Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · STIG

Oracle HTTP Server 12.1.3 Security Technical Implementation Guide

V2R3 · · · Released 30 Jan 2025 · 280 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.
Digest of Updates vs. V2R2 · 26 Jan 2023 ✎ 1

Comparison against the immediately-prior release (V2R2). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.

Content changes 1

  • V-221449 High checkfix The version of the OHS installation must be vendor supported.
Sort by
b
OHS must have the mpm property set to use the worker Multi-Processing Module (MPM) as the preferred means to limit the number of allowed simultaneous requests.
AC-10 - Medium - CCI-000054 - V-221272 - SV-221272r960735_rule
RMF Control
AC-10
Severity
M
CCI
CCI-000054
Version
OH12-1X-000001
Vuln IDs
  • V-221272
  • V-63153
Rule IDs
  • SV-221272r960735_rule
  • SV-77643
Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to several types of Denial of Service attacks. Although there is some latitude concerning the settings themselves, the settings should follow DoD-recommended values, but the settings should be configurable to allow for future DoD direction. While the DoD will specify recommended values, the values can be adjusted to accommodate the operational requirement of a given system.
Checks: C-22987r414499_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ohs.plugins.nodemanager.properties file with an editor. 2. Search for the "mpm" property. 3. If the "mpm" property is omitted or commented out, this is a finding. 4. If the "mpm" property is not set to "worker", this is a finding.

Fix: F-22976r414500_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ohs.plugins.nodemanager.properties with an editor. 2. Set the "mpm" property to a value of "worker", add the property if it does not exist.

b
OHS must have the mpm_prefork_module directive disabled so as not conflict with the worker directive used to limit the number of allowed simultaneous requests.
AC-10 - Medium - CCI-000054 - V-221273 - SV-221273r960735_rule
RMF Control
AC-10
Severity
M
CCI
CCI-000054
Version
OH12-1X-000002
Vuln IDs
  • V-221273
  • V-64125
Rule IDs
  • SV-221273r960735_rule
  • SV-78615
Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to several types of Denial of Service attacks. Although there is some latitude concerning the settings themselves, the settings should follow DoD-recommended values, but the settings should be configurable to allow for future DoD direction. While the DoD will specify recommended values, the values can be adjusted to accommodate the operational requirement of a given system.
Checks: C-22988r414502_chk

1. Open the $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf file with an editor. 2. Search for the "&lt;IfModule mpm_prefork_module&gt;" directive at the OHS server configuration scope. 3. If this directive is found and not commented out, this is a finding.

Fix: F-22977r414503_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "<IfModule mpm_prefork_module>" directive at the OHS server configuration scope. 3. Comment out the "<IfModule mpm_prefork_module>" directive and any directives that it contains.

b
OHS must have the MaxClients directive defined to limit the number of allowed simultaneous requests.
AC-10 - Medium - CCI-000054 - V-221274 - SV-221274r960735_rule
RMF Control
AC-10
Severity
M
CCI
CCI-000054
Version
OH12-1X-000003
Vuln IDs
  • V-221274
  • V-64127
Rule IDs
  • SV-221274r960735_rule
  • SV-78617
Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to several types of Denial of Service attacks. Although there is some latitude concerning the settings themselves, the settings should follow DoD-recommended values, but the settings should be configurable to allow for future DoD direction. While the DoD will specify recommended values, the values can be adjusted to accommodate the operational requirement of a given system.
Checks: C-22989r414505_chk

1. Open the $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf file with an editor. 2. Search for the "MaxClients" directive within "&lt;IfModule mpm_worker_module&gt;" directive at the OHS server configuration scope. 3. If "MaxClients" is omitted or set greater than "2000", this is a finding. Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value. If the site has this documentation, this should be marked as not a finding.

Fix: F-22978r414506_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "MaxClients" directive within "<IfModule mpm_worker_module>" directive at the OHS server configuration scope. 3. Within the "<IfModule mpm_worker_module>" directive, set the "MaxClients" directive to "2000" or less, add the directive if it does not exist. Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

b
OHS must limit the number of threads within a worker process to limit the number of allowed simultaneous requests.
AC-10 - Medium - CCI-000054 - V-221275 - SV-221275r960735_rule
RMF Control
AC-10
Severity
M
CCI
CCI-000054
Version
OH12-1X-000004
Vuln IDs
  • V-221275
  • V-64129
Rule IDs
  • SV-221275r960735_rule
  • SV-78619
Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to several types of Denial of Service attacks. Although there is some latitude concerning the settings themselves, the settings should follow DoD-recommended values, but the settings should be configurable to allow for future DoD direction. While the DoD will specify recommended values, the values can be adjusted to accommodate the operational requirement of a given system.
Checks: C-22990r414508_chk

1. Open the $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf file with an editor. 2. Search for the "ThreadsPerChild" directive within "&lt;IfModule mpm_worker_module&gt;" directive at the OHS server configuration scope. 3. If "ThreadsPerChild" is omitted or set greater than "25", this is a finding. 4. Search for the "ThreadLimit" directive within "&lt;IfModule mpm_worker_module&gt;" directive at the OHS server configuration scope. 5. If "ThreadLimit" is omitted or set greater than "64", this is a finding. Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value. If the site has this documentation, this should be marked as not a finding.

Fix: F-22979r414509_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "ThreadsPerChild" directive within "<IfModule mpm_worker_module>" directive at the OHS server configuration scope. 3. Within the "<IfModule mpm_worker_module>" directive, set the "ThreadsPerChild" directive to "25", add the directive if it does not exist. 4. Search for the "ThreadLimit" directive within "<IfModule mpm_worker_module>" directive at the OHS server configuration scope. 5. Within the "<IfModule mpm_worker_module>" directive, set the "ThreadLimit" directive to "64", add the directive if it does not exist. Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

b
OHS must limit the number of worker processes to limit the number of allowed simultaneous requests.
AC-10 - Medium - CCI-000054 - V-221276 - SV-221276r960735_rule
RMF Control
AC-10
Severity
M
CCI
CCI-000054
Version
OH12-1X-000005
Vuln IDs
  • V-221276
  • V-64131
Rule IDs
  • SV-221276r960735_rule
  • SV-78621
Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to several types of Denial of Service attacks. Although there is some latitude concerning the settings themselves, the settings should follow DoD-recommended values, but the settings should be configurable to allow for future DoD direction. While the DoD will specify recommended values, the values can be adjusted to accommodate the operational requirement of a given system.
Checks: C-22991r414511_chk

1. Open the $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf file with an editor. 2. Search for the "ServerLimit" directive within "&lt;IfModule mpm_worker_module&gt;" directive at the OHS server configuration scope. 3. If "ServerLimit" is omitted or set greater than the maximum of "16" and the calculation of "MaxClients"/"ThreadsPerChild", this is a finding. Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value. If the site has this documentation, this should be marked as not a finding.

Fix: F-22980r414512_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "ServerLimit" directive within "<IfModule mpm_worker_module>" directive at the OHS server configuration scope. 3. Within the "<IfModule mpm_worker_module>" directive, set the "ServerLimit" directive to the maximum of "16" and the calculation of "MaxClients"/"ThreadsPerChild" immediately before the "MaxClients" directive, add the directive if it does not exist. Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

c
OHS must have the LoadModule ossl_module directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
AC-17 - High - CCI-000068 - V-221277 - SV-221277r960759_rule
RMF Control
AC-17
Severity
H
CCI
CCI-000068
Version
OH12-1X-000007
Vuln IDs
  • V-221277
  • V-64133
Rule IDs
  • SV-221277r960759_rule
  • SV-78623
The web server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or communication to authenticate users. The encryption used to communicate must match the data that is being retrieved or presented. Methods of communication are http for publicly displayed information, https to encrypt when user data is being transmitted, VPN tunneling, or other encryption methods to a database.
Checks: C-22992r414514_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope. 3. If the directive is omitted, this is a finding. 4. Validate that the file specified exists. If the file does not exist, this is a finding.

Fix: F-22981r414515_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope. 3. Set the "LoadModule ossl_module" directive to""${PRODUCT_HOME}/modules/mod_ossl.so"", add the directive if it does not exist.

c
OHS must have the SSLFIPS directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
AC-17 - High - CCI-000068 - V-221278 - SV-221278r960759_rule
RMF Control
AC-17
Severity
H
CCI
CCI-000068
Version
OH12-1X-000008
Vuln IDs
  • V-221278
  • V-64135
Rule IDs
  • SV-221278r960759_rule
  • SV-78625
The web server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or communication to authenticate users. The encryption used to communicate must match the data that is being retrieved or presented. Methods of communication are http for publicly displayed information, https to encrypt when user data is being transmitted, VPN tunneling, or other encryption methods to a database.
Checks: C-22993r414517_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/ssl.conf with an editor. 2. Search for the "SSLFIPS" directive at the OHS server configuration scope. 3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-22982r414518_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor. 2. Search for the "SSLFIPS" directive at the OHS server configuration scope. 3. Set the "SSLFIPS" directive to "On", add the directive if it does not exist.

b
OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to encrypt remote connections in accordance with the categorization of data hosted by the web server.
AC-17 - Medium - CCI-000068 - V-221279 - SV-221279r960759_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000068
Version
OH12-1X-000009
Vuln IDs
  • V-221279
  • V-64137
Rule IDs
  • SV-221279r960759_rule
  • SV-78627
The web server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or communication to authenticate users. The encryption used to communicate must match the data that is being retrieved or presented. Methods of communication are http for publicly displayed information, https to encrypt when user data is being transmitted, VPN tunneling, or other encryption methods to a database.
Checks: C-22994r881038_chk

1. As required, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that requires an SSL-enabled "&lt;VirtualHost&gt;" directive. Note: Does not apply to admin.conf. 2. Search for the following directive at the OHS server, virtual host, and/or directory configuration scopes: "SSLEngine" "SSLProtocol" "SSLWallet" 3. If any of these directives are omitted, this is a finding. 4. If "SSLEngine" is not set to "On", or "SSLProtocol" is not set to "TLSv1.2", this is a finding. 5. Validate that the folder specified in the "SSLWallet" directive exists. If the folder does not exist or contain a valid wallet, this is a finding.

Fix: F-22983r881039_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf. 2a. Search for the "SSLEngine" directive at the OHS server, virtual host, and/or directory configuration scopes. 2b. Set the "SSLEngine" directive to "On"; add the directive if it does not exist. 3a. Search for the "SSLProtocol" directive at the OHS server configuration, virtual host, and/or directory levels. 3b. Set the "SSLProtocol" directive to "TLSv1.2"; add the directive if it does not exist. 4a. Search for the "SSLWallet" directive at the OHS server configuration, virtual host, and/or directory levels. 4b. Set the "SSLWallet" directive to the location (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES Encryption (-compat_v12 parameters) that contains only the identity certificate for the host and DoD Certificate Authorities, add the directive if it does not exist.

c
OHS must have the SSLCipherSuite directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
AC-17 - High - CCI-000068 - V-221280 - SV-221280r960759_rule
RMF Control
AC-17
Severity
H
CCI
CCI-000068
Version
OH12-1X-000010
Vuln IDs
  • V-221280
  • V-64139
Rule IDs
  • SV-221280r960759_rule
  • SV-78629
The web server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or communication to authenticate users. The encryption used to communicate must match the data that is being retrieved or presented. Methods of communication are http for publicly displayed information, https to encrypt when user data is being transmitted, VPN tunneling, or other encryption methods to a database.
Checks: C-22995r414523_chk

1. As required, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that requires an SSL-enabled "&lt;VirtualHost&gt;" directive. Note: Does not apply to admin.conf. 2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes. 3. If the directive is omitted or set improperly, this is a finding.

Fix: F-22984r414524_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf. 2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes. 3. Set the "SSLCipherSuite" directive to "SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,RSA_WITH_AES_128_CBC_SHA256,RSA_WITH_AES_256_CBC_SHA256,RSA_WITH_AES_128_GCM_SHA256,RSA_WITH_AES_256_GCM_SHA384,ECDHE_ECDSA_WITH_AES_128_CBC_SHA,ECDHE_ECDSA_WITH_AES_256_CBC_SHA,ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,ECDHE_RSA_WITH_AES_128_CBC_SHA,ECDHE_RSA_WITH_AES_256_CBC_SHA", add the directive if it does not exist. Note: Ciphers may be added or removed from the list above per the organization's requirements or if vulnerabilities are found with a specific cipher.

c
OHS must have the LoadModule ossl_module directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.
AC-17 - High - CCI-001453 - V-221281 - SV-221281r960762_rule
RMF Control
AC-17
Severity
H
CCI
CCI-001453
Version
OH12-1X-000011
Vuln IDs
  • V-221281
  • V-64141
Rule IDs
  • SV-221281r960762_rule
  • SV-78631
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session.
Checks: C-22996r414526_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope. 3. If the directive is omitted, this is a finding. 4. Validate that the file specified exists. If the file does not exist, this is a finding.

Fix: F-22985r414527_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope. 3. Set the "LoadModule ossl_module" directive to""${PRODUCT_HOME}/modules/mod_ossl.so"", add the directive if it does not exist.

c
OHS must have the SSLFIPS directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.
AC-17 - High - CCI-001453 - V-221282 - SV-221282r960762_rule
RMF Control
AC-17
Severity
H
CCI
CCI-001453
Version
OH12-1X-000012
Vuln IDs
  • V-221282
  • V-64143
Rule IDs
  • SV-221282r960762_rule
  • SV-78633
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session.
Checks: C-22997r414529_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/ssl.conf with an editor. 2. Search for the "SSLFIPS" directive at the OHS server configuration scope. 3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-22986r414530_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor. 2. Search for the "SSLFIPS" directive at the OHS server configuration scope. 3. Set the "SSLFIPS" directive to "On", add the directive if it does not exist.

c
OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.
AC-17 - High - CCI-001453 - V-221283 - SV-221283r960762_rule
RMF Control
AC-17
Severity
H
CCI
CCI-001453
Version
OH12-1X-000013
Vuln IDs
  • V-221283
  • V-64145
Rule IDs
  • SV-221283r960762_rule
  • SV-78635
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session.
Checks: C-22998r881041_chk

1. As required, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that requires an SSL-enabled "&lt;VirtualHost&gt;" directive. Note: Does not apply to admin.conf. 2. Search for the following directive at the OHS server, virtual host, and/or directory configuration scopes: "SSLEngine" "SSLProtocol" "SSLWallet" 3. If any of these directives are omitted, this is a finding. 4. If "SSLEngine" is not set to "On", or "SSLProtocol" is not set to "TLSv1.2", this is a finding. 5. Validate that the folder specified in the "SSLWallet" directive exists. If the folder does not exist or contain a valid wallet, this is a finding.

Fix: F-22987r881042_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf. 2a. Search for the "SSLEngine" directive at the OHS server, virtual host, and/or directory configuration scopes. 2b. Set the "SSLEngine" directive to "On"; add the directive if it does not exist. 3a. Search for the "SSLProtocol" directive at the OHS server configuration, virtual host, and/or directory levels. 3b. Set the "SSLProtocol" directive to "TLSv1.2"; add the directive if it does not exist. 4a. Search for the "SSLWallet" directive at the OHS server configuration, virtual host, and/or directory levels. 4b. Set the "SSLWallet" directive to the location (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES Encryption (-compat_v12 parameters) that contains only the identity certificate for the host and DoD Certificate Authorities, add the directive if it does not exist.

c
OHS must have the SSLCipherSuite directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.
AC-17 - High - CCI-001453 - V-221284 - SV-221284r960762_rule
RMF Control
AC-17
Severity
H
CCI
CCI-001453
Version
OH12-1X-000014
Vuln IDs
  • V-221284
  • V-64147
Rule IDs
  • SV-221284r960762_rule
  • SV-78637
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session.
Checks: C-22999r414535_chk

1. As required, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that requires an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes. 3. If the directive is omitted or set improperly, this is a finding.

Fix: F-22988r414536_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. 2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes. 3. Set the "SSLCipherSuite" directive to "SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,RSA_WITH_AES_128_CBC_SHA256,RSA_WITH_AES_256_CBC_SHA256,RSA_WITH_AES_128_GCM_SHA256,RSA_WITH_AES_256_GCM_SHA384,ECDHE_ECDSA_WITH_AES_128_CBC_SHA,ECDHE_ECDSA_WITH_AES_256_CBC_SHA,ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,ECDHE_RSA_WITH_AES_128_CBC_SHA,ECDHE_RSA_WITH_AES_256_CBC_SHA", add the directive if it does not exist. Note: Ciphers may be removed from the list above per the organization's requirements or if vulnerabilities are found with a specific cipher.

b
OHS must have the SecureProxy directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.
AC-17 - Medium - CCI-001453 - V-221285 - SV-221285r960762_rule
RMF Control
AC-17
Severity
M
CCI
CCI-001453
Version
OH12-1X-000015
Vuln IDs
  • V-221285
  • V-64149
Rule IDs
  • SV-221285r960762_rule
  • SV-78639
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session.
Checks: C-23000r414538_chk

If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL: 1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that contains an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "SecureProxy" directive within an "&lt;IfModule weblogic_module&gt;" at the virtual host configuration scope. 3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-22989r414539_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that contains an SSL-enabled "<VirtualHost>" directive. 2. Search for the "SecureProxy" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope. 3. Set the "SecureProxy" directive to "On", add the directive if it does not exist.

b
OHS must have the WLSSLWallet directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.
AC-17 - Medium - CCI-001453 - V-221286 - SV-221286r960762_rule
RMF Control
AC-17
Severity
M
CCI
CCI-001453
Version
OH12-1X-000016
Vuln IDs
  • V-221286
  • V-64151
Rule IDs
  • SV-221286r960762_rule
  • SV-78641
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session.
Checks: C-23001r414541_chk

If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL: 1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that contains an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "WLSSLWallet" directive within an "&lt;IfModule weblogic_module&gt;" at the virtual host configuration scope. 3. If the directive is omitted or is not set to a folder containing a valid wallet, this is a finding.

Fix: F-22990r414542_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that contains an SSL-enabled "<VirtualHost>" directive. 2. Search for the "WLSSLWallet" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope. 3. Set the "WLSSLWallet" directive to the location (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES Encryption (-compat_v12 parameters) that contains the certificate chain served by the WebLogic host/port combination, add the directive if it does not exist.

b
OHS must have the WebLogicSSLVersion directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.
AC-17 - Medium - CCI-001453 - V-221287 - SV-221287r960762_rule
RMF Control
AC-17
Severity
M
CCI
CCI-001453
Version
OH12-1X-000017
Vuln IDs
  • V-221287
  • V-64153
Rule IDs
  • SV-221287r960762_rule
  • SV-78643
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session.
Checks: C-23002r881044_chk

If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL: 1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that contains an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "WebLogicSSLVersion" directive within an "&lt;IfModule weblogic_module&gt;" at the virtual host configuration scope. 3. If the directive is omitted or is not set to "TLSv1.2", this is a finding.

Fix: F-22991r881045_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that contains an SSL-enabled "<VirtualHost>" directive. 2. Search for the "WebLogicSSLVersion" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope. 3. Set the "WebLogicSSLVersion" directive to "TLSv1_2", add the directive if it does not exist.

b
OHS must have the WLProxySSL directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.
AC-17 - Medium - CCI-001453 - V-221288 - SV-221288r960762_rule
RMF Control
AC-17
Severity
M
CCI
CCI-001453
Version
OH12-1X-000018
Vuln IDs
  • V-221288
  • V-64155
Rule IDs
  • SV-221288r960762_rule
  • SV-78645
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session.
Checks: C-23003r414547_chk

If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS: 1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that contains an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "WLProxySSL" directive within an "&lt;IfModule weblogic_module&gt;" at the virtual host configuration scope. 3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-22992r414548_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that contains an SSL-enabled "<VirtualHost>" directive. 2. Search for the "WLProxySSL" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope. 3. Set the "WLProxySSL" directive to "On", add the directive if it does not exist.

b
OHS must have the LoadModule log_config_module directive enabled to generate information to be used by external applications or entities to monitor and control remote access.
AC-17 - Medium - CCI-000067 - V-221289 - SV-221289r960765_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000067
Version
OH12-1X-000019
Vuln IDs
  • V-221289
  • V-64157
Rule IDs
  • SV-221289r960765_rule
  • SV-78647
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information to an external monitoring system, the organization can monitor for cyber attacks and monitor compliance with remote access policies. The organization can also look at data organization wide and determine an attack or anomaly is occurring on the organization which might not be noticed if the data were kept local to the web server. Examples of external applications used to monitor or control access would be audit log monitoring systems, dynamic firewalls, or infrastructure monitoring systems.
Checks: C-23004r414550_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule log_config_module" directive at the OHS server configuration scope. 3. If the directive is omitted, this is a finding. 4. Validate that the file specified exists. If the file does not exist, this is a finding.

Fix: F-22993r414551_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule log_config_module" directive at the OHS server configuration scope. 3. Set the "LoadModule log_config_module" directive to ""${PRODUCT_HOME}/modules/mod_log_config.so"", add the directive if it does not exist.

b
OHS must have the OraLogMode set to Oracle Diagnostic Logging text mode to generate information to be used by external applications or entities to monitor and control remote access.
AC-17 - Medium - CCI-000067 - V-221290 - SV-221290r960765_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000067
Version
OH12-1X-000020
Vuln IDs
  • V-221290
  • V-64159
Rule IDs
  • SV-221290r960765_rule
  • SV-78649
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information to an external monitoring system, the organization can monitor for cyber attacks and monitor compliance with remote access policies. The organization can also look at data organization wide and determine an attack or anomaly is occurring on the organization which might not be noticed if the data were kept local to the web server. Examples of external applications used to monitor or control access would be audit log monitoring systems, dynamic firewalls, or infrastructure monitoring systems.
Checks: C-23005r414553_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "OraLogMode" directive at the OHS server configuration scope. 3. If the directive is omitted or is not set to "odl-text", this is a finding.

Fix: F-22994r414554_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "OraLogMode" directive at the OHS server configuration scope. 3. Set the "OraLogMode" directive to "odl-text", add the directive if it does not exist.

b
OHS must have a log directory location defined to generate information for use by external applications or entities to monitor and control remote access.
AC-17 - Medium - CCI-000067 - V-221291 - SV-221291r960765_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000067
Version
OH12-1X-000021
Vuln IDs
  • V-221291
  • V-64161
Rule IDs
  • SV-221291r960765_rule
  • SV-78651
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information to an external monitoring system, the organization can monitor for cyber attacks and monitor compliance with remote access policies. The organization can also look at data organization wide and determine an attack or anomaly is occurring on the organization which might not be noticed if the data were kept local to the web server. Examples of external applications used to monitor or control access would be audit log monitoring systems, dynamic firewalls, or infrastructure monitoring systems.
Checks: C-23006r414556_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "OraLogDir" directive at the OHS server configuration scope. 3. If the directive is omitted, this is a finding. 4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-22995r414557_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "OraLogDir" directive at the OHS server configuration scope. 3. Set the "OraLogDir" directive to an appropriate, protected location on a partition with sufficient space that is different from the partition on which the OHS software is installed; add the directive if it does not exist.

b
OHS must have the OraLogSeverity directive defined to generate adequate information to be used by external applications or entities to monitor and control remote access.
AC-17 - Medium - CCI-000067 - V-221292 - SV-221292r960765_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000067
Version
OH12-1X-000022
Vuln IDs
  • V-221292
  • V-64163
Rule IDs
  • SV-221292r960765_rule
  • SV-78653
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information to an external monitoring system, the organization can monitor for cyber attacks and monitor compliance with remote access policies. The organization can also look at data organization wide and determine an attack or anomaly is occurring on the organization which might not be noticed if the data were kept local to the web server. Examples of external applications used to monitor or control access would be audit log monitoring systems, dynamic firewalls, or infrastructure monitoring systems.
Checks: C-23007r414559_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "OraLogSeverity" directive at the OHS server configuration scope. 3. If the directive is omitted or is not set to "NOTIFICATION:32", this is a finding.

Fix: F-22996r414560_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "OraLogSeverity" directive at the OHS server configuration scope. 3. Set the "OraLogSeverity" directive to "NOTIFICATION:32", add the directive if it does not exist.

b
OHS must have the log rotation parameter set to allow generated information to be used by external applications or entities to monitor and control remote access.
AC-17 - Medium - CCI-000067 - V-221293 - SV-221293r960765_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000067
Version
OH12-1X-000023
Vuln IDs
  • V-221293
  • V-64165
Rule IDs
  • SV-221293r960765_rule
  • SV-78655
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information to an external monitoring system, the organization can monitor for cyber attacks and monitor compliance with remote access policies. The organization can also look at data organization wide and determine an attack or anomaly is occurring on the organization which might not be noticed if the data were kept local to the web server. Examples of external applications used to monitor or control access would be audit log monitoring systems, dynamic firewalls, or infrastructure monitoring systems.
Checks: C-23008r414562_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "OraLogRotationParams" directive at the OHS server configuration scope. 3. If the directive is omitted or set improperly, this is a finding.

