Oracle HTTP Server 12.1.3 Security Technical Implementation Guide

  • Version/Release: V2R2
  • Published: 2022-12-09
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.
b
OHS must have the mpm property set to use the worker Multi-Processing Module (MPM) as the preferred means to limit the number of allowed simultaneous requests.
AC-10 - Medium - CCI-000054 - V-221272 - SV-221272r879511_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
OH12-1X-000001
Vuln IDs
  • V-221272
  • V-63153
Rule IDs
  • SV-221272r879511_rule
  • SV-77643
Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to several types of Denial of Service attacks. Although there is some latitude concerning the settings themselves, the settings should follow DoD-recommended values, but the settings should be configurable to allow for future DoD direction. While the DoD will specify recommended values, the values can be adjusted to accommodate the operational requirement of a given system.
Checks: C-22987r414499_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ohs.plugins.nodemanager.properties file with an editor. 2. Search for the "mpm" property. 3. If the "mpm" property is omitted or commented out, this is a finding. 4. If the "mpm" property is not set to "worker", this is a finding.

Fix: F-22976r414500_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ohs.plugins.nodemanager.properties with an editor. 2. Set the "mpm" property to a value of "worker", add the property if it does not exist.

b
OHS must have the mpm_prefork_module directive disabled so as not conflict with the worker directive used to limit the number of allowed simultaneous requests.
AC-10 - Medium - CCI-000054 - V-221273 - SV-221273r879511_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
OH12-1X-000002
Vuln IDs
  • V-221273
  • V-64125
Rule IDs
  • SV-221273r879511_rule
  • SV-78615
Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to several types of Denial of Service attacks. Although there is some latitude concerning the settings themselves, the settings should follow DoD-recommended values, but the settings should be configurable to allow for future DoD direction. While the DoD will specify recommended values, the values can be adjusted to accommodate the operational requirement of a given system.
Checks: C-22988r414502_chk

1. Open the $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf file with an editor. 2. Search for the "&lt;IfModule mpm_prefork_module&gt;" directive at the OHS server configuration scope. 3. If this directive is found and not commented out, this is a finding.

Fix: F-22977r414503_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "<IfModule mpm_prefork_module>" directive at the OHS server configuration scope. 3. Comment out the "<IfModule mpm_prefork_module>" directive and any directives that it contains.

b
OHS must have the MaxClients directive defined to limit the number of allowed simultaneous requests.
AC-10 - Medium - CCI-000054 - V-221274 - SV-221274r879511_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
OH12-1X-000003
Vuln IDs
  • V-221274
  • V-64127
Rule IDs
  • SV-221274r879511_rule
  • SV-78617
Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to several types of Denial of Service attacks. Although there is some latitude concerning the settings themselves, the settings should follow DoD-recommended values, but the settings should be configurable to allow for future DoD direction. While the DoD will specify recommended values, the values can be adjusted to accommodate the operational requirement of a given system.
Checks: C-22989r414505_chk

1. Open the $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf file with an editor. 2. Search for the "MaxClients" directive within "&lt;IfModule mpm_worker_module&gt;" directive at the OHS server configuration scope. 3. If "MaxClients" is omitted or set greater than "2000", this is a finding. Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value. If the site has this documentation, this should be marked as not a finding.

Fix: F-22978r414506_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "MaxClients" directive within "<IfModule mpm_worker_module>" directive at the OHS server configuration scope. 3. Within the "<IfModule mpm_worker_module>" directive, set the "MaxClients" directive to "2000" or less, add the directive if it does not exist. Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

b
OHS must limit the number of threads within a worker process to limit the number of allowed simultaneous requests.
AC-10 - Medium - CCI-000054 - V-221275 - SV-221275r879511_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
OH12-1X-000004
Vuln IDs
  • V-221275
  • V-64129
Rule IDs
  • SV-221275r879511_rule
  • SV-78619
Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to several types of Denial of Service attacks. Although there is some latitude concerning the settings themselves, the settings should follow DoD-recommended values, but the settings should be configurable to allow for future DoD direction. While the DoD will specify recommended values, the values can be adjusted to accommodate the operational requirement of a given system.
Checks: C-22990r414508_chk

1. Open the $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf file with an editor. 2. Search for the "ThreadsPerChild" directive within "&lt;IfModule mpm_worker_module&gt;" directive at the OHS server configuration scope. 3. If "ThreadsPerChild" is omitted or set greater than "25", this is a finding. 4. Search for the "ThreadLimit" directive within "&lt;IfModule mpm_worker_module&gt;" directive at the OHS server configuration scope. 5. If "ThreadLimit" is omitted or set greater than "64", this is a finding. Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value. If the site has this documentation, this should be marked as not a finding.

Fix: F-22979r414509_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "ThreadsPerChild" directive within "<IfModule mpm_worker_module>" directive at the OHS server configuration scope. 3. Within the "<IfModule mpm_worker_module>" directive, set the "ThreadsPerChild" directive to "25", add the directive if it does not exist. 4. Search for the "ThreadLimit" directive within "<IfModule mpm_worker_module>" directive at the OHS server configuration scope. 5. Within the "<IfModule mpm_worker_module>" directive, set the "ThreadLimit" directive to "64", add the directive if it does not exist. Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

b
OHS must limit the number of worker processes to limit the number of allowed simultaneous requests.
AC-10 - Medium - CCI-000054 - V-221276 - SV-221276r879511_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
OH12-1X-000005
Vuln IDs
  • V-221276
  • V-64131
Rule IDs
  • SV-221276r879511_rule
  • SV-78621
Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to several types of Denial of Service attacks. Although there is some latitude concerning the settings themselves, the settings should follow DoD-recommended values, but the settings should be configurable to allow for future DoD direction. While the DoD will specify recommended values, the values can be adjusted to accommodate the operational requirement of a given system.
Checks: C-22991r414511_chk

1. Open the $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf file with an editor. 2. Search for the "ServerLimit" directive within "&lt;IfModule mpm_worker_module&gt;" directive at the OHS server configuration scope. 3. If "ServerLimit" is omitted or set greater than the maximum of "16" and the calculation of "MaxClients"/"ThreadsPerChild", this is a finding. Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value. If the site has this documentation, this should be marked as not a finding.

Fix: F-22980r414512_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "ServerLimit" directive within "<IfModule mpm_worker_module>" directive at the OHS server configuration scope. 3. Within the "<IfModule mpm_worker_module>" directive, set the "ServerLimit" directive to the maximum of "16" and the calculation of "MaxClients"/"ThreadsPerChild" immediately before the "MaxClients" directive, add the directive if it does not exist. Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

c
OHS must have the LoadModule ossl_module directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
AC-17 - High - CCI-000068 - V-221277 - SV-221277r879519_rule
RMF Control
AC-17
Severity
High
CCI
CCI-000068
Version
OH12-1X-000007
Vuln IDs
  • V-221277
  • V-64133
Rule IDs
  • SV-221277r879519_rule
  • SV-78623
The web server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or communication to authenticate users. The encryption used to communicate must match the data that is being retrieved or presented. Methods of communication are http for publicly displayed information, https to encrypt when user data is being transmitted, VPN tunneling, or other encryption methods to a database.
Checks: C-22992r414514_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope. 3. If the directive is omitted, this is a finding. 4. Validate that the file specified exists. If the file does not exist, this is a finding.

Fix: F-22981r414515_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope. 3. Set the "LoadModule ossl_module" directive to""${PRODUCT_HOME}/modules/mod_ossl.so"", add the directive if it does not exist.

c
OHS must have the SSLFIPS directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
AC-17 - High - CCI-000068 - V-221278 - SV-221278r879519_rule
RMF Control
AC-17
Severity
High
CCI
CCI-000068
Version
OH12-1X-000008
Vuln IDs
  • V-221278
  • V-64135
Rule IDs
  • SV-221278r879519_rule
  • SV-78625
The web server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or communication to authenticate users. The encryption used to communicate must match the data that is being retrieved or presented. Methods of communication are http for publicly displayed information, https to encrypt when user data is being transmitted, VPN tunneling, or other encryption methods to a database.
Checks: C-22993r414517_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/ssl.conf with an editor. 2. Search for the "SSLFIPS" directive at the OHS server configuration scope. 3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-22982r414518_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor. 2. Search for the "SSLFIPS" directive at the OHS server configuration scope. 3. Set the "SSLFIPS" directive to "On", add the directive if it does not exist.

b
OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to encrypt remote connections in accordance with the categorization of data hosted by the web server.
AC-17 - Medium - CCI-000068 - V-221279 - SV-221279r881040_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000068
Version
OH12-1X-000009
Vuln IDs
  • V-221279
  • V-64137
Rule IDs
  • SV-221279r881040_rule
  • SV-78627
The web server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or communication to authenticate users. The encryption used to communicate must match the data that is being retrieved or presented. Methods of communication are http for publicly displayed information, https to encrypt when user data is being transmitted, VPN tunneling, or other encryption methods to a database.
Checks: C-22994r881038_chk

1. As required, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that requires an SSL-enabled "&lt;VirtualHost&gt;" directive. Note: Does not apply to admin.conf. 2. Search for the following directive at the OHS server, virtual host, and/or directory configuration scopes: "SSLEngine" "SSLProtocol" "SSLWallet" 3. If any of these directives are omitted, this is a finding. 4. If "SSLEngine" is not set to "On", or "SSLProtocol" is not set to "TLSv1.2", this is a finding. 5. Validate that the folder specified in the "SSLWallet" directive exists. If the folder does not exist or contain a valid wallet, this is a finding.

Fix: F-22983r881039_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf. 2a. Search for the "SSLEngine" directive at the OHS server, virtual host, and/or directory configuration scopes. 2b. Set the "SSLEngine" directive to "On"; add the directive if it does not exist. 3a. Search for the "SSLProtocol" directive at the OHS server configuration, virtual host, and/or directory levels. 3b. Set the "SSLProtocol" directive to "TLSv1.2"; add the directive if it does not exist. 4a. Search for the "SSLWallet" directive at the OHS server configuration, virtual host, and/or directory levels. 4b. Set the "SSLWallet" directive to the location (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES Encryption (-compat_v12 parameters) that contains only the identity certificate for the host and DoD Certificate Authorities, add the directive if it does not exist.

c
OHS must have the SSLCipherSuite directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
AC-17 - High - CCI-000068 - V-221280 - SV-221280r879519_rule
RMF Control
AC-17
Severity
High
CCI
CCI-000068
Version
OH12-1X-000010
Vuln IDs
  • V-221280
  • V-64139
Rule IDs
  • SV-221280r879519_rule
  • SV-78629
The web server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or communication to authenticate users. The encryption used to communicate must match the data that is being retrieved or presented. Methods of communication are http for publicly displayed information, https to encrypt when user data is being transmitted, VPN tunneling, or other encryption methods to a database.
Checks: C-22995r414523_chk

1. As required, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that requires an SSL-enabled "&lt;VirtualHost&gt;" directive. Note: Does not apply to admin.conf. 2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes. 3. If the directive is omitted or set improperly, this is a finding.

Fix: F-22984r414524_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf. 2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes. 3. Set the "SSLCipherSuite" directive to "SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,RSA_WITH_AES_128_CBC_SHA256,RSA_WITH_AES_256_CBC_SHA256,RSA_WITH_AES_128_GCM_SHA256,RSA_WITH_AES_256_GCM_SHA384,ECDHE_ECDSA_WITH_AES_128_CBC_SHA,ECDHE_ECDSA_WITH_AES_256_CBC_SHA,ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,ECDHE_RSA_WITH_AES_128_CBC_SHA,ECDHE_RSA_WITH_AES_256_CBC_SHA", add the directive if it does not exist. Note: Ciphers may be added or removed from the list above per the organization's requirements or if vulnerabilities are found with a specific cipher.

c
OHS must have the LoadModule ossl_module directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.
AC-17 - High - CCI-001453 - V-221281 - SV-221281r879520_rule
RMF Control
AC-17
Severity
High
CCI
CCI-001453
Version
OH12-1X-000011
Vuln IDs
  • V-221281
  • V-64141
Rule IDs
  • SV-221281r879520_rule
  • SV-78631
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session.
Checks: C-22996r414526_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope. 3. If the directive is omitted, this is a finding. 4. Validate that the file specified exists. If the file does not exist, this is a finding.

Fix: F-22985r414527_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope. 3. Set the "LoadModule ossl_module" directive to""${PRODUCT_HOME}/modules/mod_ossl.so"", add the directive if it does not exist.

c
OHS must have the SSLFIPS directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.
AC-17 - High - CCI-001453 - V-221282 - SV-221282r879520_rule
RMF Control
AC-17
Severity
High
CCI
CCI-001453
Version
OH12-1X-000012
Vuln IDs
  • V-221282
  • V-64143
Rule IDs
  • SV-221282r879520_rule
  • SV-78633
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session.
Checks: C-22997r414529_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/ssl.conf with an editor. 2. Search for the "SSLFIPS" directive at the OHS server configuration scope. 3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-22986r414530_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor. 2. Search for the "SSLFIPS" directive at the OHS server configuration scope. 3. Set the "SSLFIPS" directive to "On", add the directive if it does not exist.

c
OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.
AC-17 - High - CCI-001453 - V-221283 - SV-221283r881043_rule
RMF Control
AC-17
Severity
High
CCI
CCI-001453
Version
OH12-1X-000013
Vuln IDs
  • V-221283
  • V-64145
Rule IDs
  • SV-221283r881043_rule
  • SV-78635
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session.
Checks: C-22998r881041_chk

1. As required, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that requires an SSL-enabled "&lt;VirtualHost&gt;" directive. Note: Does not apply to admin.conf. 2. Search for the following directive at the OHS server, virtual host, and/or directory configuration scopes: "SSLEngine" "SSLProtocol" "SSLWallet" 3. If any of these directives are omitted, this is a finding. 4. If "SSLEngine" is not set to "On", or "SSLProtocol" is not set to "TLSv1.2", this is a finding. 5. Validate that the folder specified in the "SSLWallet" directive exists. If the folder does not exist or contain a valid wallet, this is a finding.

Fix: F-22987r881042_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf. 2a. Search for the "SSLEngine" directive at the OHS server, virtual host, and/or directory configuration scopes. 2b. Set the "SSLEngine" directive to "On"; add the directive if it does not exist. 3a. Search for the "SSLProtocol" directive at the OHS server configuration, virtual host, and/or directory levels. 3b. Set the "SSLProtocol" directive to "TLSv1.2"; add the directive if it does not exist. 4a. Search for the "SSLWallet" directive at the OHS server configuration, virtual host, and/or directory levels. 4b. Set the "SSLWallet" directive to the location (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES Encryption (-compat_v12 parameters) that contains only the identity certificate for the host and DoD Certificate Authorities, add the directive if it does not exist.

c
OHS must have the SSLCipherSuite directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.
AC-17 - High - CCI-001453 - V-221284 - SV-221284r879520_rule
RMF Control
AC-17
Severity
High
CCI
CCI-001453
Version
OH12-1X-000014
Vuln IDs
  • V-221284
  • V-64147
Rule IDs
  • SV-221284r879520_rule
  • SV-78637
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session.
Checks: C-22999r414535_chk

1. As required, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that requires an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes. 3. If the directive is omitted or set improperly, this is a finding.

Fix: F-22988r414536_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. 2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes. 3. Set the "SSLCipherSuite" directive to "SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,RSA_WITH_AES_128_CBC_SHA256,RSA_WITH_AES_256_CBC_SHA256,RSA_WITH_AES_128_GCM_SHA256,RSA_WITH_AES_256_GCM_SHA384,ECDHE_ECDSA_WITH_AES_128_CBC_SHA,ECDHE_ECDSA_WITH_AES_256_CBC_SHA,ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,ECDHE_RSA_WITH_AES_128_CBC_SHA,ECDHE_RSA_WITH_AES_256_CBC_SHA", add the directive if it does not exist. Note: Ciphers may be removed from the list above per the organization's requirements or if vulnerabilities are found with a specific cipher.

b
OHS must have the SecureProxy directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.
AC-17 - Medium - CCI-001453 - V-221285 - SV-221285r879520_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-001453
Version
OH12-1X-000015
Vuln IDs
  • V-221285
  • V-64149
Rule IDs
  • SV-221285r879520_rule
  • SV-78639
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session.
Checks: C-23000r414538_chk

If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL: 1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that contains an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "SecureProxy" directive within an "&lt;IfModule weblogic_module&gt;" at the virtual host configuration scope. 3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-22989r414539_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that contains an SSL-enabled "<VirtualHost>" directive. 2. Search for the "SecureProxy" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope. 3. Set the "SecureProxy" directive to "On", add the directive if it does not exist.

b
OHS must have the WLSSLWallet directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.
AC-17 - Medium - CCI-001453 - V-221286 - SV-221286r879520_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-001453
Version
OH12-1X-000016
Vuln IDs
  • V-221286
  • V-64151
Rule IDs
  • SV-221286r879520_rule
  • SV-78641
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session.
Checks: C-23001r414541_chk

If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL: 1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that contains an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "WLSSLWallet" directive within an "&lt;IfModule weblogic_module&gt;" at the virtual host configuration scope. 3. If the directive is omitted or is not set to a folder containing a valid wallet, this is a finding.

Fix: F-22990r414542_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that contains an SSL-enabled "<VirtualHost>" directive. 2. Search for the "WLSSLWallet" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope. 3. Set the "WLSSLWallet" directive to the location (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES Encryption (-compat_v12 parameters) that contains the certificate chain served by the WebLogic host/port combination, add the directive if it does not exist.

b
OHS must have the WebLogicSSLVersion directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.
AC-17 - Medium - CCI-001453 - V-221287 - SV-221287r881046_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-001453
Version
OH12-1X-000017
Vuln IDs
  • V-221287
  • V-64153
Rule IDs
  • SV-221287r881046_rule
  • SV-78643
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session.
Checks: C-23002r881044_chk

If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL: 1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that contains an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "WebLogicSSLVersion" directive within an "&lt;IfModule weblogic_module&gt;" at the virtual host configuration scope. 3. If the directive is omitted or is not set to "TLSv1.2", this is a finding.

Fix: F-22991r881045_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that contains an SSL-enabled "<VirtualHost>" directive. 2. Search for the "WebLogicSSLVersion" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope. 3. Set the "WebLogicSSLVersion" directive to "TLSv1_2", add the directive if it does not exist.

b
OHS must have the WLProxySSL directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.
AC-17 - Medium - CCI-001453 - V-221288 - SV-221288r879520_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-001453
Version
OH12-1X-000018
Vuln IDs
  • V-221288
  • V-64155
Rule IDs
  • SV-221288r879520_rule
  • SV-78645
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session.
Checks: C-23003r414547_chk

If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS: 1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that contains an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "WLProxySSL" directive within an "&lt;IfModule weblogic_module&gt;" at the virtual host configuration scope. 3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-22992r414548_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that contains an SSL-enabled "<VirtualHost>" directive. 2. Search for the "WLProxySSL" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope. 3. Set the "WLProxySSL" directive to "On", add the directive if it does not exist.

b
OHS must have the LoadModule log_config_module directive enabled to generate information to be used by external applications or entities to monitor and control remote access.
AC-17 - Medium - CCI-000067 - V-221289 - SV-221289r879521_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000067
Version
OH12-1X-000019
Vuln IDs
  • V-221289
  • V-64157
Rule IDs
  • SV-221289r879521_rule
  • SV-78647
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information to an external monitoring system, the organization can monitor for cyber attacks and monitor compliance with remote access policies. The organization can also look at data organization wide and determine an attack or anomaly is occurring on the organization which might not be noticed if the data were kept local to the web server. Examples of external applications used to monitor or control access would be audit log monitoring systems, dynamic firewalls, or infrastructure monitoring systems.
Checks: C-23004r414550_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule log_config_module" directive at the OHS server configuration scope. 3. If the directive is omitted, this is a finding. 4. Validate that the file specified exists. If the file does not exist, this is a finding.

Fix: F-22993r414551_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule log_config_module" directive at the OHS server configuration scope. 3. Set the "LoadModule log_config_module" directive to ""${PRODUCT_HOME}/modules/mod_log_config.so"", add the directive if it does not exist.

b
OHS must have the OraLogMode set to Oracle Diagnostic Logging text mode to generate information to be used by external applications or entities to monitor and control remote access.
AC-17 - Medium - CCI-000067 - V-221290 - SV-221290r879521_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000067
Version
OH12-1X-000020
Vuln IDs
  • V-221290
  • V-64159
Rule IDs
  • SV-221290r879521_rule
  • SV-78649
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information to an external monitoring system, the organization can monitor for cyber attacks and monitor compliance with remote access policies. The organization can also look at data organization wide and determine an attack or anomaly is occurring on the organization which might not be noticed if the data were kept local to the web server. Examples of external applications used to monitor or control access would be audit log monitoring systems, dynamic firewalls, or infrastructure monitoring systems.
Checks: C-23005r414553_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "OraLogMode" directive at the OHS server configuration scope. 3. If the directive is omitted or is not set to "odl-text", this is a finding.

