuln IDs
  • V-221410
  • V-64395
Rule IDs
  • SV-221410r414915_rule
  • SV-78885
Scripts allow server-side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server. To ensure that scripts are not added to the web server and run maliciously, those script mappings that are not needed or used by the web server for hosted application operation must be removed.
Checks: C-23125r414913_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for a "ScriptSock" directive within a "<IfModule cgid_module>" directive at the OHS server configuration scope.
3. If the directive and its surrounding "<IfModule cgid_module>" directive exist and are not commented out, this is a finding.

Fix: F-23114r414914_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for a "ScriptSock" directive within a "<IfModule cgid_module>" directive at the OHS server configuration scope.
3. Comment out the "ScriptSock" directive and its surrounding "<IfModule cgid_module>" directive if they exist.

OHS must have the cgi-bin directory disabled.
CM-7 - Medium - CCI-000381 - V-221411 - SV-221411r810869_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000167
Vuln IDs
  • V-221411
  • V-64397
Rule IDs
  • SV-221411r810869_rule
  • SV-78887
Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server. To assure scripts are not added to the web server and run maliciously, those script mappings that are not needed or used by the web server for hosted application operation must be removed.
Checks: C-23126r810867_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for a "<Directory "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/cgi-bin">" directive at the OHS server and virtual host configuration scopes.
3. If the directive and any directives that it contains exist and are not commented out, this is a finding.

Fix: F-23115r810868_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for a "<Directory "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/cgi-bin">" directive at the OHS server and virtual host configuration scopes.
3. Comment out the "<Directory "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/cgi-bin">" directive and any directives it contains if they exist.

OHS must have directives pertaining to certain scripting languages removed from virtual hosts.
CM-7 - Medium - CCI-000381 - V-221412 - SV-221412r414921_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000168
Vuln IDs
  • V-221412
  • V-64399
Rule IDs
  • SV-221412r414921_rule
  • SV-78889
Scripts allow server-side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server. To assure scripts are not added to the web server and run maliciously, those script mappings that are not needed or used by the web server for hosted application operation must be removed.
Checks: C-23127r414919_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for a "<FilesMatch "\.(cgi|shtml|phtml|php)$">" directive at the virtual host configuration scope.
3. If the directive and any directives that it contains exist and are not commented out, this is a finding.

Fix: F-23116r414920_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for a "<FilesMatch "\.(cgi|shtml|phtml|php)$">" directive at the OHS server configuration scope.
3. Comment out the "<FilesMatch "\.(cgi|shtml|phtml|php)$">" directive and any directives it contains if they exist.

OHS must have resource mappings set to disable the serving of certain file types.
CM-7 - Medium - CCI-000381 - V-221413 - SV-221413r414924_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000169
Vuln IDs
  • V-221413
  • V-64401
Rule IDs
  • SV-221413r414924_rule
  • SV-78891
Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and to identify which file types are not to be delivered to a client. By not specifying which files can and which files cannot be served to a user, the web server could deliver to a user web server configuration files, log files, password files, etc. The web server must only allow hosted application file types to be served to a user and all other types must be disabled.
Checks: C-23128r414922_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for "<FilesMatch>" directives beyond the "<FilesMatch "^\.ht">" directive at the OHS server, virtual host, and directory configuration scopes.
3. If the "<FilesMatch>" directive is omitted or it and/or any directives it contains are set improperly, this is a finding.

Fix: F-23117r414923_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for "<FilesMatch>" directives beyond the "<FilesMatch "^\.ht">" directive at the OHS server, virtual host, and directory configuration scopes.
3. Set the "<FilesMatch>" directive to ""^(?!.*\.(gif|jpe?g|png|html?|js|css)).*$"" or other value appropriate for the server/site to prevent inappropriate file access; add the directive if it does not exist.
4a. Within the "<FilesMatch "^(?!.*\.(gif|jpe?g|png|html?|js|css)).*$">" directive, set the "Order" directive to "allow,deny"; add the directive if it does not exist.
4b. Within the "<FilesMatch "^(?!.*\.(gif|jpe?g|png|html?|js|css)).*$">" directive, set the "Deny" directive to "from all"; add the directive if it does not exist.
4c. Within the "<FilesMatch "^(?!.*\.(gif|jpe?g|png|html?|js|css)).*$">" directive, set the "Satisfy" directive to "All"; add the directive if it does not exist.

Users and scripts running on behalf of users must be contained to the document root or home directory tree of OHS.
CM-7 - Medium - CCI-000381 - V-221414 - SV-221414r414927_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000172
Vuln IDs
  • V-221414
  • V-64403
Rule IDs
  • SV-221414r414927_rule
  • SV-78893
A web server is designed to deliver content and execute scripts or applications on the request of a client or user. Containing user requests to files in the directory tree of the hosted web application and limiting the execution of scripts and applications guarantees that the user is not accessing information protected outside the application's realm. The web server must also prohibit users from jumping outside the hosted application directory tree through access to the user's home directory, symbolic links or shortcuts, or through search paths for missing files.
Checks: C-23129r414925_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "<Directory>" directive at OHS server and virtual host configuration scopes.
3. If the "Options" directive within the "<Directory>" directive is omitted or is set improperly, this is a finding.

Fix: F-23118r414926_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "<Directory>" directive at OHS server and virtual host configuration scopes.
3. Set the "Options" directive within the "<Directory>" directive to "None"; add the directive if it does not exist.

OHS must be configured to use a specified IP address, port, and protocol.
CM-7 - Medium - CCI-000382 - V-221415 - SV-221415r414930_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000382
Version
OH12-1X-000173
Vuln IDs
  • V-221415
  • V-64405
Rule IDs
  • SV-221415r414930_rule
  • SV-78895
The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP addresses available to the hosting server. If the web server has multiple IP addresses, i.e., a management IP address, the web server will also accept connections on the management IP address. Accessing the hosted application through an IP address normally used for non-application functions opens the possibility of user access to resources, utilities, files, ports, and protocols that are protected on the desired application IP address.
Checks: C-23130r414928_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for a "Listen" directive at the OHS server configuration scope.
3. If the directive is set without an IP address, port, and protocol specified, this is a finding.

Fix: F-23119r414929_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for a "Listen" directive at the OHS server configuration scope.
3. Set the "Listen" directive to a value containing an IP address, port, and protocol (e.g., "Listen 123.123.123.123:80 http" or "Listen 456.456.456.456:443 https").

The Node Manager account password associated with the installation of OHS must be in accordance with DoD guidance for length, complexity, etc.
CM-6 - Medium - CCI-000366 - V-221416 - SV-221416r414933_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000176
Vuln IDs
  • V-221416
  • V-64593
Rule IDs
  • SV-221416r414933_rule
  • SV-79083
During installation of the web server software, accounts are created for the web server to operate properly. The accounts installed can have either no password installed or a default password, which will be known and documented by the vendor and the user community. The first things an attacker will try when presented with a login screen are the default user identifiers with default passwords. Installed applications may also install accounts with no password, making the login even easier. Once the web server is installed, the passwords for any created accounts should be changed and documented. The new passwords must meet the requirements for all passwords, i.e., upper/lower characters, numbers, special characters, time until change, reuse policy, etc. Service accounts or system accounts that have no login capability do not need to have passwords set or changed.
Checks: C-23131r414931_chk

1. If the password for Node Manager does not meet DoD requirements for password complexity, this is a finding.
2. Open $DOMAIN_HOME/config/nodemanager/nm_password.properties with an editor.
3. If the "username" property and value are still present, this is a finding.
4. If the "password" property and value are still present, this is a finding.

Fix: F-23120r414932_fix

1. Open $DOMAIN_HOME/config/nodemanager/nm_password.properties with an editor.
2. Remove the "hashed" property and value.
3. Set the "username" property to the account name to use for Node Manager; add the property if it does not exist.
4. Set the "password" property to a password compliant with DoD requirements for password complexity to use for Node Manager; add the property if it does not exist.
5. Start/Restart Node Manager so that the password contained within $DOMAIN_HOME/config/nodemanager/nm_password.properties is encrypted.
6. Remove the "username" and "password" properties along with their values from within $DOMAIN_HOME/config/nodemanager/nm_password.properties, but leave the new "hashed" property and value.

OHS must have Entity tags (ETags) disabled.
CM-6 - Medium - CCI-000366 - V-221417 - SV-221417r414936_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000178
Vuln IDs
  • V-221417
  • V-64595
Rule IDs
  • SV-221417r414936_rule
  • SV-79085
Entity tags (ETags) are used for cache management to save network bandwidth by not sending a web page to the requesting client if the cached version on the client is current. When the client only has the ETag information, the client will make a request to the server with the ETag. The server will then determine if the client can use the client cached version of the web page or if a new version is required. As part of the ETag information, the server sends to the client the index node (inode) information for the file being requested. The inode information gives an attacker sensitive information like inode number, multipart MIME boundaries and makes certain NFS attacks much simpler to execute.
Checks: C-23132r414934_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "Header" and "FileETag" directives at the OHS server, virtual host, or directory configuration scope.
3. If the "Header" and "FileETag" directives are omitted or set improperly, this is a finding.

Fix: F-23121r414935_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "Header" and "FileETag" directives at the OHS server, virtual host, or directory configuration scopes.
3a. Set the "Header" directive to "unset ETag"; add the directive if it does not exist.
3b. Set the "FileETag" directive to "none"; add the directive if it does not exist.

The SecureListener property of the Node Manager configured to support OHS must be enabled for secure communication.
CM-6 - Medium - CCI-000366 - V-221418 - SV-221418r414939_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000179
Vuln IDs
  • V-221418
  • V-64597
Rule IDs
  • SV-221418r414939_rule
  • SV-79087
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. To protect the information being sent between WebLogic Scripting Tool and Node Manager, the Node Manager listening address must be secured.
Checks: C-23133r414937_chk

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor.
2. Search for the "SecureListener" property.
3. If the property is not set to "True", this is a finding.

Fix: F-23122r414938_fix

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor.
2. Search for the "SecureListener" property.
3. Set the "SecureListener" property to "True".

The ListenAddress property of the Node Manager configured to support OHS must match the CN of the certificate used by Node Manager.
CM-6 - Medium - CCI-000366 - V-221419 - SV-221419r414942_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000180
Vuln IDs
  • V-221419
  • V-64599
Rule IDs
  • SV-221419r414942_rule
  • SV-79089
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. For connections to be made to the Node Manager, it must listen on an assigned address. When this parameter is not set, the Node Manager will listen on all available addresses on the server. This may lead to the Node Manager listening on networks, i.e., public network space, where Node Manager may become susceptible to attack instead of being limited to listening for connections on a controlled and secure management network. It is also important that the address specified matches the CN of the Node Manager.
Checks: C-23134r414940_chk

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor.
2. Search for the "ListenAddress" property.
3. If the property does not exist or is not set to the CN of the Node Manager certificate, this is a finding.

Fix: F-23123r414941_fix

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor.
2. Search for the "ListenAddress" property.
3. Set the "ListenAddress" property to the CN of the Node Manager certificate; add the property if it does not exist.

The AuthenticationEnabled property of the Node Manager configured to support OHS must be configured to enforce authentication.
CM-6 - Medium - CCI-000366 - V-221420 - SV-221420r414945_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000181
Vuln IDs
  • V-221420
  • V-64601
Rule IDs
  • SV-221420r414945_rule
  • SV-79091
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. To accept connections from the WebLogic Scripting Tool, the Node Manager can be set up to authenticate the connections or not. If connections are not authenticated, a hacker could connect to the Node Manager and initiate commands to OHS to gain further access, cause a DoS, or view protected information. To protect against unauthenticated connections, the "AuthenticationEnabled" directive must be set to "true".
Checks: C-23135r414943_chk

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor.
2. Search for the "AuthenticationEnabled" property.
3. If the property does not exist or is not set to "True", this is a finding.

Fix: F-23124r414944_fix

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor.
2. Search for the "AuthenticationEnabled" property.
3. Set the "AuthenticationEnabled" property to "True"; add the property if it does not exist.

The KeyStores property of the Node Manager configured to support OHS must be configured for secure communication.
CM-6 - Medium - CCI-000366 - V-221421 - SV-221421r414948_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000182
Vuln IDs
  • V-221421
  • V-64603
Rule IDs
  • SV-221421r414948_rule
  • SV-79093
Oracle Node Manager is a utility that can be used to perform common operational tasks across Managed Servers. These servers can be distributed across multiple machines and geographical locations. The "KeyStores" property is used to configure the keystore configuration that will be used by Node Manager to locate its identity (private key and digital certificate) and trust (trusted CA certificates). The property must be set to "CustomIdentityAndCustomTrust", which causes Node Manager to use an identity and trust keystore created by the SA.
Checks: C-23136r414946_chk

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor.
2. Search for the "KeyStores" property.
3. If the property does not exist or is not set to "CustomIdentityAndCustomTrust", this is a finding.

Fix: F-23125r414947_fix

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor.
2. Search for the "KeyStores" property.
3. Set the "KeyStores" property to "CustomIdentityAndCustomTrust"; add the property if it does not exist.

The CustomIdentityKeyStoreFileName property of the Node Manager configured to support OHS must be configured for secure communication.
CM-6 - Medium - CCI-000366 - V-221422 - SV-221422r414951_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000183
Vuln IDs
  • V-221422
  • V-64605
Rule IDs
  • SV-221422r414951_rule
  • SV-79095
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. The "CustomIdentityKeyStoreFileName" property specifies the file name of the identity keystore. This property is required when the "KeyStores" property is set to "CustomIdentityAndCustomTrust". Without specifying the "CustomIdentityKeyStoreFileName" property, the Node Manager will not operate properly and may cause the system to fail into an unsecure state.
Checks: C-23137r414949_chk

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor.
2. Search for the "CustomIdentityKeyStoreFileName" property.
3. If the property does not exist or is set improperly, this is a finding.

Fix: F-23126r414950_fix

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor.
2. Search for the "CustomIdentityKeyStoreFileName" property.
3. Set the "CustomIdentityKeyStoreFileName" property to a keystore location that contains a valid DoD certificate for the Node Manager identity; add the property if it does not exist.

The CustomIdentityKeyStorePassPhrase property of the Node Manager configured to support OHS must be configured for secure communication.
CM-6 - Medium - CCI-000366 - V-221423 - SV-221423r414954_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000184
Vuln IDs
  • V-221423
  • V-64607
Rule IDs
  • SV-221423r414954_rule
  • SV-79097
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. The "CustomIdentityKeyStorePassPhrase" property is used to protect the data within the keystore. Without protection, the data within the keystore could be compromised allowing an attacker to use the certificates to gain trusted access to other systems or processes.
Checks: C-23138r414952_chk

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor.
2. Search for the "CustomIdentityKeyStorePassPhrase" property.
3. If the property does not exist or is set improperly, this is a finding.

Fix: F-23127r414953_fix

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor.
2. Search for the "CustomIdentityKeyStorePassPhrase" property.
3. Set the "CustomIdentityKeyStorePassPhrase" property to the password of the keystore that contains a valid DoD certificate for the Node Manager identity; add the property if it does not exist.

The CustomIdentityAlias property of the Node Manager configured to support OHS must be configured for secure communication.
CM-6 - Medium - CCI-000366 - V-221424 - SV-221424r414957_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000185
Vuln IDs
  • V-221424
  • V-64609
Rule IDs
  • SV-221424r414957_rule
  • SV-79099
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. The "CustomIdentityAlias" specifies the alias when loading the private key into the keystore. This property is required when the "KeyStores" property is set to "CustomIdentityAndCustomTrust". Without specifying the "CustomIdentityKeyStoreFileName" property, the Node Manager will not operate properly and may cause the system to fail into an unsecure state.
Checks: C-23139r414955_chk

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor.
2. Search for the "CustomIdentityAlias" property.
3. If the property does not exist or is set improperly, this is a finding.

Fix: F-23128r414956_fix

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor.
2. Search for the "CustomIdentityAlias" property.
3. Set the "CustomIdentityAlias" property to the alias of the keystore PrivateKeyEntry containing the Node Manager identity; add the property if it does not exist.

The CustomIdentityPrivateKeyPassPhrase property of the Node Manager configured to support OHS must be configured for secure communication.
CM-6 - Medium - CCI-000366 - V-221425 - SV-221425r414960_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000186
Vuln IDs
  • V-221425
  • V-64611
Rule IDs
  • SV-221425r414960_rule
  • SV-79101
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. The "CustomIdentityPrivateKeyPassPhrase" is the password that protects the private key when creating certificates. If a password is not used, the private key is not protected and can be used by any user or attacker that can get access to the private key.
Checks: C-23140r414958_chk

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor.
2. Search for the "CustomIdentityPrivateKeyPassPhrase" property.
3. If the property does not exist or is set improperly, this is a finding.

Fix: F-23129r414959_fix

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor.
2. Search for the "CustomIdentityPrivateKeyPassPhrase" property.
3. Set the "CustomIdentityPrivateKeyPassPhrase" property to the password protecting the Private Key of the Node Manager identity; add the property if it does not exist.

The listen-address element defined within the config.xml of the OHS Standalone domain that supports OHS must be configured for secure communication.
CM-6 - Medium - CCI-000366 - V-221426 - SV-221426r414963_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000187
Vuln IDs
  • V-221426
  • V-64613
Rule IDs
  • SV-221426r414963_rule
  • SV-79103
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. When starting an OHS instance, the WebLogic Scripting Tool reads the parameters within the config.xml file to set up the communication to the Node Manager. If the IP address to be used for communication is not specified, the WebLogic Scripting Tool will not be able to set up a secure connection to Node Manager.
Checks: C-23141r414961_chk

1. Open $DOMAIN_HOME/config/config.xml with an editor.
2. Search for the "<listen-address>" element within the "<node-manager>" element.
3. If the element does not exist or is not set to the CN of the Node Manager certificate, this is a finding.

Fix: F-23130r414962_fix

1. Open $DOMAIN_HOME/config/config.xml with an editor.
2. Search for the "<listen-address>" element within the "<node-manager>" element.
3. Set the "<listen-address>" element to the CN of the Node Manager certificate; add the element if it does not exist.

The listen-port element defined within the config.xml of the OHS Standalone Domain must be configured for secure communication.
CM-6 - Medium - CCI-000366 - V-221427 - SV-221427r414966_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000188
Vuln IDs
  • V-221427
  • V-64615
Rule IDs
  • SV-221427r414966_rule
  • SV-79105
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. When starting an OHS instance, the WebLogic Scripting Tool reads the parameters within the config.xml file to set up the communication to the Node Manager. If the port to be used for communication is not specified, the WebLogic Scripting Tool will not be able to set up a secure connection to Node Manager.
Checks: C-23142r414964_chk

1. Open $DOMAIN_HOME/config/config.xml with an editor.
2. Search for the "<listen-port>" element within the "<node-manager>" element.
3. If the element does not exist or is not set to the same value as the "ListenPort" property found in $DOMAIN_HOME/nodemanager/nodemanager.properties, this is a finding.

Fix: F-23131r414965_fix

1. Open $DOMAIN_HOME/config/config.xml with an editor.
2. Search for the "<listen-port>" element within the "<node-manager>" element.
3. Set the "<listen-port>" element to the same value as the "ListenPort" property found in $DOMAIN_HOME/nodemanager/nodemanager.properties; add the element if it does not exist.
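The Node Manager rules V-221418 through V-221427 all reduce to reading nodemanager.properties and config.xml and comparing a handful of values against each other and against the CN of the Node Manager identity certificate. The audit below is an added example, not part of the STIG or of any Oracle tooling; the property file, the config.xml fragment and the certificate CN are constructed sample data, and the CN is passed in by the caller rather than extracted from the keystore.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed nodemanager.properties for a standalone OHS domain (sample data,
# not taken from any real deployment). CustomIdentityPrivateKeyPassPhrase is
# left out on purpose so the audit has something to report.
SAMPLE_NM_PROPERTIES = """\
# Node Manager properties (constructed sample)
ListenPort=5556
ListenAddress=ohs1.example.mil
SecureListener=true
AuthenticationEnabled=true
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=/path/to/nm_identity.jks
CustomIdentityKeyStorePassPhrase=changeit
CustomIdentityAlias=nodemanager
"""

# Constructed config.xml fragment; the listen-port deliberately disagrees with
# the ListenPort property above. The namespace is assumed; the parser ignores it.
SAMPLE_CONFIG_XML = """\
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>ohs_domain</name>
  <machine>
    <name>ohs_machine</name>
    <node-manager>
      <listen-address>ohs1.example.mil</listen-address>
      <listen-port>5557</listen-port>
    </node-manager>
  </machine>
</domain>
"""

# Identity properties that V-221422..V-221425 require once KeyStores is
# CustomIdentityAndCustomTrust.
REQUIRED_IDENTITY = {
    "CustomIdentityKeyStoreFileName": "V-221422",
    "CustomIdentityKeyStorePassPhrase": "V-221423",
    "CustomIdentityAlias": "V-221424",
    "CustomIdentityPrivateKeyPassPhrase": "V-221425",
}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def node_manager_elements(config_xml: str) -> Dict[str, str]:
    """Map local element name -> text for the children of the first <node-manager>
    element, stripping the XML namespace so the default namespace does not matter."""
    root = ET.fromstring(config_xml)
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == "node-manager":
            return {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in elem}
    return {}


def audit_node_manager(properties_text: str, config_xml: str, cert_cn: str) -> List[str]:
    """Evaluate V-221418..V-221427 and return findings as 'V-xxxxxx: reason' strings.
    cert_cn is the CN of the Node Manager identity certificate (supplied by the caller
    here; in practice it is read from the identity keystore alias)."""
    props = parse_properties(properties_text)
    nm = node_manager_elements(config_xml)
    findings: List[str] = []

    def is_true(key: str) -> bool:
        return props.get(key, "").lower() == "true"

    if not is_true("SecureListener"):
        findings.append("V-221418: SecureListener is not True")
    if props.get("ListenAddress") != cert_cn:
        findings.append("V-221419: ListenAddress does not match the certificate CN")
    if not is_true("AuthenticationEnabled"):
        findings.append("V-221420: AuthenticationEnabled is not True")
    if props.get("KeyStores") != "CustomIdentityAndCustomTrust":
        findings.append("V-221421: KeyStores is not CustomIdentityAndCustomTrust")
    for key, rule in REQUIRED_IDENTITY.items():
        if not props.get(key):
            findings.append(f"{rule}: {key} is missing or empty")
    if nm.get("listen-address") != cert_cn:
        findings.append("V-221426: config.xml listen-address does not match the certificate CN")
    if nm.get("listen-port") != props.get("ListenPort"):
        findings.append("V-221427: config.xml listen-port differs from ListenPort in nodemanager.properties")
    return findings


if __name__ == "__main__":
    for finding in audit_node_manager(SAMPLE_NM_PROPERTIES, SAMPLE_CONFIG_XML, "ohs1.example.mil"):
        print(finding)
```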

The WLST_PROPERTIES environment variable defined for the OHS WebLogic Scripting Tool must be updated to reference an appropriate trust store so that it can communicate with the Node Manager supporting OHS.
CM-6 - Medium - CCI-000366 - V-221428 - SV-221428r414969_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000189
Vuln IDs
  • V-221428
  • V-64617
Rule IDs
  • SV-221428r414969_rule
  • SV-79107
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. When starting an OHS instance, the "OHS" WebLogic Scripting Tool needs to trust the certificate presented by the Node Manager in order to set up secure communication with it. If the "OHS" WLST does not trust the certificate presented by Node Manager, the "OHS" WebLogic Scripting Tool will not be able to set up a secure connection to it.
Checks: C-23143r414967_chk

1. Check for the existence of $ORACLE_HOME/ohs/common/bin/setWlstEnv.sh.
2a. If setWlstEnv.sh does not exist or does not contain the "WLST_PROPERTIES" environment variable set to a valid trust keystore containing the Certificate Authority and Chain of the Node Manager identity, this is a finding.
2b. If the setWlstEnv.sh file does not exist, this is a finding.
2c. If the setWlstEnv.sh file has permissions more permissive than 750, this is a finding.

Fix: F-23132r414968_fix

1. Open $ORACLE_HOME/ohs/common/bin/setWlstEnv.sh with an editor. If the file does not exist, create the file.
2. Set the "WLST_PROPERTIES" environment variable to a valid trust keystore containing the Certificate Authority and Chain of the Node Manager identity; add the variable if it does not exist.
3. Issue "chmod 750 $ORACLE_HOME/ohs/common/bin/setWlstEnv.sh" to modify the permissions of the script.

The WLST_PROPERTIES environment variable defined for the Fusion Middleware WebLogic Scripting Tool must be updated to reference an appropriate trust store so that it can communicate with the Node Manager supporting OHS.
CM-6 - Medium - CCI-000366 - V-221429 - SV-221429r414972_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000190
Vuln IDs
  • V-221429
  • V-64619
Rule IDs
  • SV-221429r414972_rule
  • SV-79109
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. When starting an OHS instance, the "Fusion Middleware" WebLogic Scripting Tool needs to trust the certificate presented by the Node Manager in order to set up secure communication with it. If the "Fusion Middleware" WLST does not trust the certificate presented by Node Manager, the "Fusion Middleware" WebLogic Scripting Tool will not be able to set up a secure connection to it.
Checks: C-23144r414970_chk

1. Check for the existence of $ORACLE_HOME/oracle_common/common/bin/setWlstEnv.sh.
2a. If setWlstEnv.sh does not exist or does not contain the "WLST_PROPERTIES" environment variable set to a valid trust keystore containing the Certificate Authority and Chain of the Node Manager identity, this is a finding.
2b. If the setWlstEnv.sh file does not exist, this is a finding.
2c. If the setWlstEnv.sh file has permissions more permissive than 750, this is a finding.

Fix: F-23133r414971_fix

1. Open $ORACLE_HOME/oracle_common/common/bin/setWlstEnv.sh with an editor. If the file does not exist, create the file.
2. Set the "WLST_PROPERTIES" environment variable to a valid trust keystore containing the Certificate Authority and Chain of the Node Manager identity; add the variable if it does not exist.
3. Issue "chmod 750 $ORACLE_HOME/oracle_common/common/bin/setWlstEnv.sh" to modify the permissions of the script.

OHS must limit access to the Dynamic Monitoring Service (DMS).
CM-6 - Medium - CCI-000366 - V-221430 - SV-221430r414975_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000192
Vuln IDs
  • V-221430
  • V-64623
Rule IDs
  • SV-221430r414975_rule
  • SV-79113
The Oracle Dynamic Monitoring Service (DMS) enables application developers, support analysts, system administrators, and others to measure application specific performance information. If OHS allows any machine to connect and monitor performance, an attacker could connect and gather information that could be used to cause a DoS for OHS. Information that is shared could also be used to further an attack to other servers and devices through trusted relationships.
Checks: C-23145r414973_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/admin.conf with an editor.
2. Search for the "Allow" directive within the "<Location /dms/>" directive at the virtual host configuration scope.
3. If the "Allow" directive is set to "from all", this is a finding.

Fix: F-23134r414974_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/admin.conf with an editor.
2. Search for the "Allow" directive within the "<Location /dms/>" directive at the virtual host configuration scope.
3. Set the "Allow" directive to "from 127.0.0.1".

OHS must have the AllowOverride directive set properly.
CM-6 - Medium - CCI-000366 - V-221431 - SV-221431r414978_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000193
Vuln IDs
  • V-221431
  • V-64625
Rule IDs
  • SV-221431r414978_rule
  • SV-79115
The property "AllowOverride" is used to allow directives to be set differently than those set for the overall architecture. When the property is not set to "None", OHS will check for directives in the .htaccess files at each directory level until the requested resource is found for each URL request. Allowing parameters to be overridden at different levels of an application becomes a security risk as the overall security of the hosted application can change depending on the URL being accessed. Security management also becomes difficult as a misconfiguration can be mistakenly made.
Checks: C-23146r414976_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "AllowOverride" directive at the directory configuration scope.
3. If the "AllowOverride" directive is omitted or is not set to "None", this is a finding.

Fix: F-23135r414977_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "AllowOverride" directive at the directory configuration scope.
3. Set the "AllowOverride" directive to "None"; add the directive if it does not exist.

OHS must be set to evaluate deny directives first when considering whether to serve a file.
CM-6 - Medium - CCI-000366 - V-221432 - SV-221432r414981_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000194
Vuln IDs
  • V-221432
  • V-64627
Rule IDs
  • SV-221432r414981_rule
  • SV-79117
Part of securing OHS is allowing/denying access to the web server. Deciding on the manner in which the allow/deny rules are evaluated matters: what was once an allowable access can become blocked if the evaluation order is reversed. By ordering the access as first deny and then allow, OHS will deny all access first and then look at the allow clauses to see who may access the server. By structuring the evaluation in this manner, a misconfiguration will more likely deny a valid user than allow an illegitimate user who may compromise the system.
Checks: C-23147r414979_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "<Directory />" directive within the OHS server configuration scope.
3. If the "Order" directive within the "<Directory />" directive is omitted or is set improperly, this is a finding.

Fix: F-23136r414980_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "<Directory />" directive within the OHS server configuration scope.
3. Set the "Order" directive within the "<Directory />" directive to "deny,allow"; add the directive if it does not exist.

OHS must deny all access by default when considering whether to serve a file.
CM-6 - Medium - CCI-000366 - V-221433 - SV-221433r414984_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000195
Vuln IDs
  • V-221433
  • V-64629
Rule IDs
  • SV-221433r414984_rule
  • SV-79119
Part of securing OHS is allowing/denying access to the web server. Deciding on the manner in which the allow/deny rules are evaluated matters: what was once an allowable access can become blocked if the evaluation order is reversed. By ordering the access as first deny and then allow, OHS will deny all access first and then look at the allow clauses to see who may access the server. By structuring the evaluation in this manner, a misconfiguration will more likely deny a valid user than allow an illegitimate user who may compromise the system.
Checks: C-23148r414982_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "<Directory />" directive within the OHS server configuration scope.
3. If the "Deny" directive within the "<Directory />" directive is omitted or is set improperly, this is a finding.

Fix: F-23137r414983_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "<Directory />" directive within the OHS server configuration scope.
3. Set the "Deny" directive within the "<Directory />" directive to "from all"; add the directive if it does not exist.

The OHS instance installation must not contain an .htaccess file.
CM-6 - Medium - CCI-000366 - V-221434 - SV-221434r414987_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000196
Vuln IDs
  • V-221434
  • V-64631
Rule IDs
  • SV-221434r414987_rule
  • SV-79121
.htaccess files are used to override settings in the OHS configuration files. The placement of the .htaccess file is also important, as the settings will affect the directory where the file is located and any subdirectories below it. If the use of .htaccess files is allowed, the hosted application's security posture and the overall OHS posture could change depending on the URL being accessed. Allowing the override of parameters in .htaccess files makes it difficult to truly know the security posture of the system, and it also makes it difficult to understand what the security posture may have been if an attack is successful. To thwart the overriding of parameters, .htaccess files must not be used and the "AllowOverride" parameter must be set to "None".
Checks: C-23149r414985_chk

1. cd $DOMAIN_HOME/config/fmwconfig/components/OHS
2. find . -name .htaccess -print
3. If any .htaccess files are found, this is a finding.

Fix: F-23138r414986_fix

1. cd $DOMAIN_HOME/config/fmwconfig/components/OHS
2. find . -name .htaccess -exec rm {} \;

The OHS instance configuration must not reference directories that contain an .htaccess file.
CM-6 - Medium - CCI-000366 - V-221435 - SV-221435r414990_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000197
Vuln IDs
  • V-221435
  • V-64633
Rule IDs
  • SV-221435r414990_rule
  • SV-79123
.htaccess files are used to override settings in the OHS configuration files. The placement of the .htaccess file is also important, as the settings will affect the directory where the file is located and any subdirectories below it. If the use of .htaccess files is allowed, the hosted application's security posture and the overall OHS posture could change depending on the URL being accessed. Allowing the override of parameters in .htaccess files makes it difficult to truly know the security posture of the system, and it also makes it difficult to understand what the security posture may have been if an attack is successful. To thwart the overriding of parameters, .htaccess files must not be used and the "AllowOverride" parameter must be set to "None".
Checks: C-23150r414988_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "<Directory>" directives at the server and virtual host configuration scopes.
3. Go to the location specified as the value for each "<Directory>" directive (e.g., cd $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs1/htdocs).
4. Check for the existence of any .htaccess files in the aforementioned locations (e.g., find . -name .htaccess -print).
5. If any .htaccess files are found, this is a finding.

Fix: F-23139r414989_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "<Directory>" directives at the server and virtual host configuration scopes.
3. Go to the location specified as the value for each "<Directory>" directive (e.g., cd $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs1/htdocs).
4. find . -name .htaccess -exec rm {} \;

OHS must have the HostnameLookups directive enabled.
CM-6 - Low - CCI-000366 - V-221436 - SV-221436r414993_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
OH12-1X-000198
Vuln IDs
  • V-221436
  • V-64635
Rule IDs
  • SV-221436r414993_rule
  • SV-79125
Setting "HostnameLookups" to "On" allows more information to be logged in the event of an attack and the subsequent investigation. This information can be combined with other gathered information to narrow down the attacker's location. The DNS name can also be used for filtering access to the OHS-hosted applications by denying particular types of hostnames.
Checks: C-23151r414991_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "HostnameLookups" directive at the server, virtual host, and directory configuration scopes.
3. If the "HostnameLookups" directive is omitted or is not set to "On", this is a finding.

Fix: F-23140r414992_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "HostnameLookups" directive at the server, virtual host, and directory configuration scopes.
3. Set the "HostnameLookups" directive to "On"; add the directive if it does not exist.

OHS must have the ServerAdmin directive set properly.
CM-6 - Medium - CCI-000366 - V-221437 - SV-221437r414996_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000199
Vuln IDs
  • V-221437
  • V-64637
Rule IDs
  • SV-221437r414996_rule
  • SV-79127
Making sure that information is given to the system administrator in a timely fashion is important. This information can be system status, warnings that may need attention before system failure or actual failure notification. Having this information sent to the system administrator when the issue arises allows for the system administrator to quickly take action and avoid potential DoS for customers.
Checks: C-23152r414994_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "ServerAdmin" directive at the server and virtual host configuration scopes.
3. If the "ServerAdmin" directive is omitted or is set improperly, this is a finding.

Fix: F-23141r414995_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "ServerAdmin" directive at the virtual host and directory configuration scopes.
3. Set the "ServerAdmin" directive to an appropriate service-based email address for the organization; add the directive if it does not exist.

OHS must restrict access methods.
CM-6 - Medium - CCI-000366 - V-221438 - SV-221438r414999_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000200
Vuln IDs
  • V-221438
  • V-64639
Rule IDs
  • SV-221438r414999_rule
  • SV-79129
The "<LimitExcept>" directive allows the system administrator to restrict which users may use which methods. Examples of methods are GET, POST, and DELETE. These three are the most commonly used by applications and should be allowed. Methods such as TRACE, if allowed, give an attacker a way to map the system so that vulnerabilities in the system can be researched and developed.
Checks: C-23153r414997_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "<LimitExcept>" directive at the directory configuration scope.
3. If the "<LimitExcept>" directive is omitted (with the exception of the "<Directory />" directive) or is set improperly, this is a finding.

Fix: F-23142r414998_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "<LimitExcept>" directive at the directory configuration scope.
3. Set the "<LimitExcept>" directive to "GET POST"; add the directive if it does not exist.
4. Within the "<LimitExcept GET POST>" directive, add the directive "Deny" and set it to "from all".

The OHS htdocs directory must not contain any default files.
CM-6 - Medium - CCI-000366 - V-221439 - SV-221439r415002_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000201
Vuln IDs
  • V-221439
  • V-64641
Rule IDs
  • SV-221439r415002_rule
  • SV-79131
Default files from the OHS installation should not be part of the htdocs directory. These files are not always patched or supported and may become an attack vector in the future.
Checks: C-23154r415000_chk

1. cd $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs1/htdocs
2. Check for the existence of the OracleHTTPServer12c_files directory (e.g., ls).
3. If an OracleHTTPServer12c_files directory exists, this is a finding.

Fix: F-23143r415001_fix

1. cd $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs1/htdocs
2. rm -rf OracleHTTPServer12c_files

OHS must have the SSLSessionCacheTimeout directive set properly.
CM-6 - Medium - CCI-000366 - V-221440 - SV-221440r415005_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000202
Vuln IDs
  • V-221440
  • V-64643
Rule IDs
  • SV-221440r415005_rule
  • SV-79133
During an SSL session, information about the session is stored in the global/inter-process SSL Session Cache, the OpenSSL internal memory cache and for sessions resumed by TLS session resumption (RFC 5077). This information must not be allowed to live forever, but expire and become invalid so that an attacker cannot hijack the session if not closed by the hosted application properly.
Checks: C-23155r415003_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for the "SSLSessionCacheTimeout" directive at the OHS server configuration scope.
3. If the directive is omitted or is set greater than 60, this is a finding.

Fix: F-23144r415004_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for the "SSLSessionCacheTimeout" directive at the OHS server configuration scope.
3. Set the "SSLSessionCacheTimeout" directive to "60"; add the directive if it does not exist.

OHS must have the RewriteEngine directive enabled.
CM-6 - Low - CCI-000366 - V-221441 - SV-221441r415008_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
OH12-1X-000203
Vuln IDs
  • V-221441
  • V-64645
Rule IDs
  • SV-221441r415008_rule
  • SV-79135
The rewrite engine is used to evaluate URL requests and modify the requests on the fly. Enabling this engine gives the system administrator the capability to trap potential attacks before reaching the hosted applications or to modify the URL to fix issues in the request before forwarding to the applications. The rewrite engine becomes a pre-filtering tool to fix data issues before reaching the hosted applications where the URL format or data within the URL could cause buffer overflows, redirection or mobile code snippets that could become an issue if not filtered.
Checks: C-23156r415006_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive with an editor.
2. Search for the "RewriteEngine" directive at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or is not set to "On", this is a finding unless it is inherited from a larger scope.

Fix: F-23145r415007_fix

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive with an editor.
2. Search for the "RewriteEngine" directive at the OHS server and virtual host configuration scopes.
3. Set the "RewriteEngine" directive to "On"; add the directive if it does not exist, unless it is inherited from a larger scope.

OHS must have the RewriteOptions directive set properly.
CM-6 - Low - CCI-000366 - V-221442 - SV-221442r415011_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
OH12-1X-000204
Vuln IDs
  • V-221442
  • V-64647
Rule IDs
  • SV-221442r415011_rule
  • SV-79137
The rules for the rewrite engine can be configured to inherit those from the parent and build upon that set of rules, to copy the rules from the parent if none are defined, or to only process the rules if the input is a URL. Of these, the most secure is to inherit from the parent because of how this is implemented. The rules for the current configuration, process, or directory are loaded and then the parent's rules are overlaid. This means that the parent rule will always override the child rule. This gives the server a more consistent security configuration.
Checks: C-23157r415009_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive with an editor.
2. Search for the "RewriteOptions" directive at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or is not set to "inherit", this is a finding unless it is inherited from a larger scope.

Fix: F-23146r415010_fix

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive with an editor.
2. Search for the "RewriteOptions" directive at the OHS server and virtual host configuration scopes.
3. Set the "RewriteOptions" directive to "inherit"; add the directive if it does not exist, unless it is inherited from a larger scope.

OHS must have the RewriteLogLevel directive set to the proper log level.
CM-6 - Low - CCI-000366 - V-221443 - SV-221443r415014_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
OH12-1X-000205
Vuln IDs
  • V-221443
  • V-64649
Rule IDs
  • SV-221443r415014_rule
  • SV-79139
Logging must not contain sensitive information or more information than is necessary to administer the system. The log levels for the rewrite engine range from 0 to 9, where 0 is no logging and 9 is the most verbose. A log level that gives enough information for an investigation if an attack occurs, or enough information to troubleshoot issues, should be selected. Too much information makes the system vulnerable and may give an attacker information about other resources or data within the hosted applications.
Checks: C-23158r415012_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive with an editor.
2. Search for the "RewriteLogLevel" directive at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or is not set to "3", this is a finding unless it is inherited from a larger scope.

Fix: F-23147r415013_fix

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive with an editor.
2. Search for the "RewriteLogLevel" directive at the OHS server and virtual host configuration scopes.
3. Set the "RewriteLogLevel" directive to "3"; add the directive if it does not exist, unless it is inherited from a larger scope.

OHS must have the RewriteLog directive set properly.
CM-6 - Low - CCI-000366 - V-221444 - SV-221444r415017_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
OH12-1X-000206
Vuln IDs
  • V-221444
  • V-64651
Rule IDs
  • SV-221444r415017_rule
  • SV-79141
Specifying where the log files are written gives the system administrator the capability to store the files in a location other than the default, with system files or in a globally accessible location. The system administrator can also specify a location that is accessible by any enterprise tools that may use the logged data to give a picture of the overall enterprise security posture. If a file is not specified, OHS will still generate the log data, but it is not written and therefore, cannot be used to monitor the system or for forensic analysis.
Checks: C-23159r415015_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive with an editor.
2. Search for the "RewriteLog" directive at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or set improperly, this is a finding unless it is inherited from a larger scope.
4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23148r415016_fix

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive with an editor.
2. Search for the "RewriteLog" directive at the OHS server and virtual host configuration scopes.
3. Set the "RewriteLog" directive to the same location as the "CustomLog" directive; add the directive if it does not exist, unless it is inherited from a larger scope.
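The directory-scope checks above (AllowOverride None, Order deny,allow and Deny from all in "<Directory />", and "<LimitExcept GET POST>" in every other directory) and the Rewrite* checks with their "unless inherited from a larger scope" clause can be automated over a parsed configuration. The following Python is an added example, not part of the STIG or of Oracle's tooling: it parses a constructed httpd.conf fragment into nested scopes, resolves inheritance from the server scope into each "<VirtualHost>", and reports findings tagged with the STIG Version identifiers; it handles only the section and directive syntax shown (no Include processing).

```python
# Added example, not part of the STIG or of Oracle's tooling: a small scope-aware
# parser for an OHS/Apache-style .conf file plus checks for the directives above.
# SAMPLE_CONF is constructed for illustration and is not a real OHS configuration.
import re

SAMPLE_CONF = """\
RewriteEngine On
RewriteOptions inherit
RewriteLogLevel 3
<Directory />
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
<Directory "/u01/domains/base/htdocs">
    AllowOverride All
    Order allow,deny
    Allow from all
    <LimitExcept GET POST>
        Deny from all
    </LimitExcept>
</Directory>
<VirtualHost *:4443>
    RewriteLogLevel 9
</VirtualHost>
"""

OPEN_TAG = re.compile(r"<(\w+)\s*([^>]*)>")   # <Directory />, <VirtualHost *:4443>, ...


class Scope:
    """The server root or one <Directory>/<VirtualHost>/<LimitExcept> section."""
    def __init__(self, kind, arg, parent):
        self.kind, self.arg, self.parent = kind, arg, parent
        self.directives = {}   # lower-cased name -> value; a repeated directive wins
        self.children = []

    def get(self, name, inherit=False):
        """Directive value in this scope; with inherit=True also consult enclosing
        scopes, which is how "unless inherited from a larger scope" is evaluated."""
        scope = self
        while scope is not None:
            if name in scope.directives:
                return scope.directives[name]
            scope = scope.parent if inherit else None
        return None

    def walk(self):
        yield self
        for child in self.children:
            yield from child.walk()


def parse(text):
    """Build the scope tree of a .conf file; comments and blank lines are ignored."""
    root = current = Scope("server", "", None)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("</"):                        # end of a section
            current = current.parent or root
        elif (opened := OPEN_TAG.fullmatch(line)):        # start of a section
            child = Scope(opened.group(1), opened.group(2).strip().strip('"'), current)
            current.children.append(child)
            current = child
        else:                                            # plain directive
            name, _, value = line.partition(" ")
            current.directives[name.lower()] = value.strip()
    return root


def findings(root):
    """One line per STIG finding, tagged with the rule's Version identifier."""
    out = []
    for s in root.walk():
        if s.kind == "Directory":
            if s.get("allowoverride") != "None":
                out.append(f"OH12-1X-000193 <Directory {s.arg}>: AllowOverride must be None")
            if s.arg == "/":
                if (s.get("order") or "").replace(" ", "").lower() != "deny,allow":
                    out.append("OH12-1X-000194 <Directory />: Order must be deny,allow")
                if (s.get("deny") or "").lower() != "from all":
                    out.append("OH12-1X-000195 <Directory />: Deny must be from all")
            else:   # <Directory /> is exempt from the <LimitExcept> requirement
                limits = [c for c in s.children if c.kind == "LimitExcept"]
                if not limits:
                    out.append(f"OH12-1X-000200 <Directory {s.arg}>: no <LimitExcept GET POST>")
                for lim in limits:
                    if lim.arg.split() != ["GET", "POST"] or (lim.get("deny") or "").lower() != "from all":
                        out.append(f"OH12-1X-000200 <Directory {s.arg}>: <LimitExcept> needs GET POST and Deny from all")
        if s is root or s.kind == "VirtualHost":
            # A <VirtualHost> may inherit the Rewrite* settings from the server scope.
            where = "server scope" if s is root else f"<VirtualHost {s.arg}>"
            for name, want, vid in (("RewriteEngine", "On", "000203"),
                                    ("RewriteOptions", "inherit", "000204"),
                                    ("RewriteLogLevel", "3", "000205")):
                if s.get(name.lower(), inherit=True) != want:
                    out.append(f"OH12-1X-{vid} {where}: {name} must be {want}")
    return out
```

Running findings(parse(SAMPLE_CONF)) reports two findings for the sample: AllowOverride All in the htdocs directory and RewriteLogLevel 9 in the virtual host, while the virtual host's RewriteEngine and RewriteOptions pass because they are inherited from the server scope.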

All accounts installed with the web server software and tools must have passwords assigned and default passwords changed.
CM-6 - Medium - CCI-000366 - V-221445 - SV-221445r415020_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000207
Vuln IDs
  • V-221445
  • V-64653
Rule IDs
  • SV-221445r415020_rule
  • SV-79143
During installation of the web server software, accounts are created for the web server to operate properly. The accounts installed can have either no password installed or a default password, which will be known and documented by the vendor and the user community. The first things an attacker will try when presented with a login screen are the default user identifiers with default passwords. Installed applications may also install accounts with no password, making the login even easier. Once the web server is installed, the passwords for any created accounts should be changed and documented. The new passwords must meet the requirements for all passwords, i.e., upper/lower characters, numbers, special characters, time until change, reuse policy, etc. Normally, a service account is established for OHS. This is because a privileged account is not desirable and the server is designed to run for long uninterrupted periods of time. The SA or Web Manager will need password access to OHS to restart the service in the event of an emergency as OHS is not to restart automatically after an unscheduled interruption. If the password is not entrusted to an SA or web manager the ability to ensure the availability of OHS is compromised. Service accounts or system accounts that have no login capability do not need to have passwords set or changed.
Checks: C-23160r415018_chk

NOTE: Service accounts or system accounts that have no login capability do not need to have passwords set or changed. Review the web server documentation and deployment configuration to determine what non-service/system accounts were installed by the web server installation process. Verify the passwords for these accounts have been set and/or changed from the default passwords. Verify the SA/web manager has been notified of the changed password. If these accounts still have no password or have default passwords, this is a finding. If the SA/web manager does not know the changed password, this is a finding.

Fix: F-23149r415019_fix

Inform the OHS Administrator as to what the password is for the OS account that owns the OHS Software.

A production OHS Installation must prohibit the installation of a compiler.
CM-6 - Medium - CCI-000366 - V-221446 - SV-221446r415023_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000208
Vuln IDs
  • V-221446
  • V-64655
Rule IDs
  • SV-221446r415023_rule
  • SV-79145
The presence of a compiler on a production server facilitates the malicious user’s task of creating custom versions of programs and installing Trojan Horses or viruses. For example, the attacker’s code can be uploaded and compiled on the server under attack.
Checks: C-23161r415021_chk

1. Ask the System Administrator if a compiler is installed on the system.
2. If it is, this is a finding.

Fix: F-23150r415022_fix

Ask the System Administrator to remove any compilers installed on the system.

A public OHS installation, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension.
CM-6 - Medium - CCI-000366 - V-221447 - SV-221447r415026_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000209
Vuln IDs
  • V-221447
  • V-64657
Rule IDs
  • SV-221447r415026_rule
  • SV-79147
To minimize exposure of private assets to unnecessary risk from attackers, public web servers must be isolated from internal systems. Public web servers are by nature more vulnerable to attack from publicly based sources, such as the public Internet. Once compromised, a public web server might be used as a base for further attack on private resources unless additional layers of protection are implemented. Public web servers must be located in a DoD DMZ Extension, if hosted on the NIPRNet, with carefully controlled access. Failure to isolate resources in this way increases the risk that private assets are exposed to attacks from public sources.
Checks: C-23162r415024_chk

1. As required, confirm with the OHS Administrator that OHS is installed in a DMZ and isolated from internal systems.
2. If not, this is a finding.

Fix: F-23151r415025_fix

1. Relocate the OHS server to be in a DMZ, isolated from internal systems.
2. Confirm that the OHS server only has connections to supporting Application and Database Servers.

A private OHS installation must be located on a separate controlled access subnet.
CM-6 - Medium - CCI-000366 - V-221448 - SV-221448r415029_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000210
Vuln IDs
  • V-221448
  • V-64659
Rule IDs
  • SV-221448r415029_rule
  • SV-79149
Private web servers, which host sites that serve controlled access data, must be protected from outside threats in addition to insider threats. Insider threat may be accidental or intentional but, in either case, can cause a disruption in service of the web server. To protect the private web server from these threats, it must be located on a separate controlled access subnet and must not be a part of the public DMZ that houses the public web servers. It also cannot be located inside the enclave as part of the local general population LAN.
Checks: C-23163r415027_chk

1. As required, confirm with the OHS Administrator that OHS is installed on a separately controlled access subnet, not part of any DMZ.
2. Confirm that the OHS server is isolated from access by the LAN's general population.
3. If not, this is a finding.

Fix: F-23152r415028_fix

1. Relocate the OHS server to be on a local subnet, isolated from the DMZ.
2. Remove access to the OHS server from the LAN's general population.

The version of the OHS installation must be vendor-supported.
CM-6 - High - CCI-000366 - V-221449 - SV-221449r415032_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
OH12-1X-000211
Vuln IDs
  • V-221449
  • V-64661
Rule IDs
  • SV-221449r415032_rule
  • SV-79151
Many vulnerabilities are associated with older versions of software. As hot fixes and patches are issued, these solutions are included in the next version of the server software. Maintaining OHS at a current version makes the efforts of a malicious user to exploit the web service more difficult.
Checks: C-23164r415030_chk

1. Obtain the version of the OHS 12c software (e.g., grep Oracle-HTTP-Server-12c $DOMAIN_HOME/servers/<componentName>/logs/ohs1.log). Confirm it is 12.1.3.
2. Refer to the support date schedule for "Fusion Middleware 12c (12.1.x)" at http://www.oracle.com/us/support/library/lifetime-support-middleware-069163.pdf. Confirm that support remains available and that the organization is current with respect to payments.
3. If not, this is a finding.

Fix: F-23153r415031_fix

1. Install or upgrade to a version of OHS that is within the support timeframes for "Fusion Middleware 12c" at http://www.oracle.com/us/support/library/lifetime-support-middleware-069163.pdf.
2. Confirm that the organization is current with respect to support payments.

OHS must be certified with accompanying Fusion Middleware products.
CM-6 - Medium - CCI-000366 - V-221450 - SV-221450r415035_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000212
Vuln IDs
  • V-221450
  • V-64663
Rule IDs
  • SV-221450r415035_rule
  • SV-79153
OHS is capable of being used with other Oracle products. For the products to work properly and not introduce vulnerabilities or errors, Oracle certifies which versions work with each other. Insisting that the certified versions be installed together in a production environment reduces the possibility of successful attacks, DoS through software system downtime and easier patch management for the SA.
Checks: C-23165r415033_chk

1. If OHS is used with other Fusion Middleware products, check to see if the combination is certified per http://www.oracle.com/technetwork/middleware/fusion-middleware/documentation/fmw-1213certmatrix-2226694.xls.
2. If not a certified configuration, this is a finding.

Fix: F-23154r415034_fix

Upgrade or patch OHS or other Oracle Fusion Middleware products to achieve a certified configuration per http://www.oracle.com/technetwork/middleware/fusion-middleware/documentation/fmw-1213certmatrix-2226694.xls.

OHS tools must be restricted to the web manager and the web manager's designees.
CM-6 - Medium - CCI-000366 - V-221451 - SV-221451r415038_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000214
Vuln IDs
  • V-221451
  • V-64665
Rule IDs
  • SV-221451r415038_rule
  • SV-79155
All automated information systems are at risk of data loss due to disaster or compromise. Failure to provide adequate protection to the administration tools creates risk of potential theft or damage that may ultimately compromise the mission. Adequate protection ensures that server administration operates with less risk of losses or operations outages. The key web service administrative and configuration tools must be accessible only by the authorized web server administrators. All users granted this authority must be documented and approved by the ISSO. Access to OHS must be limited to authorized users and administrators.
Checks: C-23166r415036_chk

1. Determine whether anyone other than the System Administrator or the OHS Administrator has inappropriate access to modify the OHS configuration. This includes the ability to use the OS account that owns OHS, root, or a tool with OHS management or monitoring capability such as Oracle Enterprise Manager (OEM).
2. If so, this is a finding.

Fix: F-23155r415037_fix

Restrict access to the OS account that owns OHS, root, or tool with OHS management or monitoring capability such as Oracle Enterprise Manager (OEM).

All utility programs, not necessary for operations, must be removed or disabled.
CM-6 - Low - CCI-000366 - V-221452 - SV-221452r415041_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
OH12-1X-000215
Vuln IDs
  • V-221452
  • V-64667
Rule IDs
  • SV-221452r415041_rule
  • SV-79157
Just as running unneeded services and protocols is a danger to the web server at the lower levels of the OSI model, running unneeded utilities and programs is also a danger at the application layer of the OSI model. Office suites, development tools, and graphical editors are examples of such programs that are troublesome. Individual productivity tools have no legitimate place or use on an enterprise, production web server and they are also prone to their own security risks.
Checks: C-23167r415039_chk

1. Check the server for software that is unnecessary for OHS operation.
2. If the software is unnecessary for OHS or other organization requirements, or is not appropriately patched or supported, this is a finding.

Fix: F-23156r415040_fix

Remove any software that is unnecessary for OHS operation, other organization requirements, or is not appropriately patched or supported.

The OHS htpasswd files (if present) must reflect proper ownership and permissions.
CM-6 - Medium - CCI-000366 - V-221453 - SV-221453r415044_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000216
Vuln IDs
  • V-221453
  • V-64669
Rule IDs
  • SV-221453r415044_rule
  • SV-79159
In addition to OS restrictions, access rights to files and directories can be set on a web site using the web server software. That is, in addition to allowing or denying all access rights, a rule can be specified that allows or denies partial access rights. For example, users can be given read-only access rights to files, to view the information but not change the files. This check verifies that the htpasswd file is only accessible by system administrators or web managers, with the account running the web service having group permissions of read and execute. Htpasswd is a utility used by OHS to provide for password access to designated web sites.
Checks: C-23168r415042_chk

1. Check the permissions of the htpasswd file (e.g., ls -l $ORACLE_HOME/ohs/bin/htpasswd).
2. If the file has permissions beyond "-rwxr-----" (i.e., 740), this is a finding.

Fix: F-23157r415043_fix

Set permissions on htpasswd to 740 (i.e., chmod 740 $ORACLE_HOME/ohs/bin/htpasswd).

A public OHS installation must limit email to outbound only.
CM-6 - Medium - CCI-000366 - V-221454 - SV-221454r415047_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000217
Vuln IDs
  • V-221454
  • V-64671
Rule IDs
  • SV-221454r415047_rule
  • SV-79161
Incoming e-mail has been known to provide hackers with access to servers. Disabling the incoming mail service prevents this type of attack. Additionally, e-mail represents the main use of the Internet. It is a specialized application that requires the dedication of server resources. Combining this type of transaction processing function with the file serving role of the web server creates an inherent conflict. Supporting mail services on a web server opens the server to the risk of abuse as an e-mail relay. This check verifies, by checking the OS, that incoming e-mail is not supported.
Checks: C-23169r415045_chk

1. Check whether the OHS server is configured to accept SMTP connections (e.g., telnet localhost 25).
2. If it is, this is a finding.

Fix: F-23158r415046_fix

Configure the server to disallow inbound SMTP connections.

OHS content and configuration files must be part of a routine backup program.
CM-6 - Low - CCI-000366 - V-221455 - SV-221455r415050_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
OH12-1X-000218
Vuln IDs
  • V-221455
  • V-64673
Rule IDs
  • SV-221455r415050_rule
  • SV-79163
Backing up web server data and web server application software after upgrades or maintenance ensures that recovery can be accomplished up to the current version. It also provides a means to determine and recover from subsequent unauthorized changes to the software and data. A tested and verifiable backup strategy will be implemented for web server software as well as all web server data files. Backup and recovery procedures will be documented and the Web Manager or SA for the specific application will be responsible for the design, test, and implementation of the procedures. The site will have a contingency processing plan/disaster recovery plan that includes web servers. The contingency plan will be periodically tested in accordance with DoDI 8500.2 requirements. The site will identify an off-site storage facility in accordance with DoDI 8500.2 requirements. Off-site backups will be updated on a regular basis and the frequency will be documented in the contingency plan.
Checks: C-23170r415048_chk

1. Check that the following files and directories are backed up on a regular basis:
  a) /etc/oraInst.loc
  b) The directory identified by the inventory_loc parameter within /etc/oraInst.loc
  c) /etc/cap.ora
  d) $MW_HOME
2. Confirm the ability to restore the above files and directories successfully.
3. Confirm the successful operation of OHS upon a successful restoration of the files and directories.
4. If the files aren't backed up on a regular schedule or the backups haven't been tested, this is a finding.

Fix: F-23159r415049_fix

1. Back up the following files on a regular basis:
  a) /etc/oraInst.loc
  b) The directory identified by the inventory_loc parameter within /etc/oraInst.loc
  c) /etc/cap.ora
  d) $MW_HOME
2. Perform a restore and start the restored OHS server on a test machine.
3. Test the functionality of the restored OHS software on the test machine.

OHS must be segregated from other services.
CM-6 - Medium - CCI-000366 - V-221456 - SV-221456r415053_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000219
Vuln IDs
  • V-221456
  • V-64675
Rule IDs
  • SV-221456r415053_rule
  • SV-79165
The web server installation and configuration plan should not support the co-hosting of multiple services such as Domain Name Service (DNS), e-mail, databases, search engines, indexing, or streaming media on the same server that is providing the web publishing service. By separating these services, physically or logically, additional defensive layers are established between the web service and the applicable application should either be compromised. Disallowed or restricted services in the context of this vulnerability apply to services that are not directly associated with the delivery of web content. An operating system that supports a web server will not provide other services (e.g., domain controller, e-mail server, database server, etc.). Only those services necessary to support the web server and its hosted sites are specifically allowed and may include, but are not limited to, operating system, logging, anti-virus, host intrusion detection, administrative maintenance, or network requirements.
Checks: C-23171r415051_chk

1. Obtain a copy of the OHS installation and configuration plan.
2. Ask the System Administrator whether any additional services (e.g., database, DNS, mail, application server, etc.) are installed with OHS that do not directly support operation or management of OHS. Separation of services may be physical or logical.
3. If so, this is a finding.

Fix: F-23160r415052_fix

Move any software from the OHS installation that is not required for the operation or management of the OHS server to another physical or logical server.

OHS must have all applicable patches (i.e., CPUs) applied/documented (OEM).
CM-6 - Medium - CCI-000366 - V-221457 - SV-221457r415056_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000220
Vuln IDs
  • V-221457
  • V-64677
Rule IDs
  • SV-221457r415056_rule
  • SV-79167
The IAVM process does not address all patches that have been identified for the host operating system or, in this case, the web server software environment. Many vendors have subscription services available to notify users of known security threats. The site needs to be aware of these fixes and make determinations based on local policy and what software features are installed, if these patches need to be applied. In some cases, patches also apply to middleware and database systems. Maintaining the security of web servers requires frequent reviews of security notices. Many security notices mandate the installation of a software patch to overcome security vulnerabilities. SAs and ISSOs should regularly check the vendor support web site for patches and information related to the web server software. All applicable security patches will be applied to the operating system and to the web server software. Security patches are deemed applicable if the product is installed, even if it is not used or is disabled.
Checks: C-23172r415054_chk

1. Obtain the list of patches that have been applied to OHS (e.g., $ORACLE_HOME/OPatch/opatch lsinventory).
2. In reviewing the list, also review the latest Oracle CPU at http://www.oracle.com/technetwork/topics/security/alerts-086861.html#CriticalPatchUpdates. Specifically, review the My Oracle Support note specified for Oracle Fusion Middleware to see whether there are patches available for Oracle HTTP Server 12.1.3.
3. If there are patches listed for Oracle HTTP Server 12.1.3 in the support note and they do not show in the list from Step 1 above, this is a finding.

Fix: F-23161r415055_fix

1. Obtain the latest Fusion Middleware patches applicable for Oracle HTTP Server from the My Oracle Support note associated with the latest Oracle CPU at http://www.oracle.com/technetwork/topics/security/alerts-086861.html#CriticalPatchUpdates.
2. Follow the instructions associated with each patch to apply it successfully.

A private OHS list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA.
CM-6 - Medium - CCI-000366 - V-221458 - SV-221458r415059_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000221
Vuln IDs
  • V-221458
  • V-64679
Rule IDs
  • SV-221458r415059_rule
  • SV-79169
A PKI certificate is a digital identifier that establishes the identity of an individual or a platform. A server that has a certificate provides users with third-party confirmation of authenticity. Most web browsers perform server authentication automatically; the user is notified only if the authentication fails. The authentication process between the server and the client is performed using the SSL/TLS protocol. Digital certificates are authenticated, issued, and managed by a trusted Certification Authority (CA). The use of a trusted certificate validation hierarchy is crucial to the ability to control access to the server and prevent unauthorized access. This hierarchy needs to lead to the DoD PKI Root CA or to an approved External Certificate Authority (ECA), as required for the server to function.
Checks: C-23173r415057_chk

1. Go to the location of the OHS keystores (e.g., cd $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/keystores).
2. For each wallet directory located there, do the following:
  a) Issue the command "$ORACLE_HOME/oracle_common/bin/orapki wallet display -wallet <wallet_directory>".
  b) Confirm that only the appropriate DoD Certificate Authorities are listed as Trusted Certificates and that the Identity Certificate has been issued by a DoD Certificate Authority.
3. If any of the Trusted Certificates are not appropriate DoD Certificate Authorities or the Identity Certificate has not been issued by a DoD Certificate Authority, this is a finding.

Fix: F-23162r415058_fix

1. Go to the location of the OHS keystores (e.g., cd $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/keystores).
2. For each wallet directory located there, do the following:
  a) Issue the command "$ORACLE_HOME/oracle_common/bin/orapki wallet display -wallet <wallet_directory>".
  b) Remove the Identity Certificate if it was not issued by a DoD Certificate Authority.
  c) Remove each Trusted Certificate from the wallet that is not an appropriate DoD Certificate Authority with the command "$ORACLE_HOME/oracle_common/bin/orapki wallet remove -wallet <wallet_directory> -dn <dn_of_the_trusted_certificate> -trusted_cert".

OHS must have the ScoreBoardFile directive disabled.
CM-6 - Medium - CCI-000366 - V-221459 - SV-221459r415062_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000222
Vuln IDs
  • V-221459
  • V-64681
Rule IDs
  • SV-221459r415062_rule
  • SV-79171
The ScoreBoardFile directive sets a file path which the server will use for Inter-Process Communication (IPC) among the Apache processes. If the directive is specified, Apache will use the configured file for the inter-process communication; therefore, if it is specified, it needs to be located in a secure directory. If the ScoreBoard file is placed in an openly writable directory, other accounts could mount a denial of service attack and prevent the server from starting by creating a file with the same name, and/or users could monitor and disrupt the communication between the processes by reading and writing to the file.
Checks: C-23174r415060_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "ScoreBoardFile" directive at the server configuration scope.
3. If the "ScoreBoardFile" directive exists, this is a finding.

Fix: F-23163r415061_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "ScoreBoardFile" directive at the server configuration scope.
3. Remove the "ScoreBoardFile" directive.

The OHS document root directory must not be on a network share.
CM-6 - Medium - CCI-000366 - V-221460 - SV-221460r415065_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000223
Vuln IDs
  • V-221460
  • V-64683
Rule IDs
  • SV-221460r415065_rule
  • SV-79173
Sharing of web server content is a security risk when a web server is involved. Users accessing the share anonymously could obtain privileged access to the content of such directories. Network-sharable directories expose those directories and their contents to unnecessary access. Any unnecessary exposure increases the risk that someone could exploit that access and either compromise the web content or cause web server performance problems.
Checks: C-23175r415063_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes.
3. If the directive value is used as a network share (e.g., ps -ef | grep nfs, ps -ef | grep smb, etc.), this is a finding.

Fix: F-23164r415064_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes.
3. Remove the shares that are associated with any directory specified as a value for the "DocumentRoot" directives.

The OHS server root directory must not be on a network share.
CM-6 - Medium - CCI-000366 - V-221461 - SV-221461r415068_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000224
Vuln IDs
  • V-221461
  • V-64685
Rule IDs
  • SV-221461r415068_rule
  • SV-79175
Sharing of the web server directory where the executables are stored is a security risk when a web server is involved. Users that have access to the share may not be administrative users. These users could make changes to the web server without going through proper change control, or the users could inadvertently delete executables that are key to the proper operation of the web server. Any unnecessary exposure increases the risk that someone could exploit that access and either compromise the web server or cause web server performance problems.
Checks: C-23176r415066_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf.
2. Search for the "ServerRoot" directive at the OHS server configuration scope.
3. If the directive value is used as a network share (e.g., ps -ef | grep nfs, ps -ef | grep smb, etc.), this is a finding.

Fix: F-23165r415067_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf.
2. Search for the "ServerRoot" directive at the OHS server configuration scope.
3. Remove the share that is associated with the directory specified as a value for the "ServerRoot" directive.

Symbolic links must not be used in the web content directory tree.
CM-6 - High - CCI-000366 - V-221462 - SV-221462r415071_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
OH12-1X-000225
Vuln IDs
  • V-221462
  • V-64687
Rule IDs
  • SV-221462r415071_rule
  • SV-79177
A symbolic link allows a file or a directory to be referenced using a symbolic name raising a potential hazard if symbolic linkage is made to a sensitive area. When web scripts are executed and symbolic links are allowed, the web user could be allowed to access locations on the web server that are outside the scope of the web document root or home directory.
Checks: C-23177r415069_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes.
3. Within the directory specified by each "DocumentRoot" directive, check recursively for any symbolic links (e.g., find . -type l -exec ls -ald {} \;).
4. If any symbolic links are found, this is a finding.

Fix: F-23166r415070_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes.
3. Within the directory specified by each "DocumentRoot" directive, check recursively for any symbolic links (e.g., find . -type l -exec ls -ald {} \;).
4. Remove any symbolic links found in the "DocumentRoot" directory tree.

OHS administration must be performed over a secure path or at the local console.
CM-6 - High - CCI-000366 - V-221463 - SV-221463r415074_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
OH12-1X-000226
Vuln IDs
  • V-221463
  • V-64689
Rule IDs
  • SV-221463r415074_rule
  • SV-79179
Logging into a web server remotely using an unencrypted protocol or service when performing updates and maintenance is a major risk. Data, such as user account information, is transmitted in plaintext and can easily be compromised. When performing remote administrative tasks, a protocol or service that encrypts the communication channel must be used. An alternative to remote administration of the web server is to perform web server administration locally at the console. Local administration at the console implies physical access to the server.
Checks: C-23178r415072_chk

1. Check that if server administration is performed remotely, it is only performed securely by system administrators.
2. Check that if OHS administration has been delegated, those users are documented and approved by the ISSO.
3. Check that remote administration is in compliance with any requirements contained within the Unix Server STIGs and any applicable network STIGs.
4. Check that remote administration of any kind is restricted to documented and authorized personnel and that all users performing remote administration are authenticated.
5. Check that all remote sessions are encrypted and utilize FIPS 140-2 approved protocols.
6. If any of the above conditions are not met, this is a finding.

Fix: F-23167r415073_fix

Ensure that both system and OHS administration are done through a secure path.

OHS must not contain any robots.txt files.
CM-6 - Medium - CCI-000366 - V-221464 - SV-221464r415077_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000227
Vuln IDs
  • V-221464
  • V-64691
Rule IDs
  • SV-221464r415077_rule
  • SV-79181
Search engines are constantly at work on the Internet. Search engines are augmented by agents, often referred to as spiders or bots, which endeavor to capture and catalog web-site content. In turn, these search engines make the content they obtain and catalog available to any public web user. To request that a well behaved search engine not crawl and catalog a server, the web server may contain a file called robots.txt for each web site hosted. This file contains directories and files that the web server SA desires not be crawled or cataloged, but this file can also be used, by an attacker or poorly coded search engine, as a directory and file index to a site. This information may be used to reduce an attacker’s time searching and traversing the web site to find files that might be relevant. If information on hosted web sites needs to be protected from search engines and public view, other methods must be used.
Checks: C-23179r415075_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes.
3. If the directive value specifies a directory containing a robots.txt file, this is a finding.

Fix: F-23168r415076_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes.
3. Remove any robots.txt files from the directories specified in the "DocumentRoot" directives.

OHS must prohibit anonymous FTP user access to interactive scripts.
CM-6 - Medium - CCI-000366 - V-221465 - SV-221465r415080_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000228
Vuln IDs
  • V-221465
  • V-64693
Rule IDs
  • SV-221465r415080_rule
  • SV-79183
The directories containing the CGI scripts, such as PERL, must not be accessible to anonymous users via FTP. This applies to all directories that contain scripts that can dynamically produce web pages in an interactive manner (i.e., scripts based upon user-provided input). Such scripts contain information that could be used to compromise a web service, access system resources, or deface a web site.
Checks: C-23180r415078_chk

1. Check that all FTP access is authenticated, authorized, and secure.
2. If not, this is a finding.

Fix: F-23169r415079_fix

Ensure that all file transfers to the server are authenticated, authorized, and secure.

The OHS DocumentRoot directory must be in a separate partition from the OHS ServerRoot directory.
CM-6 - Medium - CCI-000366 - V-221466 - SV-221466r415083_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000229
Vuln IDs
  • V-221466
  • V-64695
Rule IDs
  • SV-221466r415083_rule
  • SV-79185
Application partitioning enables an additional security measure by securing user traffic under one security context, while managing system and application files under another. Web content is accessible to an anonymous web user. For such an account to have access to system files of any type is a major security risk, and one that is avoidable. Failure to partition the system files from the web site documents increases the risk of attack via directory traversal, or may impede web site availability due to drive space exhaustion.
Checks: C-23181r415081_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes.
3. Search for the "ServerRoot" directive at the OHS server configuration scope.
4. If the "DocumentRoot" directive value specifies a directory on the same partition as the directory specified in the "ServerRoot" directive, this is a finding.

Fix: F-23170r415082_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes.
3. Search for the "ServerRoot" directive at the OHS server configuration scope.
4. Move the directory associated with the "DocumentRoot" directive to a partition different from the partition associated with the directory specified by the "ServerRoot" directive.

The OHS DocumentRoot directory must be on a separate partition from OS root partition.
CM-6 - Medium - CCI-000366 - V-221467 - SV-221467r415086_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000230
Vuln IDs
  • V-221467
  • V-64697
Rule IDs
  • SV-221467r415086_rule
  • SV-79187
Application partitioning enables an additional security measure by securing user traffic under one security context, while managing system and application files under another. Web content is accessible to an anonymous web user. For such an account to have access to system files of any type is a major security risk, and one that is avoidable. Failure to partition the system files from the web site documents increases the risk of attack via directory traversal, or may impede web site availability due to drive space exhaustion.
Checks: C-23182r415084_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes.
3. If the directory associated with the "DocumentRoot" directive is on the root partition, this is a finding.

Fix: F-23171r415085_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf, and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive, with an editor.
2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes.
3. Move the directory associated with the "DocumentRoot" directive to a partition different from the root partition.
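The DocumentRoot and ServerRoot checks in V-221460, V-221461, V-221462, V-221464, V-221466 and V-221467 can be scripted together. This added Python audit is not part of the STIG or of Oracle's tooling: it extracts the directive values from httpd.conf-style text, then tests for symbolic links, a robots.txt, network filesystem types and shared partitions; the network filesystem list, the sample directory tree and the /proc/mounts excerpt are constructed assumptions.

```python
"""Audit OHS DocumentRoot and ServerRoot directories for the STIG filesystem checks."""
import os
import re
import tempfile

# Directive line: optional indentation, directive name, value (optionally quoted).
ROOT_RE = re.compile(r'^\s*(DocumentRoot|ServerRoot)\s+"?([^"\s]+)"?', re.IGNORECASE)
# Filesystem types treated as network shares (assumed list; extend for your site).
NETWORK_FS = {"nfs", "nfs4", "cifs", "smbfs", "smb3", "fuse.sshfs", "glusterfs"}

def extract_roots(conf_text):
    """Collect DocumentRoot and ServerRoot values from httpd.conf-style text, skipping comments."""
    roots = {"DocumentRoot": [], "ServerRoot": []}
    for line in conf_text.splitlines():
        if line.strip().startswith("#"):
            continue
        match = ROOT_RE.match(line)
        if match:
            key = "DocumentRoot" if match.group(1).lower() == "documentroot" else "ServerRoot"
            roots[key].append(match.group(2))
    return roots

def find_symlinks(root):
    """Recursively list symbolic links under a directory (V-221462); os.walk does not follow them."""
    links = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                links.append(path)
    return sorted(links)

def is_network_share(path, mounts_text):
    """Decide from /proc/mounts-style text whether path sits on a network filesystem.
    The longest mount point that is a prefix of the normalised path decides the type."""
    real = os.path.realpath(path)
    best = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        mount_point, fstype = fields[1], fields[2]
        if real == mount_point or real.startswith(mount_point.rstrip("/") + "/"):
            if best is None or len(mount_point) > len(best[0]):
                best = (mount_point, fstype)
    return best is not None and best[1] in NETWORK_FS

def same_partition(path_a, path_b):
    """True when both paths live on the same filesystem (same device id)."""
    return os.stat(path_a).st_dev == os.stat(path_b).st_dev

def audit(conf_text, mounts_text, os_root="/"):
    """Run the DocumentRoot/ServerRoot checks; returns a sorted list of finding strings."""
    findings = []
    roots = extract_roots(conf_text)
    for doc_root in roots["DocumentRoot"]:
        if not os.path.isdir(doc_root):
            findings.append(f"{doc_root}: DocumentRoot directory does not exist")
            continue
        if find_symlinks(doc_root):
            findings.append(f"{doc_root}: symbolic links inside DocumentRoot (V-221462)")
        if os.path.isfile(os.path.join(doc_root, "robots.txt")):
            findings.append(f"{doc_root}: robots.txt present (V-221464)")
        if is_network_share(doc_root, mounts_text):
            findings.append(f"{doc_root}: DocumentRoot on a network share (V-221460)")
        if same_partition(doc_root, os_root):
            findings.append(f"{doc_root}: DocumentRoot on the OS root partition (V-221467)")
        for srv_root in roots["ServerRoot"]:
            if os.path.isdir(srv_root) and same_partition(doc_root, srv_root):
                findings.append(f"{doc_root}: same partition as ServerRoot {srv_root} (V-221466)")
    for srv_root in roots["ServerRoot"]:
        if os.path.isdir(srv_root) and is_network_share(srv_root, mounts_text):
            findings.append(f"{srv_root}: ServerRoot on a network share (V-221461)")
    return sorted(findings)

def build_demo_tree():
    """Constructed sample layout: a ServerRoot, and a DocumentRoot holding a symlink and a robots.txt."""
    base = tempfile.mkdtemp(prefix="ohs-demo-")
    srv_root, doc_root = os.path.join(base, "ohs"), os.path.join(base, "htdocs")
    os.makedirs(os.path.join(srv_root, "bin"))
    os.makedirs(os.path.join(doc_root, "img"))
    with open(os.path.join(doc_root, "robots.txt"), "w") as fh:
        fh.write("User-agent: *\nDisallow: /admin/\n")
    os.symlink(os.path.join(srv_root, "bin"), os.path.join(doc_root, "img", "tools"))
    conf = (f'ServerRoot "{srv_root}"\n# DocumentRoot "/commented/out"\n'
            f'<VirtualHost *:443>\n  DocumentRoot "{doc_root}"\n</VirtualHost>\n')
    return conf, doc_root, srv_root

# Constructed /proc/mounts excerpt: the root filesystem plus an NFS share.
DEMO_MOUNTS = "/dev/sda2 / ext4 rw 0 0\nnas:/export/www /u01/app/oracle/www nfs4 rw 0 0\n"

if __name__ == "__main__":
    demo_conf, _, _ = build_demo_tree()
    for finding in audit(demo_conf, DEMO_MOUNTS):
        print(finding)
```

On a real host, pass the contents of httpd.conf plus its included .conf files and of /proc/mounts; the sample tree deliberately trips the symlink, robots.txt and shared-partition checks.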

Remote authors or content providers must have all files scanned for viruses and malicious code before uploading files to the Document Root directory.
CM-6 - Medium - CCI-000366 - V-221468 - SV-221468r415089_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000231
Vuln IDs
  • V-221468
  • V-64699
Rule IDs
  • SV-221468r415089_rule
  • SV-79189
Remote web authors should not be able to upload files to the DocumentRoot directory structure without virus checking and checking for malicious or mobile code. A remote web user whose agency has a Memorandum of Agreement (MOA) with the hosting agency and has submitted a DoD form 2875 (System Authorization Access Request (SAAR)) or an equivalent document will be allowed to post files to a temporary location on the server. All posted files to this temporary location will be scanned for viruses and content checked for malicious or mobile code. Only files free of viruses and malicious or mobile code will be posted to the appropriate Document Root directory.
Checks: C-23183r415087_chk

1. Check that any files uploaded to the OHS environment are checked for viruses, malicious code, and mobile code.
2. If there is not anti-virus software on the system with auto-protect enabled, or if there is not a process in place to ensure all files being posted to the OHS sites are being scanned, this is a finding.

Fix: F-23172r415088_fix

Install anti-virus software on the OHS server and configure it to automatically scan for any viruses, malicious code, and mobile code.

A public OHS server must use TLS if authentication is required to host web sites.
CM-6 - Medium - CCI-000366 - V-221469 - SV-221469r415092_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000232
Vuln IDs
  • V-221469
  • V-64701
Rule IDs
  • SV-221469r415092_rule
  • SV-79191
Transport Layer Security (TLS) is optional for a public web server. However, if authentication is being performed, then the use of the TLS protocol is required. Without the use of TLS, the authentication data would be transmitted unencrypted and would become vulnerable to disclosure. Using TLS along with DoD PKI certificates for encryption of the authentication data protects the information from being accessed by all parties on the network. To further protect the authentication data, the web server must use a FIPS 140-2 approved TLS version and all non-FIPS-approved SSL versions must be disabled. FIPS 140-2 approved TLS versions include TLS V1.0 or greater. NIST SP 800-52 specifies the preferred configurations for government systems.
Checks: C-23184r415090_chk

1. As required, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that requires an SSL-enabled "<VirtualHost>" directive with an editor. Note: Does not apply to admin.conf.
2. Search for the following directives at the OHS server, virtual host, and/or directory configuration scopes: "SSLEngine", "SSLProtocol", "SSLWallet".
3. If any of these directives are omitted, this is a finding.
4. If "SSLEngine" is not set to "On" or "SSLProtocol" is not set to TLS versions 1.1 and greater, this is a finding.
5. Validate that the folder specified in the "SSLWallet" directive exists. If the folder does not exist or does not contain a valid wallet, this is a finding.

Fix: F-23173r415091_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that requires an SSL-enabled "<VirtualHost>" directive with an editor. Note: Does not apply to admin.conf.
2a. Search for the "SSLEngine" directive at the OHS server, virtual host, and/or directory configuration scopes.
2b. Set the "SSLEngine" directive to "On"; add the directive if it does not exist.
3a. Search for the "SSLProtocol" directive at the OHS server configuration, virtual host, and/or directory levels.
3b. Set the "SSLProtocol" directive to "TLSv1.2 TLSv1.1"; add the directive if it does not exist.
4a. Search for the "SSLWallet" directive at the OHS server configuration, virtual host, and/or directory levels.
4b. Set the "SSLWallet" directive to the location (i.e., a folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES encryption (-compat_v12 parameter) that contains only the identity certificate for the host and DoD Certificate Authorities; add the directive if it does not exist.
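As an added illustration of the V-221469 check, not part of the STIG or of Oracle's tooling, this Python script parses the <VirtualHost> blocks of ssl.conf-style text and applies the three criteria: SSLEngine On, an SSLProtocol that enables only TLSv1.1/TLSv1.2, and an SSLWallet directory that holds a wallet. The wallet file names (cwallet.sso, ewallet.p12) and the sample configuration are assumptions.

```python
"""Audit SSL-enabled <VirtualHost> blocks against the V-221469 criteria."""
import os
import re

ALLOWED_PROTOCOLS = {"TLSv1.1", "TLSv1.2"}  # the only SSLProtocol tokens the rule permits
REQUIRED = ("SSLEngine", "SSLProtocol", "SSLWallet")
# Files that mark a directory as an Oracle wallet (assumed names; adjust for your installation).
WALLET_FILES = ("cwallet.sso", "ewallet.p12")

def parse_virtual_hosts(conf_text):
    """Return [(address, {directive_lower: value}), ...], one entry per <VirtualHost> block."""
    hosts, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no configuration
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.IGNORECASE)
        if opened:
            current = (opened.group(1).strip(), {})
        elif re.match(r"</VirtualHost>", line, re.IGNORECASE):
            if current is not None:
                hosts.append(current)
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            if len(parts) == 2:
                current[1][parts[0].lower()] = parts[1].strip().strip('"')
    return hosts

def wallet_present(path):
    """Default SSLWallet check: the directory exists and holds a wallet file."""
    return os.path.isdir(path) and any(os.path.isfile(os.path.join(path, f)) for f in WALLET_FILES)

def check_ssl_vhost(address, directives, wallet_check=wallet_present):
    """Apply the rule to one virtual host; returns finding strings (empty list = compliant).
    A block carrying none of the three directives is treated as plain HTTP and returns None."""
    if not any(d.lower() in directives for d in REQUIRED):
        return None
    findings = [f"{address}: {d} directive missing" for d in REQUIRED if d.lower() not in directives]
    engine = directives.get("sslengine", "")
    if engine and engine.lower() != "on":
        findings.append(f"{address}: SSLEngine is '{engine}', must be On")
    protocol = directives.get("sslprotocol")
    if protocol is not None:
        # "+TLSv1.2" enables, "-SSLv3" disables; "all" or a bare "TLSv1" would admit TLS 1.0 or older.
        enabled = {t.lstrip("+") for t in protocol.split() if not t.startswith("-")}
        bad = sorted(enabled - ALLOWED_PROTOCOLS)
        if bad:
            findings.append(f"{address}: SSLProtocol enables {bad}; only TLSv1.1/TLSv1.2 allowed")
    wallet = directives.get("sslwallet")
    if wallet is not None and not wallet_check(wallet):
        findings.append(f"{address}: SSLWallet '{wallet}' is not a valid wallet directory")
    return findings

def audit_ssl_conf(conf_text, wallet_check=wallet_present):
    """Map each SSL-enabled virtual host address to its list of findings."""
    results = {}
    for address, directives in parse_virtual_hosts(conf_text):
        findings = check_ssl_vhost(address, directives, wallet_check)
        if findings is not None:
            results[address] = findings
    return results

# Constructed ssl.conf excerpt: one compliant host, one weak host, one plain-HTTP host.
SAMPLE_SSL_CONF = """
<VirtualHost *:4443>
  SSLEngine On
  SSLProtocol TLSv1.2 TLSv1.1
  SSLWallet "/u01/domains/base_domain/config/fmwconfig/components/OHS/instances/ohs1/keystores/default"
</VirtualHost>
<VirtualHost *:8443>
  SSLEngine off
  # SSLProtocol TLSv1.2
  SSLProtocol all -SSLv3
</VirtualHost>
<VirtualHost *:7777>
  DocumentRoot "/u01/htdocs"
</VirtualHost>
"""

if __name__ == "__main__":
    # The sample wallet path does not exist here, so accept any path for the demo run.
    for address, findings in audit_ssl_conf(SAMPLE_SSL_CONF, wallet_check=lambda p: True).items():
        print(address, "compliant" if not findings else findings)
```

Run against a real ssl.conf with the default wallet_check so the SSLWallet folder is actually inspected; the *:8443 host in the sample is reported for a disabled engine, an SSLProtocol of "all" and a missing wallet directive.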

OHS hosted web sites must utilize ports, protocols, and services according to PPSM guidelines.
CM-6 - Low - CCI-000366 - V-221470 - SV-221470r415095_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
OH12-1X-000233
Vuln IDs
  • V-221470
  • V-64703
Rule IDs
  • SV-221470r415095_rule
  • SV-79193
Failure to comply with DoD ports, protocols, and services (PPS) requirements can result in compromise of enclave boundary protections and/or functionality of the automated information system (AIS). The ISSM will ensure web servers are configured to use only authorized PPS in accordance with the Network Infrastructure STIG, DoD Instruction 8551.1, Ports, Protocols, and Services Management (PPSM), and the associated Ports, Protocols, and Services (PPS) Assurance Category Assignments List.
Checks: C-23185r415093_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "Listen" directive at the OHS server configuration scope.
3. If the "Listen" directive port specified is not "80" or "443", this is a finding.

Fix: F-23174r415094_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "Listen" directive at the OHS server configuration scope.
3. Set the "Listen" directive to "80" for http ports and "443" for https ports.

OHS must not have the directive PlsqlDatabasePassword set in clear text.
CM-6 - High - CCI-000366 - V-221471 - SV-221471r415098_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
OH12-1X-000234
Vuln IDs
  • V-221471
  • V-64621
Rule IDs
  • SV-221471r415098_rule
  • SV-79111
OHS supports the use of the module mod_plsql, which allows applications to be hosted that are PL/SQL-based. To access the database, the module must have a valid username, password and database name. To keep the password from an attacker, the password must not be stored in plain text, but instead, obfuscated.
Checks: C-23186r415096_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., dads.conf) included in it with an editor.
2. Search for the "PlsqlDatabasePassword" directive.
3. If the directive is set in clear text, this is a finding.

Fix: F-23175r415097_fix

1. At the shell prompt, set the "ORACLE_HOME" environment variable to the $ORACLE_HOME location and export the variable.
2. At the shell prompt, set the "PATH" environment variable to "$ORACLE_HOME/ohs/bin:$ORACLE_HOME/bin:$ORACLE_HOME/perl/bin:$PATH" and export the variable.
3a. If AIX OS, at the shell prompt, set the "LIBPATH" environment variable to "$ORACLE_HOME/lib:$LIBPATH" and export the variable.
3b. If HP-UX OS, at the shell prompt, set the "SHLIB_PATH" environment variable to "$ORACLE_HOME/lib:$SHLIB_PATH" and export the variable.
3c. If Solaris OS, at the shell prompt, set the "LD_LIBRARY_PATH" environment variable to "$ORACLE_HOME/lib32:$LD_LIBRARY_PATH" and export the variable.
3d. If Linux or other Unix OS, at the shell prompt, set the "LD_LIBRARY_PATH" environment variable to "$ORACLE_HOME/lib:$LD_LIBRARY_PATH" and export the variable.
4. Change the present working directory to "$ORACLE_HOME/ohs/bin" (e.g., cd $ORACLE_HOME/ohs/bin).
5. For each .conf file found to be at fault, execute the dadTool.pl script (e.g., "perl dadTool.pl -f $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/mod_plsql/dads.conf").

If WebLogic is not in use with OHS, OHS must have the include mod_wl_ohs.conf directive disabled at the server level.
CM-7 - Medium - CCI-000381 - V-221472 - SV-221472r415101_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000235
Vuln IDs
  • V-221472
  • V-64357
Rule IDs
  • SV-221472r415101_rule
  • SV-78847
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23187r415099_chk

If not using the WebLogic Web Server Proxy Plugin:
1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "include mod_wl_ohs.conf" directive at the OHS server configuration scope.
3. If the directive exists and is not commented out, this is a finding.

Fix: F-23176r415100_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "include mod_wl_ohs.conf" directive at the OHS server configuration scope.
3. Comment out the "include mod_wl_ohs.conf" directive if it exists.

If mod_plsql is not in use with OHS, OHS must have the include moduleconf/* directive disabled.
CM-7 - Medium - CCI-000381 - V-221473 - SV-221473r415104_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000236
Vuln IDs
  • V-221473
  • V-64359
Rule IDs
  • SV-221473r415104_rule
  • SV-78849
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23188r415102_chk

If not using mod_plsql:
1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "include moduleconf/*" directive at the OHS server configuration scope. Note: The complete line may be "include moduleconf/*.conf*".
3. If the directive exists and is not commented out, this is a finding.

Fix: F-23177r415103_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "include moduleconf/*" directive at the OHS server configuration scope. Note: The complete line may be "include moduleconf/*.conf*".
3. Comment out the "include moduleconf/*" directive if it exists.

OHS must have the LoadModule ossl_module directive enabled to encrypt passwords during transmission.
IA-5 - High - CCI-000197 - V-221474 - SV-221474r415107_rule
RMF Control
IA-5
Severity
H
CCI
CCI-000197
Version
OH12-1X-000240
Vuln IDs
  • V-221474
  • V-64407
Rule IDs
  • SV-221474r415107_rule
  • SV-78897
Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to authenticate can be passed to and from the web server for many reasons. Examples include data passed from a user to the web server through an HTTPS connection for authentication, the web server authenticating to a backend database for data retrieval and posting, and the web server authenticating to a clustered web server manager for an update.
Checks: C-23189r415105_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope.
3. If the directive is omitted, this is a finding.
4. Validate that the file specified exists. If the file does not exist, this is a finding.

Fix: F-23178r415106_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope.
3. Set the "LoadModule ossl_module" directive to ""${PRODUCT_HOME}/modules/mod_ossl.so"", add the directive if it does not exist.

OHS must use FIPS modules to encrypt passwords during transmission.
IA-5 - High - CCI-000197 - V-221475 - SV-221475r415110_rule
RMF Control
IA-5
Severity
H
CCI
CCI-000197
Version
OH12-1X-000241
Vuln IDs
  • V-221475
  • V-64409
Rule IDs
  • SV-221475r415110_rule
  • SV-78899
Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to authenticate can be passed to and from the web server for many reasons. Examples include data passed from a user to the web server through an HTTPS connection for authentication, the web server authenticating to a backend database for data retrieval and posting, and the web server authenticating to a clustered web server manager for an update.
Checks: C-23190r415108_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for the "SSLFIPS" directive at the OHS server configuration scope.
3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-23179r415109_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for the "SSLFIPS" directive at the OHS server configuration scope.
3. Set the "SSLFIPS" directive to "On", add the directive if it does not exist.

OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to encrypt passwords during transmission.
IA-5 - High - CCI-000197 - V-221476 - SV-221476r415113_rule
RMF Control
IA-5
Severity
H
CCI
CCI-000197
Version
OH12-1X-000242
Vuln IDs
  • V-221476
  • V-64411
Rule IDs
  • SV-221476r415113_rule
  • SV-78901
Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to authenticate can be passed to and from the web server for many reasons. Examples include data passed from a user to the web server through an HTTPS connection for authentication, the web server authenticating to a backend database for data retrieval and posting, and the web server authenticating to a clustered web server manager for an update.
Checks: C-23191r415111_chk

1. As required, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf.
2. Search for the following directives at the OHS server, virtual host, and/or directory configuration scopes: "SSLEngine", "SSLProtocol", "SSLWallet".
3. If any of these directives are omitted, this is a finding.
4. If "SSLEngine" is not set to "On" or "SSLProtocol" is not set to "TLS versions 1.1 and greater", this is a finding.
5. Validate that the folder specified in the "SSLWallet" directive exists. If the folder does not exist or does not contain a valid wallet, this is a finding.

Fix: F-23180r415112_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf.
2a. Search for the "SSLEngine" directive at the OHS server, virtual host, and/or directory configuration scopes.
2b. Set the "SSLEngine" directive to "On", add the directive if it does not exist.
3a. Search for the "SSLProtocol" directive at the OHS server configuration, virtual host, and/or directory levels.
3b. Set the "SSLProtocol" directive to "TLSv1.2 TLSv1.1", add the directive if it does not exist.
4a. Search for the "SSLWallet" directive at the OHS server configuration, virtual host, and/or directory levels.
4b. Set the "SSLWallet" directive to the location (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES Encryption (-compat_v12 parameters) that contains only the identity certificate for the host and DoD Certificate Authorities, add the directive if it does not exist.

OHS must have the SSLCipherSuite directive enabled to encrypt passwords during transmission.
IA-5 - High - CCI-000197 - V-221477 - SV-221477r415116_rule
RMF Control
IA-5
Severity
H
CCI
CCI-000197
Version
OH12-1X-000243
Vuln IDs
  • V-221477
  • V-64413
Rule IDs
  • SV-221477r415116_rule
  • SV-78903
Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to authenticate can be passed to and from the web server for many reasons. Examples include data passed from a user to the web server through an HTTPS connection for authentication, the web server authenticating to a backend database for data retrieval and posting, and the web server authenticating to a clustered web server manager for an update.
Checks: C-23192r415114_chk

1. As required, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive.
2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes.
3. If the directive is omitted or set improperly, this is a finding.

Fix: F-23181r415115_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive.
2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes.
3. Set the "SSLCipherSuite" directive to "SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,RSA_WITH_AES_128_CBC_SHA256,RSA_WITH_AES_256_CBC_SHA256,RSA_WITH_AES_128_GCM_SHA256,RSA_WITH_AES_256_GCM_SHA384,ECDHE_ECDSA_WITH_AES_128_CBC_SHA,ECDHE_ECDSA_WITH_AES_256_CBC_SHA,ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,ECDHE_RSA_WITH_AES_128_CBC_SHA,ECDHE_RSA_WITH_AES_256_CBC_SHA", add the directive if it does not exist.
Note: Ciphers may be removed from the list above per the organization's requirements or if vulnerabilities are found with a specific cipher.

OHS must have the LoadModule ossl_module directive enabled to perform RFC 5280-compliant certification path validation.
IA-5 - Medium - CCI-000185 - V-221478 - SV-221478r415119_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000185
Version
OH12-1X-000244
Vuln IDs
  • V-221478
  • V-64415
Rule IDs
  • SV-221478r415119_rule
  • SV-78905
A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.
Checks: C-23193r415117_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope.
3. If the directive is omitted, this is a finding.
4. Validate that the file specified exists. If the file does not exist, this is a finding.

Fix: F-23182r415118_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope.
3. Set the "LoadModule ossl_module" directive to ""${PRODUCT_HOME}/modules/mod_ossl.so"", add the directive if it does not exist.

OHS must use FIPS modules to perform RFC 5280-compliant certification path validation.
IA-5 - Medium - CCI-000185 - V-221479 - SV-221479r415122_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000185
Version
OH12-1X-000245
Vuln IDs
  • V-221479
  • V-64417
Rule IDs
  • SV-221479r415122_rule
  • SV-78907
A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.
Checks: C-23194r415120_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for the "SSLFIPS" directive at the OHS server configuration scope.
3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-23183r415121_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for the "SSLFIPS" directive at the OHS server configuration scope.
3. Set the "SSLFIPS" directive to "On", add the directive if it does not exist.

OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to perform RFC 5280-compliant certification path validation.
IA-5 - Medium - CCI-000185 - V-221480 - SV-221480r415125_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000185
Version
OH12-1X-000246
Vuln IDs
  • V-221480
  • V-64419
Rule IDs
  • SV-221480r415125_rule
  • SV-78909
A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.
Checks: C-23195r415123_chk

1. As required, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf.
2. Search for the following directives at the OHS server, virtual host, and/or directory configuration scopes: "SSLEngine", "SSLProtocol", "SSLWallet".
3. If any of these directives are omitted, this is a finding.
4. If "SSLEngine" is not set to "On" or "SSLProtocol" is not set to "TLS versions 1.1 and greater", this is a finding.
5. Validate that the folder specified in the "SSLWallet" directive exists. If the folder does not exist or does not contain a valid wallet, this is a finding.

Fix: F-23184r415124_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf.
2a. Search for the "SSLEngine" directive at the OHS server, virtual host, and/or directory configuration scopes.
2b. Set the "SSLEngine" directive to "On", add the directive if it does not exist.
3a. Search for the "SSLProtocol" directive at the OHS server configuration, virtual host, and/or directory levels.
3b. Set the "SSLProtocol" directive to "TLSv1.2 TLSv1.1", add the directive if it does not exist.
4a. Search for the "SSLWallet" directive at the OHS server configuration, virtual host, and/or directory levels.
4b. Set the "SSLWallet" directive to the location (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES Encryption (-compat_v12 parameters) that contains only the identity certificate for the host and DoD Certificate Authorities; add the directive if it does not exist.

OHS must have the SSLCipherSuite directive enabled to perform RFC 5280-compliant certification path validation.
IA-5 - Medium - CCI-000185 - V-221481 - SV-221481r415128_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000185
Version
OH12-1X-000247
Vuln IDs
  • V-221481
  • V-64421
Rule IDs
  • SV-221481r415128_rule
  • SV-78911
A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.
Checks: C-23196r415126_chk

1. As required, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive.
2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes.
3. If the directive is omitted or set improperly, this is a finding.

Fix: F-23185r415127_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive.
2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes.
3. Set the "SSLCipherSuite" directive to "SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,RSA_WITH_AES_128_CBC_SHA256,RSA_WITH_AES_256_CBC_SHA256,RSA_WITH_AES_128_GCM_SHA256,RSA_WITH_AES_256_GCM_SHA384,ECDHE_ECDSA_WITH_AES_128_CBC_SHA,ECDHE_ECDSA_WITH_AES_256_CBC_SHA,ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,ECDHE_RSA_WITH_AES_128_CBC_SHA,ECDHE_RSA_WITH_AES_256_CBC_SHA", add the directive if it does not exist.
Note: Ciphers may be removed from the list above per the organization's requirements or if vulnerabilities are found with a specific cipher.

OHS must have the SSLVerifyClient directive set within each SSL-enabled VirtualHost directive to perform RFC 5280-compliant certification path validation.
IA-5 - Medium - CCI-000185 - V-221482 - SV-221482r415131_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000185
Version
OH12-1X-000248
Vuln IDs
  • V-221482
  • V-64423
Rule IDs
  • SV-221482r415131_rule
  • SV-78913
A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.
Checks: C-23197r415129_chk

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive.
2. Search for the "SSLVerifyClient" directive at the OHS server, virtual host, and/or directory configuration scopes.
3. If this directive is omitted or set improperly, this is a finding.

Fix: F-23186r415130_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive.
2. Search for the "SSLVerifyClient" directive at the OHS server, virtual host, and/or directory configuration scope.
3. Set the "SSLVerifyClient" directive to "require", add the directive if it does not exist.

OHS must have the SSLCARevocationFile and SSLCRLCheck directives within each SSL-enabled VirtualHost directive set to perform RFC 5280-compliant certification path validation when using single certification revocation.
IA-5 - Medium - CCI-000185 - V-221483 - SV-221483r415134_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000185
Version
OH12-1X-000249
Vuln IDs
  • V-221483
  • V-64425
Rule IDs
  • SV-221483r415134_rule
  • SV-78915
A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.
Checks: C-23198r415132_chk

1. If using a single certificate revocation list file for revocation checks that is < 1 MB in size, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive.
2. Search for the "SSLCARevocationFile" and "SSLCRLCheck" directives at the OHS server and virtual host configuration scopes.
3. If these directives are omitted or set improperly, this is a finding.

Fix: F-23187r415133_fix

1. Place the certificate revocation list file within the wallet directory (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/keystores).
2. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive.
3. Search for the "SSLCARevocationFile" directive at the OHS server and virtual host configuration scopes.
4. Set the "SSLCARevocationFile" directive to the location (i.e., file within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the combined .crl file issued by the DoD CAs, add the directive if it does not exist.
5. Set the "SSLCRLCheck" directive to "On", add the directive if it does not exist.

OHS must have SSLCARevocationPath and SSLCRLCheck directives within each SSL-enabled VirtualHost directive set to perform RFC 5280-compliant certification path validation when using multiple certification revocation.
IA-5 - Medium - CCI-000185 - V-221484 - SV-221484r415137_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000185
Version
OH12-1X-000250
Vuln IDs
  • V-221484
  • V-64427
Rule IDs
  • SV-221484r415137_rule
  • SV-78917
A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.
Checks: C-23199r415135_chk

1. If using multiple certificate revocation list files for revocation checks, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive.
2. Search for the "SSLCARevocationPath" and "SSLCRLCheck" directives at the OHS server and virtual host configuration scopes.
3. If these directives are omitted or set improperly, this is a finding.

Fix: F-23188r415136_fix

1. Place the certificate revocation list files within the wallet directory (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/keystores).
2. After confirming that the Certificate Authorities that signed the certificate revocation list files are in the Oracle wallet, create the hash symbolic link files for each of the certificate revocation list files (e.g., $ORACLE_HOME/oracle_common/bin/orapki crl hash -crl $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/keystores/wallet/<my_base64.crl> -symlink $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/keystores/wallet -wallet $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/keystores/wallet).
3. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive.
4. Search for the "SSLCARevocationPath" directive at the OHS server and virtual host configuration scopes.
5. Set the "SSLCARevocationPath" directive to the path (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) that contains the hash symbolic links that point to the certificate revocation list files issued by the DoD CAs that are in Base64 format; add the directive if it does not exist.
6. Set the "SSLCRLCheck" directive to "On", add the directive if it does not exist.

OHS must be integrated with a tool such as Oracle Access Manager to enforce a client-side certificate revocation check through the OCSP protocol.
IA-5 - Medium - CCI-000185 - V-221485 - SV-221485r415140_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000185
Version
OH12-1X-000251
Vuln IDs
  • V-221485
  • V-64429
Rule IDs
  • SV-221485r415140_rule
  • SV-78919
A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.
Checks: C-23200r415138_chk

1. Check whether a product such as Oracle Access Manager that could be used for authentication could also provide OCSP validation.
2. If not, this is a finding.

Fix: F-23189r415139_fix

1. Use a product such as Oracle Access Manager for authentication.
2. Implement OCSP validation within that product.

OHS must have the LoadModule ossl_module directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
IA-7 - Medium - CCI-000803 - V-221486 - SV-221486r415143_rule
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
OH12-1X-000253
Vuln IDs
  • V-221486
  • V-64431
Rule IDs
  • SV-221486r415143_rule
  • SV-78921
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS 140-2 is the current standard for validating cryptographic modules and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules. The web server must provide FIPS-compliant encryption modules when storing encrypted data and configuration settings.
Checks: C-23201r415141_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope.
3. If the directive is omitted, this is a finding.
4. Validate that the file specified exists. If the file does not exist, this is a finding.

Fix: F-23190r415142_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope.
3. Set the "LoadModule ossl_module" directive to ""${PRODUCT_HOME}/modules/mod_ossl.so"", add the directive if it does not exist.

OHS must have the SSLFIPS directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
IA-7 - Medium - CCI-000803 - V-221487 - SV-221487r415146_rule
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
OH12-1X-000254
Vuln IDs
  • V-221487
  • V-64433
Rule IDs
  • SV-221487r415146_rule
  • SV-78923
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS 140-2 is the current standard for validating cryptographic modules and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules. The web server must provide FIPS-compliant encryption modules when storing encrypted data and configuration settings.
Checks: C-23202r415144_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for the "SSLFIPS" directive at the OHS server configuration scope.
3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-23191r415145_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for the "SSLFIPS" directive at the OHS server configuration scope.
3. Set the "SSLFIPS" directive to "On", add the directive if it does not exist.

OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
IA-7 - Medium - CCI-000803 - V-221488 - SV-221488r415149_rule
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
OH12-1X-000255
Vuln IDs
  • V-221488
  • V-64435
Rule IDs
  • SV-221488r415149_rule
  • SV-78925
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS 140-2 is the current standard for validating cryptographic modules and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules. The web server must provide FIPS-compliant encryption modules when storing encrypted data and configuration settings.
Checks: C-23203r415147_chk

1. As required, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that requires an SSL-enabled "<VirtualHost>" directive with an editor. Note: Does not apply to admin.conf.
2. Search for the following directives at the OHS server, virtual host, and/or directory configuration scopes: "SSLEngine", "SSLProtocol", "SSLWallet".
3. If any of these directives are omitted, this is a finding.
4. If "SSLEngine" is not set to "On" or "SSLProtocol" is not set to "TLS versions 1.1 and greater", this is a finding.
5. Validate that the folder specified in the "SSLWallet" directive exists. If the folder does not exist or does not contain a valid wallet, this is a finding.

Fix: F-23192r415148_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that requires an SSL-enabled "<VirtualHost>" directive with an editor. Note: Does not apply to admin.conf.
2a. Search for the "SSLEngine" directive at the OHS server, virtual host, and/or directory configuration scopes.
2b. Set the "SSLEngine" directive to "On"; add the directive if it does not exist.
3a. Search for the "SSLProtocol" directive at the OHS server configuration, virtual host, and/or directory levels.
3b. Set the "SSLProtocol" directive to "TLSv1.2 TLSv1.1"; add the directive if it does not exist.
4a. Search for the "SSLWallet" directive at the OHS server configuration, virtual host, and/or directory levels.
4b. Set the "SSLWallet" directive to the location (i.e., a folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES encryption (-compat_v12 parameters) that contains only the identity certificate for the host and the DoD Certificate Authorities; add the directive if it does not exist.

b
OHS must have the SSLCipherSuite directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
IA-7 - Medium - CCI-000803 - V-221489 - SV-221489r415152_rule
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
OH12-1X-000256
Vuln IDs
  • V-221489
  • V-64437
Rule IDs
  • SV-221489r415152_rule
  • SV-78927
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS 140-2 is the current standard for validating cryptographic modules and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules. The web server must provide FIPS-compliant encryption modules when storing encrypted data and configuration settings.
Checks: C-23204r415150_chk

1. As required, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that requires an SSL-enabled "<VirtualHost>" directive with an editor.
2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes.
3. If the directive is omitted or set improperly, this is a finding.

Fix: F-23193r415151_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that requires an SSL-enabled "<VirtualHost>" directive with an editor.
2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes.
3. Set the "SSLCipherSuite" directive to "SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,RSA_WITH_AES_128_CBC_SHA256,RSA_WITH_AES_256_CBC_SHA256,RSA_WITH_AES_128_GCM_SHA256,RSA_WITH_AES_256_GCM_SHA384,ECDHE_ECDSA_WITH_AES_128_CBC_SHA,ECDHE_ECDSA_WITH_AES_256_CBC_SHA,ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,ECDHE_RSA_WITH_AES_128_CBC_SHA,ECDHE_RSA_WITH_AES_256_CBC_SHA"; add the directive if it does not exist.
Note: Ciphers may be removed from the list above per the organization's requirements or if vulnerabilities are found with a specific cipher.

b
OHS must have the LoadModule ossl_module directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
IA-7 - Medium - CCI-000803 - V-221490 - SV-221490r415155_rule
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
OH12-1X-000257
Vuln IDs
  • V-221490
  • V-64439
Rule IDs
  • SV-221490r415155_rule
  • SV-78929
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS 140-2 is the current standard for validating cryptographic modules and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules. The web server must provide FIPS-compliant encryption modules when authenticating users and processes.
Checks: C-23205r415153_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope.
3. If the directive is omitted, this is a finding.
4. Validate that the file specified exists. If the file does not exist, this is a finding.

Fix: F-23194r415154_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope.
3. Set the "LoadModule ossl_module" directive to the quoted path "${PRODUCT_HOME}/modules/mod_ossl.so"; add the directive if it does not exist.

b
OHS must have the SSLFIPS directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
IA-7 - Medium - CCI-000803 - V-221491 - SV-221491r415158_rule
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
OH12-1X-000258
Vuln IDs
  • V-221491
  • V-64441
Rule IDs
  • SV-221491r415158_rule
  • SV-78931
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS 140-2 is the current standard for validating cryptographic modules and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules. The web server must provide FIPS-compliant encryption modules when authenticating users and processes.
Checks: C-23206r415156_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for the "SSLFIPS" directive at the OHS server configuration scope.
3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-23195r415157_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for the "SSLFIPS" directive at the OHS server configuration scope.
3. Set the "SSLFIPS" directive to "On"; add the directive if it does not exist.

b
OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
IA-7 - Medium - CCI-000803 - V-221492 - SV-221492r415161_rule
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
OH12-1X-000259
Vuln IDs
  • V-221492
  • V-64443
Rule IDs
  • SV-221492r415161_rule
  • SV-78933
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS 140-2 is the current standard for validating cryptographic modules and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules. The web server must provide FIPS-compliant encryption modules when authenticating users and processes.
Checks: C-23207r415159_chk

1. As required, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that requires an SSL-enabled "<VirtualHost>" directive with an editor. Note: Does not apply to admin.conf.
2. Search for the following directives at the OHS server, virtual host, and/or directory configuration scopes: "SSLEngine", "SSLProtocol", "SSLWallet".
3. If any of these directives are omitted, this is a finding.
4. If "SSLEngine" is not set to "On" or "SSLProtocol" is not set to "TLS versions 1.1 and greater", this is a finding.
5. Validate that the folder specified in the "SSLWallet" directive exists. If the folder does not exist or does not contain a valid wallet, this is a finding.

Fix: F-23196r415160_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that requires an SSL-enabled "<VirtualHost>" directive with an editor. Note: Does not apply to admin.conf.
2a. Search for the "SSLEngine" directive at the OHS server, virtual host, and/or directory configuration scopes.
2b. Set the "SSLEngine" directive to "On"; add the directive if it does not exist.
3a. Search for the "SSLProtocol" directive at the OHS server configuration, virtual host, and/or directory levels.
3b. Set the "SSLProtocol" directive to "TLSv1.2 TLSv1.1"; add the directive if it does not exist.
4a. Search for the "SSLWallet" directive at the OHS server configuration, virtual host, and/or directory levels.
4b. Set the "SSLWallet" directive to the location (i.e., a folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES encryption (-compat_v12 parameters) that contains only the identity certificate for the host and the DoD Certificate Authorities; add the directive if it does not exist.

b
OHS must have the SSLCipherSuite directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
IA-7 - Medium - CCI-000803 - V-221493 - SV-221493r415164_rule
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
OH12-1X-000260
Vuln IDs
  • V-221493
  • V-64445
Rule IDs
  • SV-221493r415164_rule
  • SV-78935
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS 140-2 is the current standard for validating cryptographic modules and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules. The web server must provide FIPS-compliant encryption modules when authenticating users and processes.
Checks: C-23208r415162_chk

1. As required, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that requires an SSL-enabled "<VirtualHost>" directive with an editor.
2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes.
3. If the directive is omitted or set improperly, this is a finding.

Fix: F-23197r415163_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that requires an SSL-enabled "<VirtualHost>" directive with an editor.
2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes.
3. Set the "SSLCipherSuite" directive to "SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,RSA_WITH_AES_128_CBC_SHA256,RSA_WITH_AES_256_CBC_SHA256,RSA_WITH_AES_128_GCM_SHA256,RSA_WITH_AES_256_GCM_SHA384,ECDHE_ECDSA_WITH_AES_128_CBC_SHA,ECDHE_ECDSA_WITH_AES_256_CBC_SHA,ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,ECDHE_RSA_WITH_AES_128_CBC_SHA,ECDHE_RSA_WITH_AES_256_CBC_SHA"; add the directive if it does not exist.
Note: Ciphers may be removed from the list above per the organization's requirements or if vulnerabilities are found with a specific cipher.

b
OHS utilizing mobile code must meet DoD-defined mobile code requirements.
SC-18 - Medium - CCI-001166 - V-221494 - SV-221494r415167_rule
RMF Control
SC-18
Severity
M
CCI
CCI-001166
Version
OH12-1X-000265
Vuln IDs
  • V-221494
  • V-64447
Rule IDs
  • SV-221494r415167_rule
  • SV-78937
Mobile code in hosted applications allows the developer to add functionality and displays to hosted applications that are fluid, as opposed to a static web page. The data presentation becomes more appealing to the user, is easier to analyze, and navigation through the hosted application and data is much less complicated. Some mobile code technologies in use in today's applications are: Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. The DoD has created policies that define the usage of mobile code on DoD systems. The usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on organizational servers and mobile code downloaded and executed on individual workstations. The web server may host applications that contain mobile code and therefore, must meet the DoD-defined requirements regarding the deployment and/or use of mobile code. This includes digitally signing applets in order to provide a means for the client to establish application authenticity.
Checks: C-23209r415165_chk

1. Check to see whether OHS is hosting any applications that use mobile code.
2. If so, check that the mobile code follows DoD policies regarding the acquisition, development, and/or use of mobile code.
3. If not, this is a finding.

Fix: F-23198r415166_fix

Ensure that any mobile code used by any of the applications hosted on OHS follows DoD policies regarding its acquisition, development, and/or use.

c
OHS accounts accessing the directory tree, the shell, or other operating system functions and utilities must only be administrative accounts.
SC-2 - High - CCI-001082 - V-221495 - SV-221495r415170_rule
RMF Control
SC-2
Severity
H
CCI
CCI-001082
Version
OH12-1X-000266
Vuln IDs
  • V-221495
  • V-64449
Rule IDs
  • SV-221495r415170_rule
  • SV-78939
As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server. The resources to which these accounts have access must also be closely monitored and controlled. Only the system administrator needs access to all the system's capabilities, while the web administrator and associated staff require access and control of the web content and web server configuration files.
Checks: C-23210r415168_chk

1. Get a list of OS accounts, with associated privileges, from the System Administrator.
2. Confirm that all accounts and privileges are needed and documented.
3. If not, this is a finding.

Fix: F-23199r415169_fix

Remove any accounts and privileges that are unnecessary for OHS to run or for other functionality provided by the server.

b
OHS must have the DocumentRoot directive set to a separate partition from the OHS system files.
SC-3 - Medium - CCI-001084 - V-221496 - SV-221496r415173_rule
RMF Control
SC-3
Severity
M
CCI
CCI-001084
Version
OH12-1X-000281
Vuln IDs
  • V-221496
  • V-64451
Rule IDs
  • SV-221496r415173_rule
  • SV-78941
A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To allow a client access to system files of any type is a major security risk that is entirely avoidable. Obtaining such access is the goal of directory traversal and URL manipulation vulnerabilities. To facilitate such access by misconfiguring the web document (home) directory is a serious error. In addition, having the path on the same drive as the system folder compounds potential attacks such as drive space exhaustion.
Checks: C-23211r415171_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or set improperly, this is a finding.
4. Validate that the directory specified exists. If the directory does not exist, this is a finding.

Fix: F-23200r415172_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes.
3. Set the "DocumentRoot" directive to a location that is on a separate drive from the $ORACLE_HOME and $DOMAIN_HOME directories.

b
OHS must have the Directory directive accompanying the DocumentRoot directive set to a separate partition from the OHS system files.
SC-3 - Medium - CCI-001084 - V-221497 - SV-221497r810872_rule
RMF Control
SC-3
Severity
M
CCI
CCI-001084
Version
OH12-1X-000282
Vuln IDs
  • V-221497
  • V-64453
Rule IDs
  • SV-221497r810872_rule
  • SV-78943
A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To allow a client access to system files of any type is a major security risk that is entirely avoidable. Obtaining such access is the goal of directory traversal and URL manipulation vulnerabilities. To facilitate such access by misconfiguring the web document (home) directory is a serious error. In addition, having the path on the same drive as the system folder compounds potential attacks such as drive space exhaustion.
Checks: C-23212r810870_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for a "<Directory "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/htdocs">" directive or a "<Directory>" directive pointing to the location of the directory specified in the "DocumentRoot" directive at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or set improperly, this is a finding.
4. Validate that the directory specified exists. If the directory does not exist, this is a finding.

Fix: F-23201r810871_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for a "<Directory "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/htdocs">" directive or a "<Directory>" directive pointing to the location of the directory specified in the "DocumentRoot" directive at the OHS server and virtual host configuration scopes.
3. Set the "<Directory>" directive to the location specified in the "DocumentRoot" directive; add the directive along with the appropriate enclosed directives if it does not exist.

b
OHS must have the Timeout directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SC-5 - Medium - CCI-001094 - V-221498 - SV-221498r415179_rule
RMF Control
SC-5
Severity
M
CCI
CCI-001094
Version
OH12-1X-000283
Vuln IDs
  • V-221498
  • V-64455
Rule IDs
  • SV-221498r415179_rule
  • SV-78945
A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used to limit the ability of the web server being used in a DoS attack is bandwidth throttling.
Checks: C-23213r415177_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "Timeout" directive at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or set greater than 30, this is a finding.
Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

Fix: F-23202r415178_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "Timeout" directive at the OHS server and virtual host configuration scopes.
3. Set the "Timeout" directive to a value of "30"; add the directive if it does not exist.
Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

b
OHS must have the KeepAlive directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SC-5 - Medium - CCI-001094 - V-221499 - SV-221499r415182_rule
RMF Control
SC-5
Severity
M
CCI
CCI-001094
Version
OH12-1X-000284
Vuln IDs
  • V-221499
  • V-64457
Rule IDs
  • SV-221499r415182_rule
  • SV-78947
A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used to limit the ability of the web server being used in a DoS attack is bandwidth throttling.
Checks: C-23214r415180_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "KeepAlive" directive at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-23203r415181_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "KeepAlive" directive at the OHS server and virtual host configuration scopes.
3. Set the "KeepAlive" directive to a value of "On"; add the directive if it does not exist.

b
OHS must have the KeepAliveTimeout properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SC-5 - Medium - CCI-001094 - V-221500 - SV-221500r415185_rule
RMF Control
SC-5
Severity
M
CCI
CCI-001094
Version
OH12-1X-000285
Vuln IDs
  • V-221500
  • V-64459
Rule IDs
  • SV-221500r415185_rule
  • SV-78949
A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used to limit the ability of the web server being used in a DoS attack is bandwidth throttling.
Checks: C-23215r415183_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "KeepAliveTimeout" directive at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or is set greater than 5, this is a finding.

Fix: F-23204r415184_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "KeepAliveTimeout" directive at the OHS server and virtual host configuration scopes.
3. Set the "KeepAliveTimeout" directive to a value of "5"; add the directive if it does not exist.

b
OHS must have the MaxKeepAliveRequests directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SC-5 - Medium - CCI-001094 - V-221501 - SV-221501r415188_rule
RMF Control
SC-5
Severity
M
CCI
CCI-001094
Version
OH12-1X-000286
Vuln IDs
  • V-221501
  • V-64461
Rule IDs
  • SV-221501r415188_rule
  • SV-78951
A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used to limit the ability of the web server being used in a DoS attack is bandwidth throttling.
Checks: C-23216r415186_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "MaxKeepAliveRequests" directive at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or is set greater than 500, this is a finding.

Fix: F-23205r415187_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "MaxKeepAliveRequests" directive at the OHS server and virtual host configuration scopes.
3. Set the "MaxKeepAliveRequests" directive to a value of "500"; add the directive if it does not exist.

b
OHS must have the ListenBacklog properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SC-5 - Medium - CCI-001094 - V-221502 - SV-221502r415191_rule
RMF Control
SC-5
Severity
M
CCI
CCI-001094
Version
OH12-1X-000287
Vuln IDs
  • V-221502
  • V-64463
Rule IDs
  • SV-221502r415191_rule
  • SV-78953
A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used to limit the ability of the web server being used in a DoS attack is bandwidth throttling.
Checks: C-23217r415189_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "ListenBacklog" directive at the OHS server configuration scope.
3. If the directive is omitted or set less than the value of the Maximum Syn Connection Backlog network parameter of the OS, this is a finding.

Fix: F-23206r415190_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "ListenBacklog" directive at the OHS server configuration scope.
3. Set the "ListenBacklog" directive to a value equal to the Maximum Syn Connection Backlog network parameter of the OS; add the directive if it does not exist.

b
OHS must have the LimitRequestBody directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SC-5 - Medium - CCI-001094 - V-221503 - SV-221503r415194_rule
RMF Control
SC-5
Severity
M
CCI
CCI-001094
Version
OH12-1X-000288
Vuln IDs
  • V-221503
  • V-64465
Rule IDs
  • SV-221503r415194_rule
  • SV-78955
A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used to limit the ability of the web server being used in a DoS attack is bandwidth throttling.
Checks: C-23218r415192_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "LimitRequestBody" directive at the OHS server, virtual host, and directory configuration scopes.
3. If the directive is omitted or is set greater than 10240, this is a finding.
Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

Fix: F-23207r415193_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "LimitRequestBody" directive at the OHS server, virtual host, and directory configuration scopes.
3. Set the "LimitRequestBody" directive to a value of "10240"; add the directive if it does not exist.
Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

b
OHS must have the LimitRequestFields directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SC-5 - Medium - CCI-001094 - V-221504 - SV-221504r415197_rule
RMF Control
SC-5
Severity
M
CCI
CCI-001094
Version
OH12-1X-000289
Vuln IDs
  • V-221504
  • V-64467
Rule IDs
  • SV-221504r415197_rule
  • SV-78957
A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used to limit the ability of the web server being used in a DoS attack is bandwidth throttling.
Checks: C-23219r415195_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "LimitRequestFields" directive at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or is set greater than 40, this is a finding.
Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

Fix: F-23208r415196_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "LimitRequestFields" directive at the OHS server and virtual host configuration scopes.
3. Set the "LimitRequestFields" directive to a value of "40"; add the directive if it does not exist.
Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

b
OHS must have the LimitRequestFieldSize directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SC-5 - Medium - CCI-001094 - V-221505 - SV-221505r415200_rule
RMF Control
SC-5
Severity
M
CCI
CCI-001094
Version
OH12-1X-000290
Vuln IDs
  • V-221505
  • V-64469
Rule IDs
  • SV-221505r415200_rule
  • SV-78959
A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used to limit the ability of the web server being used in a DoS attack is bandwidth throttling.
Checks: C-23220r415198_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "LimitRequestFieldSize" directive at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or is set greater than 1024, this is a finding.
Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

Fix: F-23209r415199_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "LimitRequestFieldSize" directive at the OHS server and virtual host configuration scopes.
3. Set the "LimitRequestFieldSize" directive to a value of "1024"; add the directive if it does not exist.
Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

b
OHS must have the LimitRequestLine directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SC-5 - Medium - CCI-001094 - V-221506 - SV-221506r415203_rule
RMF Control
SC-5
Severity
M
CCI
CCI-001094
Version
OH12-1X-000291
Vuln IDs
  • V-221506
  • V-64471
Rule IDs
  • SV-221506r415203_rule
  • SV-78961
A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used to limit the ability of the web server being used in a DoS attack is bandwidth throttling.
Checks: C-23221r415201_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "LimitRequestLine" directive at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or is set greater than 512, this is a finding.
Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

Fix: F-23210r415202_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "LimitRequestLine" directive at the OHS server and virtual host configuration scopes.
3. Set the "LimitRequestLine" directive to a value of "512"; add the directive if it does not exist.
Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

b
OHS must have the LimitXMLRequestBody directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SC-5 - Medium - CCI-001094 - V-221507 - SV-221507r415206_rule
RMF Control
SC-5
Severity
M
CCI
CCI-001094
Version
OH12-1X-000292
Vuln IDs
  • V-221507
  • V-64473
Rule IDs
  • SV-221507r415206_rule
  • SV-78963
A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used to limit the ability of the web server being used in a DoS attack is bandwidth throttling.
Checks: C-23222r415204_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "LimitXMLRequestBody" directive at the OHS server and virtual host configuration scopes.
3. If the directive is omitted or is set greater than 10240, this is a finding.
Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

Fix: F-23211r415205_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "LimitXMLRequestBody" directive at the OHS server and virtual host configuration scopes.
3. Set the "LimitXMLRequestBody" directive to a value of "10240"; add the directive if it does not exist.
Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

b
OHS must have the LimitInternalRecursion directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SC-5 - Medium - CCI-001094 - V-221508 - SV-221508r415209_rule
RMF Control
SC-5
Severity
M
CCI
CCI-001094
Version
OH12-1X-000293
Vuln IDs
  • V-221508
  • V-64475
Rule IDs
  • SV-221508r415209_rule
  • SV-78965
A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used to limit the ability of the web server being used in a DoS attack is bandwidth throttling.
Checks: C-23223r415207_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "LimitInternalRecursion" directive at the server, virtual host, and directory configuration scopes.
3. If the "LimitInternalRecursion" directive is omitted or is set greater than 55, this is a finding.

Fix: F-23212r415208_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "LimitInternalRecursion" directive at the server and virtual host configuration scopes.
3. Set the "LimitInternalRecursion" directive to "55"; add the directive if it does not exist.

b
OHS must have the LoadModule ossl_module directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
SC-23 - Medium - CCI-002470 - V-221513 - SV-221513r415220_rule
RMF Control
SC-23
Severity
M
CCI
CCI-002470
Version
OH12-1X-000298
Vuln IDs
  • V-221513
  • V-64517
Rule IDs
  • SV-221513r415220_rule
  • SV-79007
Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security controls and identity vetting procedures risk being compromised and issuing certificates that enable adversaries to impersonate legitimate users.
Checks: C-23228r415218_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope.
3. If the directive is omitted, this is a finding.
4. Validate that the file specified exists. If the file does not exist, this is a finding.

Fix: F-23217r415219_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope.
3. Set the "LoadModule ossl_module" directive to "${PRODUCT_HOME}/modules/mod_ossl.so" (i.e., the line LoadModule ossl_module "${PRODUCT_HOME}/modules/mod_ossl.so"); add the directive if it does not exist.

b
OHS must have the SSLFIPS directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
SC-23 - Medium - CCI-002470 - V-221514 - SV-221514r415223_rule
RMF Control
SC-23
Severity
M
CCI
CCI-002470
Version
OH12-1X-000299
Vuln IDs
  • V-221514
  • V-64519
Rule IDs
  • SV-221514r415223_rule
  • SV-79009
Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security controls and identity vetting procedures risk being compromised and issuing certificates that enable adversaries to impersonate legitimate users.
Checks: C-23229r415221_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for the "SSLFIPS" directive at the OHS server configuration scope.
3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-23218r415222_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for the "SSLFIPS" directive at the OHS server configuration scope.
3. Set the "SSLFIPS" directive to "On"; add the directive if it does not exist.

b
OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
SC-23 - Medium - CCI-002470 - V-221515 - SV-221515r415226_rule
RMF Control
SC-23
Severity
M
CCI
CCI-002470
Version
OH12-1X-000300
Vuln IDs
  • V-221515
  • V-64521
Rule IDs
  • SV-221515r415226_rule
  • SV-79011
Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security controls and identity vetting procedures risk being compromised and issuing certificates that enable adversaries to impersonate legitimate users.
Checks: C-23230r415224_chk

1. As required, open with an editor every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that requires an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf.
2. Search for the following directives at the OHS server, virtual host, and/or directory configuration scopes: "SSLEngine", "SSLProtocol", "SSLWallet".
3. If any of these directives are omitted, this is a finding.
4. If "SSLEngine" is not set to "On" or "SSLProtocol" is not set to TLS versions 1.1 and greater, this is a finding.
5. Validate that the folder specified in the "SSLWallet" directive exists. If the folder does not exist or does not contain a valid wallet, this is a finding.

Fix: F-23219r415225_fix

1. Open with an editor every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that requires an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf.
2a. Search for the "SSLEngine" directive at the OHS server, virtual host, and/or directory configuration scopes.
2b. Set the "SSLEngine" directive to "On"; add the directive if it does not exist.
3a. Search for the "SSLProtocol" directive at the OHS server configuration, virtual host, and/or directory levels.
3b. Set the "SSLProtocol" directive to "TLSv1.2 TLSv1.1"; add the directive if it does not exist. Note: TLS 1.1 has since been deprecated (RFC 8996); where every client supports TLS 1.2, "TLSv1.2" alone also satisfies the check, since it permits only versions 1.1 and greater.
4a. Search for the "SSLWallet" directive at the OHS server configuration, virtual host, and/or directory levels.
4b. Set the "SSLWallet" directive to the location (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES Encryption (-compat_v12 parameters) that contains only the identity certificate for the host and DoD Certificate Authorities; add the directive if it does not exist.

b
OHS must have the SSLCipherSuite directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
SC-23 - Medium - CCI-002470 - V-221516 - SV-221516r415229_rule
RMF Control
SC-23
Severity
M
CCI
CCI-002470
Version
OH12-1X-000301
Vuln IDs
  • V-221516
  • V-64523
Rule IDs
  • SV-221516r415229_rule
  • SV-79013
Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security controls and identity vetting procedures risk being compromised and issuing certificates that enable adversaries to impersonate legitimate users.
Checks: C-23231r415227_chk

1. As required, open with an editor every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that requires an SSL-enabled "<VirtualHost>" directive.
2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes.
3. If the directive is omitted or set improperly, this is a finding.

Fix: F-23220r415228_fix

1. Open with an editor every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that requires an SSL-enabled "<VirtualHost>" directive.
2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes.
3. Set the "SSLCipherSuite" directive to "SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,RSA_WITH_AES_128_CBC_SHA256,RSA_WITH_AES_256_CBC_SHA256,RSA_WITH_AES_128_GCM_SHA256,RSA_WITH_AES_256_GCM_SHA384,ECDHE_ECDSA_WITH_AES_128_CBC_SHA,ECDHE_ECDSA_WITH_AES_256_CBC_SHA,ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,ECDHE_RSA_WITH_AES_128_CBC_SHA,ECDHE_RSA_WITH_AES_256_CBC_SHA"; add the directive if it does not exist.
Note: Ciphers may be removed from the list above per the organization's requirements or if vulnerabilities are found with a specific cipher. The two 3DES suites (SSL_RSA_WITH_3DES_EDE_CBC_SHA and ECDHE_RSA_WITH_3DES_EDE_CBC_SHA) are the usual first candidates, since 3DES's 64-bit block size exposes long-lived TLS sessions to the Sweet32 birthday attack (CVE-2016-2183); the static RSA key-exchange suites (the SSL_RSA_WITH_* and RSA_WITH_* entries) provide no forward secrecy, so the ECDHE suites should be preferred where clients allow.

b
OHS must have the SSLVerifyClient directive enabled to only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
SC-23 - Medium - CCI-002470 - V-221517 - SV-221517r415232_rule
RMF Control
SC-23
Severity
M
CCI
CCI-002470
Version
OH12-1X-000302
Vuln IDs
  • V-221517
  • V-64525
Rule IDs
  • SV-221517r415232_rule
  • SV-79015
Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security controls and identity vetting procedures risk being compromised and issuing certificates that enable adversaries to impersonate legitimate users.
Checks: C-23232r415230_chk

1. Open with an editor every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that requires an SSL-enabled "<VirtualHost>" directive.
2. Search for the "SSLVerifyClient" directive at the OHS server, virtual host, and/or directory configuration scopes.
3. If this directive is omitted or is not set to "require", this is a finding.

Fix: F-23221r415231_fix

1. Open with an editor every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that requires an SSL-enabled "<VirtualHost>" directive.
2. Search for the "SSLVerifyClient" directive at the OHS server, virtual host, and/or directory configuration scopes.
3. Set the "SSLVerifyClient" directive to "require"; add the directive if it does not exist.

b
OHS must use wallets that have only DoD certificate authorities defined.
SC-23 - Medium - CCI-002470 - V-221518 - SV-221518r415235_rule
RMF Control
SC-23
Severity
M
CCI
CCI-002470
Version
OH12-1X-000303
Vuln IDs
  • V-221518
  • V-64527
Rule IDs
  • SV-221518r415235_rule
  • SV-79017
Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security controls and identity vetting procedures risk being compromised and issuing certificates that enable adversaries to impersonate legitimate users.
Checks: C-23233r415233_chk

1. Go to the location of the OHS keystores (e.g., cd $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/keystores).
2. For each wallet directory located there, do the following:
a) Issue the command "$ORACLE_HOME/oracle_common/bin/orapki wallet display -wallet <wallet_directory>".
b) Confirm that only the appropriate DoD Certificate Authorities are listed as Trusted Certificates.
3. If any of the Trusted Certificates are not appropriate DoD Certificate Authorities, this is a finding.

Fix: F-23222r415234_fix

1. Go to the location of the OHS keystores (e.g., cd $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/keystores).
2. For each wallet directory located there, do the following:
a) Issue the command "$ORACLE_HOME/oracle_common/bin/orapki wallet display -wallet <wallet_directory>".
b) Remove each Trusted Certificate from the wallet that is not an appropriate DoD Certificate Authority with the command "$ORACLE_HOME/oracle_common/bin/orapki wallet remove -wallet <wallet_directory> -dn <dn_of_the_trusted_certificate> -trusted_cert".
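The check and fix above depend on reading the orapki display output by eye for every wallet. The Python below is an added example (not Oracle's or DISA's code) that parses that output, compares the Trusted Certificates section against a site-approved list of DoD CA subject DNs, and emits the orapki remove command from the fix for each certificate that should not be there. The sample display output and its subject names are constructed for this example, the layout assumed for orapki's output (a "Trusted Certificates:" header followed by "Subject:" lines) should be confirmed against your own installation, and APPROVED_DOD_CAS is a placeholder for the list your ISSM/ISSO maintains.

```python
import shlex

# Constructed stand-in for the output of
#   $ORACLE_HOME/oracle_common/bin/orapki wallet display -wallet <wallet_directory>
# Section headers and "Subject:" lines follow orapki's layout (assumption);
# the certificate subjects are made up for this example.
SAMPLE_DISPLAY = """\
Oracle PKI Tool Release 12.1.3.0.0 - Production

Requested Certificates:
User Certificates:
Subject:        CN=ohs1.example.mil,OU=USAF,OU=PKI,OU=DoD,O=U.S. Government,C=US
Trusted Certificates:
Subject:        CN=DoD Root CA 3,OU=PKI,OU=DoD,O=U.S. Government,C=US
Subject:        CN=DOD ID CA-59,OU=PKI,OU=DoD,O=U.S. Government,C=US
Subject:        CN=Example Commercial Root,O=Example Trust Services,C=US
"""

# Placeholder for the site's ISSM/ISSO-approved DoD CA subjects.
APPROVED_DOD_CAS = [
    "CN=DoD Root CA 3,OU=PKI,OU=DoD,O=U.S. Government,C=US",
    "CN=DOD ID CA-59,OU=PKI,OU=DoD,O=U.S. Government,C=US",
]


def trusted_subjects(display_text):
    """Subject DNs listed under 'Trusted Certificates:'; the User Certificates section is skipped."""
    subjects, in_trusted = [], False
    for line in display_text.splitlines():
        if line.rstrip().endswith("Certificates:"):  # section header; only the Trusted one counts
            in_trusted = line.startswith("Trusted")
        elif in_trusted and line.startswith("Subject:"):
            subjects.append(line.split(":", 1)[1].strip())
    return subjects


def normalize_dn(dn):
    """Case- and whitespace-insensitive DN form for comparison (assumes no escaped commas in RDNs)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def unapproved_trusted(display_text, approved_dns):
    """Trusted certificates whose subject is not on the approved DoD CA list."""
    approved = {normalize_dn(dn) for dn in approved_dns}
    return [dn for dn in trusted_subjects(display_text) if normalize_dn(dn) not in approved]


def removal_commands(wallet_dir, dns, orapki="$ORACLE_HOME/oracle_common/bin/orapki"):
    """The orapki remove command from the fix text, one per unapproved trusted certificate."""
    return [f"{orapki} wallet remove -wallet {shlex.quote(wallet_dir)} -dn {shlex.quote(dn)} -trusted_cert"
            for dn in dns]


if __name__ == "__main__":
    to_remove = unapproved_trusted(SAMPLE_DISPLAY, APPROVED_DOD_CAS)
    for cmd in removal_commands("/u01/keystores/default", to_remove):
        print(cmd)
```

Feed it the captured output of orapki wallet display for each wallet directory; the DNs are shell-quoted because DoD subject names contain spaces and commas. Review the generated commands before running them, and supply the wallet password as orapki requires for wallets that are not auto-login.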

b
OHS must be tuned to handle the operational requirements of the hosted application.
SC-5 - Medium - CCI-002385 - V-221519 - SV-221519r415238_rule
RMF Control
SC-5
Severity
M
CCI
CCI-002385
Version
OH12-1X-000307
Vuln IDs
  • V-221519
  • V-64529
Rule IDs
  • SV-221519r415238_rule
  • SV-79019
A Denial of Service (DoS) can occur when the web server is so overwhelmed that it can no longer respond to additional requests. A web server not properly tuned may become overwhelmed and cause a DoS condition even with expected traffic from users. To avoid a DoS, the web server must be tuned to handle the expected traffic for the hosted applications.
Checks: C-23234r415236_chk

1. Check to see if the following directives have been set appropriately for the server and application:
MaxClients
MPM Module -worker (StartServers, MinSpareThreads, MaxSpareThreads, ThreadsPerChild)
Timeout
KeepAlive
KeepAliveTimeout
MaxKeepAliveRequests
ListenBacklog
LimitRequestBody
LimitRequestFields
LimitRequestFieldSize
LimitRequestLine
LimitXMLRequestBody
LimitInternalRecursion
2. If the above directives have not been set to address the specific needs of the web server and applications, this is a finding.

Fix: F-23223r415237_fix

Set the following directives appropriately for the server and application:
MaxClients
MPM Module -worker (StartServers, MinSpareThreads, MaxSpareThreads, ThreadsPerChild)
Timeout
KeepAlive
KeepAliveTimeout
MaxKeepAliveRequests
ListenBacklog
LimitRequestBody
LimitRequestFields
LimitRequestFieldSize
LimitRequestLine
LimitXMLRequestBody
LimitInternalRecursion

c
OHS must have the LoadModule ossl_module directive enabled to prevent unauthorized disclosure of information during transmission.
SC-8 - High - CCI-002418 - V-221520 - SV-221520r415241_rule
RMF Control
SC-8
Severity
H
CCI
CCI-002418
Version
OH12-1X-000308
Vuln IDs
  • V-221520
  • V-64541
Rule IDs
  • SV-221520r415241_rule
  • SV-79031
Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). Transmission of data can take place between the web server and a large number of devices/applications external to the web server. Examples are a web client used by a user, a backend database, an audit server, or other web servers in a web cluster. If data is transmitted unencrypted, the data then becomes vulnerable to disclosure. The disclosure may reveal user identifier/password combinations, website code revealing business logic, or other user personal information.
Checks: C-23235r415239_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope.
3. If the directive is omitted, this is a finding.
4. Validate that the file specified exists. If the file does not exist, this is a finding.

Fix: F-23224r415240_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope.
3. Set the "LoadModule ossl_module" directive to "${PRODUCT_HOME}/modules/mod_ossl.so" (i.e., the line LoadModule ossl_module "${PRODUCT_HOME}/modules/mod_ossl.so"); add the directive if it does not exist.

c
OHS must have the SSLFIPS directive enabled to prevent unauthorized disclosure of information during transmission.
SC-8 - High - CCI-002418 - V-221521 - SV-221521r415244_rule
RMF Control
SC-8
Severity
H
CCI
CCI-002418
Version
OH12-1X-000309
Vuln IDs
  • V-221521
  • V-64543
Rule IDs
  • SV-221521r415244_rule
  • SV-79033
Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). Transmission of data can take place between the web server and a large number of devices/applications external to the web server. Examples are a web client used by a user, a backend database, an audit server, or other web servers in a web cluster. If data is transmitted unencrypted, the data then becomes vulnerable to disclosure. The disclosure may reveal user identifier/password combinations, website code revealing business logic, or other user personal information.
Checks: C-23236r415242_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for the "SSLFIPS" directive at the OHS server configuration scope.
3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-23225r415243_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for the "SSLFIPS" directive at the OHS server configuration scope.
3. Set the "SSLFIPS" directive to "On"; add the directive if it does not exist.

c
OHS must have the SSLEngine, SSLProtocol, SSLWallet directives enabled and configured to prevent unauthorized disclosure of information during transmission.
SC-8 - High - CCI-002418 - V-221522 - SV-221522r415247_rule
RMF Control
SC-8
Severity
H
CCI
CCI-002418
Version
OH12-1X-000310
Vuln IDs
  • V-221522
  • V-64545
Rule IDs
  • SV-221522r415247_rule
  • SV-79035
Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). Transmission of data can take place between the web server and a large number of devices/applications external to the web server. Examples are a web client used by a user, a backend database, an audit server, or other web servers in a web cluster. If data is transmitted unencrypted, the data then becomes vulnerable to disclosure. The disclosure may reveal user identifier/password combinations, website code revealing business logic, or other user personal information.
Checks: C-23237r415245_chk

1. Open with an editor every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that requires an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf.
2. Search for the following directives at the OHS server, virtual host, and/or directory configuration scopes: "SSLEngine", "SSLProtocol", "SSLWallet".
3. If any of these directives are omitted, this is a finding.
4. If "SSLEngine" is not set to "On" or "SSLProtocol" is not set to TLS versions 1.1 and greater, this is a finding.
5. Validate that the folder specified in the "SSLWallet" directive exists. If the folder does not exist or does not contain a valid wallet, this is a finding.

Fix: F-23226r415246_fix

1. Open with an editor every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that requires an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf.
2a. Search for the "SSLEngine" directive at the OHS server, virtual host, and/or directory configuration scopes.
2b. Set the "SSLEngine" directive to "On"; add the directive if it does not exist.
3a. Search for the "SSLProtocol" directive at the OHS server configuration, virtual host, and/or directory levels.
3b. Set the "SSLProtocol" directive to "TLSv1.2 TLSv1.1"; add the directive if it does not exist.
4a. Search for the "SSLWallet" directive at the OHS server configuration, virtual host, and/or directory levels.
4b. Set the "SSLWallet" directive to the location (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES Encryption (-compat_v12 parameters) that contains only the identity certificate for the host and DoD Certificate Authorities; add the directive if it does not exist.

c
OHS must have the SSLCipherSuite directive enabled to prevent unauthorized disclosure of information during transmission.
SC-8 - High - CCI-002418 - V-221523 - SV-221523r415250_rule
RMF Control
SC-8
Severity
H
CCI
CCI-002418
Version
OH12-1X-000311
Vuln IDs
  • V-221523
  • V-64547
Rule IDs
  • SV-221523r415250_rule
  • SV-79037
Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). Transmission of data can take place between the web server and a large number of devices/applications external to the web server. Examples are a web client used by a user, a backend database, an audit server, or other web servers in a web cluster. If data is transmitted unencrypted, the data then becomes vulnerable to disclosure. The disclosure may reveal user identifier/password combinations, website code revealing business logic, or other user personal information.
Checks: C-23238r415248_chk

1. Open with an editor every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that requires an SSL-enabled "<VirtualHost>" directive.
2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes.
3. If the directive is omitted or set improperly, this is a finding.

Fix: F-23227r415249_fix

1. Open with an editor every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that requires an SSL-enabled "<VirtualHost>" directive.
2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes.
3. Set the "SSLCipherSuite" directive to "SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,RSA_WITH_AES_128_CBC_SHA256,RSA_WITH_AES_256_CBC_SHA256,RSA_WITH_AES_128_GCM_SHA256,RSA_WITH_AES_256_GCM_SHA384,ECDHE_ECDSA_WITH_AES_128_CBC_SHA,ECDHE_ECDSA_WITH_AES_256_CBC_SHA,ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,ECDHE_RSA_WITH_AES_128_CBC_SHA,ECDHE_RSA_WITH_AES_256_CBC_SHA"; add the directive if it does not exist.
Note: Ciphers may be removed from the list above per the organization's requirements or if vulnerabilities are found with a specific cipher.

b
If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the SecureProxy directive enabled to prevent unauthorized disclosure of information during transmission.
SC-8 - Medium - CCI-002418 - V-221524 - SV-221524r415253_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002418
Version
OH12-1X-000312
Vuln IDs
  • V-221524
  • V-64549
Rule IDs
  • SV-221524r415253_rule
  • SV-79039
Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). Transmission of data can take place between the web server and a large number of devices/applications external to the web server. Examples are a web client used by a user, a backend database, an audit server, or other web servers in a web cluster. If data is transmitted unencrypted, the data then becomes vulnerable to disclosure. The disclosure may reveal user identifier/password combinations, website code revealing business logic, or other user personal information.
Checks: C-23239r415251_chk

If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL:
1. Open with an editor every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that contains an SSL-enabled "<VirtualHost>" directive.
2. Search for the "SecureProxy" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope.
3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-23228r415252_fix

1. Open with an editor every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that contains an SSL-enabled "<VirtualHost>" directive.
2. Search for the "SecureProxy" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope.
3. Set the "SecureProxy" directive to "On"; add the directive if it does not exist.

b
OHS must have the WLSSLWallet directive enabled to prevent unauthorized disclosure of information during transmission.
SC-8 - Medium - CCI-002418 - V-221525 - SV-221525r415256_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002418
Version
OH12-1X-000313
Vuln IDs
  • V-221525
  • V-64551
Rule IDs
  • SV-221525r415256_rule
  • SV-79041
Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). Transmission of data can take place between the web server and a large number of devices/applications external to the web server. Examples are a web client used by a user, a backend database, an audit server, or other web servers in a web cluster. If data is transmitted unencrypted, the data then becomes vulnerable to disclosure. The disclosure may reveal user identifier/password combinations, website code revealing business logic, or other user personal information.
Checks: C-23240r415254_chk

If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL:
1. Open with an editor every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that contains an SSL-enabled "<VirtualHost>" directive.
2. Search for the "WLSSLWallet" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope.
3. If the directive is omitted or is not set to a valid wallet folder, this is a finding.

Fix: F-23229r415255_fix

1. Open with an editor every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that contains an SSL-enabled "<VirtualHost>" directive.
2. Search for the "WLSSLWallet" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope.
3. Set the "WLSSLWallet" directive to the location (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES Encryption (-compat_v12 parameters) that contains the certificate chain served by the WebLogic host/port combination; add the directive if it does not exist.

b
If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the WebLogicSSLVersion directive enabled to prevent unauthorized disclosure of information during transmission.
SC-8 - Medium - CCI-002418 - V-221526 - SV-221526r415259_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002418
Version
OH12-1X-000314
Vuln IDs
  • V-221526
  • V-64553
Rule IDs
  • SV-221526r415259_rule
  • SV-79043
Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). Transmission of data can take place between the web server and a large number of devices/applications external to the web server. Examples are a web client used by a user, a backend database, an audit server, or other web servers in a web cluster. If data is transmitted unencrypted, the data then becomes vulnerable to disclosure. The disclosure may reveal user identifier/password combinations, website code revealing business logic, or other user personal information.
Checks: C-23241r415257_chk

If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL:
1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that contains an SSL-enabled "<VirtualHost>" directive.
2. Search for the "WebLogicSSLVersion" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope.
3. If the directive is omitted or is not set to "TLS versions 1.0 and greater", this is a finding.

Fix: F-23230r415258_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that contains an SSL-enabled "<VirtualHost>" directive.
2. Search for the "WebLogicSSLVersion" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope.
3. Set the "WebLogicSSLVersion" directive to "TLSv1_2 TLSv1_1 TLSv1"; add the directive if it does not exist.

If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS, OHS must have the WLProxySSL directive enabled to prevent unauthorized disclosure of information during transmission.
SC-8 - Medium - CCI-002418 - V-221527 - SV-221527r415262_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002418
Version
OH12-1X-000315
Vuln IDs
  • V-221527
  • V-64555
Rule IDs
  • SV-221527r415262_rule
  • SV-79045
Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). Transmission of data can take place between the web server and a large number of devices/applications external to the web server. Examples are a web client used by a user, a backend database, an audit server, or other web servers in a web cluster. If data is transmitted unencrypted, the data then becomes vulnerable to disclosure. The disclosure may reveal user identifier/password combinations, website code revealing business logic, or other user personal information.
Checks: C-23242r415260_chk

If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS:
1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that contains an SSL-enabled "<VirtualHost>" directive.
2. Search for the "WLProxySSL" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope.
3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-23231r415261_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that contains an SSL-enabled "<VirtualHost>" directive.
2. Search for the "WLProxySSL" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope.
3. Set the "WLProxySSL" directive to "On"; add the directive if it does not exist.

OHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
SC-8 - Medium - CCI-002418 - V-221528 - SV-221528r415265_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002418
Version
OH12-1X-000320
Vuln IDs
  • V-221528
  • V-64557
Rule IDs
  • SV-221528r415265_rule
  • SV-79047
Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 defines the approved TLS versions for government applications.
Checks: C-23243r415263_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope.
3. If the directive is omitted, this is a finding.
4. Validate that the file specified exists. If the file does not exist, this is a finding.

Fix: F-23232r415264_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope.
3. Set the "LoadModule ossl_module" directive to ""${PRODUCT_HOME}/modules/mod_ossl.so""; add the directive if it does not exist.

OHS must have the SSLFIPS directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
SC-8 - Medium - CCI-002418 - V-221529 - SV-221529r415268_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002418
Version
OH12-1X-000321
Vuln IDs
  • V-221529
  • V-64559
Rule IDs
  • SV-221529r415268_rule
  • SV-79049
Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 defines the approved TLS versions for government applications.
Checks: C-23244r415266_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for the "SSLFIPS" directive at the OHS server configuration scope.
3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-23233r415267_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for the "SSLFIPS" directive at the OHS server configuration scope.
3. Set the "SSLFIPS" directive to "On"; add the directive if it does not exist.

OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
SC-8 - Medium - CCI-002418 - V-221530 - SV-221530r415271_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002418
Version
OH12-1X-000322
Vuln IDs
  • V-221530
  • V-64561
Rule IDs
  • SV-221530r415271_rule
  • SV-79051
Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 defines the approved TLS versions for government applications.
Checks: C-23245r415269_chk

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf.
2. Search for the following directives at the OHS server, virtual host, and/or directory configuration scopes: "SSLEngine", "SSLProtocol", "SSLWallet".
3. If any of these directives are omitted, this is a finding.
4. If "SSLEngine" is not set to "On" or "SSLProtocol" is not set to "TLS versions 1.1 and greater", this is a finding.
5. Validate that the folder specified in the "SSLWallet" directive exists. If the folder does not exist or does not contain a valid wallet, this is a finding.

Fix: F-23234r415270_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf.
2a. Search for the "SSLEngine" directive at the OHS server, virtual host, and/or directory configuration scopes.
2b. Set the "SSLEngine" directive to "On"; add the directive if it does not exist.
3a. Search for the "SSLProtocol" directive at the OHS server configuration, virtual host, and/or directory levels.
3b. Set the "SSLProtocol" directive to "TLSv1.2 TLSv1.1"; add the directive if it does not exist.
4a. Search for the "SSLWallet" directive at the OHS server configuration, virtual host, and/or directory levels.
4b. Set the "SSLWallet" directive to the location (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES Encryption (-compat_v12 parameters) that contains only the identity certificate for the host and DoD Certificate Authorities; add the directive if it does not exist.

OHS must have the SSLCipherSuite directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
SC-8 - Medium - CCI-002418 - V-221531 - SV-221531r415274_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002418
Version
OH12-1X-000323
Vuln IDs
  • V-221531
  • V-64563
Rule IDs
  • SV-221531r415274_rule
  • SV-79053
Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 defines the approved TLS versions for government applications.
Checks: C-23246r415272_chk

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive.
2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes.
3. If the directive is omitted or set improperly, this is a finding.

Fix: F-23235r415273_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive.
2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes.
3. Set the "SSLCipherSuite" directive to "SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,RSA_WITH_AES_128_CBC_SHA256,RSA_WITH_AES_256_CBC_SHA256,RSA_WITH_AES_128_GCM_SHA256,RSA_WITH_AES_256_GCM_SHA384,ECDHE_ECDSA_WITH_AES_128_CBC_SHA,ECDHE_ECDSA_WITH_AES_256_CBC_SHA,ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,ECDHE_RSA_WITH_AES_128_CBC_SHA,ECDHE_RSA_WITH_AES_256_CBC_SHA"; add the directive if it does not exist.
Note: Ciphers may be removed from the list above per the organization's requirements or if vulnerabilities are found with a specific cipher.

OHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
SC-8 - Medium - CCI-002420 - V-221532 - SV-221532r415277_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002420
Version
OH12-1X-000324
Vuln IDs
  • V-221532
  • V-64565
Rule IDs
  • SV-221532r415277_rule
  • SV-79055
Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. An example of this would be an SMTP queue. This queue may be added to a web server through an SMTP module to enhance error reporting or to allow developers to add SMTP functionality to their applications. Any modules used by the web server that queue data before transmission must maintain the confidentiality and integrity of the information before the data is transmitted.
Checks: C-23247r415275_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope.
3. If the directive is omitted, this is a finding.
4. Validate that the file specified exists. If the file does not exist, this is a finding.

Fix: F-23236r415276_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope.
3. Set the "LoadModule ossl_module" directive to ""${PRODUCT_HOME}/modules/mod_ossl.so""; add the directive if it does not exist.

OHS must have the SSLFIPS directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
SC-8 - Medium - CCI-002420 - V-221533 - SV-221533r415280_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002420
Version
OH12-1X-000325
Vuln IDs
  • V-221533
  • V-64567
Rule IDs
  • SV-221533r415280_rule
  • SV-79057
Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. An example of this would be an SMTP queue. This queue may be added to a web server through an SMTP module to enhance error reporting or to allow developers to add SMTP functionality to their applications. Any modules used by the web server that queue data before transmission must maintain the confidentiality and integrity of the information before the data is transmitted.
Checks: C-23248r415278_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for the "SSLFIPS" directive at the OHS server configuration scope.
3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-23237r415279_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for the "SSLFIPS" directive at the OHS server configuration scope.
3. Set the "SSLFIPS" directive to "On"; add the directive if it does not exist.

OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality and integrity of information during preparation for transmission.
SC-8 - Medium - CCI-002420 - V-221534 - SV-221534r415283_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002420
Version
OH12-1X-000326
Vuln IDs
  • V-221534
  • V-64569
Rule IDs
  • SV-221534r415283_rule
  • SV-79059
Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. An example of this would be an SMTP queue. This queue may be added to a web server through an SMTP module to enhance error reporting or to allow developers to add SMTP functionality to their applications. Any modules used by the web server that queue data before transmission must maintain the confidentiality and integrity of the information before the data is transmitted.
Checks: C-23249r415281_chk

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf.
2. Search for the following directives at the OHS server, virtual host, and/or directory configuration scopes: "SSLEngine", "SSLProtocol", "SSLWallet".
3. If any of these directives are omitted, this is a finding.
4. If "SSLEngine" is not set to "On" or "SSLProtocol" is not set to "TLS versions 1.1 and greater", this is a finding.
5. Validate that the folder specified in the "SSLWallet" directive exists. If the folder does not exist or does not contain a valid wallet, this is a finding.

Fix: F-23238r415282_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf.
2a. Search for the "SSLEngine" directive at the OHS server, virtual host, and/or directory configuration scopes.
2b. Set the "SSLEngine" directive to "On"; add the directive if it does not exist.
3a. Search for the "SSLProtocol" directive at the OHS server configuration, virtual host, and/or directory levels.
3b. Set the "SSLProtocol" directive to "TLSv1.2 TLSv1.1"; add the directive if it does not exist.
4a. Search for the "SSLWallet" directive at the OHS server configuration, virtual host, and/or directory levels.
4b. Set the "SSLWallet" directive to the location (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES Encryption (-compat_v12 parameters) that contains only the identity certificate for the host and DoD Certificate Authorities; add the directive if it does not exist.

OHS must have the SSLCipherSuite directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
SC-8 - Medium - CCI-002420 - V-221535 - SV-221535r415286_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002420
Version
OH12-1X-000327
Vuln IDs
  • V-221535
  • V-64571
Rule IDs
  • SV-221535r415286_rule
  • SV-79061
Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. An example of this would be an SMTP queue. This queue may be added to a web server through an SMTP module to enhance error reporting or to allow developers to add SMTP functionality to their applications. Any modules used by the web server that queue data before transmission must maintain the confidentiality and integrity of the information before the data is transmitted.
Checks: C-23250r415284_chk

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive.
2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes.
3. If the directive is omitted or set improperly, this is a finding.

Fix: F-23239r415285_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive.
2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes.
3. Set the "SSLCipherSuite" directive to "SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,RSA_WITH_AES_128_CBC_SHA256,RSA_WITH_AES_256_CBC_SHA256,RSA_WITH_AES_128_GCM_SHA256,RSA_WITH_AES_256_GCM_SHA384,ECDHE_ECDSA_WITH_AES_128_CBC_SHA,ECDHE_ECDSA_WITH_AES_256_CBC_SHA,ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,ECDHE_RSA_WITH_AES_128_CBC_SHA,ECDHE_RSA_WITH_AES_256_CBC_SHA"; add the directive if it does not exist.
Note: Ciphers may be removed from the list above per the organization's requirements or if vulnerabilities are found with a specific cipher.

If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the SecureProxy directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
SC-8 - Medium - CCI-002420 - V-221536 - SV-221536r415289_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002420
Version
OH12-1X-000328
Vuln IDs
  • V-221536
  • V-64573
Rule IDs
  • SV-221536r415289_rule
  • SV-79063
Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. An example of this would be an SMTP queue. This queue may be added to a web server through an SMTP module to enhance error reporting or to allow developers to add SMTP functionality to their applications. Any modules used by the web server that queue data before transmission must maintain the confidentiality and integrity of the information before the data is transmitted.
Checks: C-23251r415287_chk

If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL:
1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that contains an SSL-enabled "<VirtualHost>" directive.
2. Search for the "SecureProxy" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope.
3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-23240r415288_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that contains an SSL-enabled "<VirtualHost>" directive.
2. Search for the "SecureProxy" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope.
3. Set the "SecureProxy" directive to "On"; add the directive if it does not exist.

If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the WLSSLWallet directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
SC-8 - Medium - CCI-002420 - V-221537 - SV-221537r415292_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002420
Version
OH12-1X-000329
Vuln IDs
  • V-221537
  • V-64575
Rule IDs
  • SV-221537r415292_rule
  • SV-79065
Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. An example of this would be an SMTP queue. This queue may be added to a web server through an SMTP module to enhance error reporting or to allow developers to add SMTP functionality to their applications. Any modules used by the web server that queue data before transmission must maintain the confidentiality and integrity of the information before the data is transmitted.
Checks: C-23252r415290_chk

If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL:
1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that contains an SSL-enabled "<VirtualHost>" directive.
2. Search for the "WLSSLWallet" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope.
3. If the directive is omitted or is not set to a valid wallet folder, this is a finding.

Fix: F-23241r415291_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that contains an SSL-enabled "<VirtualHost>" directive.
2. Search for the "WLSSLWallet" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope.
3. Set the "WLSSLWallet" directive to the location (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES Encryption (-compat_v12 parameters) that contains the certificate chain served by the WebLogic host/port combination; add the directive if it does not exist.

If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS, OHS must have the WLProxySSL directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
SC-8 - Medium - CCI-002420 - V-221538 - SV-221538r415295_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002420
Version
OH12-1X-000330
Vuln IDs
  • V-221538
  • V-64577
Rule IDs
  • SV-221538r415295_rule
  • SV-79067
Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. An example of this would be an SMTP queue. This queue may be added to a web server through an SMTP module to enhance error reporting or to allow developers to add SMTP functionality to their applications. Any modules used by the web server that queue data before transmission must maintain the confidentiality and integrity of the information before the data is transmitted.
Checks: C-23253r415293_chk

If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS:
1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that contains an SSL-enabled "<VirtualHost>" directive.
2. Search for the "WLProxySSL" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope.
3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-23242r415294_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that contains an SSL-enabled "<VirtualHost>" directive.
2. Search for the "WLProxySSL" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope.
3. Set the "WLProxySSL" directive to "On"; add the directive if it does not exist.

OHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality and integrity of information during reception.
SC-8 - Medium - CCI-002422 - V-221539 - SV-221539r415298_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002422
Version
OH12-1X-000331
Vuln IDs
  • V-221539
  • V-64579
Rule IDs
  • SV-221539r415298_rule
  • SV-79069
Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Protecting the confidentiality and integrity of received information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPsec tunnel. The web server must utilize approved encryption when receiving transmitted data.
Checks: C-23254r415296_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope.
3. If the directive is omitted, this is a finding.
4. Validate that the file specified exists. If the file does not exist, this is a finding.

Fix: F-23243r415297_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope.
3. Set the "LoadModule ossl_module" directive to ""${PRODUCT_HOME}/modules/mod_ossl.so""; add the directive if it does not exist.

OHS must have the SSLFIPS directive enabled to maintain the confidentiality and integrity of information during reception.
SC-8 - Medium - CCI-002422 - V-221540 - SV-221540r415301_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002422
Version
OH12-1X-000332
Vuln IDs
  • V-221540
  • V-64581
Rule IDs
  • SV-221540r415301_rule
  • SV-79071
Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Protecting the confidentiality and integrity of received information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPsec tunnel. The web server must utilize approved encryption when receiving transmitted data.
Checks: C-23255r415299_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for the "SSLFIPS" directive at the OHS server configuration scope.
3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-23244r415300_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for the "SSLFIPS" directive at the OHS server configuration scope.
3. Set the "SSLFIPS" directive to "On"; add the directive if it does not exist.

OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality and integrity of information during reception.
SC-8 - Medium - CCI-002422 - V-221541 - SV-221541r415304_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002422
Version
OH12-1X-000333
Vuln IDs
  • V-221541
  • V-64583
Rule IDs
  • SV-221541r415304_rule
  • SV-79073
Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Protecting the confidentiality and integrity of received information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPsec tunnel. The web server must utilize approved encryption when receiving transmitted data.
Checks: C-23256r415302_chk

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf.
2. Search for the following directives at the OHS server, virtual host, and/or directory configuration scopes: "SSLEngine", "SSLProtocol", "SSLWallet".
3. If any of these directives are omitted, this is a finding.
4. If "SSLEngine" is not set to "On" or "SSLProtocol" is not set to "TLS versions 1.1 and greater", this is a finding.
5. Validate that the folder specified in the "SSLWallet" directive exists. If the folder does not exist or does not contain a valid wallet, this is a finding.

Fix: F-23245r415303_fix

1. Open, with an editor, every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that contains an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf.
2a. Search for the "SSLEngine" directive at the OHS server, virtual host, and/or directory configuration scopes.
2b. Set the "SSLEngine" directive to "On", add the directive if it does not exist.
3a. Search for the "SSLProtocol" directive at the OHS server configuration, virtual host, and/or directory levels.
3b. Set the "SSLProtocol" directive to "TLSv1.2 TLSv1.1", add the directive if it does not exist.
4a. Search for the "SSLWallet" directive at the OHS server configuration, virtual host, and/or directory levels.
4b. Set the "SSLWallet" directive to the location (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES Encryption (-compat_v12 parameters) that contains only the identity certificate for the host and DoD Certificate Authorities, add the directive if it does not exist.

OHS must have the SSLCipherSuite directive enabled to maintain the confidentiality and integrity of information during reception.
SC-8 - Medium - CCI-002422 - V-221542 - SV-221542r415307_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002422
Version
OH12-1X-000334
Vuln IDs
  • V-221542
  • V-64585
Rule IDs
  • SV-221542r415307_rule
  • SV-79075
Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Protecting the confidentiality and integrity of received information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPsec tunnel. The web server must utilize approved encryption when receiving transmitted data.
Checks: C-23257r415305_chk

1. Open, with an editor, every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that contains an SSL-enabled "<VirtualHost>" directive.
2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes.
3. If the directive is omitted or set improperly, this is a finding.

Fix: F-23246r415306_fix

1. Open, with an editor, every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that contains an SSL-enabled "<VirtualHost>" directive.
2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes.
3. Set the "SSLCipherSuite" directive to "SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,RSA_WITH_AES_128_CBC_SHA256,RSA_WITH_AES_256_CBC_SHA256,RSA_WITH_AES_128_GCM_SHA256,RSA_WITH_AES_256_GCM_SHA384,ECDHE_ECDSA_WITH_AES_128_CBC_SHA,ECDHE_ECDSA_WITH_AES_256_CBC_SHA,ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,ECDHE_RSA_WITH_AES_128_CBC_SHA,ECDHE_RSA_WITH_AES_256_CBC_SHA", add the directive if it does not exist.
Note: Ciphers may be removed from the list above per the organization's requirements or if vulnerabilities are found with a specific cipher.

If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the SSLSecureProxy directive enabled to maintain the confidentiality and integrity of information during reception.
SC-8 - Medium - CCI-002422 - V-221543 - SV-221543r415310_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002422
Version
OH12-1X-000335
Vuln IDs
  • V-221543
  • V-64587
Rule IDs
  • SV-221543r415310_rule
  • SV-79077
Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Protecting the confidentiality and integrity of received information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPsec tunnel. The web server must utilize approved encryption when receiving transmitted data.
Checks: C-23258r415308_chk

If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL:
1. Open, with an editor, every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that contains an SSL-enabled "<VirtualHost>" directive.
2. Search for the "SecureProxy" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope.
3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-23247r415309_fix

1. Open, with an editor, every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that contains an SSL-enabled "<VirtualHost>" directive.
2. Search for the "SecureProxy" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope.
3. Set the "SecureProxy" directive to "On", add the directive if it does not exist.

If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the WLSSLWallet directive enabled to maintain the confidentiality and integrity of information during reception.
SC-8 - Medium - CCI-002422 - V-221544 - SV-221544r415313_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002422
Version
OH12-1X-000336
Vuln IDs
  • V-221544
  • V-64589
Rule IDs
  • SV-221544r415313_rule
  • SV-79079
Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Protecting the confidentiality and integrity of received information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPsec tunnel. The web server must utilize approved encryption when receiving transmitted data.
Checks: C-23259r415311_chk

If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL:
1. Open, with an editor, every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that contains an SSL-enabled "<VirtualHost>" directive.
2. Search for the "WLSSLWallet" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope.
3. If the directive is omitted or is not set to a valid wallet folder, this is a finding.

Fix: F-23248r415312_fix

1. Open, with an editor, every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that contains an SSL-enabled "<VirtualHost>" directive.
2. Search for the "WLSSLWallet" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope.
3. Set the "WLSSLWallet" directive to the location (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES Encryption (-compat_v12 parameters) that contains the certificate chain served by the WebLogic host/port combination, add the directive if it does not exist.

If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS, OHS must have the WLProxySSL directive enabled to maintain the confidentiality and integrity of information during reception.
SC-8 - Medium - CCI-002422 - V-221545 - SV-221545r415316_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002422
Version
OH12-1X-000337
Vuln IDs
  • V-221545
  • V-64591
Rule IDs
  • SV-221545r415316_rule
  • SV-79081
Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Protecting the confidentiality and integrity of received information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPsec tunnel. The web server must utilize approved encryption when receiving transmitted data.
Checks: C-23260r415314_chk

If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS:
1. Open, with an editor, every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that contains an SSL-enabled "<VirtualHost>" directive.
2. Search for the "WLProxySSL" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope.
3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-23249r415315_fix

1. Open, with an editor, every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf that contains an SSL-enabled "<VirtualHost>" directive.
2. Search for the "WLProxySSL" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope.
3. Set the "WLProxySSL" directive to "On", add the directive if it does not exist.
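The checks for V-221541 through V-221545 above can be automated over the included .conf files. The Python script below is an added example; it is not part of the STIG and not Oracle's tooling. It flattens an Apache-style configuration into scoped directives while following Include, resolves values inherited from an enclosing scope (the "server, virtual host, and/or directory" scopes the check text names), and reports a finding for every scope with SSLEngine On whose SSLProtocol admits anything below TLS 1.1, whose SSLWallet folder is missing, or whose SSLCipherSuite contains a suite outside the V-221542 list. The sample configuration, the wallet paths and the SSL_RSA_WITH_RC4_128_MD5 suite are constructed; glob Includes and ${VAR} expansion are not handled; and treating WLProxySSL On as the SSL-termination case (anything else as end-to-end SSL, requiring SecureProxy On and a valid WLSSLWallet) is this example's own assumption.

```python
import os

# Constructed sample (not a real OHS instance): httpd.conf includes ssl.conf, which holds two
# SSL virtual hosts; the second one is deliberately misconfigured.
SAMPLE_FILES = {
    "httpd.conf": "ServerName ohs1\nInclude ssl.conf\n",
    "ssl.conf": """
SSLProtocol TLSv1.2 TLSv1.1
SSLCipherSuite ECDHE_RSA_WITH_AES_256_CBC_SHA,RSA_WITH_AES_256_GCM_SHA384
<VirtualHost *:4443>
  SSLEngine On
  SSLWallet "/u01/ohs/keystores/default"
  <IfModule weblogic_module>
    SecureProxy On
    WLSSLWallet "/u01/ohs/keystores/wls"
  </IfModule>
</VirtualHost>
<VirtualHost *:4444>
  SSLEngine On
  SSLProtocol TLSv1.2 SSLv3
  SSLCipherSuite RSA_WITH_AES_256_GCM_SHA384,SSL_RSA_WITH_RC4_128_MD5
  SSLWallet "/u01/ohs/keystores/missing"
</VirtualHost>
""",
}
EXISTING_WALLETS = {"/u01/ohs/keystores/default", "/u01/ohs/keystores/wls"}  # constructed

# Approved suites copied from the V-221542 fix text; "TLS 1.1 and greater" from the V-221541 check.
APPROVED_CIPHERS = set((
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,"
    "RSA_WITH_AES_128_CBC_SHA256,RSA_WITH_AES_256_CBC_SHA256,RSA_WITH_AES_128_GCM_SHA256,"
    "RSA_WITH_AES_256_GCM_SHA384,ECDHE_ECDSA_WITH_AES_128_CBC_SHA,ECDHE_ECDSA_WITH_AES_256_CBC_SHA,"
    "ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,"
    "ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
    "ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,ECDHE_RSA_WITH_AES_128_CBC_SHA,ECDHE_RSA_WITH_AES_256_CBC_SHA"
).split(","))
ALLOWED_PROTOCOLS = {"TLSv1.1", "TLSv1.2"}


def parse_config(files, name, scope=(), out=None):
    """Flatten Apache-style config into (scope, directive, value) tuples, following Include.
    `scope` is the tuple of enclosing container headers, e.g. ('VirtualHost *:4443',)."""
    out = [] if out is None else out
    stack = [scope]
    for raw in files[name].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):                       # closing container
            stack.pop()
        elif line.startswith("<"):                      # opening container
            stack.append(stack[-1] + (line[1:-1].strip(),))
        else:
            parts = line.split(None, 1)
            directive = parts[0]
            value = parts[1].strip().strip('"') if len(parts) > 1 else ""
            if directive.lower() == "include":
                parse_config(files, value, stack[-1], out)   # no glob support (constructed sample)
            else:
                out.append((stack[-1], directive, value))
    return out


def lookup(entries, scope, directive):
    """Value of `directive` at `scope`, else at the nearest enclosing scope (Apache inheritance)."""
    for depth in range(len(scope), -1, -1):
        for s, d, v in entries:
            if s == scope[:depth] and d.lower() == directive.lower():
                return v
    return None


def audit_weblogic(entries, scope, wallet_exists):
    """Plug-in directives inside <IfModule weblogic_module> of an SSL vhost (V-221543..V-221545).
    Assumption: WLProxySSL On means SSL terminates at OHS; otherwise end-to-end SSL is expected."""
    local = {d.lower(): v for s, d, v in entries if s == scope + ("IfModule weblogic_module",)}
    if not local or local.get("wlproxyssl", "").lower() == "on":
        return []                                       # plug-in absent, or termination at OHS
    findings = []
    if local.get("secureproxy", "").lower() != "on":
        findings.append(("SecureProxy", local.get("secureproxy")))
    if "wlsslwallet" not in local or not wallet_exists(local["wlsslwallet"]):
        findings.append(("WLSSLWallet", local.get("wlsslwallet")))
    return findings


def audit_ssl(entries, wallet_exists=os.path.isdir):
    """(scope label, directive, offending value) for every scope with SSLEngine On."""
    findings = []
    for scope in sorted({s for s, d, v in entries if d == "SSLEngine" and v.lower() == "on"}):
        label = scope[-1] if scope else "server"
        proto = lookup(entries, scope, "SSLProtocol")
        if proto is None or not set(proto.split()) <= ALLOWED_PROTOCOLS:
            findings.append((label, "SSLProtocol", proto))
        wallet = lookup(entries, scope, "SSLWallet")
        if wallet is None or not wallet_exists(wallet):
            findings.append((label, "SSLWallet", wallet))
        ciphers = lookup(entries, scope, "SSLCipherSuite")
        bad = sorted(set(ciphers.split(",")) - APPROVED_CIPHERS) if ciphers else []
        if ciphers is None or bad:
            findings.append((label, "SSLCipherSuite", ",".join(bad) or None))
        findings += [(label, d, v) for d, v in audit_weblogic(entries, scope, wallet_exists)]
    return findings


def demo():
    entries = parse_config(SAMPLE_FILES, "httpd.conf")
    return audit_ssl(entries, wallet_exists=lambda p: p in EXISTING_WALLETS)


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

On a live instance, read the files from $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ into the dictionary and keep the default os.path.isdir wallet check; the 4443 host in the sample passes only because it inherits the server-scope SSLProtocol and SSLCipherSuite, which is exactly the inheritance the check text tells the reviewer to consider.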

OHS must display a default hosted application web page, not a directory listing, when a requested web page cannot be found.
SI-11 - Low - CCI-001312 - V-221546 - SV-221546r415319_rule
RMF Control
SI-11
Severity
L
CCI
CCI-001312
Version
OH12-1X-000346
Vuln IDs
  • V-221546
  • V-64477
Rule IDs
  • SV-221546r415319_rule
  • SV-78967
The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor in accomplishing this end. Enumeration techniques, such as URL parameter manipulation, rely upon being able to obtain information about the web server's directory structure by locating directories without default pages. In that scenario, the web server displays to the user a listing of the files in the directory being accessed. By having a default hosted application web page, the anonymous web user will not obtain directory browsing information or an error message that reveals the server type and version.
Checks: C-23261r415317_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "DocumentRoot" directives at the server and virtual host configuration scopes.
3. Go to the location specified as the value for each "DocumentRoot" directive (e.g., cd $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs1/htdocs).
4. Check for the existence of an index.html file in the directory specified as the "DocumentRoot" and in each of its subdirectories (e.g., find . -type d, find . -type f -name index.html, cat index.html).
5. If an index.html file is not found, or there is content in the file that is irrelevant to the website, this is a finding.

Fix: F-23250r415318_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "DocumentRoot" directives at the server and virtual host configuration scopes.
3. Go to the location specified as the value for each "DocumentRoot" directive (e.g., cd $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs1/htdocs) and its subdirectories.
4. Create a standard or empty index.html file (e.g., echo > index.html) in the directory specified for "DocumentRoot" and any subdirectories it may have.
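The walk over the DocumentRoot tree in steps 3 and 4 of the V-221546 check and fix, written out as an added Python example (not part of the STIG and not Oracle's tooling). document_roots() pulls every DocumentRoot value out of a configuration text with a single regular expression, dirs_missing_index() lists each directory under a root that has no index.html, and create_missing_index() applies the STIG's empty-file fix. The htdocs tree in demo() is constructed in a temporary directory; the script cannot judge whether an existing index.html is "irrelevant to the website", which remains a manual step.

```python
import os
import re
import tempfile

DOCROOT_RE = re.compile(r'^\s*DocumentRoot\s+"?([^"\s]+)"?', re.M)


def document_roots(conf_text):
    """Every DocumentRoot value in the text, server scope and virtual hosts alike (check step 2)."""
    return DOCROOT_RE.findall(conf_text)


def dirs_missing_index(document_root):
    """DocumentRoot-relative paths ('.' is the root itself) of every directory without an index.html."""
    missing = []
    for dirpath, dirnames, filenames in os.walk(document_root):
        dirnames.sort()                               # deterministic traversal order
        if "index.html" not in filenames:
            missing.append(os.path.relpath(dirpath, document_root))
    return sorted(missing)


def create_missing_index(document_root):
    """Fix step 4: write an empty index.html (the STIG's `echo > index.html`) wherever one is missing.
    Returns the directories that were fixed."""
    fixed = dirs_missing_index(document_root)
    for rel in fixed:
        with open(os.path.join(document_root, rel, "index.html"), "w") as fh:
            fh.write("\n")
    return fixed


def demo():
    """Constructed htdocs tree: only 'css/fonts' and 'images' lack an index page."""
    root = tempfile.mkdtemp(prefix="htdocs-")
    for rel in ("css", "css/fonts", "images"):
        os.makedirs(os.path.join(root, rel))
    for rel in (".", "css"):
        open(os.path.join(root, rel, "index.html"), "w").close()
    before = dirs_missing_index(root)
    fixed = create_missing_index(root)
    return before, fixed, dirs_missing_index(root)


if __name__ == "__main__":
    print(demo())
```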

OHS must have the ServerSignature directive disabled.
SI-11 - Medium - CCI-001312 - V-221547 - SV-221547r415322_rule
RMF Control
SI-11
Severity
M
CCI
CCI-001312
Version
OH12-1X-000347
Vuln IDs
  • V-221547
  • V-64479
Rule IDs
  • SV-221547r415322_rule
  • SV-78969
Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or modules being used. Web servers will often display error messages to client users displaying enough information to aid in the debugging of the error. The information given back in error messages may display the web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage. This information could be used by an attacker to blueprint what type of attacks might be successful. The information given to users must be minimized to not aid in the blueprinting of the web server.
Checks: C-23262r415320_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "ServerSignature" directive at the OHS server, virtual host, and directory configuration scopes.
3. If the directive is omitted or is not set to "Off", this is a finding.

Fix: F-23251r415321_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "ServerSignature" directive at the OHS server, virtual host, and directory configuration scopes.
3. Set the "ServerSignature" directive to a value of "Off", add the directive if it does not exist.

OHS must have the ServerTokens directive set to limit the response header.
SI-11 - Low - CCI-001312 - V-221548 - SV-221548r415325_rule
RMF Control
SI-11
Severity
L
CCI
CCI-001312
Version
OH12-1X-000348
Vuln IDs
  • V-221548
  • V-64481
Rule IDs
  • SV-221548r415325_rule
  • SV-78971
Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or modules being used. Web servers will often display error messages to client users displaying enough information to aid in the debugging of the error. The information given back in error messages may display the web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage. This information could be used by an attacker to blueprint what type of attacks might be successful. The information given to users must be minimized to not aid in the blueprinting of the web server.
Checks: C-23263r415323_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "ServerTokens" directive at the OHS server configuration scope.
3. If the directive is omitted or is not set to "Custom DoD-Web-Server", this is a finding.

Fix: F-23252r415324_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "ServerTokens" directive at the OHS server configuration scope.
3. Set the "ServerTokens" directive to a value of "Custom DoD-Web-Server", add the directive if it does not exist.

OHS must have the Alias /error directive defined to reference the directory accompanying the ErrorDocument directives to minimize the identity of OHS, patches, loaded modules, and directory paths in warning and error messages displayed to clients.
SI-11 - Medium - CCI-001312 - V-221549 - SV-221549r415328_rule
RMF Control
SI-11
Severity
M
CCI
CCI-001312
Version
OH12-1X-000349
Vuln IDs
  • V-221549
  • V-64483
Rule IDs
  • SV-221549r415328_rule
  • SV-78973
Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or modules being used. Web servers will often display error messages to client users displaying enough information to aid in the debugging of the error. The information given back in error messages may display the web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage. This information could be used by an attacker to blueprint what type of attacks might be successful. The information given to users must be minimized to not aid in the blueprinting of the web server.
Checks: C-23264r415326_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "Alias /error/ "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/error/"" directive at the OHS server and virtual host configuration scopes.
3. If the directive is omitted, this is a finding.
4. Validate that the folder where the directive is pointing is valid. If the folder is not valid, this is a finding.

Fix: F-23253r415327_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "Alias /error/ "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/error/"" directive at the OHS server and virtual host configuration scopes.
3. Set the "Alias" directive to "/error/ "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/error/"", add the directive if it does not exist.

OHS must have the permissions set properly via the Directory directive accompanying the ErrorDocument directives to minimize improper access to the warning and error messages displayed to clients.
SI-11 - Medium - CCI-001312 - V-221550 - SV-221550r415331_rule
RMF Control
SI-11
Severity
M
CCI
CCI-001312
Version
OH12-1X-000350
Vuln IDs
  • V-221550
  • V-64485
Rule IDs
  • SV-221550r415331_rule
  • SV-78975
Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or modules being used. Web servers will often display error messages to client users displaying enough information to aid in the debugging of the error. The information given back in error messages may display the web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage. This information could be used by an attacker to blueprint what type of attacks might be successful. The information given to users must be minimized to not aid in the blueprinting of the web server.
Checks: C-23265r415329_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "<Directory "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/error">" directive at the OHS server and virtual host configuration scopes.
3. If the directive is omitted, this is a finding.
4. Validate that the folder where the directive is pointing is valid. If the folder is not valid, this is a finding.

Fix: F-23254r415330_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "<Directory "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/error">" directive at the OHS server and virtual host configuration scopes.
3. Set the "<Directory>" directive to ""${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/error"", add the directive if it does not exist.
4. Within that "<Directory>" directive, set the following directives, adding each if it does not exist:
4a. "AllowOverride" to "None".
4b. "Options" to "None".
4c. "Order" to "allow, deny".
4d. "Allow" to "from all".
4e. "<LimitExcept>" to "GET POST".
4e1. Within the "<LimitExcept GET POST>" directive, set the "Deny" directive to "from all", add the directive if it does not exist.

OHS must have defined error pages for common error codes that minimize the identity of the web server, patches, loaded modules, and directory paths.
SI-11 - Low - CCI-001312 - V-221551 - SV-221551r415334_rule
RMF Control
SI-11
Severity
L
CCI
CCI-001312
Version
OH12-1X-000351
Vuln IDs
  • V-221551
  • V-64487
Rule IDs
  • SV-221551r415334_rule
  • SV-78977
Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or modules being used. Web servers will often display error messages to client users displaying enough information to aid in the debugging of the error. The information given back in error messages may display the web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage. This information could be used by an attacker to blueprint what type of attacks might be successful. The information given to users must be minimized to not aid in the blueprinting of the web server.
Checks: C-23266r415332_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for "ErrorDocument" directives at the OHS server, virtual host, and directory configuration scopes.
3. If the directives are omitted or set improperly for HTTP errors 400, 401, 403 - 405, 408, 410 - 415, 500 - 503, or 506, this is a finding.
4. Validate that the folder and files where the "ErrorDocument" directives are pointing are valid. If the folder or file is not valid, this is a finding.

Fix: F-23255r415333_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for "ErrorDocument" directives at the OHS server, virtual host, and directory configuration scopes.
3. Set the "ErrorDocument" directives for HTTP errors 400, 401, 403 - 405, 408, 410 - 415, 500 - 503, and 506 (e.g., ErrorDocument 400 HTTP_BAD_REQUEST_en.html) to files that minimize the identity of the web server, patches, loaded modules, and directory paths, add the directive if it does not exist.

OHS must have production information removed from error documents to minimize the identity of OHS, patches, loaded modules, and directory paths in warning and error messages displayed to clients.
SI-11 - Low - CCI-001312 - V-221552 - SV-221552r415337_rule
RMF Control
SI-11
Severity
L
CCI
CCI-001312
Version
OH12-1X-000352
Vuln IDs
  • V-221552
  • V-64489
Rule IDs
  • SV-221552r415337_rule
  • SV-78979
Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or modules being used. Web servers will often display error messages to client users displaying enough information to aid in the debugging of the error. The information given back in error messages may display the web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage. This information could be used by an attacker to blueprint what type of attacks might be successful. The information given to users must be minimized to not aid in the blueprinting of the web server.
Checks: C-23267r415335_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "Alias /error/ "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/error/"", "<Directory "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/error">", and "ErrorDocument" directives at the OHS server, virtual host, and directory configuration scopes.
3. For every file specified by an "ErrorDocument" directive, check that the file exists and inspect its contents to determine whether any OHS product information is present.
4. If OHS product information is present in the file(s), this is a finding.

Fix: F-23256r415336_fix

1. Go to the directory specified by the "Alias /error/" directive in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf (e.g., cd $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/error).
2. Change the extension of each file located in $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/error from .html.var to .html (e.g., mv HTTP_NOT_FOUND.html.var HTTP_NOT_FOUND_en.html).
3. Modify the content of each file to be static, such that mod_include and mod_negotiation are not needed and no OHS product information is discernible by a user encountering the error.
4. Set the appropriate "ErrorDocument" directives in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf to reference the appropriate file in $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/httpd.conf, add the directives if they do not exist.
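The three error-page rules above (V-221549 for the "Alias /error/" directive, V-221551 for the required ErrorDocument codes, and V-221552 for product information and leftover .html.var type maps) share one evidence set: the alias target directory and the files the ErrorDocument directives name. The Python script below is an added example, not part of the STIG and not Oracle's tooling, that audits that set in one pass. The status-code list is taken from the V-221551 check text. The PRODUCT_MARKERS tuple is a constructed heuristic (the "<!--#" marker flags a server-side include that would still need mod_include); the error directory and configuration fragment in demo() are constructed in a temporary directory; and the assumption that every ErrorDocument target is served from the /error/ alias, so that its basename lives in the alias directory, is this example's own.

```python
import os
import re
import tempfile

# Codes listed in the V-221551 check text: 400, 401, 403-405, 408, 410-415, 500-503, 506.
REQUIRED_CODES = {400, 401, *range(403, 406), 408, *range(410, 416), *range(500, 504), 506}
# Constructed heuristic: strings whose presence in an error page discloses the product (V-221552)
# or shows the page still relies on server-side includes instead of static content.
PRODUCT_MARKERS = ("Oracle-HTTP-Server", "Oracle HTTP Server", "Apache/", "<!--#")

ERRORDOC_RE = re.compile(r"^\s*ErrorDocument\s+(\d{3})\s+(\S+)", re.M)
ALIAS_RE = re.compile(r'^\s*Alias\s+/error/\s+"?([^"\s]+)"?', re.M)


def error_documents(conf_text):
    """{status code: target} for every ErrorDocument directive in the text."""
    return {int(code): target for code, target in ERRORDOC_RE.findall(conf_text)}


def error_alias_dir(conf_text):
    """Filesystem path the 'Alias /error/' directive points at (V-221549), or None."""
    m = ALIAS_RE.search(conf_text)
    return m.group(1) if m else None


def audit_error_docs(conf_text, resolve_dir=lambda p: p):
    """Return (kind, detail) findings. resolve_dir maps the Alias path, which on a real
    instance contains ${ORACLE_INSTANCE}-style variables, to a real directory."""
    directory = error_alias_dir(conf_text)
    if directory is None:
        return [("alias-missing", "/error/")]
    directory = resolve_dir(directory)
    if not os.path.isdir(directory):
        return [("alias-invalid", directory)]
    docs = error_documents(conf_text)
    findings = [("errordocument-missing", code) for code in sorted(REQUIRED_CODES - set(docs))]
    for code, target in sorted(docs.items()):
        # Assumption: the target is served from the /error/ alias, so its basename lives in `directory`.
        path = os.path.join(directory, target.rsplit("/", 1)[-1])
        if not os.path.isfile(path):
            findings.append(("file-missing", target))
            continue
        if path.endswith(".var"):                   # still a type map needing mod_negotiation (fix step 2)
            findings.append(("needs-mod_negotiation", target))
        with open(path, encoding="utf-8", errors="replace") as fh:
            body = fh.read()
        hits = [marker for marker in PRODUCT_MARKERS if marker in body]
        if hits:
            findings.append(("product-info", f"{target}: {', '.join(hits)}"))
    return findings


def demo():
    """Constructed error directory and httpd.conf fragment: 412 and 506 have no directive,
    the 404 page still names the product, and the 500 page is an unconverted .html.var."""
    directory = tempfile.mkdtemp(prefix="ohs-error-")
    conf = [f'Alias /error/ "{directory}/"']
    for code in sorted(REQUIRED_CODES - {412, 506}):
        name = "HTTP_500.html.var" if code == 500 else f"HTTP_{code}_en.html"
        conf.append(f"ErrorDocument {code} /error/{name}")
        body = ("<html><body>Not found. Oracle-HTTP-Server/12.1.3</body></html>" if code == 404
                else "<html><body>An error occurred.</body></html>")
        with open(os.path.join(directory, name), "w") as fh:
            fh.write(body)
    return audit_error_docs("\n".join(conf))


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

On a real instance, pass a resolve_dir that substitutes ${ORACLE_INSTANCE}, ${COMPONENT_TYPE} and ${COMPONENT_NAME} from the environment before the directory is tested, and extend PRODUCT_MARKERS with whatever strings your own error templates carried before they were made static.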

Debugging and trace information used to diagnose OHS must be disabled.
SI-11 - Medium - CCI-001312 - V-221553 - SV-221553r415340_rule
RMF Control
SI-11
Severity
M
CCI
CCI-001312
Version
OH12-1X-000353
Vuln IDs
  • V-221553
  • V-64491
Rule IDs
  • SV-221553r415340_rule
  • SV-78981
Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or trace information is enabled in a production web server, information about the web server, such as web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage may be displayed. Since this information may be placed in logs and general messages during normal operation of the web server, an attacker does not need to cause an error condition to gain this information.
Checks: C-23268r415338_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "TraceEnable" directive at the OHS server and virtual host configuration scopes.
3. If the directive is not set to "Off", this is a finding.

Fix: F-23257r415339_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "TraceEnable" directive at the OHS server and virtual host configuration scopes.
3. Set the "TraceEnable" directive to a value of "Off", add the directive if it does not exist.
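ServerSignature (V-221547), ServerTokens (V-221548) and TraceEnable (V-221553) all change what the server sends back, so their effect can be confirmed from a client-side test against your own instance after the configuration edits: the Server header should read exactly "DoD-Web-Server", error pages should carry no "<address>... Server at ... Port ...</address>" footer, and a TRACE request should be refused with 405 rather than echoed back with a message/http body. The Python script below is an added example (not part of the STIG, not Oracle's tooling) that evaluates captured raw responses against those three expectations; the four sample responses are constructed to show one leaky and one hardened server, and the footer pattern follows the Apache httpd signature format.

```python
import re

# Apache-style ServerSignature footer, e.g. "<address>Oracle-HTTP-Server Server at ohs1 Port 4443</address>".
SIGNATURE_RE = re.compile(r"<address>[^<]*\bServer at\b[^<]*</address>", re.I)
EXPECTED_SERVER = "DoD-Web-Server"        # what "ServerTokens Custom DoD-Web-Server" emits


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit_error_response(raw):
    """Findings from the response to a request for a page that does not exist."""
    status, headers, body = parse_response(raw)
    findings = []
    server = headers.get("server")
    if server != EXPECTED_SERVER:                       # V-221548
        findings.append(("ServerTokens", server))
    footer = SIGNATURE_RE.search(body)
    if footer:                                          # V-221547
        findings.append(("ServerSignature", footer.group(0)))
    return findings


def audit_trace_response(raw):
    """TraceEnable Off makes httpd answer TRACE with 405; anything else means TRACE is served (V-221553)."""
    status, headers, body = parse_response(raw)
    if status == 405:
        return []
    return [("TraceEnable", f"{status} {headers.get('content-type', '')}".strip())]


# Constructed sample responses: a server with default settings, then one configured per the STIG.
LEAKY_404 = (
    "HTTP/1.1 404 Not Found\r\nServer: Oracle-HTTP-Server/12.1.3\r\nContent-Type: text/html\r\n\r\n"
    "<html><body><h1>Not Found</h1><hr>"
    "<address>Oracle-HTTP-Server/12.1.3 Server at ohs1 Port 4443</address></body></html>"
)
LEAKY_TRACE = (
    "HTTP/1.1 200 OK\r\nServer: Oracle-HTTP-Server/12.1.3\r\nContent-Type: message/http\r\n\r\n"
    "TRACE / HTTP/1.1\r\nHost: ohs1\r\n"
)
HARDENED_404 = (
    "HTTP/1.1 404 Not Found\r\nServer: DoD-Web-Server\r\nContent-Type: text/html\r\n\r\n"
    "<html><body><h1>Page not found.</h1></body></html>"
)
HARDENED_TRACE = "HTTP/1.1 405 Method Not Allowed\r\nServer: DoD-Web-Server\r\nAllow: GET,POST\r\n\r\n"


def demo():
    return {
        "leaky": audit_error_response(LEAKY_404) + audit_trace_response(LEAKY_TRACE),
        "hardened": audit_error_response(HARDENED_404) + audit_trace_response(HARDENED_TRACE),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "no findings")
```

To feed real captures into the two audit functions, save the complete response of an HTTP client pointed at your own instance (headers and body, CRLF line endings) and pass it as a string; the Server header comparison is exact on purpose, since "DoD-Web-Server" plus anything is still a disclosure.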

OHS must capture, record, and log all content related to a user session.
AC-10 - Medium - CCI-000054 - V-252204 - SV-252204r816508_rule
RMF Control
AC-10
Severity
M
CCI
CCI-000054
Version
OH12-1X-000049
Vuln IDs
  • V-252204
  • V-63153
Rule IDs
  • SV-252204r816508_rule
  • SV-77643
A user session to a web server is in the context of a user accessing a hosted application that extends to any plug-ins/modules and services that may execute on behalf of the user. The web server must be capable of enabling a setting for troubleshooting, debugging, or forensic gathering purposes which will log all user session information related to the hosted application session. Without the capability to capture, record, and log all content related to a user session, investigations into suspicious user activity would be hampered.
Checks: C-55660r816502_chk

1. As required, open, with an editor, $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive.
2. Search for the "LogFormat" directives with nicknames of "dod" and "dod_ssl" at the OHS server and virtual host configuration scopes.
3. If either of these directives is omitted or set improperly, this is a finding unless it is inherited from a larger scope.

Fix: F-55610r816503_fix

1. Open, with an editor, $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it that contains a "<VirtualHost>" directive.
2. Search for the "LogFormat" directives with nicknames of "dod" and "dod_ssl" at the OHS server and virtual host configuration scopes.
3a. If the session id is contained within a cookie, modify the "LogFormat" directives with nicknames of "dod" and "dod_ssl" to include "sess:%{JSESSIONID}C", adding the directive if it does not exist unless it is inherited from a larger scope.
3b. If the session id is contained within a header variable, modify the "LogFormat" directives with nicknames of "dod" and "dod_ssl" to include "sess:%{X-JSESSIONID}o", adding the directive if it does not exist unless it is inherited from a larger scope.
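The point of adding "sess:%{JSESSIONID}C" (or the header form) to the "dod" and "dod_ssl" formats is that every access-log line then carries a key on which an investigator can pull together one user's session. The Python script below is an added example, not part of the STIG and not Oracle's tooling, that shows both halves: logformat_has_session() is the configuration check from step 3, and logformat_to_regex() turns a LogFormat string into a regular expression so that log lines written in that format can be parsed and grouped by session id. DOD_FORMAT is an assumed shape of the "dod" format (the STIG defines the full format elsewhere; only the session field is taken from the fix text above), and the four log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed shape of the "dod" LogFormat (constructed); the trailing sess: field is the one fix step 3a adds.
DOD_FORMAT = '%h %l %u %t "%r" %>s %b sess:%{JSESSIONID}C'
SESSION_TOKENS = ("%{JSESSIONID}C", "%{X-JSESSIONID}o")      # cookie form (3a) and header form (3b)

# One LogFormat token: %h, %>s, %{JSESSIONID}C, %{User-Agent}i ...
TOKEN_RE = re.compile(r"%(?:\{(?P<arg>[^}]+)\})?>?(?P<letter>[A-Za-z])")


def logformat_has_session(value):
    """Step 3 check: does the LogFormat value carry a session id field?"""
    return any(token in value for token in SESSION_TOKENS)


def logformat_to_regex(fmt):
    """Turn an Apache LogFormat string into an anchored regex with one named group per token
    (letter, or letter_argument for %{...}x tokens). Each token may appear once."""
    parts, pos = [], 0
    for m in TOKEN_RE.finditer(fmt):
        parts.append(re.escape(fmt[pos:m.start()]))           # literal text between tokens
        letter, arg = m.group("letter"), m.group("arg")
        name = letter if arg is None else f"{letter}_{re.sub(r'[^A-Za-z0-9]', '_', arg)}"
        quoted = m.start() > 0 and fmt[m.start() - 1] == '"'
        if letter == "t":
            body = r"\[[^\]]*\]"          # [27/Jan/2022:10:15:32 -0500]
        elif quoted:
            body = r'[^"]*'               # "%r", "%{User-Agent}i": values may contain spaces
        else:
            body = r"\S+"
        parts.append(f"(?P<{name}>{body})")
        pos = m.end()
    parts.append(re.escape(fmt[pos:]))
    return re.compile("^" + "".join(parts) + "$")


def parse_log(fmt, lines):
    """Parse log lines written with `fmt`; lines that do not match are dropped."""
    rx = logformat_to_regex(fmt)
    return [m.groupdict() for m in map(rx.match, lines) if m]


def requests_by_session(records, field="C_JSESSIONID"):
    """Group request lines by session id; '-' is what httpd logs when the cookie is absent."""
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec[field]].append(rec["r"])
    return dict(by_session)


SAMPLE_LINES = [  # constructed
    '10.0.0.5 - - [27/Jan/2022:10:15:32 -0500] "GET /app/login HTTP/1.1" 200 512 sess:-',
    '10.0.0.5 - - [27/Jan/2022:10:15:40 -0500] "POST /app/j_security_check HTTP/1.1" 302 0 sess:A1B2C3',
    '10.0.0.5 - - [27/Jan/2022:10:15:41 -0500] "GET /app/home HTTP/1.1" 200 2048 sess:A1B2C3',
    '10.0.0.9 - - [27/Jan/2022:10:16:02 -0500] "GET /app/home HTTP/1.1" 200 2048 sess:Z9Y8X7',
]


def demo():
    return requests_by_session(parse_log(DOD_FORMAT, SAMPLE_LINES))


if __name__ == "__main__":
    for session, requests in demo().items():
        print(session, requests)
```

For the header form of the fix (3b), the group is named o_X_JSESSIONID, so call requests_by_session(records, field="o_X_JSESSIONID"); the regex builder assumes each token occurs once in the format, which holds for the two formats discussed here.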

OHS must have the LoadModule ossl_module directive enabled to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized.
AC-10 - High - CCI-000054 - V-252205 - SV-252205r816509_rule
RMF Control
AC-10
Severity
H
CCI
CCI-000054
Version
OH12-1X-000294
Vuln IDs
  • V-252205
  • V-64125
Rule IDs
  • SV-252205r816509_rule
  • SV-78615
Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. NSA has developed Type 1 algorithms for protecting classified information. The Committee on National Security Systems (CNSS) National Information Assurance Glossary (CNSS Instruction No. 4009) defines Type 1 products as: "Cryptographic equipment, assembly or component classified or certified by NSA for encrypting and decrypting classified and sensitive national security information when appropriately keyed. Developed using established NSA business processes and containing NSA-approved algorithms are used to protect systems requiring the most stringent protection mechanisms." Although persons may have a security clearance, they may not have a "need-to-know" and are required to be separated from the information in question. The web server must employ NSA-approved cryptography to protect classified information from those individuals who have no "need-to-know" or when encryption of compartmentalized data is required by data classification.
Checks: C-55661r816505_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope.
3. If the directive is omitted, this is a finding.
4. Validate that the file specified exists. If the file does not exist, this is a finding.

Fix: F-55611r816506_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope.
3. Set the "LoadModule ossl_module" directive to ""${PRODUCT_HOME}/modules/mod_ossl.so""; add the directive if it does not exist.

OHS must have the SSLFIPS directive enabled to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized.
SC-13 - High - CCI-002450 - V-252546 - SV-252546r816515_rule
RMF Control
SC-13
Severity
H
CCI
CCI-002450
Version
OH12-1X-000295
Vuln IDs
  • V-252546
  • V-64511
Rule IDs
  • SV-252546r816515_rule
  • SV-79001
Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. NSA has developed Type 1 algorithms for protecting classified information. The Committee on National Security Systems (CNSS) National Information Assurance Glossary (CNSS Instruction No. 4009) defines Type 1 products as: "Cryptographic equipment, assembly or component classified or certified by NSA for encrypting and decrypting classified and sensitive national security information when appropriately keyed. Developed using established NSA business processes and containing NSA-approved algorithms are used to protect systems requiring the most stringent protection mechanisms." Although persons may have a security clearance, they may not have a "need-to-know" and are required to be separated from the information in question. The web server must employ NSA-approved cryptography to protect classified information from those individuals who have no "need-to-know" or when encryption of compartmentalized data is required by data classification.
Checks: C-56002r816513_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for the "SSLFIPS" directive at the OHS server configuration scope.
3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-55952r816514_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor.
2. Search for the "SSLFIPS" directive at the OHS server configuration scope.
3. Set the "SSLFIPS" directive to "On"; add the directive if it does not exist.
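The two checks above (OH12-1X-000294, LoadModule ossl_module present at server scope and its module file existing; OH12-1X-000295, SSLFIPS set to On at server scope) are mechanical enough to automate. The following is an added example written for this page, not a DISA or Oracle tool. It parses Apache-style configuration text, skips comments, joins backslash continuations, and treats anything outside a <VirtualHost> container as the server configuration scope; <IfModule> and <IfDefine> wrappers are assumed to be transparent for scope purposes. The sample configs, the PRODUCT_HOME value and the file-existence callback are constructed for illustration.

```python
"""Added compliance check for OHS STIG rules OH12-1X-000294 and OH12-1X-000295.
Not part of the STIG; parsing assumptions are noted in the docstrings."""
import os
import re
import shlex

# Container open/close tags, e.g. <VirtualHost *:4443> ... </VirtualHost>.
_OPEN = re.compile(r"^<\s*([A-Za-z_]+)\b[^>]*>$")
_CLOSE = re.compile(r"^</\s*([A-Za-z_]+)\s*>$")


def parse_directives(conf_text):
    """Yield (in_vhost, name, args) for each directive in Apache-style config text.

    Comment and blank lines are skipped and backslash continuations are joined.
    in_vhost is True when the directive sits inside a <VirtualHost> container,
    i.e. outside the server configuration scope the STIG checks. Assumption:
    <IfModule>/<IfDefine> wrappers do not change scope.
    """
    stack, pending = [], ""
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        if not line or line.startswith("#"):
            continue
        m = _OPEN.match(line)
        if m:
            stack.append(m.group(1).lower())
            continue
        m = _CLOSE.match(line)
        if m:
            if stack and stack[-1] == m.group(1).lower():
                stack.pop()
            continue
        try:
            parts = shlex.split(line)  # honours the quoted paths OHS uses
        except ValueError:             # unbalanced quote: fall back to whitespace split
            parts = line.split()
        if parts:
            yield ("virtualhost" in stack, parts[0], parts[1:])


def _expand(value, env):
    """Expand ${VAR} references (e.g. ${PRODUCT_HOME}) from the given mapping."""
    return re.sub(r"\$\{(\w+)\}", lambda m: env.get(m.group(1), m.group(0)), value)


def check_ossl_module(httpd_conf_text, env, exists=os.path.isfile):
    """OH12-1X-000294: return a list of finding strings; an empty list is compliant."""
    for in_vhost, name, args in parse_directives(httpd_conf_text):
        if in_vhost or name.lower() != "loadmodule" or not args or args[0] != "ossl_module":
            continue
        if len(args) < 2:
            return ["LoadModule ossl_module has no module path"]
        path = _expand(args[1], env)
        return [] if exists(path) else [f"module file does not exist: {path}"]
    return ["LoadModule ossl_module directive is omitted at server scope"]


def check_sslfips(ssl_conf_text):
    """OH12-1X-000295: return a list of finding strings; an empty list is compliant."""
    for in_vhost, name, args in parse_directives(ssl_conf_text):
        if not in_vhost and name.lower() == "sslfips":
            value = args[0] if args else ""
            return [] if value.lower() == "on" else [f"SSLFIPS is set to {value!r}, not On"]
    return ["SSLFIPS directive is omitted at server scope"]


def run_checks(httpd_conf_text, ssl_conf_text, env, exists=os.path.isfile):
    """Map each rule's STIG version id to its findings."""
    return {"OH12-1X-000294": check_ossl_module(httpd_conf_text, env, exists),
            "OH12-1X-000295": check_sslfips(ssl_conf_text)}


# Constructed sample configs (not from any real OHS installation).
COMPLIANT_HTTPD = """
# httpd.conf excerpt
LoadModule ossl_module "${PRODUCT_HOME}/modules/mod_ossl.so"
<VirtualHost *:7777>
  DocumentRoot "/tmp/htdocs"
</VirtualHost>
"""
NONCOMPLIANT_HTTPD = """
#LoadModule ossl_module "${PRODUCT_HOME}/modules/mod_ossl.so"
"""
COMPLIANT_SSL = "<IfModule ossl_module>\n  SSLFIPS On\n</IfModule>\n"
NONCOMPLIANT_SSL = "SSLFIPS Off\n"
SAMPLE_ENV = {"PRODUCT_HOME": "/opt/ohs"}            # constructed value
SAMPLE_EXISTS = lambda p: p == "/opt/ohs/modules/mod_ossl.so"  # stands in for os.path.isfile

if __name__ == "__main__":
    import sys
    # Usage: python ohs_fips_check.py <httpd.conf> <ssl.conf>; PRODUCT_HOME is read from the environment.
    httpd_text, ssl_text = (open(p).read() for p in sys.argv[1:3])
    for rule, findings in run_checks(httpd_text, ssl_text, dict(os.environ)).items():
        print(rule, "FINDING: " + "; ".join(findings) if findings else "compliant")
```

Run it against the real $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and ssl.conf with PRODUCT_HOME set in the environment; any non-empty findings list corresponds to a finding under the check text above. The parser deliberately ignores commented-out directives, so a LoadModule line that is present but commented out still reports the directive as omitted.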