Fix: F-22997r414563_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "OraLogRotationParams" directive at the OHS server configuration scope. 3. As required, set the "OraLogRotationParams" directive to satisfy the NIST 800-92 logging requirements, add the directive if it does not exist.

b
OHS must have a log format defined to generate adequate information to be used by external applications or entities to monitor and control remote access.
AC-17 - Medium - CCI-000067 - V-221294 - SV-221294r960765_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000067
Version
OH12-1X-000024
Vuln IDs
  • V-221294
  • V-64167
Rule IDs
  • SV-221294r960765_rule
  • SV-78657
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information to an external monitoring system, the organization can monitor for cyber attacks and monitor compliance with remote access policies. The organization can also look at data organization wide and determine an attack or anomaly is occurring on the organization which might not be noticed if the data were kept local to the web server. Examples of external applications used to monitor or control access would be audit log monitoring systems, dynamic firewalls, or infrastructure monitoring systems.
Checks: C-23009r414565_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-22998r414566_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i" dod", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a SSL log format defined to allow generated information to be used by external applications or entities to monitor and control remote access in accordance with the categorization of data hosted by the web server.
AC-17 - Medium - CCI-000067 - V-221295 - SV-221295r960765_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000067
Version
OH12-1X-000025
Vuln IDs
  • V-221295
  • V-64169
Rule IDs
  • SV-221295r960765_rule
  • SV-78659
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information to an external monitoring system, the organization can monitor for cyber attacks and monitor compliance with remote access policies. The organization can also look at data organization wide and determine an attack or anomaly is occurring on the organization which might not be noticed if the data were kept local to the web server. Examples of external applications used to monitor or control access would be audit log monitoring systems, dynamic firewalls, or infrastructure monitoring systems.
Checks: C-23010r414568_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-22999r414569_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i sslprot:%{SSL_PROTOCOL}x ciph:%{SSL_CIPHER}x" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a log file defined for each site/virtual host to capture information to be used by external applications or entities to monitor and control remote access.
AC-17 - Medium - CCI-000067 - V-221296 - SV-221296r960765_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000067
Version
OH12-1X-000026
Vuln IDs
  • V-221296
  • V-64171
Rule IDs
  • SV-221296r960765_rule
  • SV-78661
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. By providing remote access information to an external monitoring system, the organization can monitor for cyber attacks and monitor compliance with remote access policies. The organization can also look at data organization wide and determine an attack or anomaly is occurring on the organization which might not be noticed if the data were kept local to the web server. Examples of external applications used to monitor or control access would be audit log monitoring systems, dynamic firewalls, or infrastructure monitoring systems.
Checks: C-23011r414571_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope. 4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23000r414572_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3a. If the virtual host is NOT configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod", add the directive if it does not exist unless inherited from a larger scope. 3b. If the virtual host is configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
Remote access to OHS must follow access policy or work in conjunction with enterprise tools designed to enforce policy requirements.
AC-17 - Medium - CCI-002314 - V-221297 - SV-221297r961278_rule
RMF Control
AC-17
Severity
M
CCI
CCI-002314
Version
OH12-1X-000030
Vuln IDs
  • V-221297
  • V-64493
Rule IDs
  • SV-221297r961278_rule
  • SV-78983
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy requirements. Examples of the web server enforcing a remote access policy are implementing IP filtering rules, using https instead of http for communication, implementing secure tokens, and validating users.
Checks: C-23012r414574_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Review the directives (e.g., "&lt;VirtualHost&gt;", "&lt;Directory&gt;", and "&lt;Location&gt;") at the OHS server and virtual host configuration scopes. 3. If these directives do not contain the appropriate access protection via secure authentication, SSL-associated directives, or "Order", "Deny", and "Allow" directives to secure access or prohibit access from nonsecure zones, this is a finding.

Fix: F-23001r414575_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Review the directives (e.g., "<VirtualHost>", "<Directory>", and "<Location>") at the OHS server and virtual host configuration scopes. 3. Configure the web server to require secure authentication as required, use SSL, and/or restrict access from nonsecure zones via "Order", "Deny", and "Allow" directives. Note: A product such as Oracle Access Manager may facilitate satisfying these requirements.

b
OHS must have the Order, Allow, and Deny directives set within the Directory directives set to restrict inbound connections from nonsecure zones.
AC-17 - Medium - CCI-002314 - V-221298 - SV-221298r961278_rule
RMF Control
AC-17
Severity
M
CCI
CCI-002314
Version
OH12-1X-000031
Vuln IDs
  • V-221298
  • V-64495
Rule IDs
  • SV-221298r961278_rule
  • SV-78985
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely and must be capable of restricting access from what the DoD defines as nonsecure zones. Nonsecure zones are defined as any IP, subnet, or region that is defined as a threat to the organization. The nonsecure zones must be defined for public web servers logically located in a DMZ, as well as private web servers with perimeter protection devices. By restricting access from nonsecure zones, through internal web server access list, the web server can stop or slow denial of service (DoS) attacks on the web server.
Checks: C-23013r414577_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "&lt;Directory&gt;" directive at the OHS server and virtual host configuration scopes. Note: This check does not apply to the root directory, i.e. the &lt;Directory /&gt; directive. 3. If the "&lt;Directory&gt;" directive does not contain the appropriate "Order", "Deny", and "Allow" directives to prohibit access from nonsecure zones, this is a finding.

Fix: F-23002r414578_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "<Directory>" directive at the OHS server and virtual host configuration scopes. Note: This fix does not apply to the root directory, i.e. the <Directory /> directive. 3. Set the "Order" directive to "allow,deny", add the directive if it does not exist. 4. Set "Allow" directives to "from all" or to an IP range (e.g., "from 123.123"), add the directives if they do not exist. 5. Set "Deny" directives to an IP range (e.g., "from 123.123") to specify nonsecure zones, add the directives if they do not exist.

b
OHS must have the Order, Allow, and Deny directives set within the Files directives set to restrict inbound connections from nonsecure zones.
AC-17 - Medium - CCI-002314 - V-221299 - SV-221299r961278_rule
RMF Control
AC-17
Severity
M
CCI
CCI-002314
Version
OH12-1X-000032
Vuln IDs
  • V-221299
  • V-64497
Rule IDs
  • SV-221299r961278_rule
  • SV-78987
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely and must be capable of restricting access from what the DoD defines as nonsecure zones. Nonsecure zones are defined as any IP, subnet, or region that is defined as a threat to the organization. The nonsecure zones must be defined for public web servers logically located in a DMZ, as well as private web servers with perimeter protection devices. By restricting access from nonsecure zones, through internal web server access list, the web server can stop or slow denial of service (DoS) attacks on the web server.
Checks: C-23014r414580_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "&lt;Files&gt;" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the "&lt;Files&gt;" directive does not contain the appropriate "Order", "Deny", and "Allow" directives to prohibit access from nonsecure zones, this is a finding.

Fix: F-23003r414581_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "<Files>" directive at the OHS server, virtual host, and directory configuration scopes. 3. Set the "Order" directive to "allow,deny", add the directive if it does not exist. 4. Set "Allow" directives to "from all" or to an IP range (e.g., "from 123.123"), add the directives if they do not exist. 5. Set "Deny" directives to an IP range (e.g., "from 123.123") to specify nonsecure zones, add the directives if they do not exist.

b
OHS must have the Order, Allow, and Deny directives set within the Location directives set to restrict inbound connections from nonsecure zones.
AC-17 - Medium - CCI-002314 - V-221300 - SV-221300r961278_rule
RMF Control
AC-17
Severity
M
CCI
CCI-002314
Version
OH12-1X-000033
Vuln IDs
  • V-221300
  • V-64499
Rule IDs
  • SV-221300r961278_rule
  • SV-78989
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely and must be capable of restricting access from what the DoD defines as nonsecure zones. Nonsecure zones are defined as any IP, subnet, or region that is defined as a threat to the organization. The nonsecure zones must be defined for public web servers logically located in a DMZ, as well as private web servers with perimeter protection devices. By restricting access from nonsecure zones, through internal web server access list, the web server can stop or slow denial of service (DoS) attacks on the web server.
Checks: C-23015r414583_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "&lt;Location&gt;" directive at the OHS server and virtual host configuration scopes. 3. If the "&lt;Location&gt;" directive does not contain the appropriate "Order", "Deny", and "Allow" directives to prohibit access from nonsecure zones, this is a finding.

Fix: F-23004r414584_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "<Location>" directive at the OHS server and virtual host configuration scopes. 3. Set the "Order" directive to "allow,deny", add the directive if it does not exist. 4. Set "Allow" directives to "from all" or to an IP range (e.g., "from 123.123"), add the directives if they do not exist. 5. Set "Deny" directives to an IP range (e.g., "from 123.123") to specify nonsecure zones, add the directives if they do not exist.

b
OHS must provide the capability to immediately disconnect or disable remote access to the hosted applications.
AC-17 - Medium - CCI-002322 - V-221301 - SV-221301r961281_rule
RMF Control
AC-17
Severity
M
CCI
CCI-002322
Version
OH12-1X-000034
Vuln IDs
  • V-221301
  • V-64501
Rule IDs
  • SV-221301r961281_rule
  • SV-78991
During an attack on the web server or any of the hosted applications, the system administrator may need to disconnect or disable access by users to stop the attack. The web server must provide a capability to disconnect users to a hosted application without compromising other hosted applications unless deemed necessary to stop the attack. Methods to disconnect or disable connections are to stop the application service for a specified hosted application, stop the web server, or block all connections through web server access list. The web server capabilities used to disconnect or disable users from connecting to hosted applications and the web server must be documented to make certain that, during an attack, the proper action is taken to conserve connectivity to any other hosted application if possible and to make certain log data is conserved for later forensic analysis.
Checks: C-23016r414586_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "&lt;Directory&gt;", "&lt;Files&gt;", or "&lt;Location&gt;" directive serving the application/content under attack at the OHS server, virtual host, or directory configuration scope. 3. If the "&lt;Directory&gt;", "&lt;Files&gt;", or "&lt;Location&gt;" directive serving the application/content under attack does not contain the appropriate "Order", "Deny", and "Allow" directives to prohibit access, this is a finding.

Fix: F-23005r414587_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "<Directory>", "<Files>", or "<Location>" directive serving the application/content under attack at the OHS server, virtual host, or directory configuration scope. 3. Set the "Order" directive to "allow,deny", add the directive if it does not exist. 4. Comment out any "Allow" directives to prohibit access to the application/content under attack if it exists. 5. Set "Deny" directives to "from all" to prohibit access to the application/content under attack, add the directive if it does not exist. 6. Issue a "nmSoftRestart(serverName='componentName',serverType='OHS') from the WLST shell prompt.

b
Non-privileged accounts on the hosting system must only access OHS security-relevant information and functions through a distinct administrative account.
AC-6 - Medium - CCI-002235 - V-221302 - SV-221302r961353_rule
RMF Control
AC-6
Severity
M
CCI
CCI-002235
Version
OH12-1X-000035
Vuln IDs
  • V-221302
  • V-64503
Rule IDs
  • SV-221302r961353_rule
  • SV-78993
By separating web server security functions from non-privileged users, roles can be developed that can then be used to administer the web server. Forcing users to change from a non-privileged account to a privileged account when operating on the web server or on security-relevant information forces users to only operate as a web server administrator when necessary. Operating in this manner allows for better logging of changes and better forensic information and limits accidental changes to the web server.
Checks: C-23017r414589_chk

1. Check that sudo is properly configured for the account owning the OHS software. 2. If accounts other than the account that owns the OHS software can access the OHS software, this is a finding.

Fix: F-23006r414590_fix

1. Configure sudo such that only the account that owns the OHS software can access it from the hosting system.

b
OHS must have the client requests logging module loaded to generate log records for system startup and shutdown, system access, and system authentication logging.
AU-12 - Medium - CCI-000169 - V-221303 - SV-221303r960879_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000169
Version
OH12-1X-000040
Vuln IDs
  • V-221303
  • V-64173
Rule IDs
  • SV-221303r960879_rule
  • SV-78663
Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the definition of what events are to be logged. As conditions change, the number and types of events to be logged may change, and the web server must be able to facilitate these changes. The minimum list of logged events should be those pertaining to system startup and shutdown, system access, and system authentication events. If these events are not logged at a minimum, any type of forensic investigation would be missing pertinent information needed to replay what occurred.
Checks: C-23018r414592_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule log_config_module" directive at the OHS server configuration scope. 3. If the directive is omitted, this is a finding. 4. Validate that the file specified exist. If the file does not exist, this is a finding.

Fix: F-23007r414593_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule log_config_module" directive at the OHS server configuration scope. 3. Set the "LoadModule log_config_module" directive to ""${PRODUCT_HOME}/modules/mod_log_config.so"", add the directive if it does not exist.

b
OHS must have OraLogMode set to Oracle Diagnostic Logging text mode to generate log records for system startup and shutdown, system access, and system authentication logging.
AU-12 - Medium - CCI-000169 - V-221304 - SV-221304r960879_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000169
Version
OH12-1X-000041
Vuln IDs
  • V-221304
  • V-64175
Rule IDs
  • SV-221304r960879_rule
  • SV-78665
Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the definition of what events are to be logged. As conditions change, the number and types of events to be logged may change, and the web server must be able to facilitate these changes. The minimum list of logged events should be those pertaining to system startup and shutdown, system access, and system authentication events. If these events are not logged at a minimum, any type of forensic investigation would be missing pertinent information needed to replay what occurred.
Checks: C-23019r414595_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "OraLogMode" directive at the OHS server configuration scope. 3. If the directive is omitted or is not set to "odl-text", this is a finding.

Fix: F-23008r414596_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "OraLogMode" directive at the OHS server configuration scope. 3. Set the "OraLogMode" directive to "odl-text", add the directive if it does not exist.

b
OHS must have a log directory location defined to generate log records for system startup and shutdown, system access, and system authentication logging.
AU-12 - Medium - CCI-000169 - V-221305 - SV-221305r960879_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000169
Version
OH12-1X-000042
Vuln IDs
  • V-221305
  • V-64177
Rule IDs
  • SV-221305r960879_rule
  • SV-78667
Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the definition of what events are to be logged. As conditions change, the number and types of events to be logged may change, and the web server must be able to facilitate these changes. The minimum list of logged events should be those pertaining to system startup and shutdown, system access, and system authentication events. If these events are not logged at a minimum, any type of forensic investigation would be missing pertinent information needed to replay what occurred.
Checks: C-23020r414598_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "OraLogDir" directive at the OHS server configuration scope. 3. If the directive is omitted, this is a finding. 4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23009r414599_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "OraLogDir" directive at the OHS server configuration scope. 3. Set the "OraLogDir" directive to an appropriate, protected location on a partition with sufficient space that is different from the partition on which the OHS software is installed; add the directive if it does not exist.

b
OHS must have a log level severity defined to generate adequate log records for system startup and shutdown, system access, and system authentication events.
AU-12 - Medium - CCI-000169 - V-221306 - SV-221306r960879_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000169
Version
OH12-1X-000043
Vuln IDs
  • V-221306
  • V-64179
Rule IDs
  • SV-221306r960879_rule
  • SV-78669
Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the definition of what events are to be logged. As conditions change, the number and types of events to be logged may change, and the web server must be able to facilitate these changes. The minimum list of logged events should be those pertaining to system startup and shutdown, system access, and system authentication events. If these events are not logged at a minimum, any type of forensic investigation would be missing pertinent information needed to replay what occurred.
Checks: C-23021r414601_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "OraLogSeverity" directive at the OHS server configuration scope. 3. If the directive is omitted or is not set to "NOTIFICATION:32", this is a finding.

Fix: F-23010r414602_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "OraLogSeverity" directive at the OHS server configuration scope. 3. Set the "OraLogSeverity" directive to "NOTIFICATION:32", add the directive if it does not exist.

b
OHS must have the log rotation parameter set to allow for the generation log records for system startup and shutdown, system access, and system authentication events.
AU-12 - Medium - CCI-000169 - V-221307 - SV-221307r960879_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000169
Version
OH12-1X-000044
Vuln IDs
  • V-221307
  • V-64181
Rule IDs
  • SV-221307r960879_rule
  • SV-78671
Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the definition of what events are to be logged. As conditions change, the number and types of events to be logged may change, and the web server must be able to facilitate these changes. The minimum list of logged events should be those pertaining to system startup and shutdown, system access, and system authentication events. If these events are not logged at a minimum, any type of forensic investigation would be missing pertinent information needed to replay what occurred.
Checks: C-23022r414604_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "OraLogRotationParams" directive at the OHS server configuration scope. 3. If the directive is omitted or set improperly, this is a finding.

Fix: F-23011r414605_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "OraLogRotationParams" directive at the OHS server configuration scope. 3. As required, set the "OraLogRotationParams" directive to satisfy the NIST 800-92 logging requirements, add the directive if it does not exist.

b
OHS must have a log format defined to generate adequate logs by system startup and shutdown, system access, and system authentication events.
AU-12 - Medium - CCI-000169 - V-221308 - SV-221308r960879_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000169
Version
OH12-1X-000045
Vuln IDs
  • V-221308
  • V-64183
Rule IDs
  • SV-221308r960879_rule
  • SV-78673
Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the definition of what events are to be logged. As conditions change, the number and types of events to be logged may change, and the web server must be able to facilitate these changes. The minimum list of logged events should be those pertaining to system startup and shutdown, system access, and system authentication events. If these events are not logged at a minimum, any type of forensic investigation would be missing pertinent information needed to replay what occurred.
Checks: C-23023r414607_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23012r414608_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i" dod", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a SSL log format defined to generate adequate logs by system startup and shutdown, system access, and system authentication events.
AU-12 - Medium - CCI-000169 - V-221309 - SV-221309r960879_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000169
Version
OH12-1X-000046
Vuln IDs
  • V-221309
  • V-64185
Rule IDs
  • SV-221309r960879_rule
  • SV-78675
Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the definition of what events are to be logged. As conditions change, the number and types of events to be logged may change, and the web server must be able to facilitate these changes. The minimum list of logged events should be those pertaining to system startup and shutdown, system access, and system authentication events. If these events are not logged at a minimum, any type of forensic investigation would be missing pertinent information needed to replay what occurred.
Checks: C-23024r414610_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23013r414611_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i sslprot:%{SSL_PROTOCOL}x ciph:%{SSL_CIPHER}x" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a log file defined for each site/virtual host to capture logs generated by system startup and shutdown, system access, and system authentication events.
AU-12 - Medium - CCI-000169 - V-221310 - SV-221310r960879_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000169
Version
OH12-1X-000047
Vuln IDs
  • V-221310
  • V-64187
Rule IDs
  • SV-221310r960879_rule
  • SV-78677
Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. The web server must allow the definition of what events are to be logged. As conditions change, the number and types of events to be logged may change, and the web server must be able to facilitate these changes. The minimum list of logged events should be those pertaining to system startup and shutdown, system access, and system authentication events. If these events are not logged at a minimum, any type of forensic investigation would be missing pertinent information needed to replay what occurred.
Checks: C-23025r414613_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope. 4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23014r414614_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3a. If the virtual host is NOT configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod", add the directive if it does not exist unless inherited from a larger scope. 3b. If the virtual host is configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a log level severity defined to produce sufficient log records to establish what type of events occurred.
AU-3 - Medium - CCI-000130 - V-221312 - SV-221312r962395_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
OH12-1X-000050
Vuln IDs
  • V-221312
  • V-64191
Rule IDs
  • SV-221312r962395_rule
  • SV-78681
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct type of event that occurred is important during forensic analysis. The correct determination of the event and when it occurred is important in relation to other events that happened at that same time. Without sufficient information establishing what type of log event occurred, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23027r414619_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "OraLogSeverity" directive at the OHS server configuration scope. 3. If the directive is omitted or is not set to "NOTIFICATION:32", this is a finding.

Fix: F-23016r414620_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "OraLogSeverity" directive at the OHS server configuration scope. 3. Set the "OraLogSeverity" directive to "NOTIFICATION:32", add the directive if it does not exist.

b
OHS must have a log format defined for log records generated to capture sufficient information to establish what type of events occurred.
AU-3 - Medium - CCI-000130 - V-221313 - SV-221313r962395_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
OH12-1X-000051
Vuln IDs
  • V-221313
  • V-64193
Rule IDs
  • SV-221313r962395_rule
  • SV-78683
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct type of event that occurred is important during forensic analysis. The correct determination of the event and when it occurred is important in relation to other events that happened at that same time. Without sufficient information establishing what type of log event occurred, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23028r414622_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23017r414623_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i" dod", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a SSL log format defined for log records generated to capture sufficient information to establish what type of events occurred.
AU-3 - Medium - CCI-000130 - V-221314 - SV-221314r962395_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
OH12-1X-000052
Vuln IDs
  • V-221314
  • V-64195
Rule IDs
  • SV-221314r962395_rule
  • SV-78685
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct type of event that occurred is important during forensic analysis. The correct determination of the event and when it occurred is important in relation to other events that happened at that same time. Without sufficient information establishing what type of log event occurred, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23029r414625_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23018r414626_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i sslprot:%{SSL_PROTOCOL}x ciph:%{SSL_CIPHER}x" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a log file defined for each site/virtual host to capture sufficient information to establish what type of events occurred.
AU-3 - Medium - CCI-000130 - V-221315 - SV-221315r962395_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
OH12-1X-000053
Vuln IDs
  • V-221315
  • V-64197
Rule IDs
  • SV-221315r962395_rule
  • SV-78687
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct type of event that occurred is important during forensic analysis. The correct determination of the event and when it occurred is important in relation to other events that happened at that same time. Without sufficient information establishing what type of log event occurred, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23030r414628_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope. 4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23019r414629_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3a. If the virtual host is NOT configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod", add the directive if it does not exist unless inherited from a larger scope. 3b. If the virtual host is configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a log format defined for log records generated to capture sufficient information to establish when an event occurred.
AU-3 - Medium - CCI-000131 - V-221316 - SV-221316r960894_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000131
Version
OH12-1X-000054
Vuln IDs
  • V-221316
  • V-64199
Rule IDs
  • SV-221316r960894_rule
  • SV-78689
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct order of the events that occurred is important during forensic analysis. Events that appear harmless by themselves might be flagged as a potential threat when properly viewed in sequence. By also establishing the event date and time, an event can be properly viewed with an enterprise tool to fully see a possible threat in its entirety. Without sufficient information establishing when the log event occurred, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23031r414631_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23020r414632_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i" dod", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a SSL log format defined for log records generated to capture sufficient information to establish when an event occurred.
AU-3 - Medium - CCI-000131 - V-221317 - SV-221317r960894_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000131
Version
OH12-1X-000055
Vuln IDs
  • V-221317
  • V-64201
Rule IDs
  • SV-221317r960894_rule
  • SV-78691
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct order of the events that occurred is important during forensic analysis. Events that appear harmless by themselves might be flagged as a potential threat when properly viewed in sequence. By also establishing the event date and time, an event can be properly viewed with an enterprise tool to fully see a possible threat in its entirety. Without sufficient information establishing when the log event occurred, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23032r414634_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23021r414635_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i sslprot:%{SSL_PROTOCOL}x ciph:%{SSL_CIPHER}x" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of when an event occurred.
AU-3 - Medium - CCI-000131 - V-221318 - SV-221318r960894_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000131
Version
OH12-1X-000056
Vuln IDs
  • V-221318
  • V-64203
Rule IDs
  • SV-221318r960894_rule
  • SV-78693
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct order of the events that occurred is important during forensic analysis. Events that appear harmless by themselves might be flagged as a potential threat when properly viewed in sequence. By also establishing the event date and time, an event can be properly viewed with an enterprise tool to fully see a possible threat in its entirety. Without sufficient information establishing when the log event occurred, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23033r414637_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope. 4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23022r414638_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3a. If the virtual host is NOT configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod", add the directive if it does not exist unless inherited from a larger scope. 3b. If the virtual host is configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a log format defined for log records that allow the establishment of where within OHS the events occurred.
AU-3 - Medium - CCI-000132 - V-221319 - SV-221319r1022706_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000132
Version
OH12-1X-000057
Vuln IDs
  • V-221319
  • V-64205
Rule IDs
  • SV-221319r1022706_rule
  • SV-78695
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct location or process within the web server where the events occurred is important during forensic analysis. Correctly determining the web service, plug-in, or module will add information to the overall reconstruction of the logged event. For example, an event that occurred during communication to a cgi module might be handled differently than an event that occurred during a communication session to a user. Without sufficient information establishing where the log event occurred within the web server, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23034r414640_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23023r414641_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i" dod", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a SSL log format defined for log records that allow the establishment of where within OHS the events occurred.
AU-3 - Medium - CCI-000132 - V-221320 - SV-221320r1022706_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000132
Version
OH12-1X-000058
Vuln IDs
  • V-221320
  • V-64207
Rule IDs
  • SV-221320r1022706_rule
  • SV-78697
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct location or process within the web server where the events occurred is important during forensic analysis. Correctly determining the web service, plug-in, or module will add information to the overall reconstruction of the logged event. For example, an event that occurred during communication to a cgi module might be handled differently than an event that occurred during a communication session to a user. Without sufficient information establishing where the log event occurred within the web server, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23035r414643_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23024r414644_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i sslprot:%{SSL_PROTOCOL}x ciph:%{SSL_CIPHER}x" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of where within OHS the events occurred.
AU-3 - Medium - CCI-000132 - V-221321 - SV-221321r1022706_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000132
Version
OH12-1X-000059
Vuln IDs
  • V-221321
  • V-64209
Rule IDs
  • SV-221321r1022706_rule
  • SV-78699
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct location or process within the web server where the events occurred is important during forensic analysis. Correctly determining the web service, plug-in, or module will add information to the overall reconstruction of the logged event. For example, an event that occurred during communication to a cgi module might be handled differently than an event that occurred during a communication session to a user. Without sufficient information establishing where the log event occurred within the web server, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23036r414646_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope. 4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23025r414647_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3a. If the virtual host is NOT configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod", add the directive if it does not exist unless inherited from a larger scope. 3b. If the virtual host is configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a log format defined for log records that allow the establishment of the source of events.
AU-3 - Medium - CCI-000133 - V-221322 - SV-221322r960900_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000133
Version
OH12-1X-000060
Vuln IDs
  • V-221322
  • V-64211
Rule IDs
  • SV-221322r960900_rule
  • SV-78701
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., source IP, of the events is important during forensic analysis. Correctly determining the source will add information to the overall reconstruction of the logable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if the event compromised other assets within the enterprise. Without sufficient information establishing the source of the logged event, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23037r414649_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23026r414650_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i" dod", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a SSL log format defined for log records that allow the establishment of the source of events.
AU-3 - Medium - CCI-000133 - V-221323 - SV-221323r960900_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000133
Version
OH12-1X-000061
Vuln IDs
  • V-221323
  • V-64213
Rule IDs
  • SV-221323r960900_rule
  • SV-78703
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., source IP, of the events is important during forensic analysis. Correctly determining the source will add information to the overall reconstruction of the logable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if the event compromised other assets within the enterprise. Without sufficient information establishing the source of the logged event, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23038r414652_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23027r414653_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i sslprot:%{SSL_PROTOCOL}x ciph:%{SSL_CIPHER}x" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of the source of events.
AU-3 - Medium - CCI-000133 - V-221324 - SV-221324r960900_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000133
Version
OH12-1X-000062
Vuln IDs
  • V-221324
  • V-64215
Rule IDs
  • SV-221324r960900_rule
  • SV-78705
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., source IP, of the events is important during forensic analysis. Correctly determining the source will add information to the overall reconstruction of the logable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if the event compromised other assets within the enterprise. Without sufficient information establishing the source of the logged event, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23039r414655_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope. 4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23028r414656_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3a. If the virtual host is NOT configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod", add the directive if it does not exist unless inherited from a larger scope. 3b. If the virtual host is configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS, behind a load balancer or proxy server, must produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
AU-3 - Medium - CCI-000133 - V-221325 - SV-221325r960900_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000133
Version
OH12-1X-000063
Vuln IDs
  • V-221325
  • V-64217
Rule IDs
  • SV-221325r960900_rule
  • SV-78707
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., source IP, of the events is important during forensic analysis. Correctly determining the source of events will add information to the overall reconstruction of the logable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if events tied to the source occurred in other areas within the enterprise. A web server behind a load balancer or proxy server, when not configured correctly, will record the load balancer or proxy server as the source of every logable event. When looking at the information forensically, this information is not helpful in the investigation of events. The web server must record with each event the client source of the event.
Checks: C-23040r414658_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23029r414659_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i" dod", add the directive if it does not exist unless inherited from a larger scope.