Fix: F-22994r414554_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "OraLogMode" directive at the OHS server configuration scope. 3. Set the "OraLogMode" directive to "odl-text", add the directive if it does not exist.

b
OHS must have a log directory location defined to generate information for use by external applications or entities to monitor and control remote access.
AC-17 - Medium - CCI-000067 - V-221291 - SV-221291r879521_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000067
Version
OH12-1X-000021
Vuln IDs
  • V-221291
  • V-64161
Rule IDs
  • SV-221291r879521_rule
  • SV-78651
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information to an external monitoring system, the organization can monitor for cyber attacks and monitor compliance with remote access policies. The organization can also look at data organization wide and determine an attack or anomaly is occurring on the organization which might not be noticed if the data were kept local to the web server. Examples of external applications used to monitor or control access would be audit log monitoring systems, dynamic firewalls, or infrastructure monitoring systems.
Checks: C-23006r414556_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "OraLogDir" directive at the OHS server configuration scope. 3. If the directive is omitted, this is a finding. 4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-22995r414557_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "OraLogDir" directive at the OHS server configuration scope. 3. Set the "OraLogDir" directive to an appropriate, protected location on a partition with sufficient space that is different from the partition on which the OHS software is installed; add the directive if it does not exist.

b
OHS must have the OraLogSeverity directive defined to generate adequate information to be used by external applications or entities to monitor and control remote access.
AC-17 - Medium - CCI-000067 - V-221292 - SV-221292r879521_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000067
Version
OH12-1X-000022
Vuln IDs
  • V-221292
  • V-64163
Rule IDs
  • SV-221292r879521_rule
  • SV-78653
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information to an external monitoring system, the organization can monitor for cyber attacks and monitor compliance with remote access policies. The organization can also look at data organization wide and determine an attack or anomaly is occurring on the organization which might not be noticed if the data were kept local to the web server. Examples of external applications used to monitor or control access would be audit log monitoring systems, dynamic firewalls, or infrastructure monitoring systems.
Checks: C-23007r414559_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "OraLogSeverity" directive at the OHS server configuration scope. 3. If the directive is omitted or is not set to "NOTIFICATION:32", this is a finding.

Fix: F-22996r414560_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "OraLogSeverity" directive at the OHS server configuration scope. 3. Set the "OraLogSeverity" directive to "NOTIFICATION:32", add the directive if it does not exist.

b
OHS must have the log rotation parameter set to allow generated information to be used by external applications or entities to monitor and control remote access.
AC-17 - Medium - CCI-000067 - V-221293 - SV-221293r879521_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000067
Version
OH12-1X-000023
Vuln IDs
  • V-221293
  • V-64165
Rule IDs
  • SV-221293r879521_rule
  • SV-78655
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information to an external monitoring system, the organization can monitor for cyber attacks and monitor compliance with remote access policies. The organization can also look at data organization wide and determine an attack or anomaly is occurring on the organization which might not be noticed if the data were kept local to the web server. Examples of external applications used to monitor or control access would be audit log monitoring systems, dynamic firewalls, or infrastructure monitoring systems.
Checks: C-23008r414562_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "OraLogRotationParams" directive at the OHS server configuration scope. 3. If the directive is omitted or set improperly, this is a finding.

Fix: F-22997r414563_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "OraLogRotationParams" directive at the OHS server configuration scope. 3. As required, set the "OraLogRotationParams" directive to satisfy the NIST 800-92 logging requirements, add the directive if it does not exist.

b
OHS must have a log format defined to generate adequate information to be used by external applications or entities to monitor and control remote access.
AC-17 - Medium - CCI-000067 - V-221294 - SV-221294r879521_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000067
Version
OH12-1X-000024
Vuln IDs
  • V-221294
  • V-64167
Rule IDs
  • SV-221294r879521_rule
  • SV-78657
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information to an external monitoring system, the organization can monitor for cyber attacks and monitor compliance with remote access policies. The organization can also look at data organization wide and determine an attack or anomaly is occurring on the organization which might not be noticed if the data were kept local to the web server. Examples of external applications used to monitor or control access would be audit log monitoring systems, dynamic firewalls, or infrastructure monitoring systems.
Checks: C-23009r414565_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-22998r414566_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i" dod", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a SSL log format defined to allow generated information to be used by external applications or entities to monitor and control remote access in accordance with the categorization of data hosted by the web server.
AC-17 - Medium - CCI-000067 - V-221295 - SV-221295r879521_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000067
Version
OH12-1X-000025
Vuln IDs
  • V-221295
  • V-64169
Rule IDs
  • SV-221295r879521_rule
  • SV-78659
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information to an external monitoring system, the organization can monitor for cyber attacks and monitor compliance with remote access policies. The organization can also look at data organization wide and determine an attack or anomaly is occurring on the organization which might not be noticed if the data were kept local to the web server. Examples of external applications used to monitor or control access would be audit log monitoring systems, dynamic firewalls, or infrastructure monitoring systems.
Checks: C-23010r414568_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-22999r414569_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i sslprot:%{SSL_PROTOCOL}x ciph:%{SSL_CIPHER}x" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a log file defined for each site/virtual host to capture information to be used by external applications or entities to monitor and control remote access.
AC-17 - Medium - CCI-000067 - V-221296 - SV-221296r879521_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000067
Version
OH12-1X-000026
Vuln IDs
  • V-221296
  • V-64171
Rule IDs
  • SV-221296r879521_rule
  • SV-78661
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information to an external monitoring system, the organization can monitor for cyber attacks and monitor compliance with remote access policies. The organization can also look at data organization wide and determine an attack or anomaly is occurring on the organization which might not be noticed if the data were kept local to the web server. Examples of external applications used to monitor or control access would be audit log monitoring systems, dynamic firewalls, or infrastructure monitoring systems.
Checks: C-23011r414571_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope. 4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23000r414572_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3a. If the virtual host is NOT configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod", add the directive if it does not exist unless inherited from a larger scope. 3b. If the virtual host is configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
Remote access to OHS must follow access policy or work in conjunction with enterprise tools designed to enforce policy requirements.
AC-17 - Medium - CCI-002314 - V-221297 - SV-221297r879692_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-002314
Version
OH12-1X-000030
Vuln IDs
  • V-221297
  • V-64493
Rule IDs
  • SV-221297r879692_rule
  • SV-78983
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy requirements. Examples of the web server enforcing a remote access policy are implementing IP filtering rules, using https instead of http for communication, implementing secure tokens, and validating users.
Checks: C-23012r414574_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Review the directives (e.g., "&lt;VirtualHost&gt;", "&lt;Directory&gt;", and "&lt;Location&gt;") at the OHS server and virtual host configuration scopes. 3. If these directives do not contain the appropriate access protection via secure authentication, SSL-associated directives, or "Order", "Deny", and "Allow" directives to secure access or prohibit access from nonsecure zones, this is a finding.

Fix: F-23001r414575_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Review the directives (e.g., "<VirtualHost>", "<Directory>", and "<Location>") at the OHS server and virtual host configuration scopes. 3. Configure the web server to require secure authentication as required, use SSL, and/or restrict access from nonsecure zones via "Order", "Deny", and "Allow" directives. Note: A product such as Oracle Access Manager may facilitate satisfying these requirements.

b
OHS must have the Order, Allow, and Deny directives set within the Directory directives set to restrict inbound connections from nonsecure zones.
AC-17 - Medium - CCI-002314 - V-221298 - SV-221298r879692_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-002314
Version
OH12-1X-000031
Vuln IDs
  • V-221298
  • V-64495
Rule IDs
  • SV-221298r879692_rule
  • SV-78985
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely and must be capable of restricting access from what the DoD defines as nonsecure zones. Nonsecure zones are defined as any IP, subnet, or region that is defined as a threat to the organization. The nonsecure zones must be defined for public web servers logically located in a DMZ, as well as private web servers with perimeter protection devices. By restricting access from nonsecure zones, through internal web server access list, the web server can stop or slow denial of service (DoS) attacks on the web server.
Checks: C-23013r414577_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "&lt;Directory&gt;" directive at the OHS server and virtual host configuration scopes. Note: This check does not apply to the root directory, i.e. the &lt;Directory /&gt; directive. 3. If the "&lt;Directory&gt;" directive does not contain the appropriate "Order", "Deny", and "Allow" directives to prohibit access from nonsecure zones, this is a finding.

Fix: F-23002r414578_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "<Directory>" directive at the OHS server and virtual host configuration scopes. Note: This fix does not apply to the root directory, i.e. the <Directory /> directive. 3. Set the "Order" directive to "allow,deny", add the directive if it does not exist. 4. Set "Allow" directives to "from all" or to an IP range (e.g., "from 123.123"), add the directives if they do not exist. 5. Set "Deny" directives to an IP range (e.g., "from 123.123") to specify nonsecure zones, add the directives if they do not exist.

b
OHS must have the Order, Allow, and Deny directives set within the Files directives set to restrict inbound connections from nonsecure zones.
AC-17 - Medium - CCI-002314 - V-221299 - SV-221299r879692_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-002314
Version
OH12-1X-000032
Vuln IDs
  • V-221299
  • V-64497
Rule IDs
  • SV-221299r879692_rule
  • SV-78987
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely and must be capable of restricting access from what the DoD defines as nonsecure zones. Nonsecure zones are defined as any IP, subnet, or region that is defined as a threat to the organization. The nonsecure zones must be defined for public web servers logically located in a DMZ, as well as private web servers with perimeter protection devices. By restricting access from nonsecure zones, through internal web server access list, the web server can stop or slow denial of service (DoS) attacks on the web server.
Checks: C-23014r414580_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "&lt;Files&gt;" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the "&lt;Files&gt;" directive does not contain the appropriate "Order", "Deny", and "Allow" directives to prohibit access from nonsecure zones, this is a finding.

Fix: F-23003r414581_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "<Files>" directive at the OHS server, virtual host, and directory configuration scopes. 3. Set the "Order" directive to "allow,deny", add the directive if it does not exist. 4. Set "Allow" directives to "from all" or to an IP range (e.g., "from 123.123"), add the directives if they do not exist. 5. Set "Deny" directives to an IP range (e.g., "from 123.123") to specify nonsecure zones, add the directives if they do not exist.

b
OHS must have the Order, Allow, and Deny directives set within the Location directives set to restrict inbound connections from nonsecure zones.
AC-17 - Medium - CCI-002314 - V-221300 - SV-221300r879692_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-002314
Version
OH12-1X-000033
Vuln IDs
  • V-221300
  • V-64499
Rule IDs
  • SV-221300r879692_rule
  • SV-78989
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely and must be capable of restricting access from what the DoD defines as nonsecure zones. Nonsecure zones are defined as any IP, subnet, or region that is defined as a threat to the organization. The nonsecure zones must be defined for public web servers logically located in a DMZ, as well as private web servers with perimeter protection devices. By restricting access from nonsecure zones, through internal web server access list, the web server can stop or slow denial of service (DoS) attacks on the web server.
Checks: C-23015r414583_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "&lt;Location&gt;" directive at the OHS server and virtual host configuration scopes. 3. If the "&lt;Location&gt;" directive does not contain the appropriate "Order", "Deny", and "Allow" directives to prohibit access from nonsecure zones, this is a finding.

Fix: F-23004r414584_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "<Location>" directive at the OHS server and virtual host configuration scopes. 3. Set the "Order" directive to "allow,deny", add the directive if it does not exist. 4. Set "Allow" directives to "from all" or to an IP range (e.g., "from 123.123"), add the directives if they do not exist. 5. Set "Deny" directives to an IP range (e.g., "from 123.123") to specify nonsecure zones, add the directives if they do not exist.

b
OHS must provide the capability to immediately disconnect or disable remote access to the hosted applications.
AC-17 - Medium - CCI-002322 - V-221301 - SV-221301r879693_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-002322
Version
OH12-1X-000034
Vuln IDs
  • V-221301
  • V-64501
Rule IDs
  • SV-221301r879693_rule
  • SV-78991
During an attack on the web server or any of the hosted applications, the system administrator may need to disconnect or disable access by users to stop the attack. The web server must provide a capability to disconnect users to a hosted application without compromising other hosted applications unless deemed necessary to stop the attack. Methods to disconnect or disable connections are to stop the application service for a specified hosted application, stop the web server, or block all connections through web server access list. The web server capabilities used to disconnect or disable users from connecting to hosted applications and the web server must be documented to make certain that, during an attack, the proper action is taken to conserve connectivity to any other hosted application if possible and to make certain log data is conserved for later forensic analysis.
Checks: C-23016r414586_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "&lt;Directory&gt;", "&lt;Files&gt;", or "&lt;Location&gt;" directive serving the application/content under attack at the OHS server, virtual host, or directory configuration scope. 3. If the "&lt;Directory&gt;", "&lt;Files&gt;", or "&lt;Location&gt;" directive serving the application/content under attack does not contain the appropriate "Order", "Deny", and "Allow" directives to prohibit access, this is a finding.

Fix: F-23005r414587_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "<Directory>", "<Files>", or "<Location>" directive serving the application/content under attack at the OHS server, virtual host, or directory configuration scope. 3. Set the "Order" directive to "allow,deny", add the directive if it does not exist. 4. Comment out any "Allow" directives to prohibit access to the application/content under attack if it exists. 5. Set "Deny" directives to "from all" to prohibit access to the application/content under attack, add the directive if it does not exist. 6. Issue a "nmSoftRestart(serverName='componentName',serverType='OHS') from the WLST shell prompt.

b
Non-privileged accounts on the hosting system must only access OHS security-relevant information and functions through a distinct administrative account.
AC-6 - Medium - CCI-002235 - V-221302 - SV-221302r879717_rule
RMF Control
AC-6
Severity
Medium
CCI
CCI-002235
Version
OH12-1X-000035
Vuln IDs
  • V-221302
  • V-64503
Rule IDs
  • SV-221302r879717_rule
  • SV-78993
By separating web server security functions from non-privileged users, roles can be developed that can then be used to administer the web server. Forcing users to change from a non-privileged account to a privileged account when operating on the web server or on security-relevant information forces users to only operate as a web server administrator when necessary. Operating in this manner allows for better logging of changes and better forensic information and limits accidental changes to the web server.
Checks: C-23017r414589_chk

1. Check that sudo is properly configured for the account owning the OHS software. 2. If accounts other than the account that owns the OHS software can access the OHS software, this is a finding.

Fix: F-23006r414590_fix

1. Configure sudo such that only the account that owns the OHS software can access it from the hosting system.

b
OHS must have the client requests logging module loaded to generate log records for system startup and shutdown, system access, and system authentication logging.
AU-12 - Medium - CCI-000169 - V-221303 - SV-221303r879559_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
OH12-1X-000040
Vuln IDs
  • V-221303
  • V-64173
Rule IDs
  • SV-221303r879559_rule
  • SV-78663
Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the definition of what events are to be logged. As conditions change, the number and types of events to be logged may change, and the web server must be able to facilitate these changes. The minimum list of logged events should be those pertaining to system startup and shutdown, system access, and system authentication events. If these events are not logged at a minimum, any type of forensic investigation would be missing pertinent information needed to replay what occurred.
Checks: C-23018r414592_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule log_config_module" directive at the OHS server configuration scope. 3. If the directive is omitted, this is a finding. 4. Validate that the file specified exist. If the file does not exist, this is a finding.

Fix: F-23007r414593_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule log_config_module" directive at the OHS server configuration scope. 3. Set the "LoadModule log_config_module" directive to ""${PRODUCT_HOME}/modules/mod_log_config.so"", add the directive if it does not exist.

b
OHS must have OraLogMode set to Oracle Diagnostic Logging text mode to generate log records for system startup and shutdown, system access, and system authentication logging.
AU-12 - Medium - CCI-000169 - V-221304 - SV-221304r879559_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
OH12-1X-000041
Vuln IDs
  • V-221304
  • V-64175
Rule IDs
  • SV-221304r879559_rule
  • SV-78665
Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the definition of what events are to be logged. As conditions change, the number and types of events to be logged may change, and the web server must be able to facilitate these changes. The minimum list of logged events should be those pertaining to system startup and shutdown, system access, and system authentication events. If these events are not logged at a minimum, any type of forensic investigation would be missing pertinent information needed to replay what occurred.
Checks: C-23019r414595_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "OraLogMode" directive at the OHS server configuration scope. 3. If the directive is omitted or is not set to "odl-text", this is a finding.

Fix: F-23008r414596_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "OraLogMode" directive at the OHS server configuration scope. 3. Set the "OraLogMode" directive to "odl-text", add the directive if it does not exist.

b
OHS must have a log directory location defined to generate log records for system startup and shutdown, system access, and system authentication logging.
AU-12 - Medium - CCI-000169 - V-221305 - SV-221305r879559_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
OH12-1X-000042
Vuln IDs
  • V-221305
  • V-64177
Rule IDs
  • SV-221305r879559_rule
  • SV-78667
Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the definition of what events are to be logged. As conditions change, the number and types of events to be logged may change, and the web server must be able to facilitate these changes. The minimum list of logged events should be those pertaining to system startup and shutdown, system access, and system authentication events. If these events are not logged at a minimum, any type of forensic investigation would be missing pertinent information needed to replay what occurred.
Checks: C-23020r414598_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "OraLogDir" directive at the OHS server configuration scope. 3. If the directive is omitted, this is a finding. 4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23009r414599_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "OraLogDir" directive at the OHS server configuration scope. 3. Set the "OraLogDir" directive to an appropriate, protected location on a partition with sufficient space that is different from the partition on which the OHS software is installed; add the directive if it does not exist.

b
OHS must have a log level severity defined to generate adequate log records for system startup and shutdown, system access, and system authentication events.
AU-12 - Medium - CCI-000169 - V-221306 - SV-221306r879559_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
OH12-1X-000043
Vuln IDs
  • V-221306
  • V-64179
Rule IDs
  • SV-221306r879559_rule
  • SV-78669
Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the definition of what events are to be logged. As conditions change, the number and types of events to be logged may change, and the web server must be able to facilitate these changes. The minimum list of logged events should be those pertaining to system startup and shutdown, system access, and system authentication events. If these events are not logged at a minimum, any type of forensic investigation would be missing pertinent information needed to replay what occurred.
Checks: C-23021r414601_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "OraLogSeverity" directive at the OHS server configuration scope. 3. If the directive is omitted or is not set to "NOTIFICATION:32", this is a finding.

Fix: F-23010r414602_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "OraLogSeverity" directive at the OHS server configuration scope. 3. Set the "OraLogSeverity" directive to "NOTIFICATION:32", add the directive if it does not exist.

b
OHS must have the log rotation parameter set to allow for the generation log records for system startup and shutdown, system access, and system authentication events.
AU-12 - Medium - CCI-000169 - V-221307 - SV-221307r879559_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
OH12-1X-000044
Vuln IDs
  • V-221307
  • V-64181
Rule IDs
  • SV-221307r879559_rule
  • SV-78671
Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the definition of what events are to be logged. As conditions change, the number and types of events to be logged may change, and the web server must be able to facilitate these changes. The minimum list of logged events should be those pertaining to system startup and shutdown, system access, and system authentication events. If these events are not logged at a minimum, any type of forensic investigation would be missing pertinent information needed to replay what occurred.
Checks: C-23022r414604_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "OraLogRotationParams" directive at the OHS server configuration scope. 3. If the directive is omitted or set improperly, this is a finding.

Fix: F-23011r414605_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "OraLogRotationParams" directive at the OHS server configuration scope. 3. As required, set the "OraLogRotationParams" directive to satisfy the NIST 800-92 logging requirements, add the directive if it does not exist.

b
OHS must have a log format defined to generate adequate logs by system startup and shutdown, system access, and system authentication events.
AU-12 - Medium - CCI-000169 - V-221308 - SV-221308r879559_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
OH12-1X-000045
Vuln IDs
  • V-221308
  • V-64183
Rule IDs
  • SV-221308r879559_rule
  • SV-78673
Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the definition of what events are to be logged. As conditions change, the number and types of events to be logged may change, and the web server must be able to facilitate these changes. The minimum list of logged events should be those pertaining to system startup and shutdown, system access, and system authentication events. If these events are not logged at a minimum, any type of forensic investigation would be missing pertinent information needed to replay what occurred.
Checks: C-23023r414607_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23012r414608_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i" dod", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a SSL log format defined to generate adequate logs by system startup and shutdown, system access, and system authentication events.
AU-12 - Medium - CCI-000169 - V-221309 - SV-221309r879559_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
OH12-1X-000046
Vuln IDs
  • V-221309
  • V-64185
Rule IDs
  • SV-221309r879559_rule
  • SV-78675
Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the definition of what events are to be logged. As conditions change, the number and types of events to be logged may change, and the web server must be able to facilitate these changes. The minimum list of logged events should be those pertaining to system startup and shutdown, system access, and system authentication events. If these events are not logged at a minimum, any type of forensic investigation would be missing pertinent information needed to replay what occurred.
Checks: C-23024r414610_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23013r414611_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i sslprot:%{SSL_PROTOCOL}x ciph:%{SSL_CIPHER}x" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a log file defined for each site/virtual host to capture logs generated by system startup and shutdown, system access, and system authentication events.
AU-12 - Medium - CCI-000169 - V-221310 - SV-221310r879559_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
OH12-1X-000047
Vuln IDs
  • V-221310
  • V-64187
Rule IDs
  • SV-221310r879559_rule
  • SV-78677
Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the definition of what events are to be logged. As conditions change, the number and types of events to be logged may change, and the web server must be able to facilitate these changes. The minimum list of logged events should be those pertaining to system startup and shutdown, system access, and system authentication events. If these events are not logged at a minimum, any type of forensic investigation would be missing pertinent information needed to replay what occurred.
Checks: C-23025r414613_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope. 4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23014r414614_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3a. If the virtual host is NOT configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod", add the directive if it does not exist unless inherited from a larger scope. 3b. If the virtual host is configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a log level severity defined to produce sufficient log records to establish what type of events occurred.
AU-3 - Medium - CCI-000130 - V-221312 - SV-221312r879563_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
OH12-1X-000050
Vuln IDs
  • V-221312
  • V-64191
Rule IDs
  • SV-221312r879563_rule
  • SV-78681
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct type of event that occurred is important during forensic analysis. The correct determination of the event and when it occurred is important in relation to other events that happened at that same time. Without sufficient information establishing what type of log event occurred, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23027r414619_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "OraLogSeverity" directive at the OHS server configuration scope. 3. If the directive is omitted or is not set to "NOTIFICATION:32", this is a finding.