b
OHS, behind a load balancer or proxy server, must have the SSL log format set correctly to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
AU-3 - Medium - CCI-000133 - V-221326 - SV-221326r960900_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000133
Version
OH12-1X-000064
Vuln IDs
  • V-221326
  • V-64219
Rule IDs
  • SV-221326r960900_rule
  • SV-78709
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., source IP, of the events is important during forensic analysis. Correctly determining the source of events will add information to the overall reconstruction of the logable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if events tied to the source occurred in other areas within the enterprise. A web server behind a load balancer or proxy server, when not configured correctly, will record the load balancer or proxy server as the source of every logable event. When looking at the information forensically, this information is not helpful in the investigation of events. The web server must record with each event the client source of the event.
Checks: C-23041r414661_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23030r414662_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i sslprot:%{SSL_PROTOCOL}x ciph:%{SSL_CIPHER}x" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS, behind a load balancer or proxy server, must have a log file defined for each site/virtual host to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
AU-3 - Medium - CCI-000133 - V-221327 - SV-221327r960900_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000133
Version
OH12-1X-000065
Vuln IDs
  • V-221327
  • V-64221
Rule IDs
  • SV-221327r960900_rule
  • SV-78711
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., source IP, of the events is important during forensic analysis. Correctly determining the source of events will add information to the overall reconstruction of the logable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if events tied to the source occurred in other areas within the enterprise. A web server behind a load balancer or proxy server, when not configured correctly, will record the load balancer or proxy server as the source of every logable event. When looking at the information forensically, this information is not helpful in the investigation of events. The web server must record with each event the client source of the event.
Checks: C-23042r414664_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope. 4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23031r414665_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3a. If the virtual host is NOT configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod", add the directive if it does not exist unless inherited from a larger scope. 3b. If the virtual host is configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a log format defined to produce log records that contain sufficient information to establish the outcome (success or failure) of events.
AU-3 - Medium - CCI-000134 - V-221328 - SV-221328r960903_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000134
Version
OH12-1X-000066
Vuln IDs
  • V-221328
  • V-64223
Rule IDs
  • SV-221328r960903_rule
  • SV-78713
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the success or failure of an event is important during forensic analysis. Correctly determining the outcome will add information to the overall reconstruction of the logable event. By determining the success or failure of the event correctly, analysis of the enterprise can be undertaken to determine if events tied to the event occurred in other areas within the enterprise. Without sufficient information establishing the success or failure of the logged event, investigation into the cause of event is severely hindered. The success or failure also provides a means to measure the impact of an event and help authorized personnel to determine the appropriate response. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23043r414667_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23032r414668_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i" dod", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a SSL log format defined to produce log records that contain sufficient information to establish the outcome (success or failure) of events.
AU-3 - Medium - CCI-000134 - V-221329 - SV-221329r960903_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000134
Version
OH12-1X-000067
Vuln IDs
  • V-221329
  • V-64225
Rule IDs
  • SV-221329r960903_rule
  • SV-78715
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the success or failure of an event is important during forensic analysis. Correctly determining the outcome will add information to the overall reconstruction of the logable event. By determining the success or failure of the event correctly, analysis of the enterprise can be undertaken to determine if events tied to the event occurred in other areas within the enterprise. Without sufficient information establishing the success or failure of the logged event, investigation into the cause of event is severely hindered. The success or failure also provides a means to measure the impact of an event and help authorized personnel to determine the appropriate response. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23044r414670_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23033r414671_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i sslprot:%{SSL_PROTOCOL}x ciph:%{SSL_CIPHER}x" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a log file defined for each site/virtual host to produce log records that contain sufficient information to establish the outcome (success or failure) of events.
AU-3 - Medium - CCI-000134 - V-221330 - SV-221330r960903_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000134
Version
OH12-1X-000068
Vuln IDs
  • V-221330
  • V-64227
Rule IDs
  • SV-221330r960903_rule
  • SV-78717
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the success or failure of an event is important during forensic analysis. Correctly determining the outcome will add information to the overall reconstruction of the logable event. By determining the success or failure of the event correctly, analysis of the enterprise can be undertaken to determine if events tied to the event occurred in other areas within the enterprise. Without sufficient information establishing the success or failure of the logged event, investigation into the cause of event is severely hindered. The success or failure also provides a means to measure the impact of an event and help authorized personnel to determine the appropriate response. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Checks: C-23045r414673_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope. 4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23034r414674_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3a. If the virtual host is NOT configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod", add the directive if it does not exist unless inherited from a larger scope. 3b. If the virtual host is configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a log format defined to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
AU-3 - Medium - CCI-001487 - V-221331 - SV-221331r960906_rule
RMF Control
AU-3
Severity
M
CCI
CCI-001487
Version
OH12-1X-000069
Vuln IDs
  • V-221331
  • V-64229
Rule IDs
  • SV-221331r960906_rule
  • SV-78719
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Determining user accounts, processes running on behalf of the user, and running process identifiers also enable a better understanding of the overall event. User tool identification is also helpful to determine if events are related to overall user access or specific client tools. Log record content that may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.
Checks: C-23046r414676_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23035r414677_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i" dod", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a SSL log format defined to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
AU-3 - Medium - CCI-001487 - V-221332 - SV-221332r960906_rule
RMF Control
AU-3
Severity
M
CCI
CCI-001487
Version
OH12-1X-000070
Vuln IDs
  • V-221332
  • V-64231
Rule IDs
  • SV-221332r960906_rule
  • SV-78721
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Determining user accounts, processes running on behalf of the user, and running process identifiers also enable a better understanding of the overall event. User tool identification is also helpful to determine if events are related to overall user access or specific client tools. Log record content that may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.
Checks: C-23047r414679_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-23036r414680_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with a nickname of "dod_ssl" at the OHS server and virtual host configuration scopes. 3. Set the "LogFormat" directive to ""%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" ecid:%E xfor:%{X-Forwarded-For}i sslprot:%{SSL_PROTOCOL}x ciph:%{SSL_CIPHER}x" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS must have a log file defined for each site/virtual host to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
AU-3 - Medium - CCI-001487 - V-221333 - SV-221333r960906_rule
RMF Control
AU-3
Severity
M
CCI
CCI-001487
Version
OH12-1X-000071
Vuln IDs
  • V-221333
  • V-64233
Rule IDs
  • SV-221333r960906_rule
  • SV-78723
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Determining user accounts, processes running on behalf of the user, and running process identifiers also enable a better understanding of the overall event. User tool identification is also helpful to determine if events are related to overall user access or specific client tools. Log record content that may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.
Checks: C-23048r414682_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope. 4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23037r414683_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3a. If the virtual host is NOT configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod", add the directive if it does not exist unless inherited from a larger scope. 3b. If the virtual host is configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod_ssl", add the directive if it does not exist unless inherited from a larger scope.

b
OHS log files must only be accessible by privileged users.
AU-9 - Medium - CCI-000162 - V-221334 - SV-221334r960930_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000162
Version
OH12-1X-000074
Vuln IDs
  • V-221334
  • V-64235
Rule IDs
  • SV-221334r960930_rule
  • SV-78725
Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to their advantage since each event record might contain communication ports, protocols, services, trust relationships, user names, etc. The web server must protect the log data from unauthorized read, write, copy, etc. This can be done by the web server if the web server is also doing the logging function. The web server may also use an external log system. In either case, the logs must be protected from access by non-privileged users.
Checks: C-23049r414685_chk

1. Change to the ORACLE_HOME/user_projects/domains/base_domain/servers directory. 2. Execute the command: find . -name *.log 3. Verify that each log file that was returned has the owner and group set to the user and group used to run the web server. The user and group are typically set to Oracle. 4. Verify that each log file that was returned has the permissions on the log file set to "640" or more restrictive. If the owner, group or permissions are set incorrectly on any of the log files, this is a finding.

Fix: F-23038r414686_fix

1. Change to the ORACLE_HOME/user_projects/domains/base_domain/servers directory. 2. Execute the command: find . -name *.log 3. Set the owner and group to the user and group used to run the web server. The user and group are typically set to Oracle. 4. Set the permissions on all the log files returned to "640".

b
The log information from OHS must be protected from unauthorized modification.
AU-9 - Medium - CCI-000163 - V-221335 - SV-221335r960933_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000163
Version
OH12-1X-000075
Vuln IDs
  • V-221335
  • V-64237
Rule IDs
  • SV-221335r960933_rule
  • SV-78727
Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromise. One of the first steps an attacker will undertake is the modification or deletion of log records to cover his tracks and prolong discovery. The web server must protect the log data from unauthorized modification. This can be done by the web server if the web server is also doing the logging function. The web server may also use an external log system. In either case, the logs must be protected from modification by non-privileged users.
Checks: C-23050r414688_chk

1. Change to the ORACLE_HOME/user_projects/domains/base_domain/servers directory. 2. Execute the command: find . -name *.log 3. Verify that each log file that was returned has the owner and group set to the user and group used to run the web server. The user and group are typically set to Oracle. 4. Verify that each log file that was returned has the permissions on the log file set to "640" or more restrictive. If the owner, group or permissions are set incorrectly on any of the log files, this is a finding.

Fix: F-23039r414689_fix

1. Change to the ORACLE_HOME/user_projects/domains/base_domain/servers directory. 2. Execute the command: find . -name *.log 3. Set the owner and group to the user and group used to run the web server. The user and group are typically set to Oracle. 4. Set the permissions on all the log files returned to "640".

b
The log information from OHS must be protected from unauthorized deletion.
AU-9 - Medium - CCI-000164 - V-221336 - SV-221336r960936_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000164
Version
OH12-1X-000076
Vuln IDs
  • V-221336
  • V-64239
Rule IDs
  • SV-221336r960936_rule
  • SV-78729
Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risks and may hinder the early discovery of a system compromise. One of the first steps an attacker will undertake is the modification or deletion of audit records to cover his tracks and prolong discovery. The web server must protect the log data from unauthorized deletion. This can be done by the web server if the web server is also doing the logging function. The web server may also use an external log system. In either case, the logs must be protected from deletion by non-privileged users.
Checks: C-23051r414691_chk

1. Change to the ORACLE_HOME/user_projects/domains/base_domain/servers directory. 2. Execute the command: find . -name *.log 3. Verify that each log file that was returned has the owner and group set to the user and group used to run the web server. The user and group are typically set to Oracle. 4. Verify that each log file that was returned has the permissions on the log file set to "640" or more restrictive. If the owner, group or permissions are set incorrectly on any of the log files, this is a finding.

Fix: F-23040r414692_fix

1. Change to the ORACLE_HOME/user_projects/domains/base_domain/servers directory. 2. Execute the command: find . -name *.log 3. Set the owner and group to the user and group used to run the web server. The user and group are typically set to Oracle. 4. Set the permissions on all the log files returned to "640".

b
The log data and records from OHS must be backed up onto a different system or media.
AU-9 - Medium - CCI-001348 - V-221337 - SV-221337r960948_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001348
Version
OH12-1X-000077
Vuln IDs
  • V-221337
  • V-64241
Rule IDs
  • SV-221337r960948_rule
  • SV-78731
Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up log records to an unrelated system or onto separate media than the system the web server is actually running on helps to assure that, in the event of a catastrophic system failure, the log records will be retained.
Checks: C-23052r414694_chk

1. Verify that the System Administrator backs up the files located in the $DOMAIN_HOME/servers/&lt;componentName&gt;/logs directory. 2. If the files located in the $DOMAIN_HOME/servers/&lt;componentName&gt;/logs directory, this is a finding.

Fix: F-23041r414695_fix

Have the System Administrator back up the files located in the $DOMAIN_HOME/servers/<componentName>/logs directory.

b
OHS must be configured to store error log files to an appropriate storage device from which other tools can be configured to reference those log files for diagnostic/forensic purposes.
AU-4 - Medium - CCI-001851 - V-221338 - SV-221338r961395_rule
RMF Control
AU-4
Severity
M
CCI
CCI-001851
Version
OH12-1X-000081
Vuln IDs
  • V-221338
  • V-64505
Rule IDs
  • SV-221338r961395_rule
  • SV-78995
A web server will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within a hosted application. This information can then be used for diagnostic purposes, forensics purposes, or other purposes relevant to ensuring the availability and integrity of the hosted application. While it is important to log events identified as being critical and relevant to security, it is equally important to notify the appropriate personnel in a timely manner so they are able to respond to events as they occur. Manual review of the web server logs may not occur in a timely manner, and each event logged is open to interpretation by a reviewer. By integrating the web server into an overall or organization-wide log review, a larger picture of events can be viewed, and analysis can be done in a timely and reliable manner.
Checks: C-23053r414697_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "OraLogDir" directive at the OHS server configuration scope. 3. If the directive is omitted, this is a finding. 4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23042r414698_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "OraLogDir" directive at the OHS server configuration scope. 3. Set the "OraLogDir" directive to an appropriate, protected location on a partition with sufficient space that is different from the partition on which the OHS software is installed; add the directive if it does not exist.

b
OHS must be configured to store access log files to an appropriate storage device from which other tools can be configured to reference those log files for diagnostic/forensic purposes.
AU-4 - Medium - CCI-001851 - V-221339 - SV-221339r961395_rule
RMF Control
AU-4
Severity
M
CCI
CCI-001851
Version
OH12-1X-000082
Vuln IDs
  • V-221339
  • V-64507
Rule IDs
  • SV-221339r961395_rule
  • SV-78997
A web server will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within a hosted application. This information can then be used for diagnostic purposes, forensics purposes, or other purposes relevant to ensuring the availability and integrity of the hosted application. While it is important to log events identified as being critical and relevant to security, it is equally important to notify the appropriate personnel in a timely manner so they are able to respond to events as they occur. Manual review of the web server logs may not occur in a timely manner, and each event logged is open to interpretation by a reviewer. By integrating the web server into an overall or organization-wide log review, a larger picture of events can be viewed, and analysis can be done in a timely and reliable manner.
Checks: C-23054r414700_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope. 4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23043r414701_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "CustomLog" directive at the OHS server and virtual host configuration scopes. 3a. If the virtual host is NOT configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod", add the directive if it does not exist unless inherited from a larger scope and reference a location where other tools can access the log files for diagnostic/forensic purposes. 3b. If the virtual host is configured for SSL, set the "CustomLog" directive to ""||${PRODUCT_HOME}/bin/odl_rotatelogs <DESIRED_DIRECTORY_AND_FILE_NAME> 43200" dod_ssl", add the directive if it does not exist unless inherited from a larger scope and reference a location where other tools can access the log files for diagnostic/forensic purposes.

b
OHS must have the LoadModule file_cache_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221340 - SV-221340r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000093
Vuln IDs
  • V-221340
  • V-64243
Rule IDs
  • SV-221340r960963_rule
  • SV-78733
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23055r414703_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule file_cache_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23044r414704_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule file_cache_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule file_cache_module" directive if it exists.

a
OHS must have the LoadModule vhost_alias_module directive disabled.
CM-7 - Low - CCI-000381 - V-221341 - SV-221341r960963_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000094
Vuln IDs
  • V-221341
  • V-64245
Rule IDs
  • SV-221341r960963_rule
  • SV-78735
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23056r414706_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule vhost_alias_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23045r414707_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule vhost_alias_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule vhost_alias_module" directive if it exists.

b
OHS must have the LoadModule env_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221342 - SV-221342r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000095
Vuln IDs
  • V-221342
  • V-64247
Rule IDs
  • SV-221342r960963_rule
  • SV-78737
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23057r414709_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule env_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23046r414710_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule env_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule env_module" directive if it exists.

a
OHS must have the LoadModule mime_magic_module directive disabled.
CM-7 - Low - CCI-000381 - V-221343 - SV-221343r960963_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000096
Vuln IDs
  • V-221343
  • V-64249
Rule IDs
  • SV-221343r960963_rule
  • SV-78739
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23058r414712_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule mime_magic_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23047r414713_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule mime_magic_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule mime_magic_module" directive if it exists.

a
OHS must have the LoadModule negotiation_module directive disabled.
CM-7 - Low - CCI-000381 - V-221344 - SV-221344r960963_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000097
Vuln IDs
  • V-221344
  • V-64251
Rule IDs
  • SV-221344r960963_rule
  • SV-78741
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23059r414715_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule negotiation_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23048r414716_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule negotiation_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule negotiation_module" directive if it exists.

a
OHS must not have the LanguagePriority directive enabled.
CM-7 - Low - CCI-000381 - V-221345 - SV-221345r960963_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000098
Vuln IDs
  • V-221345
  • V-64253
Rule IDs
  • SV-221345r960963_rule
  • SV-78743
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23060r414718_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "LanguagePriority" directive. 2. Search for the "LanguagePriority" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23049r414719_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "LanguagePriority" directive. 2. Search for the "LanguagePriority" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "LanguagePriority" directive if it exists.

a
OHS must not have the ForceLanguagePriority directive enabled.
CM-7 - Low - CCI-000381 - V-221346 - SV-221346r960963_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000099
Vuln IDs
  • V-221346
  • V-64255
Rule IDs
  • SV-221346r960963_rule
  • SV-78745
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23061r414721_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "ForceLanguagePriority" directive. 2. Search for the "ForceLanguagePriority" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23050r414722_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "ForceLanguagePriority" directive. 2. Search for the "ForceLanguagePriority" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "ForceLanguagePriority" directive if it exists.

b
OHS must have the LoadModule status_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221347 - SV-221347r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000100
Vuln IDs
  • V-221347
  • V-64257
Rule IDs
  • SV-221347r960963_rule
  • SV-78747
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23062r414724_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule status_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23051r414725_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule status_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule status_module" directive if it exists.

b
OHS must have the LoadModule info_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221348 - SV-221348r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000101
Vuln IDs
  • V-221348
  • V-64259
Rule IDs
  • SV-221348r960963_rule
  • SV-78749
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23063r414727_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule info_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23052r414728_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule info_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule info_module" directive if it exists.

b
OHS must have the LoadModule include_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221349 - SV-221349r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000102
Vuln IDs
  • V-221349
  • V-64261
Rule IDs
  • SV-221349r960963_rule
  • SV-78751
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23064r414730_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule include_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23053r414731_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule include_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule include_module" directive if it exists.

b
OHS must have the LoadModule autoindex_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221350 - SV-221350r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000103
Vuln IDs
  • V-221350
  • V-64263
Rule IDs
  • SV-221350r960963_rule
  • SV-78753
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23065r414733_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule autoindex_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23054r414734_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule autoindex_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule autoindex_module" directive if it exists.

b
OHS must have the IndexOptions directive disabled.
CM-7 - Medium - CCI-000381 - V-221351 - SV-221351r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000104
Vuln IDs
  • V-221351
  • V-64265
Rule IDs
  • SV-221351r960963_rule
  • SV-78755
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23066r414736_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains an "IndexOptions" directive. 2. Search for the "IndexOptions" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23055r414737_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains an "IndexOptions" directive. 2. Search for the "IndexOptions" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "IndexOptions" directive if it exists.

b
OHS must have the AddIconByEncoding directive disabled.
CM-7 - Medium - CCI-000381 - V-221352 - SV-221352r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000105
Vuln IDs
  • V-221352
  • V-64267
Rule IDs
  • SV-221352r960963_rule
  • SV-78757
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23067r414739_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains an "AddIconByEncoding" directive. 2. Search for an "AddIconByEncoding" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23056r414740_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains an "AddIconByEncoding" directive. 2. Search for an "AddIconByEncoding" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "AddIconByEncoding" directive if it exists.

b
OHS must have the AddIconByType directive disabled.
CM-7 - Medium - CCI-000381 - V-221353 - SV-221353r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000106
Vuln IDs
  • V-221353
  • V-64269
Rule IDs
  • SV-221353r960963_rule
  • SV-78759
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23068r414742_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains an "AddIconByType" directive. 2. Search for an "AddIconByType" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23057r414743_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains an "AddIconByType" directive. 2. Search for an "AddIconByType" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "AddIconByType" directive if it exists.

b
OHS must have the AddIcon directive disabled.
CM-7 - Medium - CCI-000381 - V-221354 - SV-221354r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000107
Vuln IDs
  • V-221354
  • V-64271
Rule IDs
  • SV-221354r960963_rule
  • SV-78761
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23069r414745_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains an "AddIcon" directive. 2. Search for an "AddIcon" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23058r414746_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains an "AddIcon" directive. 2. Search for an "AddIcon" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "AddIcon" directive if it exists.

b
OHS must have the DefaultIcon directive disabled.
CM-7 - Medium - CCI-000381 - V-221355 - SV-221355r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000108
Vuln IDs
  • V-221355
  • V-64273
Rule IDs
  • SV-221355r960963_rule
  • SV-78763
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23070r414748_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "DefaultIcon" directive. 2. Search for a "DefaultIcon" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23059r414749_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "DefaultIcon" directive. 2. Search for a "DefaultIcon" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "DefaultIcon" directive if it exists.

b
OHS must have the ReadmeName directive disabled.
CM-7 - Medium - CCI-000381 - V-221356 - SV-221356r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000109
Vuln IDs
  • V-221356
  • V-64275
Rule IDs
  • SV-221356r960963_rule
  • SV-78765
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23071r414751_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "ReadmeName" directive. 2. Search for a "ReadmeName" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23060r414752_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "ReadmeName" directive. 2. Search for a "ReadmeName" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "ReadmeName" directive if it exists.

b
OHS must have the HeaderName directive disabled.
CM-7 - Medium - CCI-000381 - V-221357 - SV-221357r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000110
Vuln IDs
  • V-221357
  • V-64277
Rule IDs
  • SV-221357r960963_rule
  • SV-78767
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23072r414754_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "HeaderName" directive. 2. Search for a "HeaderName" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23061r414755_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "HeaderName" directive. 2. Search for a "HeaderName" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "HeaderName" directive if it exists.

b
OHS must have the IndexIgnore directive disabled.
CM-7 - Medium - CCI-000381 - V-221358 - SV-221358r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000111
Vuln IDs
  • V-221358
  • V-64279
Rule IDs
  • SV-221358r960963_rule
  • SV-78769
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23073r414757_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains an "IndexIgnore" directive. 2. Search for an "IndexIgnore" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23062r414758_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains an "IndexIgnore" directive. 2. Search for an "IndexIgnore" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "IndexIgnore" directive if it exists.

a
OHS must have the LoadModule dir_module directive disabled.
CM-7 - Low - CCI-000381 - V-221359 - SV-221359r960963_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000112
Vuln IDs
  • V-221359
  • V-64281
Rule IDs
  • SV-221359r960963_rule
  • SV-78771
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23074r414760_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule dir_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23063r414761_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule dir_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule dir_module" directive if it exists.

a
OHS must have the DirectoryIndex directive disabled.
CM-7 - Low - CCI-000381 - V-221360 - SV-221360r960963_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000113
Vuln IDs
  • V-221360
  • V-64283
Rule IDs
  • SV-221360r960963_rule
  • SV-78773
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23075r414763_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "DirectoryIndex" directive. 2. Search for the "DirectoryIndex" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive and any surrounding "&lt;IfModule dir_module&gt;" directive exist and are not commented out, this is a finding.

Fix: F-23064r414764_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "DirectoryIndex" directive. 2. Search for the "DirectoryIndex" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "DirectoryIndex" directive and any surrounding "<IfModule dir_module>" directive if they exist.

b
OHS must have the LoadModule cgi_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221361 - SV-221361r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000114
Vuln IDs
  • V-221361
  • V-64285
Rule IDs
  • SV-221361r960963_rule
  • SV-78775
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23076r414766_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule cgi_module" directive within the "&lt;IfModule mpm_prefork_module&gt;" directive at the OHS server configuration scope. 3. If the directive and its surrounding "&lt;IfModule mpm_prefork_module&gt;" directive exist and are not commented out, this is a finding.

Fix: F-23065r414767_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule cgi_module" directive within the "<IfModule mpm_prefork_module>" directive at the OHS server configuration scope. 3. Comment out the "LoadModule cgi_module" directive and surrounding "<IfModule mpm_prefork_module>" directives if they exist.

b
OHS must have the LoadModule fastcgi_module disabled.
CM-7 - Medium - CCI-000381 - V-221362 - SV-221362r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000115
Vuln IDs
  • V-221362
  • V-64287
Rule IDs
  • SV-221362r960963_rule
  • SV-78777
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23077r414769_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule fastcgi_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23066r414770_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule fastcgi_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule fastcgi_module" directive if it exists.

b
OHS must have the LoadModule cgid_module directive disabled for mpm workers.
CM-7 - Medium - CCI-000381 - V-221363 - SV-221363r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000116
Vuln IDs
  • V-221363
  • V-64289
Rule IDs
  • SV-221363r960963_rule
  • SV-78779
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23078r414772_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule cgid_module" directive within the "&lt;IfModule mpm_worker_module&gt;" directive at the OHS server configuration scope. 3. If the directive and its surrounding "&lt;IfModule mpm_worker_module&gt;" directive exist and are not commented out, this is a finding.

Fix: F-23067r414773_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule cgid_module" directive within the "<IfModule mpm_worker_module>" directive at the OHS server configuration scope. 3. Comment out the "LoadModule cgid_module" directive and surrounding "<IfModule mpm_worker_module>" directives if they exist.

a
OHS must have the IfModule cgid_module directive disabled.
CM-7 - Low - CCI-000381 - V-221364 - SV-221364r960963_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000117
Vuln IDs
  • V-221364
  • V-64291
Rule IDs
  • SV-221364r960963_rule
  • SV-78781
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23079r414775_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;IfModule cgid_module&gt;" directive. 2. Search for the "&lt;IfModule cgid_module&gt;" directive at the OHS server, virtual host, and directory configuration scope. 3. If the directive and any directives that it may contain exist and are not commented out, this is a finding.

Fix: F-23068r414776_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<IfModule cgid_module>" directive. 2. Search for the "<IfModule cgid_module>" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "<IfModule cgid_module>" directive and any directives it may contain.

a
OHS must have the LoadModule mpm_winnt_module directive disabled.
CM-7 - Low - CCI-000381 - V-221365 - SV-221365r960963_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000118
Vuln IDs
  • V-221365
  • V-64293
Rule IDs
  • SV-221365r960963_rule
  • SV-78783
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23080r414778_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule cgi_module" directive within the "&lt;IfModule mpm_winnt_module&gt;" directive at the OHS server configuration scope. 3. If the directive and its surrounding "&lt;IfModule mpm_winnt_module&gt;" directive exist and are not commented out, this is a finding.

Fix: F-23069r414779_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule cgi_module" directive within the "<IfModule mpm_winnt_module>" directive at the OHS server configuration scope. 3. Comment out the "LoadModule cgi_module" directive and surrounding "<IfModule mpm_winnt_module>" directives if they exist.

b
OHS must have the ScriptAlias directive for CGI scripts disabled.
CM-7 - Medium - CCI-000381 - V-221366 - SV-221366r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000119
Vuln IDs
  • V-221366
  • V-64295
Rule IDs
  • SV-221366r960963_rule
  • SV-78785
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23081r414781_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for a "ScriptAlias /cgi-bin/" directive within a "&lt;IfModule alias_module&gt;" directive at the OHS server configuration scope. 3. If the directive and its surrounding "&lt;IfModule alias_module&gt;" directive exist and are not commented out, this is a finding.

Fix: F-23070r414782_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for a "ScriptAlias /cgi-bin/" directive within a "<IfModule alias_module>" directive at the OHS server configuration scope. 3. Comment out the "ScriptAlias /cgi-bin/" directive and its surrounding "<IfModule alias_module>" directive if they exist.

b
OHS must have the ScriptSock directive disabled.
CM-7 - Medium - CCI-000381 - V-221367 - SV-221367r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000120
Vuln IDs
  • V-221367
  • V-64297
Rule IDs
  • SV-221367r960963_rule
  • SV-78787
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23082r414784_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for a "ScriptSock" directive within a "&lt;IfModule cgid_module&gt;" directive at the OHS server configuration scope. Note: “ScriptSock” may appear as “Scriptsock” within the httpd.conf file. 3. If the directive and its surrounding "&lt;IfModule cgid_module&gt;" directive exist and are not commented out, this is a finding.

Fix: F-23071r414785_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for a "ScriptSock" directive within a "<IfModule cgid_module>" directive at the OHS server configuration scope. Note: “ScriptSock” may appear as “Scriptsock” within the httpd.conf file. 3. Comment out the "ScriptSock" directive and its surrounding "<IfModule cgid_module>" directive if they exist.

b
OHS must have the cgi-bin directory disabled.
CM-7 - Medium - CCI-000381 - V-221368 - SV-221368r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000121
Vuln IDs
  • V-221368
  • V-64299
Rule IDs
  • SV-221368r960963_rule
  • SV-78789
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23083r414787_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/ssl.conf with an editor. 2. Search for a "&lt;Directory "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/cgi-bin"&gt;" directive at the OHS server and virtual host configuration scopes. 3. If the directive and any directives that it contains exist and are not commented out, this is a finding.

Fix: F-23072r414788_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor. 2. Search for a "<Directory "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/cgi-bin">" directive at the OHS server and virtual host configuration scopes. 3. Comment out the "<Directory "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/cgi-bin">" directive and any directives it contains if they exist.

b
OHS must have directives pertaining to certain scripting languages removed from virtual hosts.
CM-7 - Medium - CCI-000381 - V-221369 - SV-221369r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000122
Vuln IDs
  • V-221369
  • V-64301
Rule IDs
  • SV-221369r960963_rule
  • SV-78791
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23084r414790_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/ssl.conf with an editor. 2. Search for a "&lt;FilesMatch "\.(cgi|shtml|phtml|php)$"&gt;" directive at the virtual host configuration scope. 3. If the directive and any directives that it contains exist and are not commented out, this is a finding.

Fix: F-23073r414791_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor. 2. Search for a "<FilesMatch "\.(cgi|shtml|phtml|php)$">" directive at the OHS server configuration scope. 3. Comment out the "<FilesMatch "\.(cgi|shtml|phtml|php)$">" directive and any directives it contains if they exist.

a
OHS must have the LoadModule asis_module directive disabled.
CM-7 - Low - CCI-000381 - V-221370 - SV-221370r960963_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000123
Vuln IDs
  • V-221370
  • V-64303
Rule IDs
  • SV-221370r960963_rule
  • SV-78793
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23085r414793_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule asis_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23074r414794_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule asis_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule asis_module" directive if it exists.

a
OHS must have the LoadModule imagemap_module directive disabled.
CM-7 - Low - CCI-000381 - V-221371 - SV-221371r960963_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000124
Vuln IDs
  • V-221371
  • V-64305
Rule IDs
  • SV-221371r960963_rule
  • SV-78795
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23086r414796_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule imagemap_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23075r414797_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule imagemap_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule imagemap_module" directive if it exists.

b
OHS must have the LoadModule actions_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221372 - SV-221372r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000125
Vuln IDs
  • V-221372
  • V-64307
Rule IDs
  • SV-221372r960963_rule
  • SV-78797
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23087r414799_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule actions_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23076r414800_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule actions_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule actions_module" directive if it exists.

a
OHS must have the LoadModule speling_module directive disabled.
CM-7 - Low - CCI-000381 - V-221373 - SV-221373r960963_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000126
Vuln IDs
  • V-221373
  • V-64309
Rule IDs
  • SV-221373r960963_rule
  • SV-78799
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23088r414802_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule speling_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23077r414803_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule speling_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule speling_module" directive if it exists.

b
OHS must have the LoadModule userdir_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221374 - SV-221374r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000127
Vuln IDs
  • V-221374
  • V-64311
Rule IDs
  • SV-221374r960963_rule
  • SV-78801
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23089r414805_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule userdir_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23078r414806_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule userdir_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule userdir_module" directive if it exists.

b
OHS must have the AliasMatch directive pertaining to the OHS manuals disabled.
CM-7 - Medium - CCI-000381 - V-221375 - SV-221375r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000128
Vuln IDs
  • V-221375
  • V-64313
Rule IDs
  • SV-221375r960963_rule
  • SV-78803
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23090r414808_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for a "AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br|ru|tr))?(/.*)?$ "${PRODUCT_HOME}/manual$1"" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23079r414809_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for an "AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br|ru|tr))?(/.*)?$ "${PRODUCT_HOME}/manual$1"" directive at the OHS server configuration scope. 3. Comment out the "AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br|ru|tr))?(/.*)?$ "${PRODUCT_HOME}/manual$1"" directive if it exists.

b
OHS must have the Directory directive pointing to the OHS manuals disabled.
CM-7 - Medium - CCI-000381 - V-221376 - SV-221376r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000129
Vuln IDs
  • V-221376
  • V-64315
Rule IDs
  • SV-221376r960963_rule
  • SV-78805
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23091r414811_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for a "&lt;Directory "${PRODUCT_HOME}/manual"&gt;" directive at the OHS server configuration scope. 3. If the directive and the directives it contains exists and is not commented out, this is a finding.

Fix: F-23080r414812_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for a "<Directory "${PRODUCT_HOME}/manual">" directive at the OHS server configuration scope. 3. Comment out the "<Directory "${PRODUCT_HOME}/manual">" directive and any directives it contains if they exist.

b
OHS must have the LoadModule auth_basic_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221377 - SV-221377r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000130
Vuln IDs
  • V-221377
  • V-64317
Rule IDs
  • SV-221377r960963_rule
  • SV-78807
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23092r414814_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule auth_basic_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23081r414815_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule auth_basic_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule auth_basic_module" directive if it exists.

b
OHS must have the LoadModule authz_user_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221378 - SV-221378r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000131
Vuln IDs
  • V-221378
  • V-64319
Rule IDs
  • SV-221378r960963_rule
  • SV-78809
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance. This module provides authorization capabilities so authenticated users can be allowed or denied access to portions of the web site. This requirement is meant to disable an unneeded service; it is not intended to restrict the use of authorization when data access restrictions specify the use of authorization. Refer to the system security plan to determine if authorization is required based on data access requirements.
Checks: C-23093r539626_chk

If the AO approved system security plan for web server configuration specifies using the OHS authz_user_module in order to meet application architecture requirements, this requirement can be marked NA. 1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule authz_user_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23082r457166_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule authz_user_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule authz_user_module" directive if it exists.

b
OHS must have the LoadModule authn_file_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221379 - SV-221379r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000132
Vuln IDs
  • V-221379
  • V-64321
Rule IDs
  • SV-221379r960963_rule
  • SV-78811
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23094r414820_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule authn_file_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23083r414821_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule authn_file_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule authn_file_module" directive if it exists.

b
OHS must have the LoadModule authn_anon_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221380 - SV-221380r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000133
Vuln IDs
  • V-221380
  • V-64323
Rule IDs
  • SV-221380r960963_rule
  • SV-78813
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23095r414823_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule authn_anon_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23084r414824_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule authn_anon_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule authn_anon_module" directive if it exists.

b
OHS must have the LoadModule proxy_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221381 - SV-221381r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000134
Vuln IDs
  • V-221381
  • V-64325
Rule IDs
  • SV-221381r960963_rule
  • SV-78815
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23096r457168_chk

If the AO-approved system security plan for web server configuration specifies using the proxy_module directive in order to meet application architecture requirements and authentication is enforced, this requirement is NA. 1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule proxy_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23085r457169_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule proxy_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule proxy_module" directive if it exists.

b
OHS must have the LoadModule proxy_http_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221382 - SV-221382r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000135
Vuln IDs
  • V-221382
  • V-64327
Rule IDs
  • SV-221382r960963_rule
  • SV-78817
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance. The proxy_http_module requires the service of mod_proxy. It provides the features used for proxying HTTP and HTTPS requests. If proxy services are required, the proxy configuration must be approved by the AO.
Checks: C-23097r539628_chk

If the AO approved system security plan for the web server configuration specifies using the proxy_http_module directive in order to meet application architecture requirements and authentication is enforced, this requirement is NA. 1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule proxy_http_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23086r457157_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule proxy_http_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule proxy_http_module" directive if it exists.

b
OHS must have the LoadModule proxy_ftp_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221383 - SV-221383r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000136
Vuln IDs
  • V-221383
  • V-64329
Rule IDs
  • SV-221383r960963_rule
  • SV-78819
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23098r414832_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule proxy_ftp_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23087r414833_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule proxy_ftp_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule proxy_ftp_module" directive if it exists.

b
OHS must have the LoadModule proxy_connect_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221384 - SV-221384r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000137
Vuln IDs
  • V-221384
  • V-64331
Rule IDs
  • SV-221384r960963_rule
  • SV-78821
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23099r414835_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule proxy_connect_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23088r414836_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule proxy_connect_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule proxy_connnect_module" directive if it exists.

b
OHS must have the LoadModule proxy_balancer_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221385 - SV-221385r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000138
Vuln IDs
  • V-221385
  • V-64333
Rule IDs
  • SV-221385r960963_rule
  • SV-78823
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23100r414838_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule proxy_balancer_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23089r414839_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule proxy_balancer_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule proxy_balancer_module" directive if it exists.

a
OHS must have the LoadModule cern_meta_module directive disabled.
CM-7 - Low - CCI-000381 - V-221386 - SV-221386r960963_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000139
Vuln IDs
  • V-221386
  • V-64335
Rule IDs
  • SV-221386r960963_rule
  • SV-78825
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23101r414841_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule cern_meta_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23090r414842_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule cern_meta_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule cern_meta_module" directive if it exists.

a
OHS must have the LoadModule expires_module directive disabled.
CM-7 - Low - CCI-000381 - V-221387 - SV-221387r960963_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000140
Vuln IDs
  • V-221387
  • V-64337
Rule IDs
  • SV-221387r960963_rule
  • SV-78827
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23102r414844_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule expires_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23091r414845_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule expires_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule expires_module" directive if it exists.

a
OHS must have the LoadModule usertrack_module directive disabled.
CM-7 - Low - CCI-000381 - V-221388 - SV-221388r960963_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000141
Vuln IDs
  • V-221388
  • V-64339
Rule IDs
  • SV-221388r960963_rule
  • SV-78829
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23103r414847_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule usertrack_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23092r414848_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule usertrack_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule usertrack_module" directive if it exists.

a
OHS must have the LoadModule uniqueid_module directive disabled.
CM-7 - Low - CCI-000381 - V-221389 - SV-221389r960963_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000142
Vuln IDs
  • V-221389
  • V-64341
Rule IDs
  • SV-221389r960963_rule
  • SV-78831
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23104r414850_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule unique_id_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23093r414851_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule unique_id_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule unique_id_module" directive if it exists.

b
OHS must have the LoadModule setenvif_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221390 - SV-221390r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000143
Vuln IDs
  • V-221390
  • V-64343
Rule IDs
  • SV-221390r960963_rule
  • SV-78833
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23105r414853_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule setenvif_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23094r414854_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule setenvif_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule setenvif_module" directive if it exists.

b
OHS must have the BrowserMatch directive disabled.
CM-7 - Medium - CCI-000381 - V-221391 - SV-221391r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000144
Vuln IDs
  • V-221391
  • V-64345
Rule IDs
  • SV-221391r960963_rule
  • SV-78835
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23106r414856_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "BrowserMatch" directive. 2. Search for the "BrowserMatch" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive and any surrounding "BrowserMatch" directive exist and are not commented out, this is a finding.

Fix: F-23095r414857_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "BrowserMatch" directive. 2. Search for the "BrowserMatch" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "BrowserMatch" directive and any surrounding "<IfModule dir_module>" directive if they exist.

b
OHS must have the LoadModule dumpio_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221392 - SV-221392r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000145
Vuln IDs
  • V-221392
  • V-64347
Rule IDs
  • SV-221392r960963_rule
  • SV-78837
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23107r414859_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule dumpio_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23096r414860_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule dumpio_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule dumpio_module" directive if it exists.

a
OHS must have the IfModule dumpio_module directive disabled.
CM-7 - Low - CCI-000381 - V-221393 - SV-221393r960963_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000146
Vuln IDs
  • V-221393
  • V-64349
Rule IDs
  • SV-221393r960963_rule
  • SV-78839
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23108r414862_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for a "&lt;IfModule dumpio_module&gt;" directive at the OHS server configuration scope. 3. If the directive and any directives that it contains exist and are not commented out, this is a finding.

Fix: F-23097r414863_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for a "<IfModule dumpio_module>" directive at the OHS server configuration scope. 3. Comment out the "<IfModule dumpio_module>" directive and any directives it contains if they exist.

b
OHS must have the Alias /icons/ directive disabled.
CM-7 - Medium - CCI-000381 - V-221394 - SV-221394r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000147
Vuln IDs
  • V-221394
  • V-64351
Rule IDs
  • SV-221394r960963_rule
  • SV-78841
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23109r414865_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for an "Alias /icons/" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23098r414866_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for an "Alias /icons/" directive at the OHS server configuration scope. 3. Comment out the "Alias /icons/" directive if it exists.

b
OHS must have the path to the icons directory disabled.
CM-7 - Medium - CCI-000381 - V-221395 - SV-221395r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000148
Vuln IDs
  • V-221395
  • V-64353
Rule IDs
  • SV-221395r960963_rule
  • SV-78843
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23110r414868_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for a "&lt;Directory "${PRODUCT_HOME}/icons"&gt;" directive at the OHS server configuration scope. 3. If the directive exists and any directives that it contains are not commented out, this is a finding.

Fix: F-23099r414869_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for a "<Directory "${PRODUCT_HOME}/icons">" directive at the OHS server configuration scope. 3. Comment out the "<Directory "$PRODUCT_HOME}/icons">" directive and any directives that it contains if they exist.

a
OHS must have the IfModule mpm_winnt_module directive disabled.
CM-7 - Low - CCI-000381 - V-221396 - SV-221396r960963_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000149
Vuln IDs
  • V-221396
  • V-64355
Rule IDs
  • SV-221396r960963_rule
  • SV-78845
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23111r414871_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/ssl.conf with an editor. 2. Search for the "&lt;IfModule mpm_winnt_module&gt;" directive at the OHS server configuration scope. 3. If the directive and any directives it contains exist and are not commented out, this is a finding.

Fix: F-23100r414872_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor. 2. Search for the "<IfModule mpm_winnt_module>" directive at the OHS server configuration scope. 3. Comment out the "<IfModule mpm_winnt_module>" directive and any directives it contains if they exist.

b
OHS must have the LoadModule proxy_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221397 - SV-221397r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000150
Vuln IDs
  • V-221397
  • V-64361
Rule IDs
  • SV-221397r960963_rule
  • SV-78851
A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very common attack making the attack anonymous.
Checks: C-23112r539630_chk

If the AO-approved system security plan for the web server configuration specifies using proxy_module directive in order to meet application architecture requirements, this requirement is NA. 1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule proxy_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23101r457160_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule proxy_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule proxy_module" directive if it exists.

b
OHS must have the LoadModule proxy_http_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221398 - SV-221398r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000151
Vuln IDs
  • V-221398
  • V-64363
Rule IDs
  • SV-221398r960963_rule
  • SV-78853
A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very common attack making the attack anonymous.
Checks: C-23113r539632_chk

If the AO-approved system security plan for the web server configuration specifies using the proxy_http_module directive in order to meet application architecture requirements, this requirement is NA. 1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule proxy_http_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23102r457163_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule proxy_http_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule proxy_http_module" directive if it exists.

b
OHS must have the LoadModule proxy_ftp_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221399 - SV-221399r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000152
Vuln IDs
  • V-221399
  • V-64365
Rule IDs
  • SV-221399r960963_rule
  • SV-78855
A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very common attack making the attack anonymous.
Checks: C-23114r414880_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule proxy_ftp_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23103r414881_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule proxy_ftp_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule proxy_ftp_module" directive if it exists.

b
OHS must have the LoadModule proxy_connect_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221400 - SV-221400r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000153
Vuln IDs
  • V-221400
  • V-64375
Rule IDs
  • SV-221400r960963_rule
  • SV-78865
A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very common attack making the attack anonymous.
Checks: C-23115r414883_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule proxy_connect_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23104r414884_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule proxy_connect_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule proxy_connnect_module" directive if it exists.

b
OHS must have the LoadModule proxy_balancer_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221401 - SV-221401r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000154
Vuln IDs
  • V-221401
  • V-64377
Rule IDs
  • SV-221401r960963_rule
  • SV-78867
A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very common attack making the attack anonymous.
Checks: C-23116r414886_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule proxy_balancer_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23105r414887_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule proxy_balancer_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule proxy_balancer_module" directive if it exists.

a
OHS must disable the directive pointing to the directory containing the OHS manuals.
CM-7 - Low - CCI-000381 - V-221402 - SV-221402r960963_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000156
Vuln IDs
  • V-221402
  • V-64379
Rule IDs
  • SV-221402r960963_rule
  • SV-78869
Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production web server must only contain components that are operationally necessary (e.g., compiled code, scripts, web-content, etc.). Any documentation, sample code, example applications, and tutorials must be removed from a production web server. To make certain that the documentation and code are not installed or uninstalled completely; the web server must offer an option as part of the installation process to exclude these packages or to uninstall the packages if necessary.
Checks: C-23117r414889_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for a "&lt;Directory "${PRODUCT_HOME}/manual"&gt;" directive at the OHS server configuration scope. 3. If the directive and the directives it contains exists and is not commented out, this is a finding.

Fix: F-23106r414890_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for a "<Directory "${PRODUCT_HOME}/manual">" directive at the OHS server configuration scope. 3. Comment out the "<Directory "${PRODUCT_HOME}/manual">" directive and any directives it contains if they exist.

b
OHS must have the AliasMatch directive disabled for the OHS manuals.
CM-7 - Medium - CCI-000381 - V-221403 - SV-221403r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000157
Vuln IDs
  • V-221403
  • V-64381
Rule IDs
  • SV-221403r960963_rule
  • SV-78871
Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production web server must only contain components that are operationally necessary (e.g., compiled code, scripts, web-content, etc.). Any documentation, sample code, example applications, and tutorials must be removed from a production web server. To make certain that the documentation and code are not installed or uninstalled completely; the web server must offer an option as part of the installation process to exclude these packages or to uninstall the packages if necessary.
Checks: C-23118r414892_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for a "AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br|ru|tr))?(/.*)?$ "${PRODUCT_HOME}/manual$1"" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23107r414893_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for an "AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br|ru|tr))?(/.*)?$ "${PRODUCT_HOME}/manual$1"" directive at the OHS server configuration scope. 3. Comment out the "AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br|ru|tr))?(/.*)?$ "${PRODUCT_HOME}/manual$1"" directive if it exists.

b
OHS must have the AddHandler directive disabled.
CM-7 - Medium - CCI-000381 - V-221404 - SV-221404r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000160
Vuln IDs
  • V-221404
  • V-64383
Rule IDs
  • SV-221404r960963_rule
  • SV-78873
Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more functionality than is needed for the operation of the hosted application poses a security issue. A user with too much access can view information that is not needed for the user's job role, or the user could use the function in an unintentional manner. A MIME tells the web server what type of program various file types and extensions are and what external utilities or programs are needed to execute the file type. A shell is a program that serves as the basic interface between the user and the operating system, so hosted application users must not have access to these programs. Shell programs may execute shell escapes and can then perform unauthorized activities that could damage the security posture of the web server.
Checks: C-23119r414895_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for "AddHandler" directives at the OHS server, virtual host, and directory configuration scopes. 3. If an "AddHandler" directive exists, this is a finding.

Fix: F-23108r414896_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for "AddHandler" directives at the OHS server, virtual host, and directory configuration scopes. 3. If an "AddHandler" directive exists, remove it.

b
OHS must have the LoadModule cgi_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221405 - SV-221405r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000161
Vuln IDs
  • V-221405
  • V-64385
Rule IDs
  • SV-221405r960963_rule
  • SV-78875
Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server. To assure scripts are not added to the web server and run maliciously, those script mappings that are not needed or used by the web server for hosted application operation must be removed.
Checks: C-23120r414898_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule cgi_module" directive within the "&lt;IfModule mpm_prefork_module&gt;" directive at the OHS server configuration scope. 3. If the directive and its surrounding "&lt;IfModule mpm_prefork_module&gt;" directive exist and are not commented out, this is a finding.