Fix: F-23016r414620_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "OraLogSeverity" directive at the OHS server configuration scope. 3. Set the "OraLogSeverity" directive to "NOTIFICATION:32", add the directive if it does not exist.

b
OHS must have a log format defined for log records generated to capture sufficient information to establish what type of events occurred.
AU-3 - Medium - CCI-000130 - V-221313 - SV-221313r879563_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
OH12-1X-000051
Vuln IDs
  • V-221313
  • V-64193
Rule IDs
  • SV-221313r879563_rule
  • SV-78683
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct type of event that occurred is important during forensic analysis. The correct determination of the event and when it occurred is important in relation to other events that happened at that same time. Without sufficient information establishing what type of log event occurred, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23028r414622_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23017r414623_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i" dod", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a SSL log format defined for log records generated to capture sufficient information to establish what type of events occurred.
AU-3 - Medium - CCI-000130 - V-221314 - SV-221314r879563_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
OH12-1X-000052
Vuln IDs
  • V-221314
  • V-64195
Rule IDs
  • SV-221314r879563_rule
  • SV-78685
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct type of event that occurred is important during forensic analysis. The correct determination of the event and when it occurred is important in relation to other events that happened at that same time. Without sufficient information establishing what type of log event occurred, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23029r414625_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23018r414626_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i sslprot:%{SSL_PROTOCOL}x ciph:%{SSL_CIPHER}x" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a log file defined for each site/virtual host to capture sufficient information to establish what type of events occurred.
AU-3 - Medium - CCI-000130 - V-221315 - SV-221315r879563_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
OH12-1X-000053
Vuln IDs
  • V-221315
  • V-64197
Rule IDs
  • SV-221315r879563_rule
  • SV-78687
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct type of event that occurred is important during forensic analysis. The correct determination of the event and when it occurred is important in relation to other events that happened at that same time. Without sufficient information establishing what type of log event occurred, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23030r414628_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope. 4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23019r414629_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3a. If the virtual host is NOT configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod", add the directive if it does not exist unless inherited from a larger scope. 3b. If the virtual host is configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a log format defined for log records generated to capture sufficient information to establish when an event occurred.
AU-3 - Medium - CCI-000131 - V-221316 - SV-221316r879564_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000131
Version
OH12-1X-000054
Vuln IDs
  • V-221316
  • V-64199
Rule IDs
  • SV-221316r879564_rule
  • SV-78689
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct order of the events that occurred is important during forensic analysis. Events that appear harmless by themselves might be flagged as a potential threat when properly viewed in sequence. By also establishing the event date and time, an event can be properly viewed with an enterprise tool to fully see a possible threat in its entirety. Without sufficient information establishing when the log event occurred, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23031r414631_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23020r414632_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i" dod", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a SSL log format defined for log records generated to capture sufficient information to establish when an event occurred.
AU-3 - Medium - CCI-000131 - V-221317 - SV-221317r879564_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000131
Version
OH12-1X-000055
Vuln IDs
  • V-221317
  • V-64201
Rule IDs
  • SV-221317r879564_rule
  • SV-78691
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct order of the events that occurred is important during forensic analysis. Events that appear harmless by themselves might be flagged as a potential threat when properly viewed in sequence. By also establishing the event date and time, an event can be properly viewed with an enterprise tool to fully see a possible threat in its entirety. Without sufficient information establishing when the log event occurred, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23032r414634_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23021r414635_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i sslprot:%{SSL_PROTOCOL}x ciph:%{SSL_CIPHER}x" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of when an event occurred.
AU-3 - Medium - CCI-000131 - V-221318 - SV-221318r879564_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000131
Version
OH12-1X-000056
Vuln IDs
  • V-221318
  • V-64203
Rule IDs
  • SV-221318r879564_rule
  • SV-78693
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct order of the events that occurred is important during forensic analysis. Events that appear harmless by themselves might be flagged as a potential threat when properly viewed in sequence. By also establishing the event date and time, an event can be properly viewed with an enterprise tool to fully see a possible threat in its entirety. Without sufficient information establishing when the log event occurred, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23033r414637_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope. 4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23022r414638_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3a. If the virtual host is NOT configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod", add the directive if it does not exist unless inherited from a larger scope. 3b. If the virtual host is configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a log format defined for log records that allow the establishment of where within OHS the events occurred.
AU-3 - Medium - CCI-000132 - V-221319 - SV-221319r879565_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000132
Version
OH12-1X-000057
Vuln IDs
  • V-221319
  • V-64205
Rule IDs
  • SV-221319r879565_rule
  • SV-78695
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct location or process within the web server where the events occurred is important during forensic analysis. Correctly determining the web service, plug-in, or module will add information to the overall reconstruction of the logged event. For example, an event that occurred during communication to a cgi module might be handled differently than an event that occurred during a communication session to a user. Without sufficient information establishing where the log event occurred within the web server, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23034r414640_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23023r414641_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i" dod", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a SSL log format defined for log records that allow the establishment of where within OHS the events occurred.
AU-3 - Medium - CCI-000132 - V-221320 - SV-221320r879565_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000132
Version
OH12-1X-000058
Vuln IDs
  • V-221320
  • V-64207
Rule IDs
  • SV-221320r879565_rule
  • SV-78697
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct location or process within the web server where the events occurred is important during forensic analysis. Correctly determining the web service, plug-in, or module will add information to the overall reconstruction of the logged event. For example, an event that occurred during communication to a cgi module might be handled differently than an event that occurred during a communication session to a user. Without sufficient information establishing where the log event occurred within the web server, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23035r414643_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23024r414644_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i sslprot:%{SSL_PROTOCOL}x ciph:%{SSL_CIPHER}x" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of where within OHS the events occurred.
AU-3 - Medium - CCI-000132 - V-221321 - SV-221321r879565_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000132
Version
OH12-1X-000059
Vuln IDs
  • V-221321
  • V-64209
Rule IDs
  • SV-221321r879565_rule
  • SV-78699
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct location or process within the web server where the events occurred is important during forensic analysis. Correctly determining the web service, plug-in, or module will add information to the overall reconstruction of the logged event. For example, an event that occurred during communication to a cgi module might be handled differently than an event that occurred during a communication session to a user. Without sufficient information establishing where the log event occurred within the web server, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23036r414646_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope. 4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23025r414647_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3a. If the virtual host is NOT configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod", add the directive if it does not exist unless inherited from a larger scope. 3b. If the virtual host is configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a log format defined for log records that allow the establishment of the source of events.
AU-3 - Medium - CCI-000133 - V-221322 - SV-221322r879566_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000133
Version
OH12-1X-000060
Vuln IDs
  • V-221322
  • V-64211
Rule IDs
  • SV-221322r879566_rule
  • SV-78701
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., source IP, of the events is important during forensic analysis. Correctly determining the source will add information to the overall reconstruction of the logable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if the event compromised other assets within the enterprise. Without sufficient information establishing the source of the logged event, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23037r414649_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23026r414650_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i" dod", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a SSL log format defined for log records that allow the establishment of the source of events.
AU-3 - Medium - CCI-000133 - V-221323 - SV-221323r879566_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000133
Version
OH12-1X-000061
Vuln IDs
  • V-221323
  • V-64213
Rule IDs
  • SV-221323r879566_rule
  • SV-78703
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., source IP, of the events is important during forensic analysis. Correctly determining the source will add information to the overall reconstruction of the logable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if the event compromised other assets within the enterprise. Without sufficient information establishing the source of the logged event, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23038r414652_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23027r414653_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i sslprot:%{SSL_PROTOCOL}x ciph:%{SSL_CIPHER}x" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of the source of events.
AU-3 - Medium - CCI-000133 - V-221324 - SV-221324r879566_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000133
Version
OH12-1X-000062
Vuln IDs
  • V-221324
  • V-64215
Rule IDs
  • SV-221324r879566_rule
  • SV-78705
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., source IP, of the events is important during forensic analysis. Correctly determining the source will add information to the overall reconstruction of the logable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if the event compromised other assets within the enterprise. Without sufficient information establishing the source of the logged event, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23039r414655_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope. 4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23028r414656_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3a. If the virtual host is NOT configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod", add the directive if it does not exist unless inherited from a larger scope. 3b. If the virtual host is configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS, behind a load balancer or proxy server, must produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
AU-3 - Medium - CCI-000133 - V-221325 - SV-221325r879566_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000133
Version
OH12-1X-000063
Vuln IDs
  • V-221325
  • V-64217
Rule IDs
  • SV-221325r879566_rule
  • SV-78707
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., source IP, of the events is important during forensic analysis. Correctly determining the source of events will add information to the overall reconstruction of the logable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if events tied to the source occurred in other areas within the enterprise. A web server behind a load balancer or proxy server, when not configured correctly, will record the load balancer or proxy server as the source of every logable event. When looking at the information forensically, this information is not helpful in the investigation of events. The web server must record with each event the client source of the event.
Checks: C-23040r414658_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23029r414659_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i" dod", add the directive if it does not exist unless inherited from a larger scope.

b
OHS, behind a load balancer or proxy server, must have the SSL log format set correctly to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
AU-3 - Medium - CCI-000133 - V-221326 - SV-221326r879566_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000133
Version
OH12-1X-000064
Vuln IDs
  • V-221326
  • V-64219
Rule IDs
  • SV-221326r879566_rule
  • SV-78709
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., source IP, of the events is important during forensic analysis. Correctly determining the source of events will add information to the overall reconstruction of the logable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if events tied to the source occurred in other areas within the enterprise. A web server behind a load balancer or proxy server, when not configured correctly, will record the load balancer or proxy server as the source of every logable event. When looking at the information forensically, this information is not helpful in the investigation of events. The web server must record with each event the client source of the event.
Checks: C-23041r414661_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23030r414662_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i sslprot:%{SSL_PROTOCOL}x ciph:%{SSL_CIPHER}x" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS, behind a load balancer or proxy server, must have a log file defined for each site/virtual host to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
AU-3 - Medium - CCI-000133 - V-221327 - SV-221327r879566_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000133
Version
OH12-1X-000065
Vuln IDs
  • V-221327
  • V-64221
Rule IDs
  • SV-221327r879566_rule
  • SV-78711
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., source IP, of the events is important during forensic analysis. Correctly determining the source of events will add information to the overall reconstruction of the logable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if events tied to the source occurred in other areas within the enterprise. A web server behind a load balancer or proxy server, when not configured correctly, will record the load balancer or proxy server as the source of every logable event. When looking at the information forensically, this information is not helpful in the investigation of events. The web server must record with each event the client source of the event.
Checks: C-23042r414664_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope. 4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23031r414665_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3a. If the virtual host is NOT configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod", add the directive if it does not exist unless inherited from a larger scope. 3b. If the virtual host is configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a log format defined to produce log records that contain sufficient information to establish the outcome (success or failure) of events.
AU-3 - Medium - CCI-000134 - V-221328 - SV-221328r879567_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000134
Version
OH12-1X-000066
Vuln IDs
  • V-221328
  • V-64223
Rule IDs
  • SV-221328r879567_rule
  • SV-78713
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the success or failure of an event is important during forensic analysis. Correctly determining the outcome will add information to the overall reconstruction of the logable event. By determining the success or failure of the event correctly, analysis of the enterprise can be undertaken to determine if events tied to the event occurred in other areas within the enterprise. Without sufficient information establishing the success or failure of the logged event, investigation into the cause of event is severely hindered. The success or failure also provides a means to measure the impact of an event and help authorized personnel to determine the appropriate response. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23043r414667_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23032r414668_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i" dod", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a SSL log format defined to produce log records that contain sufficient information to establish the outcome (success or failure) of events.
AU-3 - Medium - CCI-000134 - V-221329 - SV-221329r879567_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000134
Version
OH12-1X-000067
Vuln IDs
  • V-221329
  • V-64225
Rule IDs
  • SV-221329r879567_rule
  • SV-78715
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the success or failure of an event is important during forensic analysis. Correctly determining the outcome will add information to the overall reconstruction of the logable event. By determining the success or failure of the event correctly, analysis of the enterprise can be undertaken to determine if events tied to the event occurred in other areas within the enterprise. Without sufficient information establishing the success or failure of the logged event, investigation into the cause of event is severely hindered. The success or failure also provides a means to measure the impact of an event and help authorized personnel to determine the appropriate response. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23044r414670_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23033r414671_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i sslprot:%{SSL_PROTOCOL}x ciph:%{SSL_CIPHER}x" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a log file defined for each site/virtual host to produce log records that contain sufficient information to establish the outcome (success or failure) of events.
AU-3 - Medium - CCI-000134 - V-221330 - SV-221330r879567_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000134
Version
OH12-1X-000068
Vuln IDs
  • V-221330
  • V-64227
Rule IDs
  • SV-221330r879567_rule
  • SV-78717
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the success or failure of an event is important during forensic analysis. Correctly determining the outcome will add information to the overall reconstruction of the logable event. By determining the success or failure of the event correctly, analysis of the enterprise can be undertaken to determine if events tied to the event occurred in other areas within the enterprise. Without sufficient information establishing the success or failure of the logged event, investigation into the cause of event is severely hindered. The success or failure also provides a means to measure the impact of an event and help authorized personnel to determine the appropriate response. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23045r414673_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope. 4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23034r414674_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3a. If the virtual host is NOT configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod", add the directive if it does not exist unless inherited from a larger scope. 3b. If the virtual host is configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a log format defined to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
AU-3 - Medium - CCI-001487 - V-221331 - SV-221331r879568_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-001487
Version
OH12-1X-000069
Vuln IDs
  • V-221331
  • V-64229
Rule IDs
  • SV-221331r879568_rule
  • SV-78719
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Determining user accounts, processes running on behalf of the user, and running process identifiers also enable a better understanding of the overall event. User tool identification is also helpful to determine if events are related to overall user access or specific client tools. Log record content that may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.
Checks: C-23046r414676_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23035r414677_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i" dod", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a SSL log format defined to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
AU-3 - Medium - CCI-001487 - V-221332 - SV-221332r879568_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-001487
Version
OH12-1X-000070
Vuln IDs
  • V-221332
  • V-64231
Rule IDs
  • SV-221332r879568_rule
  • SV-78721
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Determining user accounts, processes running on behalf of the user, and running process identifiers also enable a better understanding of the overall event. User tool identification is also helpful to determine if events are related to overall user access or specific client tools. Log record content that may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.
Checks: C-23047r414679_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23036r414680_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i sslprot:%{SSL_PROTOCOL}x ciph:%{SSL_CIPHER}x" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a log file defined for each site/virtual host to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
AU-3 - Medium - CCI-001487 - V-221333 - SV-221333r879568_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-001487
Version
OH12-1X-000071
Vuln IDs
  • V-221333
  • V-64233
Rule IDs
  • SV-221333r879568_rule
  • SV-78723
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Determining user accounts, processes running on behalf of the user, and running process identifiers also enable a better understanding of the overall event. User tool identification is also helpful to determine if events are related to overall user access or specific client tools. Log record content that may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.
Checks: C-23048r414682_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope. 4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23037r414683_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3a. If the virtual host is NOT configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod", add the directive if it does not exist unless inherited from a larger scope. 3b. If the virtual host is configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS log files must only be accessible by privileged users.
AU-9 - Medium - CCI-000162 - V-221334 - SV-221334r879576_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
OH12-1X-000074
Vuln IDs
  • V-221334
  • V-64235
Rule IDs
  • SV-221334r879576_rule
  • SV-78725
Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc. The web server must protect the log data from unauthorized read, write, copy, etc. This can be done by the web server if the web server is also doing the logging function. The web server may also use an external log system. In either case, the logs must be protected from access by non-privileged users.
Checks: C-23049r414685_chk

1. Change to the ORACLE_HOME/user_projects/domains/base_domain/servers directory. 2. Execute the command: find . -name *.log 3. Verify that each log file that was returned has the owner and group set to the user and group used to run the web server. The user and group are typically set to Oracle. 4. Verify that each log file that was returned has the permissions on the log file set to "640" or more restrictive. If the owner, group or permissions are set incorrectly on any of the log files, this is a finding.

Fix: F-23038r414686_fix

1. Change to the ORACLE_HOME/user_projects/domains/base_domain/servers directory. 2. Execute the command: find . -name *.log 3. Set the owner and group to the user and group used to run the web server. The user and group are typically set to Oracle. 4. Set the permissions on all the log files returned to "640".

b
The log information from OHS must be protected from unauthorized modification.
AU-9 - Medium - CCI-000163 - V-221335 - SV-221335r879577_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000163
Version
OH12-1X-000075
Vuln IDs
  • V-221335
  • V-64237
Rule IDs
  • SV-221335r879577_rule
  • SV-78727
Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromise. One of the first steps an attacker will undertake is the modification or deletion of log records to cover his tracks and prolong discovery. The web server must protect the log data from unauthorized modification. This can be done by the web server if the web server is also doing the logging function. The web server may also use an external log system. In either case, the logs must be protected from modification by non-privileged users.
Checks: C-23050r414688_chk

1. Change to the ORACLE_HOME/user_projects/domains/base_domain/servers directory. 2. Execute the command: find . -name *.log 3. Verify that each log file that was returned has the owner and group set to the user and group used to run the web server. The user and group are typically set to Oracle. 4. Verify that each log file that was returned has the permissions on the log file set to "640" or more restrictive. If the owner, group or permissions are set incorrectly on any of the log files, this is a finding.

Fix: F-23039r414689_fix

1. Change to the ORACLE_HOME/user_projects/domains/base_domain/servers directory. 2. Execute the command: find . -name *.log 3. Set the owner and group to the user and group used to run the web server. The user and group are typically set to Oracle. 4. Set the permissions on all the log files returned to "640".

b
The log information from OHS must be protected from unauthorized deletion.
AU-9 - Medium - CCI-000164 - V-221336 - SV-221336r879578_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000164
Version
OH12-1X-000076
Vuln IDs
  • V-221336
  • V-64239
Rule IDs
  • SV-221336r879578_rule
  • SV-78729
Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromise. One of the first steps an attacker will undertake is the modification or deletion of audit records to cover his tracks and prolong discovery. The web server must protect the log data from unauthorized deletion. This can be done by the web server if the web server is also doing the logging function. The web server may also use an external log system. In either case, the logs must be protected from deletion by non-privileged users.
Checks: C-23051r414691_chk

1. Change to the ORACLE_HOME/user_projects/domains/base_domain/servers directory. 2. Execute the command: find . -name *.log 3. Verify that each log file that was returned has the owner and group set to the user and group used to run the web server. The user and group are typically set to Oracle. 4. Verify that each log file that was returned has the permissions on the log file set to "640" or more restrictive. If the owner, group or permissions are set incorrectly on any of the log files, this is a finding.

Fix: F-23040r414692_fix

1. Change to the ORACLE_HOME/user_projects/domains/base_domain/servers directory. 2. Execute the command: find . -name *.log 3. Set the owner and group to the user and group used to run the web server. The user and group are typically set to Oracle. 4. Set the permissions on all the log files returned to "640".

b
The log data and records from OHS must be backed up onto a different system or media.
AU-9 - Medium - CCI-001348 - V-221337 - SV-221337r879582_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001348
Version
OH12-1X-000077
Vuln IDs
  • V-221337
  • V-64241
Rule IDs
  • SV-221337r879582_rule
  • SV-78731
Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up log records to an unrelated system or onto separate media than the system the web server is actually running on helps to assure that, in the event of a catastrophic system failure, the log records will be retained.
Checks: C-23052r414694_chk

1. Verify that the System Administrator backs up the files located in the $DOMAIN_HOME/servers/&lt;componentName&gt;/logs directory. 2. If the files located in the $DOMAIN_HOME/servers/&lt;componentName&gt;/logs directory, this is a finding.

Fix: F-23041r414695_fix

Have the System Administrator back up the files located in the $DOMAIN_HOME/servers/<componentName>/logs directory.

b
OHS must be configured to store error log files to an appropriate storage device from which other tools can be configured to reference those log files for diagnostic/forensic purposes.
AU-4 - Medium - CCI-001851 - V-221338 - SV-221338r879731_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
OH12-1X-000081
Vuln IDs
  • V-221338
  • V-64505
Rule IDs
  • SV-221338r879731_rule
  • SV-78995
A web server will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within a hosted application. This information can then be used for diagnostic purposes, forensics purposes, or other purposes relevant to ensuring the availability and integrity of the hosted application. While it is important to log events identified as being critical and relevant to security, it is equally important to notify the appropriate personnel in a timely manner so they are able to respond to events as they occur. Manual review of the web server logs may not occur in a timely manner, and each event logged is open to interpretation by a reviewer. By integrating the web server into an overall or organization-wide log review, a larger picture of events can be viewed, and analysis can be done in a timely and reliable manner.
Checks: C-23053r414697_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "OraLogDir" directive at the OHS server configuration scope. 3. If the directive is omitted, this is a finding. 4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23042r414698_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "OraLogDir" directive at the OHS server configuration scope. 3. Set the "OraLogDir" directive to an appropriate, protected location on a partition with sufficient space that is different from the partition on which the OHS software is installed; add the directive if it does not exist.

b
OHS must be configured to store access log files to an appropriate storage device from which other tools can be configured to reference those log files for diagnostic/forensic purposes.
AU-4 - Medium - CCI-001851 - V-221339 - SV-221339r879731_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
OH12-1X-000082
Vuln IDs
  • V-221339
  • V-64507
Rule IDs
  • SV-221339r879731_rule
  • SV-78997
A web server will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within a hosted application. This information can then be used for diagnostic purposes, forensics purposes, or other purposes relevant to ensuring the availability and integrity of the hosted application. While it is important to log events identified as being critical and relevant to security, it is equally important to notify the appropriate personnel in a timely manner so they are able to respond to events as they occur. Manual review of the web server logs may not occur in a timely manner, and each event logged is open to interpretation by a reviewer. By integrating the web server into an overall or organization-wide log review, a larger picture of events can be viewed, and analysis can be done in a timely and reliable manner.
Checks: C-23054r414700_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope. 4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23043r414701_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3a. If the virtual host is NOT configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod", add the directive if it does not exist unless inherited from a larger scope and reference a location where other tools can access the log files for diagnostic/forensic purposes. 3b. If the virtual host is configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod_ssl", add the directive if it does not exist unless inherited from a larger scope and reference a location where other tools can access the log files for diagnostic/forensic purposes.

b
OHS must have the LoadModule file_cache_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221340 - SV-221340r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000093
Vuln IDs
  • V-221340
  • V-64243
Rule IDs
  • SV-221340r879587_rule
  • SV-78733
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23055r414703_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule file_cache_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23044r414704_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule file_cache_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule file_cache_module" directive if it exists.

a
OHS must have the LoadModule vhost_alias_module directive disabled.
CM-7 - Low - CCI-000381 - V-221341 - SV-221341r879587_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
OH12-1X-000094
Vuln IDs
  • V-221341
  • V-64245
Rule IDs
  • SV-221341r879587_rule
  • SV-78735
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23056r414706_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule vhost_alias_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23045r414707_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule vhost_alias_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule vhost_alias_module" directive if it exists.

b
OHS must have the LoadModule env_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221342 - SV-221342r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000095
Vuln IDs
  • V-221342
  • V-64247
Rule IDs
  • SV-221342r879587_rule
  • SV-78737
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23057r414709_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule env_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23046r414710_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule env_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule env_module" directive if it exists.

a
OHS must have the LoadModule mime_magic_module directive disabled.
CM-7 - Low - CCI-000381 - V-221343 - SV-221343r879587_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
OH12-1X-000096
Vuln IDs
  • V-221343
  • V-64249
Rule IDs
  • SV-221343r879587_rule
  • SV-78739
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23058r414712_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule mime_magic_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23047r414713_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule mime_magic_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule mime_magic_module" directive if it exists.

a
OHS must have the LoadModule negotiation_module directive disabled.
CM-7 - Low - CCI-000381 - V-221344 - SV-221344r879587_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
OH12-1X-000097
Vuln IDs
  • V-221344
  • V-64251
Rule IDs
  • SV-221344r879587_rule
  • SV-78741
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23059r414715_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule negotiation_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23048r414716_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule negotiation_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule negotiation_module" directive if it exists.

a
OHS must not have the LanguagePriority directive enabled.
CM-7 - Low - CCI-000381 - V-221345 - SV-221345r879587_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
OH12-1X-000098
Vuln IDs
  • V-221345
  • V-64253
Rule IDs
  • SV-221345r879587_rule
  • SV-78743
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23060r414718_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "LanguagePriority" directive. 2. Search for the "LanguagePriority" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23049r414719_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "LanguagePriority" directive. 2. Search for the "LanguagePriority" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "LanguagePriority" directive if it exists.

a
OHS must not have the ForceLanguagePriority directive enabled.
CM-7 - Low - CCI-000381 - V-221346 - SV-221346r879587_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
OH12-1X-000099
Vuln IDs
  • V-221346
  • V-64255
Rule IDs
  • SV-221346r879587_rule
  • SV-78745
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23061r414721_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "ForceLanguagePriority" directive. 2. Search for the "ForceLanguagePriority" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23050r414722_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "ForceLanguagePriority" directive. 2. Search for the "ForceLanguagePriority" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "ForceLanguagePriority" directive if it exists.

b
OHS must have the LoadModule status_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221347 - SV-221347r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000100
Vuln IDs
  • V-221347
  • V-64257
Rule IDs
  • SV-221347r879587_rule
  • SV-78747
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23062r414724_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule status_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23051r414725_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule status_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule status_module" directive if it exists.

b
OHS must have the LoadModule info_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221348 - SV-221348r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000101
Vuln IDs
  • V-221348
  • V-64259
Rule IDs
  • SV-221348r879587_rule
  • SV-78749
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23063r414727_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule info_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23052r414728_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule info_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule info_module" directive if it exists.

b
OHS must have the LoadModule include_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221349 - SV-221349r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000102
Vuln IDs
  • V-221349
  • V-64261
Rule IDs
  • SV-221349r879587_rule
  • SV-78751
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23064r414730_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule include_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23053r414731_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule include_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule include_module" directive if it exists.

b
OHS must have the LoadModule autoindex_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221350 - SV-221350r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000103
Vuln IDs
  • V-221350
  • V-64263
Rule IDs
  • SV-221350r879587_rule
  • SV-78753
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23065r414733_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule autoindex_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23054r414734_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule autoindex_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule autoindex_module" directive if it exists.

b
OHS must have the IndexOptions directive disabled.
CM-7 - Medium - CCI-000381 - V-221351 - SV-221351r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000104
Vuln IDs
  • V-221351
  • V-64265
Rule IDs
  • SV-221351r879587_rule
  • SV-78755
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23066r414736_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains an "IndexOptions" directive. 2. Search for the "IndexOptions" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23055r414737_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains an "IndexOptions" directive. 2. Search for the "IndexOptions" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "IndexOptions" directive if it exists.

b
OHS must have the AddIconByEncoding directive disabled.
CM-7 - Medium - CCI-000381 - V-221352 - SV-221352r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000105
Vuln IDs
  • V-221352
  • V-64267
Rule IDs
  • SV-221352r879587_rule
  • SV-78757
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23067r414739_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains an "AddIconByEncoding" directive. 2. Search for an "AddIconByEncoding" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23056r414740_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains an "AddIconByEncoding" directive. 2. Search for an "AddIconByEncoding" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "AddIconByEncoding" directive if it exists.

b
OHS must have the AddIconByType directive disabled.
CM-7 - Medium - CCI-000381 - V-221353 - SV-221353r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000106
Vuln IDs
  • V-221353
  • V-64269
Rule IDs
  • SV-221353r879587_rule
  • SV-78759
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23068r414742_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains an "AddIconByType" directive. 2. Search for an "AddIconByType" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23057r414743_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains an "AddIconByType" directive. 2. Search for an "AddIconByType" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "AddIconByType" directive if it exists.

b
OHS must have the AddIcon directive disabled.
CM-7 - Medium - CCI-000381 - V-221354 - SV-221354r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000107
Vuln IDs
  • V-221354
  • V-64271
Rule IDs
  • SV-221354r879587_rule
  • SV-78761
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23069r414745_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains an "AddIcon" directive. 2. Search for an "AddIcon" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23058r414746_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains an "AddIcon" directive. 2. Search for an "AddIcon" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "AddIcon" directive if it exists.

b
OHS must have the DefaultIcon directive disabled.
CM-7 - Medium - CCI-000381 - V-221355 - SV-221355r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000108
Vuln IDs
  • V-221355
  • V-64273
Rule IDs
  • SV-221355r879587_rule
  • SV-78763
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23070r414748_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "DefaultIcon" directive. 2. Search for a "DefaultIcon" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23059r414749_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "DefaultIcon" directive. 2. Search for a "DefaultIcon" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "DefaultIcon" directive if it exists.

b
OHS must have the ReadmeName directive disabled.
CM-7 - Medium - CCI-000381 - V-221356 - SV-221356r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000109
Vuln IDs
  • V-221356
  • V-64275
Rule IDs
  • SV-221356r879587_rule
  • SV-78765
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23071r414751_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "ReadmeName" directive. 2. Search for a "ReadmeName" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23060r414752_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "ReadmeName" directive. 2. Search for a "ReadmeName" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "ReadmeName" directive if it exists.

b
OHS must have the HeaderName directive disabled.
CM-7 - Medium - CCI-000381 - V-221357 - SV-221357r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000110
Vuln IDs
  • V-221357
  • V-64277
Rule IDs
  • SV-221357r879587_rule
  • SV-78767
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23072r414754_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "HeaderName" directive. 2. Search for a "HeaderName" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23061r414755_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "HeaderName" directive. 2. Search for a "HeaderName" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "HeaderName" directive if it exists.

b
OHS must have the IndexIgnore directive disabled.
CM-7 - Medium - CCI-000381 - V-221358 - SV-221358r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000111
Vuln IDs
  • V-221358
  • V-64279
Rule IDs
  • SV-221358r879587_rule
  • SV-78769
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23073r414757_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains an "IndexIgnore" directive. 2. Search for an "IndexIgnore" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23062r414758_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains an "IndexIgnore" directive. 2. Search for an "IndexIgnore" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "IndexIgnore" directive if it exists.

a
OHS must have the LoadModule dir_module directive disabled.
CM-7 - Low - CCI-000381 - V-221359 - SV-221359r879587_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
OH12-1X-000112
Vuln IDs
  • V-221359
  • V-64281
Rule IDs
  • SV-221359r879587_rule
  • SV-78771
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23074r414760_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule dir_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23063r414761_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule dir_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule dir_module" directive if it exists.

a
OHS must have the DirectoryIndex directive disabled.
CM-7 - Low - CCI-000381 - V-221360 - SV-221360r879587_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
OH12-1X-000113
Vuln IDs
  • V-221360
  • V-64283
Rule IDs
  • SV-221360r879587_rule
  • SV-78773
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23075r414763_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "DirectoryIndex" directive. 2. Search for the "DirectoryIndex" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive and any surrounding "&lt;IfModule dir_module&gt;" directive exist and are not commented out, this is a finding.

Fix: F-23064r414764_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "DirectoryIndex" directive. 2. Search for the "DirectoryIndex" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "DirectoryIndex" directive and any surrounding "<IfModule dir_module>" directive if they exist.

b
OHS must have the LoadModule cgi_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221361 - SV-221361r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000114
Vuln IDs
  • V-221361
  • V-64285
Rule IDs
  • SV-221361r879587_rule
  • SV-78775
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23076r414766_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule cgi_module" directive within the "&lt;IfModule mpm_prefork_module&gt;" directive at the OHS server configuration scope. 3. If the directive and its surrounding "&lt;IfModule mpm_prefork_module&gt;" directive exist and are not commented out, this is a finding.

Fix: F-23065r414767_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule cgi_module" directive within the "<IfModule mpm_prefork_module>" directive at the OHS server configuration scope. 3. Comment out the "LoadModule cgi_module" directive and surrounding "<IfModule mpm_prefork_module>" directives if they exist.

b
OHS must have the LoadModule fastcgi_module disabled.
CM-7 - Medium - CCI-000381 - V-221362 - SV-221362r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000115
Vuln IDs
  • V-221362
  • V-64287
Rule IDs
  • SV-221362r879587_rule
  • SV-78777
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23077r414769_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule fastcgi_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23066r414770_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule fastcgi_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule fastcgi_module" directive if it exists.

b
OHS must have the LoadModule cgid_module directive disabled for mpm workers.
CM-7 - Medium - CCI-000381 - V-221363 - SV-221363r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000116
Vuln IDs
  • V-221363
  • V-64289
Rule IDs
  • SV-221363r879587_rule
  • SV-78779
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23078r414772_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule cgid_module" directive within the "&lt;IfModule mpm_worker_module&gt;" directive at the OHS server configuration scope. 3. If the directive and its surrounding "&lt;IfModule mpm_worker_module&gt;" directive exist and are not commented out, this is a finding.

Fix: F-23067r414773_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule cgid_module" directive within the "<IfModule mpm_worker_module>" directive at the OHS server configuration scope. 3. Comment out the "LoadModule cgid_module" directive and surrounding "<IfModule mpm_worker_module>" directives if they exist.

a
OHS must have the IfModule cgid_module directive disabled.
CM-7 - Low - CCI-000381 - V-221364 - SV-221364r879587_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
OH12-1X-000117
Vuln IDs
  • V-221364
  • V-64291
Rule IDs
  • SV-221364r879587_rule
  • SV-78781
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23079r414775_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;IfModule cgid_module&gt;" directive. 2. Search for the "&lt;IfModule cgid_module&gt;" directive at the OHS server, virtual host, and directory configuration scope. 3. If the directive and any directives that it may contain exist and are not commented out, this is a finding.

Fix: F-23068r414776_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<IfModule cgid_module>" directive. 2. Search for the "<IfModule cgid_module>" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "<IfModule cgid_module>" directive and any directives it may contain.

a
OHS must have the LoadModule mpm_winnt_module directive disabled.
CM-7 - Low - CCI-000381 - V-221365 - SV-221365r879587_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
OH12-1X-000118
Vuln IDs
  • V-221365
  • V-64293
Rule IDs
  • SV-221365r879587_rule
  • SV-78783
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23080r414778_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule cgi_module" directive within the "&lt;IfModule mpm_winnt_module&gt;" directive at the OHS server configuration scope. 3. If the directive and its surrounding "&lt;IfModule mpm_winnt_module&gt;" directive exist and are not commented out, this is a finding.

Fix: F-23069r414779_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule cgi_module" directive within the "<IfModule mpm_winnt_module>" directive at the OHS server configuration scope. 3. Comment out the "LoadModule cgi_module" directive and surrounding "<IfModule mpm_winnt_module>" directives if they exist.

b
OHS must have the ScriptAlias directive for CGI scripts disabled.
CM-7 - Medium - CCI-000381 - V-221366 - SV-221366r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000119
Vuln IDs
  • V-221366
  • V-64295
Rule IDs
  • SV-221366r879587_rule
  • SV-78785
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23081r414781_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for a "ScriptAlias /cgi-bin/" directive within a "&lt;IfModule alias_module&gt;" directive at the OHS server configuration scope. 3. If the directive and its surrounding "&lt;IfModule alias_module&gt;" directive exist and are not commented out, this is a finding.

Fix: F-23070r414782_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for a "ScriptAlias /cgi-bin/" directive within a "<IfModule alias_module>" directive at the OHS server configuration scope. 3. Comment out the "ScriptAlias /cgi-bin/" directive and its surrounding "<IfModule alias_module>" directive if they exist.

b
OHS must have the ScriptSock directive disabled.
CM-7 - Medium - CCI-000381 - V-221367 - SV-221367r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000120
Vuln IDs
  • V-221367
  • V-64297
Rule IDs
  • SV-221367r879587_rule
  • SV-78787
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23082r414784_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for a "ScriptSock" directive within a "&lt;IfModule cgid_module&gt;" directive at the OHS server configuration scope. Note: “ScriptSock” may appear as “Scriptsock” within the httpd.conf file. 3. If the directive and its surrounding "&lt;IfModule cgid_module&gt;" directive exist and are not commented out, this is a finding.

Fix: F-23071r414785_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for a "ScriptSock" directive within a "<IfModule cgid_module>" directive at the OHS server configuration scope. Note: “ScriptSock” may appear as “Scriptsock” within the httpd.conf file. 3. Comment out the "ScriptSock" directive and its surrounding "<IfModule cgid_module>" directive if they exist.

b
OHS must have the cgi-bin directory disabled.
CM-7 - Medium - CCI-000381 - V-221368 - SV-221368r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000121
Vuln IDs
  • V-221368
  • V-64299
Rule IDs
  • SV-221368r879587_rule
  • SV-78789
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23083r414787_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/ssl.conf with an editor. 2. Search for a "&lt;Directory "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/cgi-bin"&gt;" directive at the OHS server and virtual host configuration scopes. 3. If the directive and any directives that it contains exist and are not commented out, this is a finding.

Fix: F-23072r414788_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor. 2. Search for a "<Directory "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/cgi-bin">" directive at the OHS server and virtual host configuration scopes. 3. Comment out the "<Directory "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/cgi-bin">" directive and any directives it contains if they exist.

b
OHS must have directives pertaining to certain scripting languages removed from virtual hosts.
CM-7 - Medium - CCI-000381 - V-221369 - SV-221369r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000122
Vuln IDs
  • V-221369
  • V-64301
Rule IDs
  • SV-221369r879587_rule
  • SV-78791
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23084r414790_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/ssl.conf with an editor. 2. Search for a "&lt;FilesMatch "\.(cgi|shtml|phtml|php)$"&gt;" directive at the virtual host configuration scope. 3. If the directive and any directives that it contains exist and are not commented out, this is a finding.

Fix: F-23073r414791_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor. 2. Search for a "<FilesMatch "\.(cgi|shtml|phtml|php)$">" directive at the OHS server configuration scope. 3. Comment out the "<FilesMatch "\.(cgi|shtml|phtml|php)$">" directive and any directives it contains if they exist.

a
OHS must have the LoadModule asis_module directive disabled.
CM-7 - Low - CCI-000381 - V-221370 - SV-221370r879587_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
OH12-1X-000123
Vuln IDs
  • V-221370
  • V-64303
Rule IDs
  • SV-221370r879587_rule
  • SV-78793
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23085r414793_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule asis_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23074r414794_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule asis_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule asis_module" directive if it exists.

a
OHS must have the LoadModule imagemap_module directive disabled.
CM-7 - Low - CCI-000381 - V-221371 - SV-221371r879587_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
OH12-1X-000124
Vuln IDs
  • V-221371
  • V-64305
Rule IDs
  • SV-221371r879587_rule
  • SV-78795
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23086r414796_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule imagemap_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23075r414797_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule imagemap_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule imagemap_module" directive if it exists.

b
OHS must have the LoadModule actions_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221372 - SV-221372r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000125
Vuln IDs
  • V-221372
  • V-64307
Rule IDs
  • SV-221372r879587_rule
  • SV-78797
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23087r414799_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule actions_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23076r414800_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule actions_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule actions_module" directive if it exists.

a
OHS must have the LoadModule speling_module directive disabled.
CM-7 - Low - CCI-000381 - V-221373 - SV-221373r879587_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
OH12-1X-000126
Vuln IDs
  • V-221373
  • V-64309
Rule IDs
  • SV-221373r879587_rule
  • SV-78799
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23088r414802_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule speling_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23077r414803_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule speling_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule speling_module" directive if it exists.

b
OHS must have the LoadModule userdir_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221374 - SV-221374r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000127
Vuln IDs
  • V-221374
  • V-64311
Rule IDs
  • SV-221374r879587_rule
  • SV-78801
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23089r414805_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule userdir_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23078r414806_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule userdir_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule userdir_module" directive if it exists.

b
OHS must have the AliasMatch directive pertaining to the OHS manuals disabled.
CM-7 - Medium - CCI-000381 - V-221375 - SV-221375r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000128
Vuln IDs
  • V-221375
  • V-64313
Rule IDs
  • SV-221375r879587_rule
  • SV-78803
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23090r414808_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for a "AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br|ru|tr))?(/.*)?$ "${PRODUCT_HOME}/manual$1"" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23079r414809_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for an "AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br|ru|tr))?(/.*)?$ "${PRODUCT_HOME}/manual$1"" directive at the OHS server configuration scope. 3. Comment out the "AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br|ru|tr))?(/.*)?$ "${PRODUCT_HOME}/manual$1"" directive if it exists.

b
OHS must have the Directory directive pointing to the OHS manuals disabled.
CM-7 - Medium - CCI-000381 - V-221376 - SV-221376r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000129
Vuln IDs
  • V-221376
  • V-64315
Rule IDs
  • SV-221376r879587_rule
  • SV-78805
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23091r414811_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for a "&lt;Directory "${PRODUCT_HOME}/manual"&gt;" directive at the OHS server configuration scope. 3. If the directive and the directives it contains exists and is not commented out, this is a finding.