Fix: F-23109r414899_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule cgi_module" directive within the "<IfModule mpm_prefork_module>" directive at the OHS server configuration scope. 3. Comment out the "LoadModule cgi_module" directive and surrounding "<IfModule mpm_prefork_module>" directives if they exist.

b
OHS must have the LoadModule cgid_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221406 - SV-221406r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000162
Vuln IDs
  • V-221406
  • V-64387
Rule IDs
  • SV-221406r960963_rule
  • SV-78877
Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server. To assure scripts are not added to the web server and run maliciously, those script mappings that are not needed or used by the web server for hosted application operation must be removed.
Checks: C-23121r414901_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule cgid_module" directive within the "&lt;IfModule mpm_worker_module&gt;" directive at the OHS server configuration scope. 3. If the directive and its surrounding "&lt;IfModule mpm_worker_module&gt;" directive exist and are not commented out, this is a finding.

Fix: F-23110r414902_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule cgid_module" directive within the "<IfModule mpm_worker_module>" directive at the OHS server configuration scope. 3. Comment out the "LoadModule cgid_module" directive and surrounding "<IfModule mpm_worker_module>" directives if they exist.

b
OHS must have the IfModule cgid_module directive disabled for the OHS server, virtual host, and directory configuration.
CM-7 - Medium - CCI-000381 - V-221407 - SV-221407r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000163
Vuln IDs
  • V-221407
  • V-64389
Rule IDs
  • SV-221407r960963_rule
  • SV-78879
Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server. To assure scripts are not added to the web server and run maliciously, those script mappings that are not needed or used by the web server for hosted application operation must be removed.
Checks: C-23122r414904_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;IfModule cgid_module&gt;" directive. 2. Search for the "&lt;IfModule cgid_module&gt;" directive at the OHS server, virtual host, and directory configuration scope. 3. If the directive and any directives that it may contain exist and are not commented out, this is a finding.

Fix: F-23111r414905_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<IfModule cgid_module>" directive. 2. Search for the "<IfModule cgid_module>" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "<IfModule cgid_module>" directive and any directives it may contain.

a
OHS must have the LoadModule cgi_module directive disabled within the IfModule mpm_winnt_module directive.
CM-7 - Low - CCI-000381 - V-221408 - SV-221408r960963_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OH12-1X-000164
Vuln IDs
  • V-221408
  • V-64391
Rule IDs
  • SV-221408r960963_rule
  • SV-78881
Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server. To assure scripts are not added to the web server and run maliciously, those script mappings that are not needed or used by the web server for hosted application operation must be removed.
Checks: C-23123r414907_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule cgi_module" directive within the "&lt;IfModule mpm_winnt_module&gt;" directive at the OHS server configuration scope. 3. If the directive and its surrounding "&lt;IfModule mpm_winnt_module&gt;" directive exist and are not commented out, this is a finding.

Fix: F-23112r414908_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule cgi_module" directive within the "<IfModule mpm_winnt_module>" directive at the OHS server configuration scope. 3. Comment out the "LoadModule cgi_module" directive and surrounding "<IfModule mpm_winnt_module>" directives if they exist.

b
OHS must have the ScriptAlias /cgi-bin/ directive within a IfModule alias_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221409 - SV-221409r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000165
Vuln IDs
  • V-221409
  • V-64393
Rule IDs
  • SV-221409r960963_rule
  • SV-78883
Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server. To assure scripts are not added to the web server and run maliciously, those script mappings that are not needed or used by the web server for hosted application operation must be removed.
Checks: C-23124r414910_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for a "ScriptAlias /cgi-bin/" directive within a "&lt;IfModule alias_module&gt;" directive at the OHS server configuration scope. 3. If the directive and its surrounding "&lt;IfModule alias_module&gt;" directive exist and are not commented out, this is a finding.

Fix: F-23113r414911_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for a "ScriptAlias /cgi-bin/" directive within a "<IfModule alias_module>" directive at the OHS server configuration scope. 3. Comment out the "ScriptAlias /cgi-bin/" directive and its surrounding "<IfModule alias_module>" directive if they exist.

b
OHS must have the ScriptSock directive within a IfModule cgid_module directive disabled.
CM-7 - Medium - CCI-000381 - V-221410 - SV-221410r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000166
Vuln IDs
  • V-221410
  • V-64395
Rule IDs
  • SV-221410r960963_rule
  • SV-78885
Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server. To assure scripts are not added to the web server and run maliciously, those script mappings that are not needed or used by the web server for hosted application operation must be removed.
Checks: C-23125r414913_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for a "ScriptSock" directive within a "&lt;IfModule cgid_module&gt;" directive at the OHS server configuration scope. 3. If the directive and its surrounding "&lt;IfModule cgid_module&gt;" directive exist and are not commented out, this is a finding.

Fix: F-23114r414914_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for a "ScriptSock" directive within a "<IfModule cgid_module>" directive at the OHS server configuration scope. 3. Comment out the "ScriptSock" directive and its surrounding "<IfModule cgid_module>" directive if they exist.

b
OHS must have the cgi-bin directory disabled.
CM-7 - Medium - CCI-000381 - V-221411 - SV-221411r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000167
Vuln IDs
  • V-221411
  • V-64397
Rule IDs
  • SV-221411r960963_rule
  • SV-78887
Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server. To assure scripts are not added to the web server and run maliciously, those script mappings that are not needed or used by the web server for hosted application operation must be removed.
Checks: C-23126r810867_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/ssl.conf with an editor. 2. Search for a "&lt;Directory "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/cgi-bin"&gt;" directive at the OHS server and virtual host configuration scopes. 3. If the directive and any directives that it contains exist and are not commented out, this is a finding.

Fix: F-23115r810868_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor. 2. Search for a "<Directory "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/cgi-bin">" directive at the OHS server and virtual host configuration scopes. 3. Comment out the "<Directory "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/cgi-bin">" directive and any directives it contains if they exist.

b
OHS must have directives pertaining to certain scripting languages removed from virtual hosts.
CM-7 - Medium - CCI-000381 - V-221412 - SV-221412r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000168
Vuln IDs
  • V-221412
  • V-64399
Rule IDs
  • SV-221412r960963_rule
  • SV-78889
Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operation or deemed vulnerable helps to secure the web server. To assure scripts are not added to the web server and run maliciously, those script mappings that are not needed or used by the web server for hosted application operation must be removed.
Checks: C-23127r414919_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/ssl.conf with an editor. 2. Search for a "&lt;FilesMatch "\.(cgi|shtml|phtml|php)$"&gt;" directive at the virtual host configuration scope. 3. If the directive and any directives that it contains exist and are not commented out, this is a finding.

Fix: F-23116r414920_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor. 2. Search for a "<FilesMatch "\.(cgi|shtml|phtml|php)$">" directive at the OHS server configuration scope. 3. Comment out the "<FilesMatch "\.(cgi|shtml|phtml|php)$">" directive and any directives it contains if they exist.

b
OHS must have resource mappings set to disable the serving of certain file types.
CM-7 - Medium - CCI-000381 - V-221413 - SV-221413r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000169
Vuln IDs
  • V-221413
  • V-64401
Rule IDs
  • SV-221413r960963_rule
  • SV-78891
Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and to identify which file types are not to be delivered to a client. By not specifying which files can and which files cannot be served to a user, the web server could deliver to a user web server configuration files, log files, password files, etc. The web server must only allow hosted application file types to be served to a user and all other types must be disabled.
Checks: C-23128r414922_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for "&lt;FilesMatch&gt;" directives beyond the "&lt;FilesMatch"^\.ht"&gt;" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the "&lt;FilesMatch&gt;" directive is omitted or it and/or any directives it contains are set improperly, this is a finding.

Fix: F-23117r414923_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for "<FilesMatch>" directives beyond the "<FilesMatch"^\.ht">" directive at the OHS server, virtual host, and directory configuration scopes. 3. Set the "<FilesMatch>" directive to ""^(?!.*\.(gif|jpe?g|png|html?|js|css)).*$"" or other value appropriate for the server/site to prevent inappropriate file access, add the directive if it does not exist. 4a. Within the "<FilesMatch "^(?!.*\.(gif|jpe?g|png|html?|js|css)).*$">" directive, set the "Order" directive to "allow,deny", add the directive if it does not exist. 4b. Within the "<FilesMatch "^(?!.*\.(gif|jpe?g|png|html?|js|css)).*$">" directive, set the "Deny" directive to "from all", add the directive if it does not exist. 4c. Within the "<FilesMatch "^(?!.*\.(gif|jpe?g|png|html?|js|css)).*$">" directive, set the "Satisfy" directive to "All", add the directive if it does not exist.

b
Users and scripts running on behalf of users must be contained to the document root or home directory tree of OHS.
CM-7 - Medium - CCI-000381 - V-221414 - SV-221414r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000172
Vuln IDs
  • V-221414
  • V-64403
Rule IDs
  • SV-221414r960963_rule
  • SV-78893
A web server is designed to deliver content and execute scripts or applications on the request of a client or user. Containing user requests to files in the directory tree of the hosted web application and limiting the execution of scripts and applications guarantees that the user is not accessing information protected outside the application's realm. The web server must also prohibit users from jumping outside the hosted application directory tree through access to the user's home directory, symbolic links or shortcuts, or through search paths for missing files.
Checks: C-23129r414925_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "&lt;Directory&gt;" directive at OHS server and virtual host configuration scopes. 3. If the "Options" directive within the "&lt;Directory&gt;" directive is omitted or is set improperly, this is a finding.

Fix: F-23118r414926_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "<Directory>" directive at OHS server and virtual host configuration scopes. 3. Set the "Options" directive within the "<Directory>" directive to "None", add the directive if it does not exist.

b
OHS must be configured to use a specified IP address, port, and protocol.
CM-7 - Medium - CCI-000382 - V-221415 - SV-221415r1043177_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000382
Version
OH12-1X-000173
Vuln IDs
  • V-221415
  • V-64405
Rule IDs
  • SV-221415r1043177_rule
  • SV-78895
The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP addresses available to the hosting server. If the web server has multiple IP addresses, i.e., a management IP address, the web server will also accept connections on the management IP address. Accessing the hosted application through an IP address normally used for non-application functions opens the possibility of user access to resources, utilities, files, ports, and protocols that are protected on the desired application IP address.
Checks: C-23130r414928_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/ssl.conf with an editor. 2. Search for a "Listen" directive at the OHS server configuration scope. 3. If the directive is set without an IP address, port, and protocol specified, this is a finding.

Fix: F-23119r414929_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor. 2. Search for a "Listen" directive at the OHS server configuration scope. 3. Set the "Listen" directive to a value containing an IP address, port, and protocol (e.g., "Listen 123.123.123.123:80 http" or "Listen 456.456.456.456:443 https").

b
The Node Manager account password associated with the installation of OHS must be in accordance with DoD guidance for length, complexity, etc.
CM-6 - Medium - CCI-000366 - V-221416 - SV-221416r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000176
Vuln IDs
  • V-221416
  • V-64593
Rule IDs
  • SV-221416r961863_rule
  • SV-79083
During installation of the web server software, accounts are created for the web server to operate properly. The accounts installed can have either no password installed or a default password, which will be known and documented by the vendor and the user community. The first things an attacker will try when presented with a login screen are the default user identifiers with default passwords. Installed applications may also install accounts with no password, making the login even easier. Once the web server is installed, the passwords for any created accounts should be changed and documented. The new passwords must meet the requirements for all passwords, i.e., upper/lower characters, numbers, special characters, time until change, reuse policy, etc. Service accounts or system accounts that have no login capability do not need to have passwords set or changed.
Checks: C-23131r414931_chk

1. If the password for Node Manager does not meet DoD requirements for password complexity, this is a finding. 2. Open $DOMAIN_HOME/config/nodemanager/nm_password.properties with an editor. 3. If the "username" property and value are still present, this is a finding. 4. If the "password" property and value are still present, this is a finding.

Fix: F-23120r414932_fix

1. Open $DOMAIN_HOME/config/nodemanager/nm_password.properties with an editor. 2. Remove the "hashed" property and value. 3. Set the "username" property to the account name to use for Node Manager, add the property if it does not exist. 4. Set the "password" property to a password compliant with DoD requirements for password complexity to use for Node Manager, add the property if it does not exist. 5. Start/Restart Node Manager so that the password contained within $DOMAIN_HOME/config/nodemanager/nm_password.properties is encrypted. 6. Remove the "username" and "password" properties and along with their values from within $DOMAIN_HOME/config/nodemanager/nm_password.properties, but leave the new "hashed" property and value.

b
OHS must have Entity tags (ETags) disabled.
CM-6 - Medium - CCI-000366 - V-221417 - SV-221417r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000178
Vuln IDs
  • V-221417
  • V-64595
Rule IDs
  • SV-221417r961863_rule
  • SV-79085
Entity tags (ETags) are used for cache management to save network bandwidth by not sending a web page to the requesting client if the cached version on the client is current. When the client only has the ETag information, the client will make a request to the server with the ETag. The server will then determine if the client can use the client cached version of the web page or if a new version is required. As part of the ETag information, the server sends to the client the index node (inode) information for the file being requested. The inode information gives an attacker sensitive information like inode number, multipart MIME boundaries and makes certain NFS attacks much simpler to execute.
Checks: C-23132r414934_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "Header" and "FileETag" directives at the OHS server, virtual host, or directory configuration scope. 3. If the "Header" and "FileETag" directives are omitted or set improperly, this is a finding.

Fix: F-23121r414935_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "Header" and "FileETag" directives at the OHS server, virtual host, or directory configuration scopes. 3a. Set the "Header" directive to "unset ETag", add the directive if it does not exist. 3b. Set the "FileETag" directive to "none", add the directive if it does not exist.

b
The SecureListener property of the Node Manager configured to support OHS must be enabled for secure communication.
CM-6 - Medium - CCI-000366 - V-221418 - SV-221418r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000179
Vuln IDs
  • V-221418
  • V-64597
Rule IDs
  • SV-221418r961863_rule
  • SV-79087
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. To protect the information being sent between WebLogic Scripting Tool and Node Manager, the Node Manager listening address must be secured.
Checks: C-23133r414937_chk

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor. 2. Search for the "SecureListener" property. 3. If the property is not set to "True", this is a finding.

Fix: F-23122r414938_fix

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor. 2. Search for the "SecureListener" property. 3. Set the "SecureListener" property to "True".

b
The ListenAddress property of the Node Manager configured to support OHS must match the CN of the certificate used by Node Manager.
CM-6 - Medium - CCI-000366 - V-221419 - SV-221419r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000180
Vuln IDs
  • V-221419
  • V-64599
Rule IDs
  • SV-221419r961863_rule
  • SV-79089
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. For connections to be made to the Node Manager, it must listen on an assigned address. When this parameter is not set, the Node Manager will listen on all available addresses on the server. This may lead to the Node Manager listening on networks, i.e., public network space, where Node Manager may become susceptible to attack instead of being limited to listening for connections on a controlled and secure management network. It is also important that the address specified matches the CN of the Node Manager.
Checks: C-23134r414940_chk

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor. 2. Search for the "ListenAddress" property. 3. If the property does not exist or is not set to the CN of the Node Manager certificate, this is a finding.

Fix: F-23123r414941_fix

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor. 2. Search for the "ListenAddress" property. 3. Set the "ListenAddress" property to the CN of the Node Manager certificate, add the property if it does not exist.

b
The AuthenticationEnabled property of the Node Manager configured to support OHS must be configured to enforce authentication.
CM-6 - Medium - CCI-000366 - V-221420 - SV-221420r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000181
Vuln IDs
  • V-221420
  • V-64601
Rule IDs
  • SV-221420r961863_rule
  • SV-79091
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. To accept connections from the WebLogic Scripting Tool, the Node Manager can be setup to authenticate the connections or not. If connections are not authenticated, a hacker could connect to the Node Manager and initiate commands to OHS to gain further access, cause a DoS, or view protected information. To protect against unauthenticated connections, the "AuthenticationEnabled" directive must be set to "true".
Checks: C-23135r414943_chk

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor. 2. Search for the "AuthenticationEnabled" property. 3. If the property does not exist or is not set "True", this is a finding.

Fix: F-23124r414944_fix

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor. 2. Search for the "AuthenticationEnabled" property. 3. Set the "AuthenticationEnabled" property "True", add the property if it does not exist.

b
The KeyStores property of the Node Manager configured to support OHS must be configured for secure communication.
CM-6 - Medium - CCI-000366 - V-221421 - SV-221421r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000182
Vuln IDs
  • V-221421
  • V-64603
Rule IDs
  • SV-221421r961863_rule
  • SV-79093
Oracle Node Manager is a utility that can be used to perform common operational tasks across Managed Servers. These servers can be distributed across multiple machines and geographical locations. The "KeyStores" property is used to configure the keystore configuration that will be used by Node Manager to locate its identity (private key and digital certificate) and trust (trusted CA certificates). The property must be set to "CustomIdentityAndCustomTrust", which causes Node Manager to use an identity and trust keystore created by the SA.
Checks: C-23136r414946_chk

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor. 2. Search for the "KeyStores" property. 3. If the property does not exist or is not set to "CustomIdentityAndCustomTrust", this is a finding.

Fix: F-23125r414947_fix

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor. 2. Search for the "KeyStores" property. 3. Set the "KeyStores" property to "CustomIdentityAndCustomTrust", add the property if it does not exist.

b
The CustomIdentityKeyStoreFileName property of the Node Manager configured to support OHS must be configured for secure communication.
CM-6 - Medium - CCI-000366 - V-221422 - SV-221422r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000183
Vuln IDs
  • V-221422
  • V-64605
Rule IDs
  • SV-221422r961863_rule
  • SV-79095
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. The "CustomIdentityKeyStoreFileName" property specifies the file name of the identity keystore. This property is required when the "KeyStores" property is set to "CustomIdentityAndCustomTrust". Without specifying the "CustomIdentityKeyStoreFileName" property, the Node Manager will not operate properly and may cause the system to fail into an unsecure state.
Checks: C-23137r414949_chk

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor. 2. Search for the "CustomIdentityKeyStoreFileName" property. 3. If the property does not exist or is set improperly, this is a finding.

Fix: F-23126r414950_fix

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor. 2. Search for the "CustomIdentityKeyStoreFileName" property. 3. Set the "CustomIdentityKeyStoreFileName" property to a keystore location that contains a valid DoD certificate for the Node Manager identity, add the property if it does not exist.

b
The CustomIdentityKeyStorePassPhrase property of the Node Manager configured to support OHS must be configured for secure communication.
CM-6 - Medium - CCI-000366 - V-221423 - SV-221423r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000184
Vuln IDs
  • V-221423
  • V-64607
Rule IDs
  • SV-221423r961863_rule
  • SV-79097
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. The "CustomIdentityKeyStorePassPhrase" property is used to protect the data within the keystore. Without protection, the data within the keystore could be compromised allowing an attacker to use the certificates to gain trusted access to other systems or processes.
Checks: C-23138r414952_chk

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor. 2. Search for the "CustomIdentityKeyStorePassPhrase" property. 3. If the property does not exist or is set improperly, this is a finding.

Fix: F-23127r414953_fix

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor. 2. Search for the "CustomIdentityKeyStorePassPhrase" property. 3. Set the "CustomIdentityKeyStorePassPhrase" property to the password of the keystore that contains a valid DoD certificate for the Node Manager identity, add the property if it does not exist.

b
The CustomIdentityAlias property of the Node Manager configured to support OHS must be configured for secure communication.
CM-6 - Medium - CCI-000366 - V-221424 - SV-221424r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000185
Vuln IDs
  • V-221424
  • V-64609
Rule IDs
  • SV-221424r961863_rule
  • SV-79099
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. The "CustomIdentityAlias" specifies the alias when loading the private key into the keystore. This property is required when the "KeyStores" property is set to "CustomIdentityAndCustomTrust". Without specifying the "CustomIdentityKeyStoreFileName" property, the Node Manager will not operate properly and may cause the system to fail into an unsecure state.
Checks: C-23139r414955_chk

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor. 2. Search for the "CustomIdentityAlias" property. 3. If the property does not exist or is set improperly, this is a finding.

Fix: F-23128r414956_fix

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor. 2. Search for the "CustomIdentityAlias" property. 3. Set the "CustomIdentityAlias" property to the alias of the keystore PrivateKeyEntry containing the Node Manager identity, add the property if it does not exist.

b
The CustomIdentityPrivateKeyPassPhrase property of the Node Manager configured to support OHS must be configured for secure communication.
CM-6 - Medium - CCI-000366 - V-221425 - SV-221425r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000186
Vuln IDs
  • V-221425
  • V-64611
Rule IDs
  • SV-221425r961863_rule
  • SV-79101
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. The "CustomIdentityPrivateKeyPassPhrase" is the password that protects the private key when creating certificates. If a password is not used, the private key is not protected and can be used by any user or attacker that can get access to the private key.
Checks: C-23140r414958_chk

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor. 2. Search for the "CustomIdentityPrivateKeyPassPhrase" property. 3. If the property does not exist or is set improperly, this is a finding.

Fix: F-23129r414959_fix

1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor. 2. Search for the "CustomIdentityPrivateKeyPassPhrase" property. 3. Set the "CustomIdentityPrivateKeyPassPhrase" property to the password protecting the Private Key of the Node Manager identity, add the property if it does not exist.

b
The listen-address element defined within the config.xml of the OHS Standalone domain that supports OHS must be configured for secure communication.
CM-6 - Medium - CCI-000366 - V-221426 - SV-221426r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000187
Vuln IDs
  • V-221426
  • V-64613
Rule IDs
  • SV-221426r961863_rule
  • SV-79103
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. When starting an OHS instance, the WebLogic Scripting Tool reads the parameters within the config.xml file to setup the communication to the Node Manager. If the IP address to be used for communication is not specified, the WebLogic Scripting tool will not be able to setup a secure connection to Node Manager.
Checks: C-23141r414961_chk

1. Open $DOMAIN_HOME/config/config.xml with an editor. 2. Search for the "&lt;listen-address&gt;" element within the "&lt;node-manager&gt;" element. 3. If the element does not exist or is not set to the CN of the Node Manager certificate, this is a finding.

Fix: F-23130r414962_fix

1. Open $DOMAIN_HOME/config/config.xml with an editor. 2. Search for the "<listen-address>" element within the "<node-manager>" element. 3. Set the "<listen-address>" element to the CN of the Node Manager certificate, add the element if it does not exist.

b
The listen-port element defined within the config.xml of the OHS Standalone Domain must be configured for secure communication.
CM-6 - Medium - CCI-000366 - V-221427 - SV-221427r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000188
Vuln IDs
  • V-221427
  • V-64615
Rule IDs
  • SV-221427r961863_rule
  • SV-79105
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. When starting an OHS instance, the WebLogic Scripting Tool reads the parameters within the config.xml file to setup the communication to the Node Manager. If the port to be used for communication is not specified, the WebLogic Scripting tool will not be able to setup a secure connection to Node Manager.
Checks: C-23142r414964_chk

1. Open $DOMAIN_HOME/config/config.xml with an editor. 2. Search for the "&lt;listen-port&gt;" element within the "&lt;node-manager&gt;" element. 3. If the element does not exist or is not set to the same value as the "ListenPort" property found in $DOMAIN_HOME/nodemanager/nodemanager.properties, this is a finding.

Fix: F-23131r414965_fix

1. Open $DOMAIN_HOME/config/config.xml with an editor. 2. Search for the "<listen-port>" element within the "<node-manager>" element. 3. Set the "<listen-port>" element to same value as the "ListenPort" property found in $DOMAIN_HOME/nodemanager/nodemanager.properties, add the element if it does not exist.

b
The WLST_PROPERTIES environment variable defined for the OHS WebLogic Scripting Tool must be updated to reference an appropriate trust store so that it can communicate with the Node Manager supporting OHS.
CM-6 - Medium - CCI-000366 - V-221428 - SV-221428r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000189
Vuln IDs
  • V-221428
  • V-64617
Rule IDs
  • SV-221428r961863_rule
  • SV-79107
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. When starting an OHS instance, the "OHS" WebLogic Scripting Tool needs to trust the certificate presented by the Node Manager in order to setup secure communication with it. If the "OHS" WLST does not trust the certificate presented by Node Manager, the "OHS" WebLogic Scripting tool will not be able to setup a secure connection to it.
Checks: C-23143r414967_chk

1. Check for the existence of $ORACLE_HOME/ohs/common/bin/setWlstEnv.sh. 2a. If the setWlstEnv.sh does not exist or does not contain the "WLST_PROPERTIES" environment variable set to a valid trust keystore containing the Certificate Authority and Chain of the Node Manager identity, this is a finding. 2b. If the setWlstenv.sh file does not exist, this is a finding. 2c. If the setWlstenv.sh file has permissions more permissive than 750, this is a finding.