Fix: F-23080r414812_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for a "<Directory "${PRODUCT_HOME}/manual">" directive at the OHS server configuration scope. 3. Comment out the "<Directory "${PRODUCT_HOME}/manual">" directive and any directives it contains if they exist.

b
OHS must have the LoadModule auth_basic_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221377 - SV-221377r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000130
Vuln IDs
  • V-221377
  • V-64317
Rule IDs
  • SV-221377r879587_rule
  • SV-78807
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23092r414814_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule auth_basic_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23081r414815_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule auth_basic_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule auth_basic_module" directive if it exists.

b
OHS must have the LoadModule authz_user_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221378 - SV-221378r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000131
Vuln IDs
  • V-221378
  • V-64319
Rule IDs
  • SV-221378r879587_rule
  • SV-78809
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance. This module provides authorization capabilities so authenticated users can be allowed or denied access to portions of the web site. This requirement is meant to disable an unneeded service; it is not intended to restrict the use of authorization when data access restrictions specify the use of authorization. Refer to the system security plan to determine if authorization is required based on data access requirements.
Checks: C-23093r539626_chk

If the AO approved system security plan for web server configuration specifies using the OHS authz_user_module in order to meet application architecture requirements, this requirement can be marked NA. 1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule authz_user_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23082r457166_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule authz_user_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule authz_user_module" directive if it exists.

b
OHS must have the LoadModule authn_file_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221379 - SV-221379r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000132
Vuln IDs
  • V-221379
  • V-64321
Rule IDs
  • SV-221379r879587_rule
  • SV-78811
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23094r414820_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule authn_file_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23083r414821_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule authn_file_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule authn_file_module" directive if it exists.

b
OHS must have the LoadModule authn_anon_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221380 - SV-221380r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000133
Vuln IDs
  • V-221380
  • V-64323
Rule IDs
  • SV-221380r879587_rule
  • SV-78813
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23095r414823_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule authn_anon_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23084r414824_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule authn_anon_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule authn_anon_module" directive if it exists.

b
OHS must have the LoadModule proxy_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221381 - SV-221381r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000134
Vuln IDs
  • V-221381
  • V-64325
Rule IDs
  • SV-221381r879587_rule
  • SV-78815
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23096r457168_chk

If the AO-approved system security plan for web server configuration specifies using the proxy_module directive in order to meet application architecture requirements and authentication is enforced, this requirement is NA. 1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule proxy_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23085r457169_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule proxy_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule proxy_module" directive if it exists.

b
OHS must have the LoadModule proxy_http_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221382 - SV-221382r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000135
Vuln IDs
  • V-221382
  • V-64327
Rule IDs
  • SV-221382r879587_rule
  • SV-78817
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance. The proxy_http_module requires the service of mod_proxy. It provides the features used for proxying HTTP and HTTPS requests. If proxy services are required, the proxy configuration must be approved by the AO.
Checks: C-23097r539628_chk

If the AO approved system security plan for the web server configuration specifies using the proxy_http_module directive in order to meet application architecture requirements and authentication is enforced, this requirement is NA. 1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule proxy_http_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23086r457157_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule proxy_http_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule proxy_http_module" directive if it exists.

b
OHS must have the LoadModule proxy_ftp_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221383 - SV-221383r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000136
Vuln IDs
  • V-221383
  • V-64329
Rule IDs
  • SV-221383r879587_rule
  • SV-78819
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23098r414832_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule proxy_ftp_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23087r414833_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule proxy_ftp_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule proxy_ftp_module" directive if it exists.

b
OHS must have the LoadModule proxy_connect_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221384 - SV-221384r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000137
Vuln IDs
  • V-221384
  • V-64331
Rule IDs
  • SV-221384r879587_rule
  • SV-78821
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23099r414835_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule proxy_connect_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23088r414836_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule proxy_connect_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule proxy_connnect_module" directive if it exists.

b
OHS must have the LoadModule proxy_balancer_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221385 - SV-221385r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000138
Vuln IDs
  • V-221385
  • V-64333
Rule IDs
  • SV-221385r879587_rule
  • SV-78823
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23100r414838_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule proxy_balancer_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23089r414839_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule proxy_balancer_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule proxy_balancer_module" directive if it exists.

a
OHS must have the LoadModule cern_meta_module directive disabled.
CM-7 - Low - CCI-000381 - V-221386 - SV-221386r879587_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
OH12-1X-000139
Vuln IDs
  • V-221386
  • V-64335
Rule IDs
  • SV-221386r879587_rule
  • SV-78825
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23101r414841_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule cern_meta_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23090r414842_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule cern_meta_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule cern_meta_module" directive if it exists.

a
OHS must have the LoadModule expires_module directive disabled.
CM-7 - Low - CCI-000381 - V-221387 - SV-221387r879587_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
OH12-1X-000140
Vuln IDs
  • V-221387
  • V-64337
Rule IDs
  • SV-221387r879587_rule
  • SV-78827
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23102r414844_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule expires_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23091r414845_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule expires_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule expires_module" directive if it exists.

a
OHS must have the LoadModule usertrack_module directive disabled.
CM-7 - Low - CCI-000381 - V-221388 - SV-221388r879587_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
OH12-1X-000141
Vuln IDs
  • V-221388
  • V-64339
Rule IDs
  • SV-221388r879587_rule
  • SV-78829
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23103r414847_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule usertrack_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23092r414848_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule usertrack_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule usertrack_module" directive if it exists.

a
OHS must have the LoadModule uniqueid_module directive disabled.
CM-7 - Low - CCI-000381 - V-221389 - SV-221389r879587_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
OH12-1X-000142
Vuln IDs
  • V-221389
  • V-64341
Rule IDs
  • SV-221389r879587_rule
  • SV-78831
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23104r414850_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule unique_id_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23093r414851_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule unique_id_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule unique_id_module" directive if it exists.

b
OHS must have the LoadModule setenvif_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221390 - SV-221390r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000143
Vuln IDs
  • V-221390
  • V-64343
Rule IDs
  • SV-221390r879587_rule
  • SV-78833
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23105r414853_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule setenvif_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23094r414854_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule setenvif_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule setenvif_module" directive if it exists.

b
OHS must have the BrowserMatch directive disabled.
CM-7 - Medium - CCI-000381 - V-221391 - SV-221391r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000144
Vuln IDs
  • V-221391
  • V-64345
Rule IDs
  • SV-221391r879587_rule
  • SV-78835
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23106r414856_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "BrowserMatch" directive. 2. Search for the "BrowserMatch" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive and any surrounding "BrowserMatch" directive exist and are not commented out, this is a finding.

Fix: F-23095r414857_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "BrowserMatch" directive. 2. Search for the "BrowserMatch" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "BrowserMatch" directive and any surrounding "<IfModule dir_module>" directive if they exist.

b
OHS must have the LoadModule dumpio_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221392 - SV-221392r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000145
Vuln IDs
  • V-221392
  • V-64347
Rule IDs
  • SV-221392r879587_rule
  • SV-78837
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23107r414859_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule dumpio_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23096r414860_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule dumpio_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule dumpio_module" directive if it exists.

a
OHS must have the IfModule dumpio_module directive disabled.
CM-7 - Low - CCI-000381 - V-221393 - SV-221393r879587_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
OH12-1X-000146
Vuln IDs
  • V-221393
  • V-64349
Rule IDs
  • SV-221393r879587_rule
  • SV-78839
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23108r414862_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for a "&lt;IfModule dumpio_module&gt;" directive at the OHS server configuration scope. 3. If the directive and any directives that it contains exist and are not commented out, this is a finding.

Fix: F-23097r414863_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for a "<IfModule dumpio_module>" directive at the OHS server configuration scope. 3. Comment out the "<IfModule dumpio_module>" directive and any directives it contains if they exist.

b
OHS must have the Alias /icons/ directive disabled.
CM-7 - Medium - CCI-000381 - V-221394 - SV-221394r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000147
Vuln IDs
  • V-221394
  • V-64351
Rule IDs
  • SV-221394r879587_rule
  • SV-78841
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23109r414865_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for an "Alias /icons/" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23098r414866_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for an "Alias /icons/" directive at the OHS server configuration scope. 3. Comment out the "Alias /icons/" directive if it exists.

b
OHS must have the path to the icons directory disabled.
CM-7 - Medium - CCI-000381 - V-221395 - SV-221395r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000148
Vuln IDs
  • V-221395
  • V-64353
Rule IDs
  • SV-221395r879587_rule
  • SV-78843
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23110r414868_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for a "&lt;Directory "${PRODUCT_HOME}/icons"&gt;" directive at the OHS server configuration scope. 3. If the directive exists and any directives that it contains are not commented out, this is a finding.

Fix: F-23099r414869_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for a "<Directory "${PRODUCT_HOME}/icons">" directive at the OHS server configuration scope. 3. Comment out the "<Directory "$PRODUCT_HOME}/icons">" directive and any directives that it contains if they exist.

a
OHS must have the IfModule mpm_winnt_module directive disabled.
CM-7 - Low - CCI-000381 - V-221396 - SV-221396r879587_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
OH12-1X-000149
Vuln IDs
  • V-221396
  • V-64355
Rule IDs
  • SV-221396r879587_rule
  • SV-78845
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23111r414871_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/ssl.conf with an editor. 2. Search for the "&lt;IfModule mpm_winnt_module&gt;" directive at the OHS server configuration scope. 3. If the directive and any directives it contains exist and are not commented out, this is a finding.

Fix: F-23100r414872_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor. 2. Search for the "<IfModule mpm_winnt_module>" directive at the OHS server configuration scope. 3. Comment out the "<IfModule mpm_winnt_module>" directive and any directives it contains if they exist.

b
OHS must have the LoadModule proxy_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221397 - SV-221397r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000150
Vuln IDs
  • V-221397
  • V-64361
Rule IDs
  • SV-221397r879587_rule
  • SV-78851
A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very common attack making the attack anonymous.
Checks: C-23112r539630_chk

If the AO-approved system security plan for the web server configuration specifies using proxy_module directive in order to meet application architecture requirements, this requirement is NA. 1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule proxy_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23101r457160_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule proxy_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule proxy_module" directive if it exists.

b
OHS must have the LoadModule proxy_http_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221398 - SV-221398r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000151
Vuln IDs
  • V-221398
  • V-64363
Rule IDs
  • SV-221398r879587_rule
  • SV-78853
A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very common attack making the attack anonymous.
Checks: C-23113r539632_chk

If the AO-approved system security plan for the web server configuration specifies using the proxy_http_module directive in order to meet application architecture requirements, this requirement is NA. 1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule proxy_http_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23102r457163_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule proxy_http_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule proxy_http_module" directive if it exists.

b
OHS must have the LoadModule proxy_ftp_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221399 - SV-221399r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000152
Vuln IDs
  • V-221399
  • V-64365
Rule IDs
  • SV-221399r879587_rule
  • SV-78855
A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very common attack making the attack anonymous.
Checks: C-23114r414880_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule proxy_ftp_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23103r414881_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule proxy_ftp_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule proxy_ftp_module" directive if it exists.

b
OHS must have the LoadModule proxy_connect_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221400 - SV-221400r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000153
Vuln IDs
  • V-221400
  • V-64375
Rule IDs
  • SV-221400r879587_rule
  • SV-78865
A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very common attack making the attack anonymous.
Checks: C-23115r414883_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule proxy_connect_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23104r414884_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule proxy_connect_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule proxy_connnect_module" directive if it exists.

b
OHS must have the LoadModule proxy_balancer_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221401 - SV-221401r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000154
Vuln IDs
  • V-221401
  • V-64377
Rule IDs
  • SV-221401r879587_rule
  • SV-78867
A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very common attack making the attack anonymous.
Checks: C-23116r414886_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule proxy_balancer_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23105r414887_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule proxy_balancer_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule proxy_balancer_module" directive if it exists.

a
OHS must disable the directive pointing to the directory containing the OHS manuals.
CM-7 - Low - CCI-000381 - V-221402 - SV-221402r879587_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
OH12-1X-000156
Vuln IDs
  • V-221402
  • V-64379
Rule IDs
  • SV-221402r879587_rule
  • SV-78869
Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production web server must only contain components that are operationally necessary (e.g., compiled code, scripts, web-content, etc.). Any documentation, sample code, example applications, and tutorials must be removed from a production web server. To make certain that the documentation and code are not installed or uninstalled completely; the web server must offer an option as part of the installation process to exclude these packages or to uninstall the packages if necessary.
Checks: C-23117r414889_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for a "&lt;Directory "${PRODUCT_HOME}/manual"&gt;" directive at the OHS server configuration scope. 3. If the directive and the directives it contains exists and is not commented out, this is a finding.

Fix: F-23106r414890_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for a "<Directory "${PRODUCT_HOME}/manual">" directive at the OHS server configuration scope. 3. Comment out the "<Directory "${PRODUCT_HOME}/manual">" directive and any directives it contains if they exist.

b
OHS must have the AliasMatch directive disabled for the OHS manuals.
CM-7 - Medium - CCI-000381 - V-221403 - SV-221403r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000157
Vuln IDs
  • V-221403
  • V-64381
Rule IDs
  • SV-221403r879587_rule
  • SV-78871
Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production web server must only contain components that are operationally necessary (e.g., compiled code, scripts, web-content, etc.). Any documentation, sample code, example applications, and tutorials must be removed from a production web server. To make certain that the documentation and code are not installed or uninstalled completely; the web server must offer an option as part of the installation process to exclude these packages or to uninstall the packages if necessary.
Checks: C-23118r414892_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for a "AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br|ru|tr))?(/.*)?$ "${PRODUCT_HOME}/manual$1"" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23107r414893_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for an "AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br|ru|tr))?(/.*)?$ "${PRODUCT_HOME}/manual$1"" directive at the OHS server configuration scope. 3. Comment out the "AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br|ru|tr))?(/.*)?$ "${PRODUCT_HOME}/manual$1"" directive if it exists.

b
OHS must have the AddHandler directive disabled.
CM-7 - Medium - CCI-000381 - V-221404 - SV-221404r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000160
Vuln IDs
  • V-221404
  • V-64383
Rule IDs
  • SV-221404r879587_rule
  • SV-78873
Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more functionality than is needed for the operation of the hosted application poses a security issue. A user with too much access can view information that is not needed for the user's job role, or the user could use the function in an unintentional manner. A MIME tells the web server what type of program various file types and extensions are and what external utilities or programs are needed to execute the file type. A shell is a program that serves as the basic interface between the user and the operating system, so hosted application users must not have access to these programs. Shell programs may execute shell escapes and can then perform unauthorized activities that could damage the security posture of the web server.
Checks: C-23119r414895_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for "AddHandler" directives at the OHS server, virtual host, and directory configuration scopes. 3. If an "AddHandler" directive exists, this is a finding.

Fix: F-23108r414896_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for "AddHandler" directives at the OHS server, virtual host, and directory configuration scopes. 3. If an "AddHandler" directive exists, remove it.

b
OHS must have the LoadModule cgi_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221405 - SV-221405r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000161
Vuln IDs
  • V-221405
  • V-64385
Rule IDs
  • SV-221405r879587_rule
  • SV-78875
Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server. To assure scripts are not added to the web server and run maliciously, those script mappings that are not needed or used by the web server for hosted application operation must be removed.
Checks: C-23120r414898_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule cgi_module" directive within the "&lt;IfModule mpm_prefork_module&gt;" directive at the OHS server configuration scope. 3. If the directive and its surrounding "&lt;IfModule mpm_prefork_module&gt;" directive exist and are not commented out, this is a finding.

Fix: F-23109r414899_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule cgi_module" directive within the "<IfModule mpm_prefork_module>" directive at the OHS server configuration scope. 3. Comment out the "LoadModule cgi_module" directive and surrounding "<IfModule mpm_prefork_module>" directives if they exist.

b
OHS must have the LoadModule cgid_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221406 - SV-221406r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000162
Vuln IDs
  • V-221406
  • V-64387
Rule IDs
  • SV-221406r879587_rule
  • SV-78877
Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server. To assure scripts are not added to the web server and run maliciously, those script mappings that are not needed or used by the web server for hosted application operation must be removed.
Checks: C-23121r414901_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule cgid_module" directive within the "&lt;IfModule mpm_worker_module&gt;" directive at the OHS server configuration scope. 3. If the directive and its surrounding "&lt;IfModule mpm_worker_module&gt;" directive exist and are not commented out, this is a finding.

Fix: F-23110r414902_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule cgid_module" directive within the "<IfModule mpm_worker_module>" directive at the OHS server configuration scope. 3. Comment out the "LoadModule cgid_module" directive and surrounding "<IfModule mpm_worker_module>" directives if they exist.

b
OHS must have the IfModule cgid_module directive disabled for the OHS server, virtual host, and directory configuration.
CM-7 - Medium - CCI-000381 - V-221407 - SV-221407r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000163
Vuln IDs
  • V-221407
  • V-64389
Rule IDs
  • SV-221407r879587_rule
  • SV-78879
Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server. To assure scripts are not added to the web server and run maliciously, those script mappings that are not needed or used by the web server for hosted application operation must be removed.
Checks: C-23122r414904_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;IfModule cgid_module&gt;" directive. 2. Search for the "&lt;IfModule cgid_module&gt;" directive at the OHS server, virtual host, and directory configuration scope. 3. If the directive and any directives that it may contain exist and are not commented out, this is a finding.

Fix: F-23111r414905_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<IfModule cgid_module>" directive. 2. Search for the "<IfModule cgid_module>" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "<IfModule cgid_module>" directive and any directives it may contain.

a
OHS must have the LoadModule cgi_module directive disabled within the IfModule mpm_winnt_module directive.
CM-7 - Low - CCI-000381 - V-221408 - SV-221408r879587_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
OH12-1X-000164
Vuln IDs
  • V-221408
  • V-64391
Rule IDs
  • SV-221408r879587_rule
  • SV-78881
Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server. To assure scripts are not added to the web server and run maliciously, those script mappings that are not needed or used by the web server for hosted application operation must be removed.
Checks: C-23123r414907_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule cgi_module" directive within the "&lt;IfModule mpm_winnt_module&gt;" directive at the OHS server configuration scope. 3. If the directive and its surrounding "&lt;IfModule mpm_winnt_module&gt;" directive exist and are not commented out, this is a finding.

Fix: F-23112r414908_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule cgi_module" directive within the "<IfModule mpm_winnt_module>" directive at the OHS server configuration scope. 3. Comment out the "LoadModule cgi_module" directive and surrounding "<IfModule mpm_winnt_module>" directives if they exist.

b
OHS must have the ScriptAlias /cgi-bin/ directive within a IfModule alias_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221409 - SV-221409r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000165
Vuln IDs
  • V-221409
  • V-64393
Rule IDs
  • SV-221409r879587_rule
  • SV-78883
Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server. To assure scripts are not added to the web server and run maliciously, those script mappings that are not needed or used by the web server for hosted application operation must be removed.
Checks: C-23124r414910_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for a "ScriptAlias /cgi-bin/" directive within a "&lt;IfModule alias_module&gt;" directive at the OHS server configuration scope. 3. If the directive and its surrounding "&lt;IfModule alias_module&gt;" directive exist and are not commented out, this is a finding.

Fix: F-23113r414911_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for a "ScriptAlias /cgi-bin/" directive within a "<IfModule alias_module>" directive at the OHS server configuration scope. 3. Comment out the "ScriptAlias /cgi-bin/" directive and its surrounding "<IfModule alias_module>" directive if they exist.

b
OHS must have the ScriptSock directive within a IfModule cgid_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221410 - SV-221410r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000166
Vuln IDs
  • V-221410
  • V-64395
Rule IDs
  • SV-221410r879587_rule
  • SV-78885
Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server. To assure scripts are not added to the web server and run maliciously, those script mappings that are not needed or used by the web server for hosted application operation must be removed.
Checks: C-23125r414913_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for a "ScriptSock" directive within a "&lt;IfModule cgid_module&gt;" directive at the OHS server configuration scope. 3. If the directive and its surrounding "&lt;IfModule cgid_module&gt;" directive exist and are not commented out, this is a finding.

Fix: F-23114r414914_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for a "ScriptSock" directive within a "<IfModule cgid_module>" directive at the OHS server configuration scope. 3. Comment out the "ScriptSock" directive and its surrounding "<IfModule cgid_module>" directive if they exist.

b
OHS must have the cgi-bin directory disabled.
CM-7 - Medium - CCI-000381 - V-221411 - SV-221411r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000167
Vuln IDs
  • V-221411
  • V-64397
Rule IDs
  • SV-221411r879587_rule
  • SV-78887
Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server. To assure scripts are not added to the web server and run maliciously, those script mappings that are not needed or used by the web server for hosted application operation must be removed.
Checks: C-23126r810867_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/ssl.conf with an editor. 2. Search for a "&lt;Directory "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/cgi-bin"&gt;" directive at the OHS server and virtual host configuration scopes. 3. If the directive and any directives that it contains exist and are not commented out, this is a finding.