Fix: F-23132r414968_fix

1. Open $ORACLE_HOME/ohs/common/bin/setWlstEnv.sh. with an editor. If the file does not exist, create the file. 2. Set "WLST_PROPERTIES" environment variable to a valid trust keystore containing the Certificate Authority and Chain of Node Manager identity, add the property if it does not exist. 3. Issue a "chmod 750 $ORACLE_HOME/ohs/common/bin/setWlstEnv.sh' to modify the permissions of the script.

b
The WLST_PROPERTIES environment variable defined for the Fusion Middleware WebLogic Scripting Tool must be updated to reference an appropriate trust store so that it can communicate with the Node Manager supporting OHS.
CM-6 - Medium - CCI-000366 - V-221429 - SV-221429r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000190
Vuln IDs
  • V-221429
  • V-64619
Rule IDs
  • SV-221429r961863_rule
  • SV-79109
Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. When starting an OHS instance, the "Fusion Middleware" WebLogic Scripting Tool needs to trust the certificate presented by the Node Manager in order to setup secure communication with it. If the "Fusion Middleware" WLST does not trust the certificate presented by Node Manager, the "Fusion Middleware" WebLogic Scripting tool will not be able to setup a secure connection to it.
Checks: C-23144r414970_chk

1. Check for the existence of $ORACLE_HOME/oracle_common/common/bin/setWlstEnv.sh. 2a. If the setWlstEnv.sh does not exist or does not contain the "WLST_PROPERTIES" environment variable set to a valid trust keystore containing the Certificate Authority and Chain of the Node Manager identity, this is a finding. 2b. If the setWlstenv.sh file does not exist, this is a finding. 2c. If the setWlstenv.sh file has permissions more permissive than 750, this is a finding.

Fix: F-23133r414971_fix

1. Open $ORACLE_HOME/oracle_common/common/bin/setWlstEnv.sh. with an editor. If the file does not exist, create the file. 2. Set "WLST_PROPERTIES" environment variable to a valid trust keystore containing the Certificate Authority and Chain of Node Manager identity, add the property if it does not exist. 3. Issue a "chmod 750 $ORACLE_HOME/oracle_common/common/bin/setWlstEnv.sh' to modify the permissions of the script.

b
OHS must limit access to the Dynamic Monitoring Service (DMS).
CM-6 - Medium - CCI-000366 - V-221430 - SV-221430r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000192
Vuln IDs
  • V-221430
  • V-64623
Rule IDs
  • SV-221430r961863_rule
  • SV-79113
The Oracle Dynamic Monitoring Service (DMS) enables application developers, support analysts, system administrators, and others to measure application specific performance information. If OHS allows any machine to connect and monitor performance, an attacker could connect and gather information that could be used to cause a DoS for OHS. Information that is shared could also be used to further an attack to other servers and devices through trusted relationships.
Checks: C-23145r414973_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/admin.conf in it with an editor. 2. Search for the "Allow" directive within the "&lt;Location /dms/&gt;" directive at the virtual host configuration scope. 3. If the "Allow" directive is set to "from all", this is a finding.

Fix: F-23134r414974_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/admin.conf with an editor. 2. Search for the "Allow" directive within the "<Location /dms/>" virtual host configuration scope. 3. Set the "Allow" directive to "from 127.0.0.1".

b
OHS must have the AllowOverride directive set properly.
CM-6 - Medium - CCI-000366 - V-221431 - SV-221431r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000193
Vuln IDs
  • V-221431
  • V-64625
Rule IDs
  • SV-221431r961863_rule
  • SV-79115
The property "AllowOverride" is used to allow directives to be set differently than those set for the overall architecture. When the property is not set to "None", OHS will check for directives in the htaccess files at each directory level until the requested resource is found for each URL request. Allowing parameters to be overridden at different levels of an application becomes a security risk as the overall security of the hosted application can change dependencies on the URL being accessed. Security management also becomes difficult as a misconfiguration can be mistakenly made.
Checks: C-23146r414976_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "AllowOverride" directive at the directory configuration scope. 3. If the "AllowOverride" directive is omitted or is not set to "None", this is a finding.

Fix: F-23135r414977_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "AllowOverride" directive at the directory configuration scope. 3. Set the "AllowOverride" directive to "None", add the directive if it does not exist.

b
OHS must be set to evaluate deny directives first when considering whether to serve a file.
CM-6 - Medium - CCI-000366 - V-221432 - SV-221432r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000194
Vuln IDs
  • V-221432
  • V-64627
Rule IDs
  • SV-221432r961863_rule
  • SV-79117
Part of securing OHS is allowing/denying access to the web server. Deciding on the manor the allow/deny rules are evaluated can turn what was once an allowable access into being blocked if the evaluation is reversed. By ordering the access as first deny and then allow, OHS will deny all access first and then look at the allow clauses to see who may access the server. By structuring the evaluation in this manner, a misconfiguration will more likely deny a valid user than allow an illegitimate user that may compromise the system.
Checks: C-23147r414979_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "&lt;Directory /&gt;" directive within the OHS server configuration scope. 3. If the "Order" directive within the "&lt;Directory /&gt;" directive is omitted or is set improperly, this is a finding.

Fix: F-23136r414980_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "<Directory />" directive within the OHS server configuration scope. 3. Set the "Order" directive within the "<Directory />" directive to "deny,allow", add the directive if it does not exist.

b
OHS must deny all access by default when considering whether to serve a file.
CM-6 - Medium - CCI-000366 - V-221433 - SV-221433r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000195
Vuln IDs
  • V-221433
  • V-64629
Rule IDs
  • SV-221433r961863_rule
  • SV-79119
Part of securing OHS is allowing/denying access to the web server. Deciding on the manor the allow/deny rules are evaluated can turn what was once an allowable access into being blocked if the evaluation is reversed. By ordering the access as first deny and then allow, OHS will deny all access first and then look at the allow clauses to see who may access the server. By structuring the evaluation in this manner, a misconfiguration will more likely deny a valid user than allow an illegitimate user that may compromise the system.
Checks: C-23148r414982_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "&lt;Directory /&gt;" directive within the OHS server configuration scope. 3. If the "Deny" directive within the "&lt;Directory /&gt;" directive is omitted or is set improperly, this is a finding.

Fix: F-23137r414983_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "<Directory />" directive within the OHS server configuration scope. 3. Set the "Deny" directive within the "<Directory />" directive to "from all", add the directive if it does not exist.

b
The OHS instance installation must not contain an .htaccess file.
CM-6 - Medium - CCI-000366 - V-221434 - SV-221434r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000196
Vuln IDs
  • V-221434
  • V-64631
Rule IDs
  • SV-221434r961863_rule
  • SV-79121
.htaccess files are used to override settings in the OHS configuration files. The placement of the .htaccess file is also important as the settings will affect the directory where the file is located and any subdirectories below. Allowing the use of .htaccess files, the hosted application security posture and overall OHS posture could change dependent on the URL being accessed. Allowing the override of parameters in .htaccess files makes it difficult to truly know the security posture of the system and it also makes it difficult to understand what the security posture may have been if an attack is successful. To thwart the overriding of parameters, .htaccess files must not be used and the "AllowOverride" parameter must be set to "none".
Checks: C-23149r414985_chk

1. cd $DOMAIN_HOME/config/fmwconfig/components/OHS 2. find . -name .htaccess -print 3. If any .htaccess files are found, this is a finding.

Fix: F-23138r414986_fix

1. cd $DOMAIN_HOME/config/fmwconfig/components/OHS 2. find . -name .htaccess -exec rm {} \;

b
The OHS instance configuration must not reference directories that contain an .htaccess file.
CM-6 - Medium - CCI-000366 - V-221435 - SV-221435r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000197
Vuln IDs
  • V-221435
  • V-64633
Rule IDs
  • SV-221435r961863_rule
  • SV-79123
.htaccess files are used to override settings in the OHS configuration files. The placement of the .htaccess file is also important as the settings will affect the directory where the file is located and any subdirectories below. Allowing the use of .htaccess files, the hosted application security posture and overall OHS posture could change dependent on the URL being accessed. Allowing the override of parameters in .htaccess files makes it difficult to truly know the security posture of the system and it also makes it difficult to understand what the security posture may have been if an attack is successful. To thwart the overriding of parameters, .htaccess files must not be used and the "AllowOverride" parameter must be set to "none".
Checks: C-23150r414988_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "&lt;Directory&gt;" directives at the server and virtual host configuration scopes. 3. Go to the location specified as the value for each "&lt;Directory&gt;" directive (e.g., cd $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs1/htdocs). 4. Check for the existence of any .htaccess files in the aforementioned locations (e.g., find . -name .htaccess -print). 5. If any .htaccess files are found, this is a finding.

Fix: F-23139r414989_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "<Directory>" directives at the server and virtual host configuration scopes. 3. Go to the location specified as the value for each "<Directory>" directive (e.g., cd $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs1/htdocs). 4. find . -name .htaccess -exec rm {} \;

a
OHS must have the HostnameLookups directive enabled.
CM-6 - Low - CCI-000366 - V-221436 - SV-221436r961863_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
OH12-1X-000198
Vuln IDs
  • V-221436
  • V-64635
Rule IDs
  • SV-221436r961863_rule
  • SV-79125
Setting the "HostnameLookups" to "On" allows for more information to be logged in the event of an attack and subsequent investigation. This information can be added to other information gathered to narrow the attacker location. The DNS name can also be used for filtering access to the OHS hosted applications by denying particular types of hostnames.
Checks: C-23151r414991_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "HostnameLookups" directive at the server, virtual host, and directory configuration scopes. 3. If the "HostnameLookups" directive is omitted or is not set to "On", this is a finding.

Fix: F-23140r414992_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "HostnameLookups" directive at the server, virtual host, and directory configuration scopes. 3. Set the "HostnameLookups" directive to "On", add the directive if it does not exist.

b
OHS must have the ServerAdmin directive set properly.
CM-6 - Medium - CCI-000366 - V-221437 - SV-221437r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000199
Vuln IDs
  • V-221437
  • V-64637
Rule IDs
  • SV-221437r961863_rule
  • SV-79127
Making sure that information is given to the system administrator in a timely fashion is important. This information can be system status, warnings that may need attention before system failure or actual failure notification. Having this information sent to the system administrator when the issue arises allows for the system administrator to quickly take action and avoid potential DoS for customers.
Checks: C-23152r414994_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "ServerAdmin" directive at the server and virtual host configuration scopes. 3. If the "ServerAdmin" directive is omitted or is set improperly, this is a finding.

Fix: F-23141r414995_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "ServerAdmin" directive at the virtual host and directory configuration scopes. 3. Set the "ServerAdmin" directive to an appropriate service-based email address for the organization, add the directive if it does not exist.

b
OHS must restrict access methods.
CM-6 - Medium - CCI-000366 - V-221438 - SV-221438r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000200
Vuln IDs
  • V-221438
  • V-64639
Rule IDs
  • SV-221438r961863_rule
  • SV-79129
The directive "" allows the system administrator to restrict what users may use which methods. An example of methods would be GET, POST and DELETE. These three are the most common used by applications and should be allowed. Methods such as TRACE, if allowed, give an attacker a way to map the system so that vulnerabilities to the system can be researched and developed.
Checks: C-23153r414997_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "&lt;LimitExcept&gt;" directive at the directory configuration scope. 3. If the "&lt;LimitExcept&gt;" directive is omitted (with the exception of the "&lt;Directory /&gt;" directive) or is set improperly, this is a finding.

Fix: F-23142r414998_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "<LimitExcept>" directive at the directory configuration scope. 3. Set the "<LimitExcept>" directive to "GET POST", add the directive if it does not exist. 4. Within the "<LimitExcept GET POST>" directives, add the directive "Deny" and set it to "from all".

b
The OHS htdocs directory must not contain any default files.
CM-6 - Medium - CCI-000366 - V-221439 - SV-221439r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000201
Vuln IDs
  • V-221439
  • V-64641
Rule IDs
  • SV-221439r961863_rule
  • SV-79131
Default files from the OHS installation should not be part of the htdocs directory. These files are not always patched or supported and may become an attacker vector in the future.
Checks: C-23154r415000_chk

1. cd $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs1/htdocs 2. Check for the existence of the OracleHTTPServer12c_files directory (e.g., ls). 3. If there is an OracleHTTPServer12c_files directory exists, this is a finding.

Fix: F-23143r415001_fix

1. cd $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs1/htdocs 2. rm –rf OracleHTTPServer12c_files.

b
OHS must have the SSLSessionCacheTimeout directive set properly.
CM-6 - Medium - CCI-000366 - V-221440 - SV-221440r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000202
Vuln IDs
  • V-221440
  • V-64643
Rule IDs
  • SV-221440r961863_rule
  • SV-79133
During an SSL session, information about the session is stored in the global/inter-process SSL Session Cache, the OpenSSL internal memory cache and for sessions resumed by TLS session resumption (RFC 5077). This information must not be allowed to live forever, but expire and become invalid so that an attacker cannot hijack the session if not closed by the hosted application properly.
Checks: C-23155r415003_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/ssl.conf with an editor. 2. Search for the "SSLSessionCacheTimeout" directive at the OHS server configuration scope. 3. If the directive is omitted or is set greater than 60, this is a finding.

Fix: F-23144r415004_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor. 2. Search for the "SSLSessionCacheTimeout" directive at the OHS server configuration scope. 3. Set the "SSLSessionCacheTimeout" directive to "60", add the directive if it does not exist.

a
OHS must have the RewriteEngine directive enabled.
CM-6 - Low - CCI-000366 - V-221441 - SV-221441r961863_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
OH12-1X-000203
Vuln IDs
  • V-221441
  • V-64645
Rule IDs
  • SV-221441r961863_rule
  • SV-79135
The rewrite engine is used to evaluate URL requests and modify the requests on the fly. Enabling this engine gives the system administrator the capability to trap potential attacks before reaching the hosted applications or to modify the URL to fix issues in the request before forwarding to the applications. The rewrite engine becomes a pre-filtering tool to fix data issues before reaching the hosted applications where the URL format or data within the URL could cause buffer overflows, redirection or mobile code snippets that could become an issue if not filtered.
Checks: C-23156r415006_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "RewriteEngine" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or is not set to "On", this is a finding unless inherited from a larger scope.

Fix: F-23145r415007_fix

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "RewriteEngine" directive at the OHS server and virtual host configuration scopes. 3. Set the "RewriteEngine" directive to "On", add the directive if it does not exist unless inherited from a larger scope.

a
OHS must have the RewriteOptions directive set properly.
CM-6 - Low - CCI-000366 - V-221442 - SV-221442r961863_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
OH12-1X-000204
Vuln IDs
  • V-221442
  • V-64647
Rule IDs
  • SV-221442r961863_rule
  • SV-79137
The rules for the rewrite engine can be configured to inherit those from the parent and build upon that set of rules, to copy the rules from the parent if there are none defined or to only process the rules if the input is a URL. Of these, the most secure is to inherit from the parent because of how this implemented. The rules for the current configuration, process or directory, are loaded and then the parent are overlaid. This means that the parent rule will always override the child rule. This gives the server a more consistent security configuration.
Checks: C-23157r415009_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "RewriteOptions" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or is not set to "inherit", this is a finding unless inherited from a larger scope.

Fix: F-23146r415010_fix

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "RewriteOptions" directive at the OHS server and virtual host configuration scopes. 3. Set the "RewriteOptions" directive to "inherit", add the directive if it does not exist unless inherited from a larger scope.

a
OHS must have the RewriteLogLevel directive set to the proper log level.
CM-6 - Low - CCI-000366 - V-221443 - SV-221443r961863_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
OH12-1X-000205
Vuln IDs
  • V-221443
  • V-64649
Rule IDs
  • SV-221443r961863_rule
  • SV-79139
Logging must not contain sensitive information or more information necessary than that needed to administer the system. The log levels from the rewrite engine range from 0 to 9 where 0 is no logging and 9 being the most verbose. A log level that gives enough information for an investigation if an attack occurs of enough information to troubleshoot issues should be selected. Too much information makes the system vulnerable and may give attacker information to other resources or data within the hosted applications.
Checks: C-23158r415012_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "RewriteLogLevel" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or is not set to "3", this is a finding unless inherited from a larger scope.

Fix: F-23147r415013_fix

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "RewriteLogLevel" directive at the OHS server and virtual host configuration scopes. 3. Set the "RewriteLogLevel" directive to "3"; add the directive if it does not exist unless inherited from a larger scope.

a
OHS must have the RewriteLog directive set properly.
CM-6 - Low - CCI-000366 - V-221444 - SV-221444r961863_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
OH12-1X-000206
Vuln IDs
  • V-221444
  • V-64651
Rule IDs
  • SV-221444r961863_rule
  • SV-79141
Specifying where the log files are written gives the system administrator the capability to store the files in a location other than the default, with system files or in a globally accessible location. The system administrator can also specify a location that is accessible by any enterprise tools that may use the logged data to give a picture of the overall enterprise security posture. If a file is not specified, OHS will still generate the log data, but it is not written and therefore, cannot be used to monitor the system or for forensic analysis.
Checks: C-23159r415015_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "RewriteLog" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding unless inherited from a larger scope. 4. Validate that the folder specified exists. If the folder does not exist, this is a finding.

Fix: F-23148r415016_fix

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "RewriteLog" directive at the OHS server and virtual host configuration scopes. 3. Set the "RewriteLog" directive to the same location as the "CustomLog" directive; add the directive if it does not exist unless inherited from a larger scope.

b
All accounts installed with the web server software and tools must have passwords assigned and default passwords changed.
CM-6 - Medium - CCI-000366 - V-221445 - SV-221445r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000207
Vuln IDs
  • V-221445
  • V-64653
Rule IDs
  • SV-221445r961863_rule
  • SV-79143
During installation of the web server software, accounts are created for the web server to operate properly. The accounts installed can have either no password installed or a default password, which will be known and documented by the vendor and the user community. The first things an attacker will try when presented with a login screen are the default user identifiers with default passwords. Installed applications may also install accounts with no password, making the login even easier. Once the web server is installed, the passwords for any created accounts should be changed and documented. The new passwords must meet the requirements for all passwords, i.e., upper/lower characters, numbers, special characters, time until change, reuse policy, etc. Normally, a service account is established for OHS. This is because a privileged account is not desirable and the server is designed to run for long uninterrupted periods of time. The SA or Web Manager will need password access to OHS to restart the service in the event of an emergency as OHS is not to restart automatically after an unscheduled interruption. If the password is not entrusted to an SA or web manager the ability to ensure the availability of OHS is compromised. Service accounts or system accounts that have no login capability do not need to have passwords set or changed.
Checks: C-23160r415018_chk

NOTE: Service accounts or system accounts that have no login capability do not need to have passwords set or changed. Review the web server documentation and deployment configuration to determine what non-service/system accounts were installed by the web server installation process. Verify the passwords for these accounts have been set and/or changed from the default passwords. Verify the SA/Web manager are notified of the changed password. If these accounts still have no password or have default passwords, this is a finding. If the SA/web manager does not know the changed password, this is a finding.

Fix: F-23149r415019_fix

Inform the OHS Administrator as to what the password is for the OS account that owns the OHS Software.

b
A production OHS Installation must prohibit the installation of a compiler.
CM-6 - Medium - CCI-000366 - V-221446 - SV-221446r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000208
Vuln IDs
  • V-221446
  • V-64655
Rule IDs
  • SV-221446r961863_rule
  • SV-79145
The presence of a compiler on a production server facilitates the malicious user’s task of creating custom versions of programs and installing Trojan Horses or viruses. For example, the attacker’s code can be uploaded and compiled on the server under attack.
Checks: C-23161r415021_chk

1. Ask the System Administrator if a compiler is installed on the system. 2. If it is, this is a finding.

Fix: F-23150r415022_fix

Ask the System Administrator to remove any compilers installed on the system.

b
A public OHS installation, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension.
CM-6 - Medium - CCI-000366 - V-221447 - SV-221447r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000209
Vuln IDs
  • V-221447
  • V-64657
Rule IDs
  • SV-221447r961863_rule
  • SV-79147
To minimize exposure of private assets to unnecessary risk by attackers, public web servers must be isolated from internal systems. Public web servers are by nature more vulnerable to attack from publically based sources, such as the public Internet. Once compromised, a public web server might be used as a base for further attack on private resources, unless additional layers of protection are implemented. Public web servers must be located in a DoD DMZ Extension, if hosted on the NIPRNet, with carefully controlled access. Failure to isolate resources in this way increase risk that private assets are exposed to attacks from public sources.
Checks: C-23162r415024_chk

1. As required, confirm with the OHS Administrator that OHS is installed in a DMZ and isolated from internal systems. 2. If not, this is a finding.

Fix: F-23151r415025_fix

1. Relocate the OHS server to be in a DMZ, isolated from internal systems. 2. Confirm that the OHS server only has connections to supporting Application and Database Servers.

b
A private OHS installation must be located on a separate controlled access subnet.
CM-6 - Medium - CCI-000366 - V-221448 - SV-221448r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000210
Vuln IDs
  • V-221448
  • V-64659
Rule IDs
  • SV-221448r961863_rule
  • SV-79149
Private web servers, which host sites that serve controlled access data, must be protected from outside threats in addition to insider threats. Insider threat may be accidental or intentional but, in either case, can cause a disruption in service of the web server. To protect the private web server from these threats, it must be located on a separate controlled access subnet and must not be a part of the public DMZ that houses the public web servers. It also cannot be located inside the enclave as part of the local general population LAN.
Checks: C-23163r415027_chk

1. As required, confirm with the OHS Administrator that OHS is installed on a separately controlled access subnet, not part of any DMZ. 2. Confirm that the OHS server is isolated from access by the LAN's general population. 3. If not, this is a finding.

Fix: F-23152r415028_fix

1. Relocate the OHS server to be on a local subnet, isolated from the DMZ. 2. Remove access to the OHS server from the LAN's general population.

c
The version of the OHS installation must be vendor supported.
SI-2 - High - CCI-002605 - V-221449 - SV-221449r1067472_rule
RMF Control
SI-2
Severity
H
CCI
CCI-002605
Version
OH12-1X-000211
Vuln IDs
  • V-221449
  • V-64661
Rule IDs
  • SV-221449r1067472_rule
  • SV-79151
Many vulnerabilities are associated with older versions of software. As hot fixes and patches are issued, these solutions are included in the next version of the server software. Maintaining OHS at a current version makes the efforts of a malicious user to exploit the web service more difficult.
Checks: C-23164r1067471_chk

OHS 12.1.X is no longer supported by the vendor. If the system is running OHS 12.1.X, this is a finding.

Fix: F-23153r1051412_fix

Upgrade to a supported version.

b
OHS must be certified with accompanying Fusion Middleware products.
CM-6 - Medium - CCI-000366 - V-221450 - SV-221450r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000212
Vuln IDs
  • V-221450
  • V-64663
Rule IDs
  • SV-221450r961863_rule
  • SV-79153
OHS is capable of being used with other Oracle products. For the products to work properly and not introduce vulnerabilities or errors, Oracle certifies which versions work with each other. Insisting that the certified versions be installed together in a production environment reduces the possibility of successful attacks, DoS through software system downtime and easier patch management for the SA.
Checks: C-23165r415033_chk

1. If OHS is used with other Fusion Middleware products, check to see if the combination is certified per http://www.oracle.com/technetwork/middleware/fusion-middleware/documentation/fmw-1213certmatrix-2226694.xls. 2. If not a certified configuration, this is a finding.

Fix: F-23154r415034_fix

Upgrade or patch OHS or other Oracle Fusion Middleware products to achieve a certified configuration per http://www.oracle.com/technetwork/middleware/fusion-middleware/documentation/fmw-1213certmatrix-2226694.xls.

b
OHS tools must be restricted to the web manager and the web managers designees.
CM-6 - Medium - CCI-000366 - V-221451 - SV-221451r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000214
Vuln IDs
  • V-221451
  • V-64665
Rule IDs
  • SV-221451r961863_rule
  • SV-79155
All automated information systems are at risk of data loss due to disaster or compromise. Failure to provide adequate protection to the administration tools creates risk of potential theft or damage that may ultimately compromise the mission. Adequate protection ensures that server administration operates with less risk of losses or operations outages. The key web service administrative and configuration tools must be accessible only by the authorized web server administrators. All users granted this authority must be documented and approved by the ISSO. Access to OHS must be limited to authorized users and administrators.
Checks: C-23166r415036_chk

1. Determine whether anyone other than the System Administrator or the OHS Administrator has inappropriate access to modify the OHS configuration. This includes the ability to use the OS account that owns OHS, root, or a tool with OHS management or monitoring capability such as Oracle Enterprise Manager (OEM). 2. If so, this is a finding.

Fix: F-23155r415037_fix

Restrict access to the OS account that owns OHS, root, or tool with OHS management or monitoring capability such as Oracle Enterprise Manager (OEM).

a
All utility programs, not necessary for operations, must be removed or disabled.
CM-6 - Low - CCI-000366 - V-221452 - SV-221452r961863_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
OH12-1X-000215
Vuln IDs
  • V-221452
  • V-64667
Rule IDs
  • SV-221452r961863_rule
  • SV-79157
Just as running unneeded services and protocols is a danger to the web server at the lower levels of the OSI model, running unneeded utilities and programs is also a danger at the application layer of the OSI model. Office suites, development tools, and graphical editors are examples of such programs that are troublesome. Individual productivity tools have no legitimate place or use on an enterprise, production web server and they are also prone to their own security risks.
Checks: C-23167r415039_chk

1. Check the server for software that is unnecessary for OHS operation. 2. If the software is unnecessary for OHS, other organization requirements, or is not appropriately patched or supported, this is a finding.

Fix: F-23156r415040_fix

Remove any software that is unnecessary for OHS operation, other organization requirements, or is not appropriately patched or supported.

b
The OHS htpasswd files (if present) must reflect proper ownership and permissions.
CM-6 - Medium - CCI-000366 - V-221453 - SV-221453r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000216
Vuln IDs
  • V-221453
  • V-64669
Rule IDs
  • SV-221453r961863_rule
  • SV-79159
In addition to OS restrictions, access rights to files and directories can be set on a web site using the web server software. That is, in addition to allowing or denying all access rights, a rule can be specified that allows or denies partial access rights. For example, users can be given read-only access rights to files, to view the information but not change the files. This check verifies that the htpasswd file is only accessible by system administrators or web managers, with the account running the web service having group permissions of read and execute. Htpasswd is a utility used by OHS to provide for password access to designated web sites.
Checks: C-23168r415042_chk

1. Check the permissions of the htpasswd file. (e.g., ls -l $ORACLE_HOME/ohs/bin/htpasswd). 2. If the file has permissions beyond "-rwxr-----" (i.e., 740), this is a finding.