Fix: F-23115r810868_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor. 2. Search for a "<Directory "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/cgi-bin">" directive at the OHS server and virtual host configuration scopes. 3. Comment out the "<Directory "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/cgi-bin">" directive and any directives it contains if they exist.

b
OHS must have directives pertaining to certain scripting languages removed from virtual hosts.
CM-7 - Medium - CCI-000381 - V-221412 - SV-221412r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000168
Vuln IDs
  • V-221412
  • V-64399
Rule IDs
  • SV-221412r879587_rule
  • SV-78889
Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server. To assure scripts are not added to the web server and run maliciously, those script mappings that are not needed or used by the web server for hosted application operation must be removed.
Checks: C-23127r414919_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/ssl.conf with an editor. 2. Search for a "&lt;FilesMatch "\.(cgi|shtml|phtml|php)$"&gt;" directive at the virtual host configuration scope. 3. If the directive and any directives that it contains exist and are not commented out, this is a finding.

Fix: F-23116r414920_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor. 2. Search for a "<FilesMatch "\.(cgi|shtml|phtml|php)$">" directive at the OHS server configuration scope. 3. Comment out the "<FilesMatch "\.(cgi|shtml|phtml|php)$">" directive and any directives it contains if they exist.

b
OHS must have resource mappings set to disable the serving of certain file types.
CM-7 - Medium - CCI-000381 - V-221413 - SV-221413r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000169
Vuln IDs
  • V-221413
  • V-64401
Rule IDs
  • SV-221413r879587_rule
  • SV-78891
Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and to identify which file types are not to be delivered to a client. By not specifying which files can and which files cannot be served to a user, the web server could deliver to a user web server configuration files, log files, password files, etc. The web server must only allow hosted application file types to be served to a user and all other types must be disabled.
Checks: C-23128r414922_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for "&lt;FilesMatch&gt;" directives beyond the "&lt;FilesMatch"^\.ht"&gt;" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the "&lt;FilesMatch&gt;" directive is omitted or it and/or any directives it contains are set improperly, this is a finding.

Fix: F-23117r414923_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for "<FilesMatch>" directives beyond the "<FilesMatch"^\.ht">" directive at the OHS server, virtual host, and directory configuration scopes. 3. Set the "<FilesMatch>" directive to ""^(?!.*\.(gif|jpe?g|png|html?|js|css)).*$"" or other value appropriate for the server/site to prevent inappropriate file access, add the directive if it does not exist. 4a. Within the "<FilesMatch "^(?!.*\.(gif|jpe?g|png|html?|js|css)).*$">" directive, set the "Order" directive to "allow,deny", add the directive if it does not exist. 4b. Within the "<FilesMatch "^(?!.*\.(gif|jpe?g|png|html?|js|css)).*$">" directive, set the "Deny" directive to "from all", add the directive if it does not exist. 4c. Within the "<FilesMatch "^(?!.*\.(gif|jpe?g|png|html?|js|css)).*$">" directive, set the "Satisfy" directive to "All", add the directive if it does not exist.

b
Users and scripts running on behalf of users must be contained to the document root or home directory tree of OHS.
CM-7 - Medium - CCI-000381 - V-221414 - SV-221414r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
OH12-1X-000172
Vuln IDs
  • V-221414
  • V-64403
Rule IDs
  • SV-221414r879587_rule
  • SV-78893
A web server is designed to deliver content and execute scripts or applications on the request of a client or user. Containing user requests to files in the directory tree of the hosted web application and limiting the execution of scripts and applications guarantees that the user is not accessing information protected outside the application's realm. The web server must also prohibit users from jumping outside the hosted application directory tree through access to the user's home directory, symbolic links or shortcuts, or through search paths for missing files.
Checks: C-23129r414925_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "&lt;Directory&gt;" directive at OHS server and virtual host configuration scopes. 3. If the "Options" directive within the "&lt;Directory&gt;" directive is omitted or is set improperly, this is a finding.

Fix: F-23118r414926_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "<Directory>" directive at OHS server and virtual host configuration scopes. 3. Set the "Options" directive within the "<Directory>" directive to "None", add the directive if it does not exist.

b
OHS must be configured to use a specified IP address, port, and protocol.
CM-7 - Medium - CCI-000382 - V-221415 - SV-221415r879588_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
OH12-1X-000173
Vuln IDs
  • V-221415
  • V-64405
Rule IDs
  • SV-221415r879588_rule
  • SV-78895
The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP addresses available to the hosting server. If the web server has multiple IP addresses, i.e., a management IP address, the web server will also accept connections on the management IP address. Accessing the hosted application through an IP address normally used for non-application functions opens the possibility of user access to resources, utilities, files, ports, and protocols that are protected on the desired application IP address.
Checks: C-23130r414928_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/ssl.conf with an editor. 2. Search for a "Listen" directive at the OHS server configuration scope. 3. If the directive is set without an IP address, port, and protocol specified, this is a finding.

Fix: F-23119r414929_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor. 2. Search for a "Listen" directive at the OHS server configuration scope. 3. Set the "Listen" directive to a value containing an IP address, port, and protocol (e.g., "Listen 123.123.123.123:80 http" or "Listen 456.456.456.456:443 https").

b
The Node Manager account password associated with the installation of OHS must be in accordance with DoD guidance for length, complexity, etc.
CM-6 - Medium - CCI-000366 - V-221416 - SV-221416r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000176
Vuln IDs
  • V-221416
  • V-64593
Rule IDs
  • SV-221416r879887_rule
  • SV-79083
During installation of the web server software, accounts are created for the web server to operate properly. The accounts installed can have either no password installed or a default password, which will be known and documented by the vendor and the user community. The first things an attacker will try when presented with a login screen are the default user identifiers with default passwords. Installed applications may also install accounts with no password, making the login even easier. Once the web server is installed, the passwords for any created accounts should be changed and documented. The new passwords must meet the requirements for all passwords, i.e., upper/lower characters, numbers, special characters, time until change, reuse policy, etc. Service accounts or system accounts that have no login capability do not need to have passwords set or changed.
Checks: C-23131r414931_chk

1. If the password for Node Manager does not meet DoD requirements for password complexity, this is a finding. 2. Open $DOMAIN_HOME/config/nodemanager/nm_password.properties with an editor. 3. If the "username" property and value are still present, this is a finding. 4. If the "password" property and value are still present, this is a finding.

Fix: F-23120r414932_fix

1. Open $DOMAIN_HOME/config/nodemanager/nm_password.properties with an editor. 2. Remove the "hashed" property and value. 3. Set the "username" property to the account name to use for Node Manager, add the property if it does not exist. 4. Set the "password" property to a password compliant with DoD requirements for password complexity to use for Node Manager, add the property if it does not exist. 5. Start/Restart Node Manager so that the password contained within $DOMAIN_HOME/config/nodemanager/nm_password.properties is encrypted. 6. Remove the "username" and "password" properties and along with their values from within $DOMAIN_HOME/config/nodemanager/nm_password.properties, but leave the new "hashed" property and value.

b
OHS must have Entity tags (ETags) disabled.
CM-6 - Medium - CCI-000366 - V-221417 - SV-221417r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000178
Vuln IDs
  • V-221417
  • V-64595
Rule IDs
  • SV-221417r879887_rule
  • SV-79085
Entity tags (ETags) are used for cache management to save network bandwidth by not sending a web page to the requesting client if the cached version on the client is current. When the client only has the ETag information, the client will make a request to the server with the ETag. The server will then determine if the client can use the client cached version of the web page or if a new version is required. As part of the ETag information, the server sends to the client the index node (inode) information for the file being requested. The inode information gives an attacker sensitive information like inode number, multipart MIME boundaries and makes certain NFS attacks much simpler to execute.
Checks: C-23132r414934_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "Header" and "FileETag" directives at the OHS server, virtual host, or directory configuration scope. 3. If the "Header" and "FileETag" directives are omitted or set improperly, this is a finding.

Fix: F-23121r414935_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "Header" and "FileETag" directives at the OHS server, virtual host, or directory configuration scopes. 3a. Set the "Header" directive to "unset ETag", add the directive if it does not exist. 3b. Set the "FileETag" directive to "none", add the directive if it does not exist.

b
The SecureListener property of the Node Manager configured to support OHS must be enabled for secure communication.
CM-6 - Medium - CCI-000366 - V-221418 - SV-221418r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000179
Vuln IDs
  • V-221418
  • V-64597
Rule IDs
  • SV-221418r879887_rule
  • SV-79087
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. To protect the information being sent between WebLogic Scripting Tool and Node Manager, the Node Manager listening address must be secured.
Checks: C-23133r414937_chk

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor. 2. Search for the "SecureListener" property. 3. If the property is not set to "True", this is a finding.

Fix: F-23122r414938_fix

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor. 2. Search for the "SecureListener" property. 3. Set the "SecureListener" property to "True".

b
The ListenAddress property of the Node Manager configured to support OHS must match the CN of the certificate used by Node Manager.
CM-6 - Medium - CCI-000366 - V-221419 - SV-221419r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000180
Vuln IDs
  • V-221419
  • V-64599
Rule IDs
  • SV-221419r879887_rule
  • SV-79089
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. For connections to be made to the Node Manager, it must listen on an assigned address. When this parameter is not set, the Node Manager will listen on all available addresses on the server. This may lead to the Node Manager listening on networks, i.e., public network space, where Node Manager may become susceptible to attack instead of being limited to listening for connections on a controlled and secure management network. It is also important that the address specified matches the CN of the Node Manager.
Checks: C-23134r414940_chk

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor. 2. Search for the "ListenAddress" property. 3. If the property does not exist or is not set to the CN of the Node Manager certificate, this is a finding.

Fix: F-23123r414941_fix

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor. 2. Search for the "ListenAddress" property. 3. Set the "ListenAddress" property to the CN of the Node Manager certificate, add the property if it does not exist.

b
The AuthenticationEnabled property of the Node Manager configured to support OHS must be configured to enforce authentication.
CM-6 - Medium - CCI-000366 - V-221420 - SV-221420r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000181
Vuln IDs
  • V-221420
  • V-64601
Rule IDs
  • SV-221420r879887_rule
  • SV-79091
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. To accept connections from the WebLogic Scripting Tool, the Node Manager can be setup to authenticate the connections or not. If connections are not authenticated, a hacker could connect to the Node Manager and initiate commands to OHS to gain further access, cause a DoS, or view protected information. To protect against unauthenticated connections, the "AuthenticationEnabled" directive must be set to "true".
Checks: C-23135r414943_chk

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor. 2. Search for the "AuthenticationEnabled" property. 3. If the property does not exist or is not set "True", this is a finding.

Fix: F-23124r414944_fix

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor. 2. Search for the "AuthenticationEnabled" property. 3. Set the "AuthenticationEnabled" property "True", add the property if it does not exist.

b
The KeyStores property of the Node Manager configured to support OHS must be configured for secure communication.
CM-6 - Medium - CCI-000366 - V-221421 - SV-221421r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000182
Vuln IDs
  • V-221421
  • V-64603
Rule IDs
  • SV-221421r879887_rule
  • SV-79093
Oracle Node Manager is a utility that can be used to perform common operational tasks across Managed Servers. These servers can be distributed across multiple machines and geographical locations. The "KeyStores" property is used to configure the keystore configuration that will be used by Node Manager to locate its identity (private key and digital certificate) and trust (trusted CA certificates). The property must be set to "CustomIdentityAndCustomTrust", which causes Node Manager to use an identity and trust keystore created by the SA.
Checks: C-23136r414946_chk

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor. 2. Search for the "KeyStores" property. 3. If the property does not exist or is not set to "CustomIdentityAndCustomTrust", this is a finding.

Fix: F-23125r414947_fix

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor. 2. Search for the "KeyStores" property. 3. Set the "KeyStores" property to "CustomIdentityAndCustomTrust", add the property if it does not exist.

b
The CustomIdentityKeyStoreFileName property of the Node Manager configured to support OHS must be configured for secure communication.
CM-6 - Medium - CCI-000366 - V-221422 - SV-221422r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000183
Vuln IDs
  • V-221422
  • V-64605
Rule IDs
  • SV-221422r879887_rule
  • SV-79095
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. The "CustomIdentityKeyStoreFileName" property specifies the file name of the identity keystore. This property is required when the "KeyStores" property is set to "CustomIdentityAndCustomTrust". Without specifying the "CustomIdentityKeyStoreFileName" property, the Node Manager will not operate properly and may cause the system to fail into an unsecure state.
Checks: C-23137r414949_chk

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor. 2. Search for the "CustomIdentityKeyStoreFileName" property. 3. If the property does not exist or is set improperly, this is a finding.

Fix: F-23126r414950_fix

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor. 2. Search for the "CustomIdentityKeyStoreFileName" property. 3. Set the "CustomIdentityKeyStoreFileName" property to a keystore location that contains a valid DoD certificate for the Node Manager identity, add the property if it does not exist.

b
The CustomIdentityKeyStorePassPhrase property of the Node Manager configured to support OHS must be configured for secure communication.
CM-6 - Medium - CCI-000366 - V-221423 - SV-221423r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000184
Vuln IDs
  • V-221423
  • V-64607
Rule IDs
  • SV-221423r879887_rule
  • SV-79097
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. The "CustomIdentityKeyStorePassPhrase" property is used to protect the data within the keystore. Without protection, the data within the keystore could be compromised allowing an attacker to use the certificates to gain trusted access to other systems or processes.
Checks: C-23138r414952_chk

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor. 2. Search for the "CustomIdentityKeyStorePassPhrase" property. 3. If the property does not exist or is set improperly, this is a finding.

Fix: F-23127r414953_fix

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor. 2. Search for the "CustomIdentityKeyStorePassPhrase" property. 3. Set the "CustomIdentityKeyStorePassPhrase" property to the password of the keystore that contains a valid DoD certificate for the Node Manager identity, add the property if it does not exist.

b
The CustomIdentityAlias property of the Node Manager configured to support OHS must be configured for secure communication.
CM-6 - Medium - CCI-000366 - V-221424 - SV-221424r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000185
Vuln IDs
  • V-221424
  • V-64609
Rule IDs
  • SV-221424r879887_rule
  • SV-79099
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. The "CustomIdentityAlias" specifies the alias when loading the private key into the keystore. This property is required when the "KeyStores" property is set to "CustomIdentityAndCustomTrust". Without specifying the "CustomIdentityKeyStoreFileName" property, the Node Manager will not operate properly and may cause the system to fail into an unsecure state.
Checks: C-23139r414955_chk

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor. 2. Search for the "CustomIdentityAlias" property. 3. If the property does not exist or is set improperly, this is a finding.

Fix: F-23128r414956_fix

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor. 2. Search for the "CustomIdentityAlias" property. 3. Set the "CustomIdentityAlias" property to the alias of the keystore PrivateKeyEntry containing the Node Manager identity, add the property if it does not exist.

b
The CustomIdentityPrivateKeyPassPhrase property of the Node Manager configured to support OHS must be configured for secure communication.
CM-6 - Medium - CCI-000366 - V-221425 - SV-221425r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000186
Vuln IDs
  • V-221425
  • V-64611
Rule IDs
  • SV-221425r879887_rule
  • SV-79101
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. The "CustomIdentityPrivateKeyPassPhrase" is the password that protects the private key when creating certificates. If a password is not used, the private key is not protected and can be used by any user or attacker that can get access to the private key.
Checks: C-23140r414958_chk

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor. 2. Search for the "CustomIdentityPrivateKeyPassPhrase" property. 3. If the property does not exist or is set improperly, this is a finding.

Fix: F-23129r414959_fix

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor. 2. Search for the "CustomIdentityPrivateKeyPassPhrase" property. 3. Set the "CustomIdentityPrivateKeyPassPhrase" property to the password protecting the Private Key of the Node Manager identity, add the property if it does not exist.

b
The listen-address element defined within the config.xml of the OHS Standalone domain that supports OHS must be configured for secure communication.
CM-6 - Medium - CCI-000366 - V-221426 - SV-221426r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000187
Vuln IDs
  • V-221426
  • V-64613
Rule IDs
  • SV-221426r879887_rule
  • SV-79103
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. When starting an OHS instance, the WebLogic Scripting Tool reads the parameters within the config.xml file to setup the communication to the Node Manager. If the IP address to be used for communication is not specified, the WebLogic Scripting tool will not be able to setup a secure connection to Node Manager.
Checks: C-23141r414961_chk

1. Open $DOMAIN_HOME/config/config.xml with an editor. 2. Search for the "&lt;listen-address&gt;" element within the "&lt;node-manager&gt;" element. 3. If the element does not exist or is not set to the CN of the Node Manager certificate, this is a finding.

Fix: F-23130r414962_fix

1. Open $DOMAIN_HOME/config/config.xml with an editor. 2. Search for the "<listen-address>" element within the "<node-manager>" element. 3. Set the "<listen-address>" element to the CN of the Node Manager certificate, add the element if it does not exist.

b
The listen-port element defined within the config.xml of the OHS Standalone Domain must be configured for secure communication.
CM-6 - Medium - CCI-000366 - V-221427 - SV-221427r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000188
Vuln IDs
  • V-221427
  • V-64615
Rule IDs
  • SV-221427r879887_rule
  • SV-79105
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. When starting an OHS instance, the WebLogic Scripting Tool reads the parameters within the config.xml file to setup the communication to the Node Manager. If the port to be used for communication is not specified, the WebLogic Scripting tool will not be able to setup a secure connection to Node Manager.
Checks: C-23142r414964_chk

1. Open $DOMAIN_HOME/config/config.xml with an editor. 2. Search for the "&lt;listen-port&gt;" element within the "&lt;node-manager&gt;" element. 3. If the element does not exist or is not set to the same value as the "ListenPort" property found in $DOMAIN_HOME/nodemanager/nodemanager.properties, this is a finding.

Fix: F-23131r414965_fix

1. Open $DOMAIN_HOME/config/config.xml with an editor. 2. Search for the "<listen-port>" element within the "<node-manager>" element. 3. Set the "<listen-port>" element to same value as the "ListenPort" property found in $DOMAIN_HOME/nodemanager/nodemanager.properties, add the element if it does not exist.

b
The WLST_PROPERTIES environment variable defined for the OHS WebLogic Scripting Tool must be updated to reference an appropriate trust store so that it can communicate with the Node Manager supporting OHS.
CM-6 - Medium - CCI-000366 - V-221428 - SV-221428r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000189
Vuln IDs
  • V-221428
  • V-64617
Rule IDs
  • SV-221428r879887_rule
  • SV-79107
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. When starting an OHS instance, the "OHS" WebLogic Scripting Tool needs to trust the certificate presented by the Node Manager in order to setup secure communication with it. If the "OHS" WLST does not trust the certificate presented by Node Manager, the "OHS" WebLogic Scripting tool will not be able to setup a secure connection to it.
Checks: C-23143r414967_chk

1. Check for the existence of $ORACLE_HOME/ohs/common/bin/setWlstEnv.sh. 2a. If the setWlstEnv.sh does not exist or does not contain the "WLST_PROPERTIES" environment variable set to a valid trust keystore containing the Certificate Authority and Chain of the Node Manager identity, this is a finding. 2b. If the setWlstenv.sh file does not exist, this is a finding. 2c. If the setWlstenv.sh file has permissions more permissive than 750, this is a finding.

Fix: F-23132r414968_fix

1. Open $ORACLE_HOME/ohs/common/bin/setWlstEnv.sh. with an editor. If the file does not exist, create the file. 2. Set "WLST_PROPERTIES" environment variable to a valid trust keystore containing the Certificate Authority and Chain of Node Manager identity, add the property if it does not exist. 3. Issue a "chmod 750 $ORACLE_HOME/ohs/common/bin/setWlstEnv.sh' to modify the permissions of the script.

b
The WLST_PROPERTIES environment variable defined for the Fusion Middleware WebLogic Scripting Tool must be updated to reference an appropriate trust store so that it can communicate with the Node Manager supporting OHS.
CM-6 - Medium - CCI-000366 - V-221429 - SV-221429r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000190
Vuln IDs
  • V-221429
  • V-64619
Rule IDs
  • SV-221429r879887_rule
  • SV-79109
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. When starting an OHS instance, the "Fusion Middleware" WebLogic Scripting Tool needs to trust the certificate presented by the Node Manager in order to setup secure communication with it. If the "Fusion Middleware" WLST does not trust the certificate presented by Node Manager, the "Fusion Middleware" WebLogic Scripting tool will not be able to setup a secure connection to it.
Checks: C-23144r414970_chk

1. Check for the existence of $ORACLE_HOME/oracle_common/common/bin/setWlstEnv.sh. 2a. If the setWlstEnv.sh does not exist or does not contain the "WLST_PROPERTIES" environment variable set to a valid trust keystore containing the Certificate Authority and Chain of the Node Manager identity, this is a finding. 2b. If the setWlstenv.sh file does not exist, this is a finding. 2c. If the setWlstenv.sh file has permissions more permissive than 750, this is a finding.