Fix: F-23157r415043_fix

Set permissions on htpasswd to 740 (i.e., chmod 740 $ORACLE_HOME/ohs/bin/htpasswd).

b
A public OHS installation must limit email to outbound only.
CM-6 - Medium - CCI-000366 - V-221454 - SV-221454r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000217
Vuln IDs
  • V-221454
  • V-64671
Rule IDs
  • SV-221454r961863_rule
  • SV-79161
Incoming E-mail has been known to provide hackers with access to servers. Disabling the incoming mail service prevents this type of attacks. Additionally, Email represents the main use of the Internet. It is specialized application that requires the dedication of server resources. To combine this type of transaction processing function with the file serving role of the web server creates an inherent conflict. Supporting mail services on a web server opens the server to the risk of abuse as an email relay. This check verifies, by checking the OS, that incoming e-mail is not supported.
Checks: C-23169r415045_chk

1. Check whether the OHS server is configured to accept SMTP connections. (e.g., telnet localhost 25). 2. If it is, this is a finding.

Fix: F-23158r415046_fix

Configure the server to disallow inbound SMTP connections.

a
OHS content and configuration files must be part of a routine backup program.
CM-6 - Low - CCI-000366 - V-221455 - SV-221455r961863_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
OH12-1X-000218
Vuln IDs
  • V-221455
  • V-64673
Rule IDs
  • SV-221455r961863_rule
  • SV-79163
Backing up web server data and web server application software after upgrades or maintenance ensures that recovery can be accomplished up to the current version. It also provides a means to determine and recover from subsequent unauthorized changes to the software and data. A tested and verifiable backup strategy will be implemented for web server software as well as all web server data files. Backup and recovery procedures will be documented and the Web Manager or SA for the specific application will be responsible for the design, test, and implementation of the procedures. The site will have a contingency processing plan/disaster recovery plan that includes web servers. The contingency plan will be periodically tested in accordance with DoDI 8500.2 requirements. The site will identify an off-site storage facility in accordance with DoDI 8500.2 requirements. Off-site backups will be updated on a regular basis and the frequency will be documented in the contingency plan.
Checks: C-23170r415048_chk

1. Check that the following files and directories are backed up on a regular basis: a) /etc/oraInst.loc b) Directory identified by inventory_loc parameter within /etc/oraInst.loc c) /etc/cap.ora d) $MW_HOME 2. Confirm the ability to restore the above files and directories successfully. 3. Confirm the successful operation of OHS upon a successful restoration of the files and directories. 4. If the files aren't backed up on a regular schedule or the backups haven't been tested, this is a finding.

Fix: F-23159r415049_fix

1. Backup the following files on a regular basis: a) /etc/oraInst.loc b) Directory identified by inventory_loc parameter within /etc/oraInst.loc c) /etc/cap.ora d) $MW_HOME 2. Perform a restore and start the restored OHS server on a test machine. 3. Test the functionality of the restored OHS software on the test machine.

b
OHS must be segregated from other services.
CM-6 - Medium - CCI-000366 - V-221456 - SV-221456r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000219
Vuln IDs
  • V-221456
  • V-64675
Rule IDs
  • SV-221456r961863_rule
  • SV-79165
The web server installation and configuration plan should not support the co-hosting of multiple services such as Domain Name Service (DNS), e-mail, databases, search engines, indexing, or streaming media on the same server that is providing the web publishing service. By separating these services, physically or logically, additional defensive layers are established between the web service and the applicable application should either be compromised. Disallowed or restricted services in the context of this vulnerability applies to services that are not directly associated with the delivery of web content. An operating system that supports a web server will not provide other services (e.g., domain controller, e-mail server, database server, etc.). Only those services necessary to support the web server and its hosted sites are specifically allowed and may include, but are not limited to, operating system, logging, anti-virus, host intrusion detection, administrative maintenance, or network requirements.
Checks: C-23171r415051_chk

1. Obtain a copy of the OHS installation and configuration plan. 2. Ask the System Administrator whether any additional services (e.g., database, DNS, mail, application server, etc.) are installed with OHS that do not directly support operation or management of OHS. Separation of services may be physical or logical. 3. If so, this is a finding.

Fix: F-23160r415052_fix

Move any software from the OHS installation that is not required for the operation or management of the OHS server to another physical or logical server.

b
OHS must have all applicable patches (i.e., CPUs) applied/documented (OEM).
CM-6 - Medium - CCI-000366 - V-221457 - SV-221457r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000220
Vuln IDs
  • V-221457
  • V-64677
Rule IDs
  • SV-221457r961863_rule
  • SV-79167
The IAVM process does not address all patches that have been identified for the host operating system or, in this case, the web server software environment. Many vendors have subscription services available to notify users of known security threats. The site needs to be aware of these fixes and make determinations based on local policy and what software features are installed, if these patches need to be applied. In some cases, patches also apply to middleware and database systems. Maintaining the security of web servers requires frequent reviews of security notices. Many security notices mandate the installation of a software patch to overcome security vulnerabilities. SAs and ISSOs should regularly check the vendor support web site for patches and information related to the web server software. All applicable security patches will be applied to the operating system and to the web server software. Security patches are deemed applicable if the product is installed, even if it is not used or is disabled.
Checks: C-23172r415054_chk

1. Obtain the list of patches that have been applied to OHS (e.g., $ORACLE_HOME/OPatch/opatch lsinventory). 2. In reviewing the list, also review the latest Oracle CPU at http://www.oracle.com/technetwork/topics/security/alerts-086861.html#CriticalPatchUpdates. Specifically, review the My Oracle Support note specified for Oracle Fusion Middleware to see whether there are patches available for Oracle HTTP Server 12.1.3. 3. If there are patches listed for Oracle HTTP Server 12.1.3 in the support note and they do not show in the list from Step 1 above, this is a finding.

Fix: F-23161r415055_fix

1. Obtain the latest Fusion Middleware Patches applicable for Oracle HTTP Server from the My Oracle Support note associated with the latest Oracle CPU at http://www.oracle.com/technetwork/topics/security/alerts-086861.html#CriticalPatchUpdates. 2. Follow the instructions associated with each patch to successfully apply.

b
A private OHS list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA.
CM-6 - Medium - CCI-000366 - V-221458 - SV-221458r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000221
Vuln IDs
  • V-221458
  • V-64679
Rule IDs
  • SV-221458r961863_rule
  • SV-79169
A PKI certificate is a digital identifier that establishes the identity of an individual or a platform. A server that has a certificate provides users with third-party confirmation of authenticity. Most web browsers perform server authentication automatically; the user is notified only if the authentication fails. The authentication process between the server and the client is performed using the SSL/TLS protocol. Digital certificates are authenticated, issued, and managed by a trusted Certification Authority (CA). The use of a trusted certificate validation hierarchy is crucial to the ability to control access to the server and prevent unauthorized access. This hierarchy needs to lead to the DoD PKI Root CA or to an approved External Certificate Authority (ECA) or are required for the server to function.
Checks: C-23173r415057_chk

1. Go to the location of the OHS keystores (e.g., cd $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/keystores). 2. For each wallet directory located there, do the following: a) Issue the command "$ORACLE_HOME/oracle_common/bin/orapki wallet display -wallet &lt;wallet_directory&gt;". b) Confirm that only the appropriate DoD Certificate Authorities are listed as Trusted Certificates and that the Identity Certificate has been issued by a DoD Certificate authority. 3. If any of the Trusted Certificates are not appropriate DoD Certificate Authorities or the Identity Certificate has not been issued by a DoD Certificate authority, this is a finding.

Fix: F-23162r415058_fix

1. Go to the location of the OHS keystores (e.g., cd $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/keystores). 2. For each wallet directory located there, do the following: a) Issue the command "$ORACLE_HOME/oracle_common/bin/orapki wallet display -wallet <wallet_directory>". b) Remove the Identity Certificate if it was not issued by a DoD Certificate authority. c) Remove each Trusted Certificate from the wallet that is not an appropriate DoD Certificate Authority with the command "$ORACLE_HOME/oracle_common/bin/orapki wallet remove -wallet <wallet_directory> -dn <dn_of_the_trusted_certificate> -trusted_cert".

b
OHS must have the ScoreBoardFile directive disabled.
CM-6 - Medium - CCI-000366 - V-221459 - SV-221459r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000222
Vuln IDs
  • V-221459
  • V-64681
Rule IDs
  • SV-221459r961863_rule
  • SV-79171
The ScoreBoardFile directive sets a file path which the server will use for Inter-Process Communication (IPC) among the Apache processes. If the directive is specified, then Apache will use the configured file for the inter-process communication. Therefore if it is specified it needs to be located in a secure directory. If the ScoreBoard file is placed in openly writable directory, other accounts could create a denial of service attack and prevent the server from starting by creating a file with the same name, and or users could monitor and disrupt the communication between the processes by reading and writing to the file.
Checks: C-23174r415060_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "ScoreBoardFile" directive at the server configuration scope. 3. If the "ScoreBoardFile" directive exists, this is a finding.

Fix: F-23163r415061_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "ScoreBoardFile" directive at the server configuration scope. 3. Remove the "ScoreBoardFile" directive.

b
The OHS document root directory must not be on a network share.
CM-6 - Medium - CCI-000366 - V-221460 - SV-221460r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000223
Vuln IDs
  • V-221460
  • V-64683
Rule IDs
  • SV-221460r961863_rule
  • SV-79173
Sharing of web server content is a security risk when a web server is involved. Users accessing the share anonymously could experience privileged access to the content of such directories. Network sharable directories expose those directories and their contents to unnecessary access. Any unnecessary exposure increases the risk that someone could exploit that access and either compromises the web content or cause web server performance problems.
Checks: C-23175r415063_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes. 3. If the directive value is used as a network share (e.g., ps -ef | grep nfs, ps -ef | grep smb, etc.), this is a finding.

Fix: F-23164r415064_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes. 3. Remove the shares that are associated with any directory specified as a value for the "DocumentRoot" directives.

b
The OHS server root directory must not be on a network share.
CM-6 - Medium - CCI-000366 - V-221461 - SV-221461r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000224
Vuln IDs
  • V-221461
  • V-64685
Rule IDs
  • SV-221461r961863_rule
  • SV-79175
Sharing of the web server directory where the executables are stored is a security risk when a web server is involved. Users that have access to the share may not be administrative users. These users could make changes to the web server without going through proper change control or the users could inadvertently delete executables that are key to the proper operation of the web server. Any unnecessary exposure increases the risk that someone could exploit that access and either compromises the web server or cause web server performance problems.
Checks: C-23176r415066_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf. 2. Search for the "ServerRoot" directive at the OHS server configuration scope. 3. If the directive value is used as a network share (e.g., ps -ef | grep nfs, ps -ef | grep smb, etc.), this is a finding.

Fix: F-23165r415067_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf. 2. Search for the "ServerRoot" directive at the OHS server configuration scope. 3. Remove the share that is associated with the directory specified as a value for the "ServerRoot" directive.

c
Symbolic links must not be used in the web content directory tree.
CM-6 - High - CCI-000366 - V-221462 - SV-221462r961863_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
OH12-1X-000225
Vuln IDs
  • V-221462
  • V-64687
Rule IDs
  • SV-221462r961863_rule
  • SV-79177
A symbolic link allows a file or a directory to be referenced using a symbolic name raising a potential hazard if symbolic linkage is made to a sensitive area. When web scripts are executed and symbolic links are allowed, the web user could be allowed to access locations on the web server that are outside the scope of the web document root or home directory.
Checks: C-23177r415069_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes. 3. Within the directory specified by each "DocumentRoot" directive, check recursively for any symbolic links (e.g., find . -type l -exec ls -ald {} \;). 4. If any symbolic links are found, this is a finding.

Fix: F-23166r415070_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes. 3. Within the directory specified by each "DocumentRoot" directive, check recursively for any symbolic links (e.g., find . -type l -exec ls -ald {} \;). 4. Remove any symbolic links found in the "DocumentRoot" directory tree.

c
OHS administration must be performed over a secure path or at the local console.
CM-6 - High - CCI-000366 - V-221463 - SV-221463r961863_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
OH12-1X-000226
Vuln IDs
  • V-221463
  • V-64689
Rule IDs
  • SV-221463r961863_rule
  • SV-79179
Logging into a web server remotely using an unencrypted protocol or service when performing updates and maintenance is a major risk. Data, such as user account, is transmitted in plaintext and can easily be compromised. When performing remote administrative tasks, a protocol or service that encrypts the communication channel must be used. An alternative to remote administration of the web server is to perform web server administration locally at the console. Local administration at the console implies physical access to the server.
Checks: C-23178r415072_chk

1. Check that if server administration is performed remotely, it will only be performed securely by system administrators. 2. Check that if OHS administration has been delegated, those users will be documented and approved by the ISSO. 3. Check that remote administration is in compliance with any requirements contained within the Unix Server STIGs and any applicable network STIGs. 4. Check that remote administration of any kind will be restricted to documented and authorized personnel and that all users performing remote administration are authenticated. 5. Check that all remote sessions will be encrypted and utilize FIPS 140-2 approved protocols. 6. If any of the above conditions are not met, this is a finding.

Fix: F-23167r415073_fix

Ensure that both system and OHS administration are done through a secure path.

b
OHS must not contain any robots.txt files.
CM-6 - Medium - CCI-000366 - V-221464 - SV-221464r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000227
Vuln IDs
  • V-221464
  • V-64691
Rule IDs
  • SV-221464r961863_rule
  • SV-79181
Search engines are constantly at work on the Internet. Search engines are augmented by agents, often referred to as spiders or bots, which endeavor to capture and catalog web-site content. In turn, these search engines make the content they obtain and catalog available to any public web user. To request that a well behaved search engine not crawl and catalog a server, the web server may contain a file called robots.txt for each web site hosted. This file contains directories and files that the web server SA desires not be crawled or cataloged, but this file can also be used, by an attacker or poorly coded search engine, as a directory and file index to a site. This information may be used to reduce an attacker’s time searching and traversing the web site to find files that might be relevant. If information on hosted web sites needs to be protected from search engines and public view, other methods must be used.
Checks: C-23179r415075_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes. 3. If the directive value specifies a directory containing a robots.txt file, this is a finding.

Fix: F-23168r415076_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes. 3. Remove any robots.txt files from the directories specified in the "DocumentRoot" directives.

b
OHS must prohibit anonymous FTP user access to interactive scripts.
CM-6 - Medium - CCI-000366 - V-221465 - SV-221465r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000228
Vuln IDs
  • V-221465
  • V-64693
Rule IDs
  • SV-221465r961863_rule
  • SV-79183
The directories containing the CGI scripts, such as PERL, must not be accessible to anonymous users via FTP. This applies to all directories that contain scripts that can dynamically produce web pages in an interactive manner (i.e., scripts based upon user-provided input). Such scripts contain information that could be used to compromise a web service, access system resources, or deface a web site.
Checks: C-23180r415078_chk

1. Check that all ftp access is authenticated, authorized, and secure. 2. If not, this is a finding.

Fix: F-23169r415079_fix

Ensure that all file transfers to the server are authenticated, authorized, and secure.

b
The OHS DocumentRoot directory must be in a separate partition from the OHS ServerRoot directory.
CM-6 - Medium - CCI-000366 - V-221466 - SV-221466r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000229
Vuln IDs
  • V-221466
  • V-64695
Rule IDs
  • SV-221466r961863_rule
  • SV-79185
Application partitioning enables an additional security measure by securing user traffic under one security context, while managing system and application files under another. Web content is accessible to an anonymous web user. For such an account to have access to system files of any type is a major security risk that is avoidable and desirable. Failure to partition the system files from the web site documents increases risk of attack via directory traversal, or impede web site availability due to drive space exhaustion.
Checks: C-23181r415081_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes. 3. Search for the "ServerRoot" directive at the OHS server configuration scope. 4. If the "DocumentRoot" directive value specifies a directory on the same partition as the directory specified in the "ServerRoot" directive, this is a finding.

Fix: F-23170r415082_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes. 3. Search for the "ServerRoot" directive at the OHS server configuration scope. 4. Move the directory associated with the "DocumentRoot" directive to a partition different from the partition associated with the directory specified by the "ServerRoot" directive.

b
The OHS DocumentRoot directory must be on a separate partition from OS root partition.
CM-6 - Medium - CCI-000366 - V-221467 - SV-221467r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000230
Vuln IDs
  • V-221467
  • V-64697
Rule IDs
  • SV-221467r961863_rule
  • SV-79187
Application partitioning enables an additional security measure by securing user traffic under one security context, while managing system and application files under another. Web content is accessible to an anonymous web user. For such an account to have access to system files of any type is a major security risk that is avoidable and desirable. Failure to partition the system files from the web site documents increases risk of attack via directory traversal, or impede web site availability due to drive space exhaustion.
Checks: C-23182r415084_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes. 3. If the directory associated with the "DocumentRoot" directive is associated with the root partition, this is a finding.

Fix: F-23171r415085_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes. 3. Move the directory associated with the "DocumentRoot" directive to a partition different from root partition.

b
Remote authors or content providers must have all files scanned for viruses and malicious code before uploading files to the Document Root directory.
CM-6 - Medium - CCI-000366 - V-221468 - SV-221468r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000231
Vuln IDs
  • V-221468
  • V-64699
Rule IDs
  • SV-221468r961863_rule
  • SV-79189
Remote web authors should not be able to upload files to the DocumentRoot directory structure without virus checking and checking for malicious or mobile code. A remote web user whose agency has a Memorandum of Agreement (MOA) with the hosting agency and has submitted a DoD form 2875 (System Authorization Access Request (SAAR)) or an equivalent document will be allowed to post files to a temporary location on the server. All posted files to this temporary location will be scanned for viruses and content checked for malicious or mobile code. Only files free of viruses and malicious or mobile code will be posted to the appropriate Document Root directory.
Checks: C-23183r415087_chk

1. Check that any files uploaded to the OHS environment are checked for viruses, malicious code, and mobile code. 2. If there is not anti-virus software on the system with auto-protect enabled or if there is not a process in place to ensure all files being posted to the OHS sites are being scanned, this is a finding.

Fix: F-23172r415088_fix

Install anti-virus software on the OHS server and configure it to automatically scan for any viruses, malicious code, and mobile code.

b
A public OHS server must use TLS if authentication is required to host web sites.
CM-6 - Medium - CCI-000366 - V-221469 - SV-221469r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OH12-1X-000232
Vuln IDs
  • V-221469
  • V-64701
Rule IDs
  • SV-221469r961863_rule
  • SV-79191
Transport Layer Security (TLS) is optional for a public web server. However, if authentication is being performed, then the use of the TLS protocol is required. Without the use of TLS, the authentication data would be transmitted unencrypted and would become vulnerable to disclosure. Using TLS along with DoD PKI certificates for encryption of the authentication data protects the information from being accessed by all parties on the network. To further protect the authentication data, the web server must use a FIPS 140-2 approved TLS version and all non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems.
Checks: C-23184r881077_chk

1. As required, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that requires an SSL-enabled "&lt;VirtualHost&gt;" directive. Note: Does not apply to admin.conf. 2. Search for the following directive at the OHS server, virtual host, and/or directory configuration scopes: "SSLEngine" "SSLProtocol" "SSLWallet" 3. If any of these directives are omitted, this is a finding. 4. If "SSLEngine" is not set to "On", or "SSLProtocol" is not set to "TLSv1.2", this is a finding. 5. Validate that the folder specified in the "SSLWallet" directive exists. If the folder does not exist or contain a valid wallet, this is a finding.

Fix: F-23173r881078_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf. 2a. Search for the "SSLEngine" directive at the OHS server, virtual host, and/or directory configuration scopes. 2b. Set the "SSLEngine" directive to "On"; add the directive if it does not exist. 3a. Search for the "SSLProtocol" directive at the OHS server configuration, virtual host, and/or directory levels. 3b. Set the "SSLProtocol" directive to "TLSv1.2"; add the directive if it does not exist. 4a. Search for the "SSLWallet" directive at the OHS server configuration, virtual host, and/or directory levels. 4b. Set the "SSLWallet" directive to the location (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES Encryption (-compat_v12 parameters) that contains only the identity certificate for the host and DoD Certificate Authorities, add the directive if it does not exist.

a
OHS hosted web sites must utilize ports, protocols, and services according to PPSM guidelines.
CM-6 - Low - CCI-000366 - V-221470 - SV-221470r961863_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
OH12-1X-000233
Vuln IDs
  • V-221470
  • V-64703
Rule IDs
  • SV-221470r961863_rule
  • SV-79193
Failure to comply with DoD ports, protocols, and services (PPS) requirements can result in compromise of enclave boundary protections and/or functionality of the automated information system (AIS). The ISSM will ensure web servers are configured to use only authorized PPS in accordance with the Network Infrastructure STIG, DoD Instruction 8551.1, Ports, Protocols, and Services Management (PPSM), and the associated Ports, Protocols, and Services (PPS) Assurance Category Assignments List.
Checks: C-23185r415093_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "Listen" directive at the OHS server configuration scope. 3. If the "Listen" directive port specified is not "80" or "443", this is a finding.

Fix: F-23174r415094_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "Listen" directive at the OHS server configuration scope. 3. Set the "Listen" directive to "80" for http ports and "443" for https ports.

c
OHS must not have the directive PlsqlDatabasePassword set in clear text.
CM-6 - High - CCI-000366 - V-221471 - SV-221471r961863_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
OH12-1X-000234
Vuln IDs
  • V-221471
  • V-64621
Rule IDs
  • SV-221471r961863_rule
  • SV-79111
OHS supports the use of the module mod_plsql, which allows applications to be hosted that are PL/SQL-based. To access the database, the module must have a valid username, password and database name. To keep the password from an attacker, the password must not be stored in plain text, but instead, obfuscated.
Checks: C-23186r415096_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., dads.conf) included in it with an editor. 2. Search for the "PlsqlDatabasePassword" directive. 3. If the directive is set in clear text, this is a finding.

Fix: F-23175r415097_fix

1. At shell prompt, set "ORACLE_HOME" environment variable to $ORACLE_HOME location and export the variable. 2. At shell prompt, set "PATH" environment variable to "$ORACLE_HOME/ohs/bin:$ORACLE_HOME/bin:$ORACLE_HOME/perl/bin:$PATH" and export the variable. 3a. If AIX OS, at shell prompt, set "LIBPATH" environment variable to "$ORACLE_HOME/lib:$LIBPATH" and export the variable. 3b. If HP-UX OS, at shell prompt, set "SHLIB_PATH" environment variable to "$ORACLE_HOME/lib:$SHLIB_PATH" and export the variable. 3c. If Solaris OS, at shell prompt, set "LD_LIBRARY_PATH" environment variable to "$ORACLE_HOME/lib32:$LD_LIBRARY_PATH" and export the variable. 3d. If Linux or Other Unix OS, at shell prompt, set "LD_LIBRARY_PATH" environment variable to "$ORACLE_HOME/lib:$LD_LIBRARY_PATH" and export the variable. 4. Change the present working directory to "$ORACLE_HOME/ohs/bin" (e.g., cd $ORACLE_HOME/ohs/bin). 5. For each .conf file found to be at fault, execute dadTool.pl script (e.g., "perl dadTool.pl -f $DOMAIN_HOME/config/fmwconfig/compoennts/OHS/<componentName>/mod_plsql/dads.conf").

b
If WebLogic is not in use with OHS, OHS must have the include mod_wl_ohs.conf directive disabled at the server level.
CM-7 - Medium - CCI-000381 - V-221472 - SV-221472r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000235
Vuln IDs
  • V-221472
  • V-64357
Rule IDs
  • SV-221472r960963_rule
  • SV-78847
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23187r415099_chk

If not using the WebLogic Web Server Proxy Plugin: 1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "include mod_wl_ohs.conf" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23176r415100_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "include mod_wl_ohs.conf" directive at the OHS server configuration scope. 3. Comment out the "include mod_wl_ohs.conf" directive if it exists.

b
If mod_plsql is not in use with OHS, OHS must have the include moduleconf/* directive disabled.
CM-7 - Medium - CCI-000381 - V-221473 - SV-221473r960963_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OH12-1X-000236
Vuln IDs
  • V-221473
  • V-64359
Rule IDs
  • SV-221473r960963_rule
  • SV-78849
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.
Checks: C-23188r415102_chk

If not using mod_plsql: 1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "include moduleconf/*" directive at the OHS server configuration scope. Note: The complete line may be "include moduleconf/*.conf*". 3. If the directive exists and is not commented out, this is a finding.

Fix: F-23177r415103_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "include moduleconf/*" directive at the OHS server configuration scope. Note: The complete line may be "include moduleconf/*.conf*". 3. Comment out the "include moduleconf/*" directive if it exists.

c
OHS must have the LoadModule ossl_module directive enabled to encrypt passwords during transmission.
IA-5 - High - CCI-000197 - V-221474 - SV-221474r961029_rule
RMF Control
IA-5
Severity
H
CCI
CCI-000197
Version
OH12-1X-000240
Vuln IDs
  • V-221474
  • V-64407
Rule IDs
  • SV-221474r961029_rule
  • SV-78897
Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to authenticate can be passed to and from the web server for many reasons. Examples include data passed from a user to the web server through an HTTPS connection for authentication, the web server authenticating to a backend database for data retrieval and posting, and the web server authenticating to a clustered web server manager for an update.
Checks: C-23189r415105_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope. 3. If the directive is omitted, this is a finding. 4. Validate that the file specified exists. If the file does not exist, this is a finding.