Fix: F-23133r414971_fix

1. Open $ORACLE_HOME/oracle_common/common/bin/setWlstEnv.sh. with an editor. If the file does not exist, create the file. 2. Set "WLST_PROPERTIES" environment variable to a valid trust keystore containing the Certificate Authority and Chain of Node Manager identity, add the property if it does not exist. 3. Issue a "chmod 750 $ORACLE_HOME/oracle_common/common/bin/setWlstEnv.sh' to modify the permissions of the script.

b
OHS must limit access to the Dynamic Monitoring Service (DMS).
CM-6 - Medium - CCI-000366 - V-221430 - SV-221430r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000192
Vuln IDs
  • V-221430
  • V-64623
Rule IDs
  • SV-221430r879887_rule
  • SV-79113
The Oracle Dynamic Monitoring Service (DMS) enables application developers, support analysts, system administrators, and others to measure application specific performance information. If OHS allows any machine to connect and monitor performance, an attacker could connect and gather information that could be used to cause a DoS for OHS. Information that is shared could also be used to further an attack to other servers and devices through trusted relationships.
Checks: C-23145r414973_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/admin.conf in it with an editor. 2. Search for the "Allow" directive within the "&lt;Location /dms/&gt;" directive at the virtual host configuration scope. 3. If the "Allow" directive is set to "from all", this is a finding.

Fix: F-23134r414974_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/admin.conf with an editor. 2. Search for the "Allow" directive within the "<Location /dms/>" virtual host configuration scope. 3. Set the "Allow" directive to "from 127.0.0.1".

b
OHS must have the AllowOverride directive set properly.
CM-6 - Medium - CCI-000366 - V-221431 - SV-221431r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000193
Vuln IDs
  • V-221431
  • V-64625
Rule IDs
  • SV-221431r879887_rule
  • SV-79115
The property "AllowOverride" is used to allow directives to be set differently than those set for the overall architecture. When the property is not set to "None", OHS will check for directives in the htaccess files at each directory level until the requested resource is found for each URL request. Allowing parameters to be overridden at different levels of an application becomes a security risk as the overall security of the hosted application can change dependencies on the URL being accessed. Security management also becomes difficult as a misconfiguration can be mistakenly made.
Checks: C-23146r414976_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "AllowOverride" directive at the directory configuration scope. 3. If the "AllowOverride" directive is omitted or is not set to "None", this is a finding.

Fix: F-23135r414977_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "AllowOverride" directive at the directory configuration scope. 3. Set the "AllowOverride" directive to "None", add the directive if it does not exist.

b
OHS must be set to evaluate deny directives first when considering whether to serve a file.
CM-6 - Medium - CCI-000366 - V-221432 - SV-221432r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000194
Vuln IDs
  • V-221432
  • V-64627
Rule IDs
  • SV-221432r879887_rule
  • SV-79117
Part of securing OHS is allowing/denying access to the web server. Deciding on the manor the allow/deny rules are evaluated can turn what was once an allowable access into being blocked if the evaluation is reversed. By ordering the access as first deny and then allow, OHS will deny all access first and then look at the allow clauses to see who may access the server. By structuring the evaluation in this manner, a misconfiguration will more likely deny a valid user than allow an illegitimate user that may compromise the system.
Checks: C-23147r414979_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "&lt;Directory /&gt;" directive within the OHS server configuration scope. 3. If the "Order" directive within the "&lt;Directory /&gt;" directive is omitted or is set improperly, this is a finding.

Fix: F-23136r414980_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "<Directory />" directive within the OHS server configuration scope. 3. Set the "Order" directive within the "<Directory />" directive to "deny,allow", add the directive if it does not exist.

b
OHS must deny all access by default when considering whether to serve a file.
CM-6 - Medium - CCI-000366 - V-221433 - SV-221433r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000195
Vuln IDs
  • V-221433
  • V-64629
Rule IDs
  • SV-221433r879887_rule
  • SV-79119
Part of securing OHS is allowing/denying access to the web server. Deciding on the manor the allow/deny rules are evaluated can turn what was once an allowable access into being blocked if the evaluation is reversed. By ordering the access as first deny and then allow, OHS will deny all access first and then look at the allow clauses to see who may access the server. By structuring the evaluation in this manner, a misconfiguration will more likely deny a valid user than allow an illegitimate user that may compromise the system.
Checks: C-23148r414982_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "&lt;Directory /&gt;" directive within the OHS server configuration scope. 3. If the "Deny" directive within the "&lt;Directory /&gt;" directive is omitted or is set improperly, this is a finding.

Fix: F-23137r414983_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "<Directory />" directive within the OHS server configuration scope. 3. Set the "Deny" directive within the "<Directory />" directive to "from all", add the directive if it does not exist.

b
The OHS instance installation must not contain an .htaccess file.
CM-6 - Medium - CCI-000366 - V-221434 - SV-221434r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000196
Vuln IDs
  • V-221434
  • V-64631
Rule IDs
  • SV-221434r879887_rule
  • SV-79121
.htaccess files are used to override settings in the OHS configuration files. The placement of the .htaccess file is also important as the settings will affect the directory where the file is located and any subdirectories below. Allowing the use of .htaccess files, the hosted application security posture and overall OHS posture could change dependent on the URL being accessed. Allowing the override of parameters in .htaccess files makes it difficult to truly know the security posture of the system and it also makes it difficult to understand what the security posture may have been if an attack is successful. To thwart the overriding of parameters, .htaccess files must not be used and the "AllowOverride" parameter must be set to "none".
Checks: C-23149r414985_chk

1. cd $DOMAIN_HOME/config/fmwconfig/components/OHS 2. find . -name .htaccess -print 3. If any .htaccess files are found, this is a finding.

Fix: F-23138r414986_fix

1. cd $DOMAIN_HOME/config/fmwconfig/components/OHS 2. find . -name .htaccess -exec rm {} \;

b
The OHS instance configuration must not reference directories that contain an .htaccess file.
CM-6 - Medium - CCI-000366 - V-221435 - SV-221435r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000197
Vuln IDs
  • V-221435
  • V-64633
Rule IDs
  • SV-221435r879887_rule
  • SV-79123
.htaccess files are used to override settings in the OHS configuration files. The placement of the .htaccess file is also important as the settings will affect the directory where the file is located and any subdirectories below. Allowing the use of .htaccess files, the hosted application security posture and overall OHS posture could change dependent on the URL being accessed. Allowing the override of parameters in .htaccess files makes it difficult to truly know the security posture of the system and it also makes it difficult to understand what the security posture may have been if an attack is successful. To thwart the overriding of parameters, .htaccess files must not be used and the "AllowOverride" parameter must be set to "none".
Checks: C-23150r414988_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "&lt;Directory&gt;" directives at the server and virtual host configuration scopes. 3. Go to the location specified as the value for each "&lt;Directory&gt;" directive (e.g., cd $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs1/htdocs). 4. Check for the existence of any .htaccess files in the aforementioned locations (e.g., find . -name .htaccess -print). 5. If any .htaccess files are found, this is a finding.

Fix: F-23139r414989_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "<Directory>" directives at the server and virtual host configuration scopes. 3. Go to the location specified as the value for each "<Directory>" directive (e.g., cd $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs1/htdocs). 4. find . -name .htaccess -exec rm {} \;

a
OHS must have the HostnameLookups directive enabled.
CM-6 - Low - CCI-000366 - V-221436 - SV-221436r879887_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
OH12-1X-000198
Vuln IDs
  • V-221436
  • V-64635
Rule IDs
  • SV-221436r879887_rule
  • SV-79125
Setting the "HostnameLookups" to "On" allows for more information to be logged in the event of an attack and subsequent investigation. This information can be added to other information gathered to narrow the attacker location. The DNS name can also be used for filtering access to the OHS hosted applications by denying particular types of hostnames.
Checks: C-23151r414991_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "HostnameLookups" directive at the server, virtual host, and directory configuration scopes. 3. If the "HostnameLookups" directive is omitted or is not set to "On", this is a finding.

Fix: F-23140r414992_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "HostnameLookups" directive at the server, virtual host, and directory configuration scopes. 3. Set the "HostnameLookups" directive to "On", add the directive if it does not exist.

b
OHS must have the ServerAdmin directive set properly.
CM-6 - Medium - CCI-000366 - V-221437 - SV-221437r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000199
Vuln IDs
  • V-221437
  • V-64637
Rule IDs
  • SV-221437r879887_rule
  • SV-79127
Making sure that information is given to the system administrator in a timely fashion is important. This information can be system status, warnings that may need attention before system failure or actual failure notification. Having this information sent to the system administrator when the issue arises allows for the system administrator to quickly take action and avoid potential DoS for customers.
Checks: C-23152r414994_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "ServerAdmin" directive at the server and virtual host configuration scopes. 3. If the "ServerAdmin" directive is omitted or is set improperly, this is a finding.

Fix: F-23141r414995_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "ServerAdmin" directive at the virtual host and directory configuration scopes. 3. Set the "ServerAdmin" directive to an appropriate service-based email address for the organization, add the directive if it does not exist.

b
OHS must restrict access methods.
CM-6 - Medium - CCI-000366 - V-221438 - SV-221438r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000200
Vuln IDs
  • V-221438
  • V-64639
Rule IDs
  • SV-221438r879887_rule
  • SV-79129
The directive "" allows the system administrator to restrict what users may use which methods. An example of methods would be GET, POST and DELETE. These three are the most common used by applications and should be allowed. Methods such as TRACE, if allowed, give an attacker a way to map the system so that vulnerabilities to the system can be researched and developed.
Checks: C-23153r414997_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "&lt;LimitExcept&gt;" directive at the directory configuration scope. 3. If the "&lt;LimitExcept&gt;" directive is omitted (with the exception of the "&lt;Directory /&gt;" directive) or is set improperly, this is a finding.

Fix: F-23142r414998_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "<LimitExcept>" directive at the directory configuration scope. 3. Set the "<LimitExcept>" directive to "GET POST", add the directive if it does not exist. 4. Within the "<LimitExcept GET POST>" directives, add the directive "Deny" and set it to "from all".

b
The OHS htdocs directory must not contain any default files.
CM-6 - Medium - CCI-000366 - V-221439 - SV-221439r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000201
Vuln IDs
  • V-221439
  • V-64641
Rule IDs
  • SV-221439r879887_rule
  • SV-79131
Default files from the OHS installation should not be part of the htdocs directory. These files are not always patched or supported and may become an attacker vector in the future.
Checks: C-23154r415000_chk

1. cd $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs1/htdocs 2. Check for the existence of the OracleHTTPServer12c_files directory (e.g., ls). 3. If there is an OracleHTTPServer12c_files directory exists, this is a finding.

Fix: F-23143r415001_fix

1. cd $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs1/htdocs 2. rm –rf OracleHTTPServer12c_files.

b
OHS must have the SSLSessionCacheTimeout directive set properly.
CM-6 - Medium - CCI-000366 - V-221440 - SV-221440r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000202
Vuln IDs
  • V-221440
  • V-64643
Rule IDs
  • SV-221440r879887_rule
  • SV-79133
During an SSL session, information about the session is stored in the global/inter-process SSL Session Cache, the OpenSSL internal memory cache and for sessions resumed by TLS session resumption (RFC 5077). This information must not be allowed to live forever, but expire and become invalid so that an attacker cannot hijack the session if not closed by the hosted application properly.
Checks: C-23155r415003_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/ssl.conf with an editor. 2. Search for the "SSLSessionCacheTimeout" directive at the OHS server configuration scope. 3. If the directive is omitted or is set greater than 60, this is a finding.

Fix: F-23144r415004_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor. 2. Search for the "SSLSessionCacheTimeout" directive at the OHS server configuration scope. 3. Set the "SSLSessionCacheTimeout" directive to "60", add the directive if it does not exist.

a
OHS must have the RewriteEngine directive enabled.
CM-6 - Low - CCI-000366 - V-221441 - SV-221441r879887_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
OH12-1X-000203
Vuln IDs
  • V-221441
  • V-64645
Rule IDs
  • SV-221441r879887_rule
  • SV-79135
The rewrite engine is used to evaluate URL requests and modify the requests on the fly. Enabling this engine gives the system administrator the capability to trap potential attacks before reaching the hosted applications or to modify the URL to fix issues in the request before forwarding to the applications. The rewrite engine becomes a pre-filtering tool to fix data issues before reaching the hosted applications where the URL format or data within the URL could cause buffer overflows, redirection or mobile code snippets that could become an issue if not filtered.
Checks: C-23156r415006_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "RewriteEngine" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or is not set to "On", this is a finding unless inherited from a larger scope.

Fix: F-23145r415007_fix

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "RewriteEngine" directive at the OHS server and virtual host configuration scopes. 3. Set the "RewriteEngine" directive to "On", add the directive if it does not exist unless inherited from a larger scope.

a
OHS must have the RewriteOptions directive set properly.
CM-6 - Low - CCI-000366 - V-221442 - SV-221442r879887_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
OH12-1X-000204
Vuln IDs
  • V-221442
  • V-64647
Rule IDs
  • SV-221442r879887_rule
  • SV-79137
The rules for the rewrite engine can be configured to inherit those from the parent and build upon that set of rules, to copy the rules from the parent if there are none defined or to only process the rules if the input is a URL. Of these, the most secure is to inherit from the parent because of how this implemented. The rules for the current configuration, process or directory, are loaded and then the parent are overlaid. This means that the parent rule will always override the child rule. This gives the server a more consistent security configuration.
Checks: C-23157r415009_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "RewriteOptions" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or is not set to "inherit", this is a finding unless inherited from a larger scope.

Fix: F-23146r415010_fix

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "RewriteOptions" directive at the OHS server and virtual host configuration scopes. 3. Set the "RewriteOptions" directive to "inherit", add the directive if it does not exist unless inherited from a larger scope.

a
OHS must have the RewriteLogLevel directive set to the proper log level.
CM-6 - Low - CCI-000366 - V-221443 - SV-221443r879887_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
OH12-1X-000205
Vuln IDs
  • V-221443
  • V-64649
Rule IDs
  • SV-221443r879887_rule
  • SV-79139
Logging must not contain sensitive information or more information necessary than that needed to administer the system. The log levels from the rewrite engine range from 0 to 9 where 0 is no logging and 9 being the most verbose. A log level that gives enough information for an investigation if an attack occurs of enough information to troubleshoot issues should be selected. Too much information makes the system vulnerable and may give attacker information to other resources or data within the hosted applications.
Checks: C-23158r415012_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "RewriteLogLevel" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or is not set to "3", this is a finding unless inherited from a larger scope.

Fix: F-23147r415013_fix

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "RewriteLogLevel" directive at the OHS server and virtual host configuration scopes. 3. Set the "RewriteLogLevel" directive to "3"; add the directive if it does not exist unless inherited from a larger scope.

a
OHS must have the RewriteLog directive set properly.
CM-6 - Low - CCI-000366 - V-221444 - SV-221444r879887_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
OH12-1X-000206
Vuln IDs
  • V-221444
  • V-64651
Rule IDs
  • SV-221444r879887_rule
  • SV-79141
Specifying where the log files are written gives the system administrator the capability to store the files in a location other than the default, with system files or in a globally accessible location. The system administrator can also specify a location that is accessible by any enterprise tools that may use the logged data to give a picture of the overall enterprise security posture. If a file is not specified, OHS will still generate the log data, but it is not written and therefore, cannot be used to monitor the system or for forensic analysis.
Checks: C-23159r415015_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "RewriteLog" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope. 4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23148r415016_fix

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "RewriteLog" directive at the OHS server and virtual host configuration scopes. 3. Set the "RewriteLog" directive to the same location as the "CustomLog" directive; add the directive if it does not exist unless inherited from a larger scope.

b
All accounts installed with the web server software and tools must have passwords assigned and default passwords changed.
CM-6 - Medium - CCI-000366 - V-221445 - SV-221445r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000207
Vuln IDs
  • V-221445
  • V-64653
Rule IDs
  • SV-221445r879887_rule
  • SV-79143
During installation of the web server software, accounts are created for the web server to operate properly. The accounts installed can have either no password installed or a default password, which will be known and documented by the vendor and the user community. The first things an attacker will try when presented with a login screen are the default user identifiers with default passwords. Installed applications may also install accounts with no password, making the login even easier. Once the web server is installed, the passwords for any created accounts should be changed and documented. The new passwords must meet the requirements for all passwords, i.e., upper/lower characters, numbers, special characters, time until change, reuse policy, etc. Normally, a service account is established for OHS. This is because a privileged account is not desirable and the server is designed to run for long uninterrupted periods of time. The SA or Web Manager will need password access to OHS to restart the service in the event of an emergency as OHS is not to restart automatically after an unscheduled interruption. If the password is not entrusted to an SA or web manager the ability to ensure the availability of OHS is compromised. Service accounts or system accounts that have no login capability do not need to have passwords set or changed.
Checks: C-23160r415018_chk

NOTE: Service accounts or system accounts that have no login capability do not need to have passwords set or changed. Review the web server documentation and deployment configuration to determine what non-service/system accounts were installed by the web server installation process. Verify the passwords for these accounts have been set and/or changed from the default passwords. Verify the SA/Web manager are notified of the changed password. If these accounts still have no password or have default passwords, this is a finding. If the SA/web manager does not know the changed password, this is a finding.

Fix: F-23149r415019_fix

Inform the OHS Administrator as to what the password is for the OS account that owns the OHS Software.

b
A production OHS Installation must prohibit the installation of a compiler.
CM-6 - Medium - CCI-000366 - V-221446 - SV-221446r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000208
Vuln IDs
  • V-221446
  • V-64655
Rule IDs
  • SV-221446r879887_rule
  • SV-79145
The presence of a compiler on a production server facilitates the malicious user’s task of creating custom versions of programs and installing Trojan Horses or viruses. For example, the attacker’s code can be uploaded and compiled on the server under attack.
Checks: C-23161r415021_chk

1. Ask the System Administrator if a compiler is installed on the system. 2. If it is, this is a finding.

Fix: F-23150r415022_fix

Ask the System Administrator to remove any compilers installed on the system.

b
A public OHS installation, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension.
CM-6 - Medium - CCI-000366 - V-221447 - SV-221447r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000209
Vuln IDs
  • V-221447
  • V-64657
Rule IDs
  • SV-221447r879887_rule
  • SV-79147
To minimize exposure of private assets to unnecessary risk by attackers, public web servers must be isolated from internal systems. Public web servers are by nature more vulnerable to attack from publically based sources, such as the public Internet. Once compromised, a public web server might be used as a base for further attack on private resources, unless additional layers of protection are implemented. Public web servers must be located in a DoD DMZ Extension, if hosted on the NIPRNet, with carefully controlled access. Failure to isolate resources in this way increase risk that private assets are exposed to attacks from public sources.
Checks: C-23162r415024_chk

1. As required, confirm with the OHS Administrator that OHS is installed in a DMZ and isolated from internal systems. 2. If not, this is a finding.

Fix: F-23151r415025_fix

1. Relocate the OHS server to be in a DMZ, isolated from internal systems. 2. Confirm that the OHS server only has connections to supporting Application and Database Servers.

b
A private OHS installation must be located on a separate controlled access subnet.
CM-6 - Medium - CCI-000366 - V-221448 - SV-221448r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000210
Vuln IDs
  • V-221448
  • V-64659
Rule IDs
  • SV-221448r879887_rule
  • SV-79149
Private web servers, which host sites that serve controlled access data, must be protected from outside threats in addition to insider threats. Insider threat may be accidental or intentional but, in either case, can cause a disruption in service of the web server. To protect the private web server from these threats, it must be located on a separate controlled access subnet and must not be a part of the public DMZ that houses the public web servers. It also cannot be located inside the enclave as part of the local general population LAN.
Checks: C-23163r415027_chk

1. As required, confirm with the OHS Administrator that OHS is installed on a separately controlled access subnet, not part of any DMZ. 2. Confirm that the OHS server is isolated from access by the LAN's general population. 3. If not, this is a finding.

Fix: F-23152r415028_fix

1. Relocate the OHS server to be on a local subnet, isolated from the DMZ. 2. Remove access to the OHS server from the LAN's general population.

c
The version of the OHS installation must be vendor-supported.
CM-6 - High - CCI-000366 - V-221449 - SV-221449r879887_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
OH12-1X-000211
Vuln IDs
  • V-221449
  • V-64661
Rule IDs
  • SV-221449r879887_rule
  • SV-79151
Many vulnerabilities are associated with older versions of software. As hot fixes and patches are issued, these solutions are included in the next version of the server software. Maintaining OHS at a current version makes the efforts of a malicious user to exploit the web service more difficult.
Checks: C-23164r415030_chk

1. Obtain the version of the OHS 12c software (e.g., grep Oracle-HTTP-Server-12c $DOMAIN_HOME/servers/&lt;componentName&gt;/logs/ohs1.log). Confirm it is 12.1.3. 2. Refer to the support date schedule for "Fusion Middleware 12c (12.1.x)" at http://www.oracle.com/us/support/library/lifetime-support-middleware-069163.pdf. Confirm that support remains available and that the organization is current with respect to payments. 3. If not, this is a finding.

Fix: F-23153r415031_fix

1. Install or upgrade to a version of OHS that is within the support timeframes for "Fusion Middleware 12c" at http://www.oracle.com/us/support/library/lifetime-support-middleware-069163.pdf. 2. Confirm that the organization is current with respect to support payments.

b
OHS must be certified with accompanying Fusion Middleware products.
CM-6 - Medium - CCI-000366 - V-221450 - SV-221450r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000212
Vuln IDs
  • V-221450
  • V-64663
Rule IDs
  • SV-221450r879887_rule
  • SV-79153
OHS is capable of being used with other Oracle products. For the products to work properly and not introduce vulnerabilities or errors, Oracle certifies which versions work with each other. Insisting that the certified versions be installed together in a production environment reduces the possibility of successful attacks, DoS through software system downtime and easier patch management for the SA.
Checks: C-23165r415033_chk

1. If OHS is used with other Fusion Middleware products, check to see if the combination is certified per http://www.oracle.com/technetwork/middleware/fusion-middleware/documentation/fmw-1213certmatrix-2226694.xls. 2. If not a certified configuration, this is a finding.

Fix: F-23154r415034_fix

Upgrade or patch OHS or other Oracle Fusion Middleware products to achieve a certified configuration per http://www.oracle.com/technetwork/middleware/fusion-middleware/documentation/fmw-1213certmatrix-2226694.xls.

b
OHS tools must be restricted to the web manager and the web managers designees.
CM-6 - Medium - CCI-000366 - V-221451 - SV-221451r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000214
Vuln IDs
  • V-221451
  • V-64665
Rule IDs
  • SV-221451r879887_rule
  • SV-79155
All automated information systems are at risk of data loss due to disaster or compromise. Failure to provide adequate protection to the administration tools creates risk of potential theft or damage that may ultimately compromise the mission. Adequate protection ensures that server administration operates with less risk of losses or operations outages. The key web service administrative and configuration tools must be accessible only by the authorized web server administrators. All users granted this authority must be documented and approved by the ISSO. Access to OHS must be limited to authorized users and administrators.
Checks: C-23166r415036_chk

1. Determine whether anyone other than the System Administrator or the OHS Administrator has inappropriate access to modify the OHS configuration. This includes the ability to use the OS account that owns OHS, root, or a tool with OHS management or monitoring capability such as Oracle Enterprise Manager (OEM). 2. If so, this is a finding.

Fix: F-23155r415037_fix

Restrict access to the OS account that owns OHS, root, or tool with OHS management or monitoring capability such as Oracle Enterprise Manager (OEM).

a
All utility programs, not necessary for operations, must be removed or disabled.
CM-6 - Low - CCI-000366 - V-221452 - SV-221452r879887_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
OH12-1X-000215
Vuln IDs
  • V-221452
  • V-64667
Rule IDs
  • SV-221452r879887_rule
  • SV-79157
Just as running unneeded services and protocols is a danger to the web server at the lower levels of the OSI model, running unneeded utilities and programs is also a danger at the application layer of the OSI model. Office suites, development tools, and graphical editors are examples of such programs that are troublesome. Individual productivity tools have no legitimate place or use on an enterprise, production web server and they are also prone to their own security risks.
Checks: C-23167r415039_chk

1. Check the server for software that is unnecessary for OHS operation. 2. If the software is unnecessary for OHS, other organization requirements, or is not appropriately patched or supported, this is a finding.

Fix: F-23156r415040_fix

Remove any software that is unnecessary for OHS operation, other organization requirements, or is not appropriately patched or supported.

b
The OHS htpasswd files (if present) must reflect proper ownership and permissions.
CM-6 - Medium - CCI-000366 - V-221453 - SV-221453r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000216
Vuln IDs
  • V-221453
  • V-64669
Rule IDs
  • SV-221453r879887_rule
  • SV-79159
In addition to OS restrictions, access rights to files and directories can be set on a web site using the web server software. That is, in addition to allowing or denying all access rights, a rule can be specified that allows or denies partial access rights. For example, users can be given read-only access rights to files, to view the information but not change the files. This check verifies that the htpasswd file is only accessible by system administrators or web managers, with the account running the web service having group permissions of read and execute. Htpasswd is a utility used by OHS to provide for password access to designated web sites.
Checks: C-23168r415042_chk

1. Check the permissions of the htpasswd file. (e.g., ls -l $ORACLE_HOME/ohs/bin/htpasswd). 2. If the file has permissions beyond "-rwxr-----" (i.e., 740), this is a finding.

Fix: F-23157r415043_fix

Set permissions on htpasswd to 740 (i.e., chmod 740 $ORACLE_HOME/ohs/bin/htpasswd).

b
A public OHS installation must limit email to outbound only.
CM-6 - Medium - CCI-000366 - V-221454 - SV-221454r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000217
Vuln IDs
  • V-221454
  • V-64671
Rule IDs
  • SV-221454r879887_rule
  • SV-79161
Incoming E-mail has been known to provide hackers with access to servers. Disabling the incoming mail service prevents this type of attacks. Additionally, Email represents the main use of the Internet. It is specialized application that requires the dedication of server resources. To combine this type of transaction processing function with the file serving role of the web server creates an inherent conflict. Supporting mail services on a web server opens the server to the risk of abuse as an email relay. This check verifies, by checking the OS, that incoming e-mail is not supported.
Checks: C-23169r415045_chk

1. Check whether the OHS server is configured to accept SMTP connections. (e.g., telnet localhost 25). 2. If it is, this is a finding.

Fix: F-23158r415046_fix

Configure the server to disallow inbound SMTP connections.

a
OHS content and configuration files must be part of a routine backup program.
CM-6 - Low - CCI-000366 - V-221455 - SV-221455r879887_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
OH12-1X-000218
Vuln IDs
  • V-221455
  • V-64673
Rule IDs
  • SV-221455r879887_rule
  • SV-79163
Backing up web server data and web server application software after upgrades or maintenance ensures that recovery can be accomplished up to the current version. It also provides a means to determine and recover from subsequent unauthorized changes to the software and data. A tested and verifiable backup strategy will be implemented for web server software as well as all web server data files. Backup and recovery procedures will be documented and the Web Manager or SA for the specific application will be responsible for the design, test, and implementation of the procedures. The site will have a contingency processing plan/disaster recovery plan that includes web servers. The contingency plan will be periodically tested in accordance with DoDI 8500.2 requirements. The site will identify an off-site storage facility in accordance with DoDI 8500.2 requirements. Off-site backups will be updated on a regular basis and the frequency will be documented in the contingency plan.
Checks: C-23170r415048_chk

1. Check that the following files and directories are backed up on a regular basis: a) /etc/oraInst.loc b) Directory identified by inventory_loc parameter within /etc/oraInst.loc c) /etc/cap.ora d) $MW_HOME 2. Confirm the ability to restore the above files and directories successfully. 3. Confirm the successful operation of OHS upon a successful restoration of the files and directories. 4. If the files aren't backed up on a regular schedule or the backups haven't been tested, this is a finding.

Fix: F-23159r415049_fix

1. Backup the following files on a regular basis: a) /etc/oraInst.loc b) Directory identified by inventory_loc parameter within /etc/oraInst.loc c) /etc/cap.ora d) $MW_HOME 2. Perform a restore and start the restored OHS server on a test machine. 3. Test the functionality of the restored OHS software on the test machine.

b
OHS must be segregated from other services.
CM-6 - Medium - CCI-000366 - V-221456 - SV-221456r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000219
Vuln IDs
  • V-221456
  • V-64675
Rule IDs
  • SV-221456r879887_rule
  • SV-79165
The web server installation and configuration plan should not support the co-hosting of multiple services such as Domain Name Service (DNS), e-mail, databases, search engines, indexing, or streaming media on the same server that is providing the web publishing service. By separating these services, physically or logically, additional defensive layers are established between the web service and the applicable application should either be compromised. Disallowed or restricted services in the context of this vulnerability applies to services that are not directly associated with the delivery of web content. An operating system that supports a web server will not provide other services (e.g., domain controller, e-mail server, database server, etc.). Only those services necessary to support the web server and its hosted sites are specifically allowed and may include, but are not limited to, operating system, logging, anti-virus, host intrusion detection, administrative maintenance, or network requirements.
Checks: C-23171r415051_chk

1. Obtain a copy of the OHS installation and configuration plan. 2. Ask the System Administrator whether any additional services (e.g., database, DNS, mail, application server, etc.) are installed with OHS that do not directly support operation or management of OHS. Separation of services may be physical or logical. 3. If so, this is a finding.

Fix: F-23160r415052_fix

Move any software from the OHS installation that is not required for the operation or management of the OHS server to another physical or logical server.

b
OHS must have all applicable patches (i.e., CPUs) applied/documented (OEM).
CM-6 - Medium - CCI-000366 - V-221457 - SV-221457r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000220
Vuln IDs
  • V-221457
  • V-64677
Rule IDs
  • SV-221457r879887_rule
  • SV-79167
The IAVM process does not address all patches that have been identified for the host operating system or, in this case, the web server software environment. Many vendors have subscription services available to notify users of known security threats. The site needs to be aware of these fixes and make determinations based on local policy and what software features are installed, if these patches need to be applied. In some cases, patches also apply to middleware and database systems. Maintaining the security of web servers requires frequent reviews of security notices. Many security notices mandate the installation of a software patch to overcome security vulnerabilities. SAs and ISSOs should regularly check the vendor support web site for patches and information related to the web server software. All applicable security patches will be applied to the operating system and to the web server software. Security patches are deemed applicable if the product is installed, even if it is not used or is disabled.
Checks: C-23172r415054_chk

1. Obtain the list of patches that have been applied to OHS (e.g., $ORACLE_HOME/OPatch/opatch lsinventory). 2. In reviewing the list, also review the latest Oracle CPU at http://www.oracle.com/technetwork/topics/security/alerts-086861.html#CriticalPatchUpdates. Specifically, review the My Oracle Support note specified for Oracle Fusion Middleware to see whether there are patches available for Oracle HTTP Server 12.1.3. 3. If there are patches listed for Oracle HTTP Server 12.1.3 in the support note and they do not show in the list from Step 1 above, this is a finding.

Fix: F-23161r415055_fix

1. Obtain the latest Fusion Middleware Patches applicable for Oracle HTTP Server from the My Oracle Support note associated with the latest Oracle CPU at http://www.oracle.com/technetwork/topics/security/alerts-086861.html#CriticalPatchUpdates. 2. Follow the instructions associated with each patch to successfully apply.

b
A private OHS list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA.
CM-6 - Medium - CCI-000366 - V-221458 - SV-221458r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000221
Vuln IDs
  • V-221458
  • V-64679
Rule IDs
  • SV-221458r879887_rule
  • SV-79169
A PKI certificate is a digital identifier that establishes the identity of an individual or a platform. A server that has a certificate provides users with third-party confirmation of authenticity. Most web browsers perform server authentication automatically; the user is notified only if the authentication fails. The authentication process between the server and the client is performed using the SSL/TLS protocol. Digital certificates are authenticated, issued, and managed by a trusted Certification Authority (CA). The use of a trusted certificate validation hierarchy is crucial to the ability to control access to the server and prevent unauthorized access. This hierarchy needs to lead to the DoD PKI Root CA or to an approved External Certificate Authority (ECA) or are required for the server to function.
Checks: C-23173r415057_chk

1. Go to the location of the OHS keystores (e.g., cd $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/keystores). 2. For each wallet directory located there, do the following: a) Issue the command "$ORACLE_HOME/oracle_common/bin/orapki wallet display -wallet &lt;wallet_directory&gt;". b) Confirm that only the appropriate DoD Certificate Authorities are listed as Trusted Certificates and that the Identity Certificate has been issued by a DoD Certificate authority. 3. If any of the Trusted Certificates are not appropriate DoD Certificate Authorities or the Identity Certificate has not been issued by a DoD Certificate authority, this is a finding.

Fix: F-23162r415058_fix

1. Go to the location of the OHS keystores (e.g., cd $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/keystores). 2. For each wallet directory located there, do the following: a) Issue the command "$ORACLE_HOME/oracle_common/bin/orapki wallet display -wallet <wallet_directory>". b) Remove the Identity Certificate if it was not issued by a DoD Certificate authority. c) Remove each Trusted Certificate from the wallet that is not an appropriate DoD Certificate Authority with the command "$ORACLE_HOME/oracle_common/bin/orapki wallet remove -wallet <wallet_directory> -dn <dn_of_the_trusted_certificate> -trusted_cert".

b
OHS must have the ScoreBoardFile directive disabled.
CM-6 - Medium - CCI-000366 - V-221459 - SV-221459r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000222
Vuln IDs
  • V-221459
  • V-64681
Rule IDs
  • SV-221459r879887_rule
  • SV-79171
The ScoreBoardFile directive sets a file path which the server will use for Inter-Process Communication (IPC) among the Apache processes. If the directive is specified, then Apache will use the configured file for the inter-process communication. Therefore if it is specified it needs to be located in a secure directory. If the ScoreBoard file is placed in openly writable directory, other accounts could create a denial of service attack and prevent the server from starting by creating a file with the same name, and or users could monitor and disrupt the communication between the processes by reading and writing to the file.
Checks: C-23174r415060_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "ScoreBoardFile" directive at the server configuration scope. 3. If the "ScoreBoardFile" directive exists, this is a finding.

Fix: F-23163r415061_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "ScoreBoardFile" directive at the server configuration scope. 3. Remove the "ScoreBoardFile" directive.

b
The OHS document root directory must not be on a network share.
CM-6 - Medium - CCI-000366 - V-221460 - SV-221460r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000223
Vuln IDs
  • V-221460
  • V-64683
Rule IDs
  • SV-221460r879887_rule
  • SV-79173
Sharing of web server content is a security risk when a web server is involved. Users accessing the share anonymously could experience privileged access to the content of such directories. Network sharable directories expose those directories and their contents to unnecessary access. Any unnecessary exposure increases the risk that someone could exploit that access and either compromises the web content or cause web server performance problems.
Checks: C-23175r415063_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes. 3. If the directive value is used as a network share (e.g., ps -ef | grep nfs, ps -ef | grep smb, etc.), this is a finding.

Fix: F-23164r415064_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes. 3. Remove the shares that are associated with any directory specified as a value for the "DocumentRoot" directives.

b
The OHS server root directory must not be on a network share.
CM-6 - Medium - CCI-000366 - V-221461 - SV-221461r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000224
Vuln IDs
  • V-221461
  • V-64685
Rule IDs
  • SV-221461r879887_rule
  • SV-79175
Sharing of the web server directory where the executables are stored is a security risk when a web server is involved. Users that have access to the share may not be administrative users. These users could make changes to the web server without going through proper change control or the users could inadvertently delete executables that are key to the proper operation of the web server. Any unnecessary exposure increases the risk that someone could exploit that access and either compromises the web server or cause web server performance problems.
Checks: C-23176r415066_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf. 2. Search for the "ServerRoot" directive at the OHS server configuration scope. 3. If the directive value is used as a network share (e.g., ps -ef | grep nfs, ps -ef | grep smb, etc.), this is a finding.

Fix: F-23165r415067_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf. 2. Search for the "ServerRoot" directive at the OHS server configuration scope. 3. Remove the share that is associated with the directory specified as a value for the "ServerRoot" directive.

c
Symbolic links must not be used in the web content directory tree.
CM-6 - High - CCI-000366 - V-221462 - SV-221462r879887_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
OH12-1X-000225
Vuln IDs
  • V-221462
  • V-64687
Rule IDs
  • SV-221462r879887_rule
  • SV-79177
A symbolic link allows a file or a directory to be referenced using a symbolic name raising a potential hazard if symbolic linkage is made to a sensitive area. When web scripts are executed and symbolic links are allowed, the web user could be allowed to access locations on the web server that are outside the scope of the web document root or home directory.
Checks: C-23177r415069_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes. 3. Within the directory specified by each "DocumentRoot" directive, check recursively for any symbolic links (e.g., find . -type l -exec ls -ald {} \;). 4. If any symbolic links are found, this is a finding.

Fix: F-23166r415070_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes. 3. Within the directory specified by each "DocumentRoot" directive, check recursively for any symbolic links (e.g., find . -type l -exec ls -ald {} \;). 4. Remove any symbolic links found in the "DocumentRoot" directory tree.

c
OHS administration must be performed over a secure path or at the local console.
CM-6 - High - CCI-000366 - V-221463 - SV-221463r879887_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
OH12-1X-000226
Vuln IDs
  • V-221463
  • V-64689
Rule IDs
  • SV-221463r879887_rule
  • SV-79179
Logging into a web server remotely using an unencrypted protocol or service when performing updates and maintenance is a major risk. Data, such as user account, is transmitted in plaintext and can easily be compromised. When performing remote administrative tasks, a protocol or service that encrypts the communication channel must be used. An alternative to remote administration of the web server is to perform web server administration locally at the console. Local administration at the console implies physical access to the server.
Checks: C-23178r415072_chk

1. Check that if server administration is performed remotely, it will only be performed securely by system administrators. 2. Check that if OHS administration has been delegated, those users will be documented and approved by the ISSO. 3. Check that remote administration is in compliance with any requirements contained within the Unix Server STIGs and any applicable network STIGs. 4. Check that remote administration of any kind will be restricted to documented and authorized personnel and that all users performing remote administration are authenticated. 5. Check that all remote sessions will be encrypted and utilize FIPS 140-2 approved protocols. 6. If any of the above conditions are not met, this is a finding.

Fix: F-23167r415073_fix

Ensure that both system and OHS administration are done through a secure path.

b
OHS must not contain any robots.txt files.
CM-6 - Medium - CCI-000366 - V-221464 - SV-221464r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000227
Vuln IDs
  • V-221464
  • V-64691
Rule IDs
  • SV-221464r879887_rule
  • SV-79181
Search engines are constantly at work on the Internet. Search engines are augmented by agents, often referred to as spiders or bots, which endeavor to capture and catalog web-site content. In turn, these search engines make the content they obtain and catalog available to any public web user. To request that a well behaved search engine not crawl and catalog a server, the web server may contain a file called robots.txt for each web site hosted. This file contains directories and files that the web server SA desires not be crawled or cataloged, but this file can also be used, by an attacker or poorly coded search engine, as a directory and file index to a site. This information may be used to reduce an attacker’s time searching and traversing the web site to find files that might be relevant. If information on hosted web sites needs to be protected from search engines and public view, other methods must be used.
Checks: C-23179r415075_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes. 3. If the directive value specifies a directory containing a robots.txt file, this is a finding.

Fix: F-23168r415076_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes. 3. Remove any robots.txt files from the directories specified in the "DocumentRoot" directives.

b
OHS must prohibit anonymous FTP user access to interactive scripts.
CM-6 - Medium - CCI-000366 - V-221465 - SV-221465r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000228
Vuln IDs
  • V-221465
  • V-64693
Rule IDs
  • SV-221465r879887_rule
  • SV-79183
The directories containing the CGI scripts, such as PERL, must not be accessible to anonymous users via FTP. This applies to all directories that contain scripts that can dynamically produce web pages in an interactive manner (i.e., scripts based upon user-provided input). Such scripts contain information that could be used to compromise a web service, access system resources, or deface a web site.
Checks: C-23180r415078_chk

1. Check that all ftp access is authenticated, authorized, and secure. 2. If not, this is a finding.

Fix: F-23169r415079_fix

Ensure that all file transfers to the server are authenticated, authorized, and secure.

b
The OHS DocumentRoot directory must be in a separate partition from the OHS ServerRoot directory.
CM-6 - Medium - CCI-000366 - V-221466 - SV-221466r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000229
Vuln IDs
  • V-221466
  • V-64695
Rule IDs
  • SV-221466r879887_rule
  • SV-79185
Application partitioning enables an additional security measure by securing user traffic under one security context, while managing system and application files under another. Web content is accessible to an anonymous web user. For such an account to have access to system files of any type is a major security risk that is avoidable and desirable. Failure to partition the system files from the web site documents increases risk of attack via directory traversal, or impede web site availability due to drive space exhaustion.
Checks: C-23181r415081_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes. 3. Search for the "ServerRoot" directive at the OHS server configuration scope. 4. If the "DocumentRoot" directive value specifies a directory on the same partition as the directory specified in the "ServerRoot" directive, this is a finding.

Fix: F-23170r415082_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes. 3. Search for the "ServerRoot" directive at the OHS server configuration scope. 4. Move the directory associated with the "DocumentRoot" directive to a partition different from the partition associated with the directory specified by the "ServerRoot" directive.

b
The OHS DocumentRoot directory must be on a separate partition from OS root partition.
CM-6 - Medium - CCI-000366 - V-221467 - SV-221467r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
OH12-1X-000230
Vuln IDs
  • V-221467
  • V-64697
Rule IDs
  • SV-221467r879887_rule
  • SV-79187
Application partitioning enables an additional security measure by securing user traffic under one security context, while managing system and application files under another. Web content is accessible to an anonymous web user. For such an account to have access to system files of any type is a major security risk that is avoidable and desirable. Failure to partition the system files from the web site documents increases risk of attack via directory traversal, or impede web site availability due to drive space exhaustion.
Checks: C-23182r415084_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes. 3. If the directory associated with the "DocumentRoot" directive is associated with the root partition, this is a finding.

Fix: F-23171r415085_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes. 3. Move the directory associated with the "DocumentRoot" directive to a partition different from root partition.

b
Remote authors or content providers must have all files scanned for viruses and malicious code before uploading files to the Document Root directory.
CM-6 - Medium - CCI-000366 - V-221468 - SV-221468r879887_rule