Fix: F-23178r415106_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope. 3. Set the "LoadModule ossl_module" directive to ""${PRODUCT_HOME}/modules/mod_ossl.so"", add the directive if it does not exist.

c
OHS must use FIPS modules to encrypt passwords during transmission.
IA-5 - High - CCI-000197 - V-221475 - SV-221475r961029_rule
RMF Control
IA-5
Severity
H
CCI
CCI-000197
Version
OH12-1X-000241
Vuln IDs
  • V-221475
  • V-64409
Rule IDs
  • SV-221475r961029_rule
  • SV-78899
Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to authenticate can be passed to and from the web server for many reasons. Examples include data passed from a user to the web server through an HTTPS connection for authentication, the web server authenticating to a backend database for data retrieval and posting, and the web server authenticating to a clustered web server manager for an update.
Checks: C-23190r415108_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/ssl.conf with an editor. 2. Search for the "SSLFIPS" directive at the OHS server configuration scope. 3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-23179r415109_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor. 2. Search for the "SSLFIPS" directive at the OHS server configuration scope. 3. Set the "SSLFIPS" directive to "On", add the directive if it does not exist.

c
OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to encrypt passwords during transmission.
IA-5 - High - CCI-000197 - V-221476 - SV-221476r961029_rule
RMF Control
IA-5
Severity
H
CCI
CCI-000197
Version
OH12-1X-000242
Vuln IDs
  • V-221476
  • V-64411
Rule IDs
  • SV-221476r961029_rule
  • SV-78901
Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to authenticate can be passed to and from the web server for many reasons. Examples include data passed from a user to the web server through an HTTPS connection for authentication, the web server authenticating to a backend database for data retrieval and posting, and the web server authenticating to a clustered web server manager for an update.
Checks: C-23191r881047_chk

1. As required, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that requires an SSL-enabled "&lt;VirtualHost&gt;" directive. Note: Does not apply to admin.conf. 2. Search for the following directive at the OHS server, virtual host, and/or directory configuration scopes: "SSLEngine" "SSLProtocol" "SSLWallet" 3. If any of these directives are omitted, this is a finding. 4. If "SSLEngine" is not set to "On", or "SSLProtocol" is not set to "TLSv1.2", this is a finding. 5. Validate that the folder specified in the "SSLWallet" directive exists. If the folder does not exist or contain a valid wallet, this is a finding.

Fix: F-23180r881048_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf. 2a. Search for the "SSLEngine" directive at the OHS server, virtual host, and/or directory configuration scopes. 2b. Set the "SSLEngine" directive to "On", add the directive if it does not exist. 3a. Search for the "SSLProtocol" directive at the OHS server configuration, virtual host, and/or directory levels. 3b. Set the "SSLProtocol" directive to "TLSv1.2", add the directive if it does not exist. 4a. Search for the "SSLWallet" directive at the OHS server configuration, virtual host, and/or directory levels. 4b. Set the "SSLWallet" directive to the location (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES Encryption (-compat_v12 parameters) that contains only the identity certificate for the host and DoD Certificate Authorities, add the directive if it does not exist.

c
OHS must have the SSLCipherSuite directive enabled to encrypt passwords during transmission.
IA-5 - High - CCI-000197 - V-221477 - SV-221477r961029_rule
RMF Control
IA-5
Severity
H
CCI
CCI-000197
Version
OH12-1X-000243
Vuln IDs
  • V-221477
  • V-64413
Rule IDs
  • SV-221477r961029_rule
  • SV-78903
Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to authenticate can be passed to and from the web server for many reasons. Examples include data passed from a user to the web server through an HTTPS connection for authentication, the web server authenticating to a backend database for data retrieval and posting, and the web server authenticating to a clustered web server manager for an update.
Checks: C-23192r415114_chk

1. As required, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that requires an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes. 3. If the directive is omitted or set improperly, this is a finding.

Fix: F-23181r415115_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. 2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes. 3. Set the "SSLCipherSuite" directive to "SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,RSA_WITH_AES_128_CBC_SHA256,RSA_WITH_AES_256_CBC_SHA256,RSA_WITH_AES_128_GCM_SHA256,RSA_WITH_AES_256_GCM_SHA384,ECDHE_ECDSA_WITH_AES_128_CBC_SHA,ECDHE_ECDSA_WITH_AES_256_CBC_SHA,ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,ECDHE_RSA_WITH_AES_128_CBC_SHA,ECDHE_RSA_WITH_AES_256_CBC_SHA", add the directive if it does not exist. Note: Ciphers may be removed from the list above per the organization's requirements or if vulnerabilities are found with a specific cipher.

b
OHS must have the LoadModule ossl_module directive enabled to perform RFC 5280-compliant certification path validation.
IA-5 - Medium - CCI-000185 - V-221478 - SV-221478r961038_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000185
Version
OH12-1X-000244
Vuln IDs
  • V-221478
  • V-64415
Rule IDs
  • SV-221478r961038_rule
  • SV-78905
A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.
Checks: C-23193r415117_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope. 3. If the directive is omitted, this is a finding. 4. Validate that the file specified exists. If the file does not exist, this is a finding.

Fix: F-23182r415118_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope. 3. Set the "LoadModule ossl_module" directive to ""${PRODUCT_HOME}/modules/mod_ossl.so"", add the directive if it does not exist.

b
OHS must use FIPS modules to perform RFC 5280-compliant certification path validation.
IA-5 - Medium - CCI-000185 - V-221479 - SV-221479r961038_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000185
Version
OH12-1X-000245
Vuln IDs
  • V-221479
  • V-64417
Rule IDs
  • SV-221479r961038_rule
  • SV-78907
A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.
Checks: C-23194r415120_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/ssl.conf with an editor. 2. Search for the "SSLFIPS" directive at the OHS server configuration scope. 3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-23183r415121_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor. 2. Search for the "SSLFIPS" directive at the OHS server configuration scope. 3. Set the "SSLFIPS" directive to "On", add the directive if it does not exist.

b
OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to perform RFC 5280-compliant certification path validation.
IA-5 - Medium - CCI-000185 - V-221480 - SV-221480r961038_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000185
Version
OH12-1X-000246
Vuln IDs
  • V-221480
  • V-64419
Rule IDs
  • SV-221480r961038_rule
  • SV-78909
A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.
Checks: C-23195r881050_chk

1. As required, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that requires an SSL-enabled "&lt;VirtualHost&gt;" directive. Note: Does not apply to admin.conf. 2. Search for the following directive at the OHS server, virtual host, and/or directory configuration scopes: "SSLEngine" "SSLProtocol" "SSLWallet" 3. If any of these directives are omitted, this is a finding. 4. If "SSLEngine" is not set to "On", or "SSLProtocol" is not set to "TLSv1.2", this is a finding. 5. Validate that the folder specified in the "SSLWallet" directive exists. If the folder does not exist or contain a valid wallet, this is a finding.

Fix: F-23184r881051_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf. 2a. Search for the "SSLEngine" directive at the OHS server, virtual host, and/or directory configuration scopes. 2b. Set the "SSLEngine" directive to "On"; add the directive if it does not exist. 3a. Search for the "SSLProtocol" directive at the OHS server configuration, virtual host, and/or directory levels. 3b. Set the "SSLProtocol" directive to "TLSv1.2"; add the directive if it does not exist. 4a. Search for the "SSLWallet" directive at the OHS server configuration, virtual host, and/or directory levels. 4b. Set the "SSLWallet" directive to the location (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES Encryption (-compat_v12 parameters) that contains only the identity certificate for the host and DoD Certificate Authorities; add the directive if it does not exist.

b
OHS must have the SSLCipherSuite directive enabled to perform RFC 5280-compliant certification path validation.
IA-5 - Medium - CCI-000185 - V-221481 - SV-221481r961038_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000185
Version
OH12-1X-000247
Vuln IDs
  • V-221481
  • V-64421
Rule IDs
  • SV-221481r961038_rule
  • SV-78911
A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.
Checks: C-23196r415126_chk

1. As required, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that requires an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes. 3. If the directive is omitted or set improperly, this is a finding.

Fix: F-23185r415127_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. 2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes. 3. Set the "SSLCipherSuite" directive to "SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,RSA_WITH_AES_128_CBC_SHA256,RSA_WITH_AES_256_CBC_SHA256,RSA_WITH_AES_128_GCM_SHA256,RSA_WITH_AES_256_GCM_SHA384,ECDHE_ECDSA_WITH_AES_128_CBC_SHA,ECDHE_ECDSA_WITH_AES_256_CBC_SHA,ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,ECDHE_RSA_WITH_AES_128_CBC_SHA,ECDHE_RSA_WITH_AES_256_CBC_SHA", add the directive if it does not exist. Note: Ciphers may be removed from the list above per the organization's requirements or if vulnerabilities are found with a specific cipher.

b
OHS must have the SSLVerifyClient directive set within each SSL-enabled VirtualHost directive to perform RFC 5280-compliant certification path validation.
IA-5 - Medium - CCI-000185 - V-221482 - SV-221482r961038_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000185
Version
OH12-1X-000248
Vuln IDs
  • V-221482
  • V-64423
Rule IDs
  • SV-221482r961038_rule
  • SV-78913
A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.
Checks: C-23197r415129_chk

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that requires an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "SSLVerifyClient" directive at the OHS server, virtual host, and/or directory configuration scopes. 3. If this directive is omitted or set improperly, this is a finding.

Fix: F-23186r415130_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. 2. Search for the "SSLVerifyClient" directive at the OHS server, virtual host, and/or directory configuration scope. 3. Set the "SSLVerifyClient" directive to "require", add the directive if it does not exist.

b
OHS must have the SSLCARevocationFile and SSLCRLCheck directives within each SSL-enabled VirtualHost directive set to perform RFC 5280-compliant certification path validation when using single certification revocation.
IA-5 - Medium - CCI-000185 - V-221483 - SV-221483r961038_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000185
Version
OH12-1X-000249
Vuln IDs
  • V-221483
  • V-64425
Rule IDs
  • SV-221483r961038_rule
  • SV-78915
A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.
Checks: C-23198r415132_chk

1. If using a single, certification revocation list file for revocation checks that is &lt; 1 MB in size, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that requires an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "SSLCARevocationFile" and "SSLCRLCheck" directives at the OHS server and virtual host configuration scopes. 3. If these directives are omitted or set improperly, this is a finding.

Fix: F-23187r415133_fix

1. Place the certificate revocation list file within the wallet directory (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/keystores). 2. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. 3. Search for the "SSLCARevocationFile" directive at the OHS server and virtual host configuration scopes. 4. Set the "SSLCARevocationFile" directive to the location (i.e., file within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the combined .crl file issued by the DoD CAs, add the directive if it does not exist. 5. Set the "SSLCRLCheck" directive to "On", add the directive if it does not exist.

b
OHS must have SSLCARevocationPath and SSLCRLCheck directives within each SSL-enabled VirtualHost directive set to perform RFC 5280-compliant certification path validation when using multiple certification revocation.
IA-5 - Medium - CCI-000185 - V-221484 - SV-221484r961038_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000185
Version
OH12-1X-000250
Vuln IDs
  • V-221484
  • V-64427
Rule IDs
  • SV-221484r961038_rule
  • SV-78917
A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.
Checks: C-23199r415135_chk

1. If using multiple certificate revocation list files for revocation checks, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that requires an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "SSLCARevocationPath" and "SSLCRLCheck" directives at the OHS server and virtual host configuration scopes. 3. If these directives are omitted or set improperly, this is a finding.

Fix: F-23188r415136_fix

1. Place the certificate revocation list files within the wallet directory (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/keystores). 2. After confirming that the Certificate Authorities that signed the certificate revocation list files are in the Oracle wallet, create the hash symbolic link files for each of the certificate revocation list files (e.g., $ORACLE_HOME/oracle_common/bin/orapki crl hash -crl $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/keystores/wallet/<my_base64.crl> -symlink $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/keystores/wallet -wallet $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/keystores/wallet). 3. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. 4. Search for the "SSLCARevocationPath" directive at the OHS server and virtual host configuration scopes. 5. Set the "SSLCARevocationPath" directive to the path (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) that contains the hash symbolic links that point to the certificate revocation list files issued by the DoD CAs that are in Base64 format; add the directive if it does not exist. 6. Set the "SSLCRLCheck" directive to "On", add the directive if it does not exist.

b
OHS must be integrated with a tool such as Oracle Access Manager to enforce a client-side certificate revocation check through the OCSP protocol.
IA-5 - Medium - CCI-000185 - V-221485 - SV-221485r961038_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000185
Version
OH12-1X-000251
Vuln IDs
  • V-221485
  • V-64429
Rule IDs
  • SV-221485r961038_rule
  • SV-78919
A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.
Checks: C-23200r415138_chk

1. Check to see if a product such as Oracle Access Manager that could be used for authentication, could also provide OCSP validation. 2. If not, this is a finding.

Fix: F-23189r415139_fix

1. Use a product such as Oracle Access Manager for authentication. 2. Implement OCSP validation within that product.

b
OHS must have the LoadModule ossl_module directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
IA-7 - Medium - CCI-000803 - V-221486 - SV-221486r961050_rule
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
OH12-1X-000253
Vuln IDs
  • V-221486
  • V-64431
Rule IDs
  • SV-221486r961050_rule
  • SV-78921
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS 140-2 is the current standard for validating cryptographic modules and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules. The web server must provide FIPS-compliant encryption modules when storing encrypted data and configuration settings.
Checks: C-23201r415141_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope. 3. If the directive is omitted, this is a finding. 4. Validate that the file specified exists. If the file does not exist, this is a finding.

Fix: F-23190r415142_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope. 3. Set the "LoadModule ossl_module" directive to ""${PRODUCT_HOME}/modules/mod_ossl.so"", add the directive if it does not exist.

b
OHS must have the SSLFIPS directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
IA-7 - Medium - CCI-000803 - V-221487 - SV-221487r961050_rule
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
OH12-1X-000254
Vuln IDs
  • V-221487
  • V-64433
Rule IDs
  • SV-221487r961050_rule
  • SV-78923
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS 140-2 is the current standard for validating cryptographic modules and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules. The web server must provide FIPS-compliant encryption modules when storing encrypted data and configuration settings.
Checks: C-23202r415144_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/ssl.conf with an editor. 2. Search for the "SSLFIPS" directive at the OHS server configuration scope. 3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-23191r415145_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor. 2. Search for the "SSLFIPS" directive at the OHS server configuration scope. 3. Set the "SSLFIPS" directive to "On", add the directive if it does not exist.

b
OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
IA-7 - Medium - CCI-000803 - V-221488 - SV-221488r961050_rule
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
OH12-1X-000255
Vuln IDs
  • V-221488
  • V-64435
Rule IDs
  • SV-221488r961050_rule
  • SV-78925
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS 140-2 is the current standard for validating cryptographic modules and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules. The web server must provide FIPS-compliant encryption modules when storing encrypted data and configuration settings.
Checks: C-23203r881053_chk

1. As required, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that requires an SSL-enabled "&lt;VirtualHost&gt;" directive. Note: Does not apply to admin.conf. 2. Search for the following directive at the OHS server, virtual host, and/or directory configuration scopes: "SSLEngine" "SSLProtocol" "SSLWallet" 3. If any of these directives are omitted, this is a finding. 4. If "SSLEngine" is not set to "On", or "SSLProtocol" is not set to "TLSv1.2", this is a finding. 5. Validate that the folder specified in the "SSLWallet" directive exists. If the folder does not exist or contain a valid wallet, this is a finding.

Fix: F-23192r881054_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf. 2a. Search for the "SSLEngine" directive at the OHS server, virtual host, and/or directory configuration scopes. 2b. Set the "SSLEngine" directive to "On"; add the directive if it does not exist. 3a. Search for the "SSLProtocol" directive at the OHS server configuration, virtual host, and/or directory levels. 3b. Set the "SSLProtocol" directive to "TLSv1.2”; add the directive if it does not exist. 4a. Search for the "SSLWallet" directive at the OHS server configuration, virtual host, and/or directory levels. 4b. Set the "SSLWallet" directive to the location (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES Encryption (-compat_v12 parameters) that contains only the identity certificate for the host and DoD Certificate Authorities; add the directive if it does not exist.

b
OHS must have the SSLCipherSuite directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
IA-7 - Medium - CCI-000803 - V-221489 - SV-221489r961050_rule
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
OH12-1X-000256
Vuln IDs
  • V-221489
  • V-64437
Rule IDs
  • SV-221489r961050_rule
  • SV-78927
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS 140-2 is the current standard for validating cryptographic modules and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules. The web server must provide FIPS-compliant encryption modules when storing encrypted data and configuration settings.
Checks: C-23204r415150_chk

1. As required, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that requires an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes. 3. If the directive is omitted or set improperly, this is a finding.

Fix: F-23193r415151_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. 2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes. 3. Set the "SSLCipherSuite" directive to "SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,RSA_WITH_AES_128_CBC_SHA256,RSA_WITH_AES_256_CBC_SHA256,RSA_WITH_AES_128_GCM_SHA256,RSA_WITH_AES_256_GCM_SHA384,ECDHE_ECDSA_WITH_AES_128_CBC_SHA,ECDHE_ECDSA_WITH_AES_256_CBC_SHA,ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,ECDHE_RSA_WITH_AES_128_CBC_SHA,ECDHE_RSA_WITH_AES_256_CBC_SHA", add the directive if it does not exist. Note: Ciphers may be removed from the list above per the organization's requirements or if vulnerabilities are found with a specific cipher.

b
OHS must have the LoadModule ossl_module directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
IA-7 - Medium - CCI-000803 - V-221490 - SV-221490r961050_rule
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
OH12-1X-000257
Vuln IDs
  • V-221490
  • V-64439
Rule IDs
  • SV-221490r961050_rule
  • SV-78929
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS 140-2 is the current standard for validating cryptographic modules and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules. The web server must provide FIPS-compliant encryption modules when authenticating users and processes.
Checks: C-23205r415153_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope. 3. If the directive is omitted, this is a finding. 4. Validate that the file specified exists. If the file does not exist, this is a finding.

Fix: F-23194r415154_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope. 3. Set the "LoadModule ossl_module" directive to ""${PRODUCT_HOME}/modules/mod_ossl.so"", add the directive if it does not exist.

b
OHS must have the SSLFIPS directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
IA-7 - Medium - CCI-000803 - V-221491 - SV-221491r961050_rule
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
OH12-1X-000258
Vuln IDs
  • V-221491
  • V-64441
Rule IDs
  • SV-221491r961050_rule
  • SV-78931
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS 140-2 is the current standard for validating cryptographic modules and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules. The web server must provide FIPS-compliant encryption modules when authenticating users and processes.
Checks: C-23206r415156_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/ssl.conf with an editor. 2. Search for the "SSLFIPS" directive at the OHS server configuration scope. 3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-23195r415157_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor. 2. Search for the "SSLFIPS" directive at the OHS server configuration scope. 3. Set the "SSLFIPS" directive to "On", add the directive if it does not exist.

b
OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
IA-7 - Medium - CCI-000803 - V-221492 - SV-221492r961050_rule
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
OH12-1X-000259
Vuln IDs
  • V-221492
  • V-64443
Rule IDs
  • SV-221492r961050_rule
  • SV-78933
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS 140-2 is the current standard for validating cryptographic modules and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules. The web server must provide FIPS-compliant encryption modules when authenticating users and processes.
Checks: C-23207r881056_chk

1. As required, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that requires an SSL-enabled "&lt;VirtualHost&gt;" directive. Note: Does not apply to admin.conf. 2. Search for the following directive at the OHS server, virtual host, and/or directory configuration scopes: "SSLEngine" "SSLProtocol" "SSLWallet" 3. If any of these directives are omitted, this is a finding. 4. If "SSLEngine" is not set to "On", or "SSLProtocol" is not set to "TLSv1.2", this is a finding. 5. Validate that the folder specified in the "SSLWallet" directive exists. If the folder does not exist or contain a valid wallet, this is a finding.

Fix: F-23196r881057_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf. 2a. Search for the "SSLEngine" directive at the OHS server, virtual host, and/or directory configuration scopes. 2b. Set the "SSLEngine" directive to "On"; add the directive if it does not exist. 3a. Search for the "SSLProtocol" directive at the OHS server configuration, virtual host, and/or directory levels. 3b. Set the "SSLProtocol" directive to "TLSv1.2"; add the directive if it does not exist. 4a. Search for the "SSLWallet" directive at the OHS server configuration, virtual host, and/or directory levels. 4b. Set the "SSLWallet" directive to the location (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES Encryption (-compat_v12 parameters) that contains only the identity certificate for the host and DoD Certificate Authorities; add the directive if it does not exist.

b
OHS must have the SSLCipherSuite directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
IA-7 - Medium - CCI-000803 - V-221493 - SV-221493r961050_rule
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
OH12-1X-000260
Vuln IDs
  • V-221493
  • V-64445
Rule IDs
  • SV-221493r961050_rule
  • SV-78935
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS 140-2 is the current standard for validating cryptographic modules and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules. The web server must provide FIPS-compliant encryption modules when authenticating users and processes.
Checks: C-23208r415162_chk

1. As required, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that requires an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes. 3. If the directive is omitted or set improperly, this is a finding.

Fix: F-23197r415163_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. 2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes. 3. Set the "SSLCipherSuite" directive to "SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,RSA_WITH_AES_128_CBC_SHA256,RSA_WITH_AES_256_CBC_SHA256,RSA_WITH_AES_128_GCM_SHA256,RSA_WITH_AES_256_GCM_SHA384,ECDHE_ECDSA_WITH_AES_128_CBC_SHA,ECDHE_ECDSA_WITH_AES_256_CBC_SHA,ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,ECDHE_RSA_WITH_AES_128_CBC_SHA,ECDHE_RSA_WITH_AES_256_CBC_SHA", add the directive if it does not exist. Note: Ciphers may be removed from the list above per the organization's requirements or if vulnerabilities are found with a specific cipher.

b
OHS utilizing mobile code must meet DoD-defined mobile code requirements.
SC-18 - Medium - CCI-001166 - V-221494 - SV-221494r961083_rule
RMF Control
SC-18
Severity
M
CCI
CCI-001166
Version
OH12-1X-000265
Vuln IDs
  • V-221494
  • V-64447
Rule IDs
  • SV-221494r961083_rule
  • SV-78937
Mobile code in hosted applications allows the developer to add functionality and displays to hosted applications that are fluid, as opposed to a static web page. The data presentation becomes more appealing to the user, is easier to analyze, and navigation through the hosted application and data is much less complicated. Some mobile code technologies in use in today's applications are: Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. The DoD has created policies that define the usage of mobile code on DoD systems. The usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on organizational servers and mobile code downloaded and executed on individual workstations. The web server may host applications that contain mobile code and therefore, must meet the DoD-defined requirements regarding the deployment and/or use of mobile code. This includes digitally signing applets in order to provide a means for the client to establish application authenticity.
Checks: C-23209r415165_chk

1. Check to see whether OHS is hosting any applications that use mobile code. 2. If so, check that the mobile code follows DoD policies regarding the acquisition, development, and/or use of mobile code. 3. If not, this is a finding.

Fix: F-23198r415166_fix

Ensure that any mobile code used by any of the applications hosted on OHS follow DoD policies regarding the acquisition, development, and/or use.

c
OHS accounts accessing the directory tree, the shell, or other operating system functions and utilities must only be administrative accounts.
SC-2 - High - CCI-001082 - V-221495 - SV-221495r961095_rule
RMF Control
SC-2
Severity
H
CCI
CCI-001082
Version
OH12-1X-000266
Vuln IDs
  • V-221495
  • V-64449
Rule IDs
  • SV-221495r961095_rule
  • SV-78939
As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server. The resources to which these accounts have access must also be closely monitored and controlled. Only the system administrator needs access to all the system's capabilities, while the web administrator and associated staff require access and control of the web content and web server configuration files.
Checks: C-23210r415168_chk

1. Get list of OS accounts, with associated privileges, from System Administrator. 2. Confirm that all accounts and privileges are needed and documented. 3. If not, this is a finding.

Fix: F-23199r415169_fix

Remove any accounts and privileges that are unnecessary for OHS to run or for other functionality provided by the server.

b
OHS must have the DocumentRoot directive set to a separate partition from the OHS system files.
SC-3 - Medium - CCI-001084 - V-221496 - SV-221496r961131_rule
RMF Control
SC-3
Severity
M
CCI
CCI-001084
Version
OH12-1X-000281
Vuln IDs
  • V-221496
  • V-64451
Rule IDs
  • SV-221496r961131_rule
  • SV-78941
A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To allow a client access to system files of any type is a major security risk that is entirely avoidable. Obtaining such access is the goal of directory traversal and URL manipulation vulnerabilities. To facilitate such access by misconfiguring the web document (home) directory is a serious error. In addition, having the path on the same drive as the system folder compounds potential attacks such as drive space exhaustion.
Checks: C-23211r415171_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding. 4. Validate that the directory specified exists. If the directory does not exist, this is a finding.

Fix: F-23200r415172_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes. 3. Set the "DocumentRoot" directive to a location that is on a separate drive from the $ORACLE_HOME and $DOMAIN_HOME directories.

b
OHS must have the Directory directive accompanying the DocumentRoot directive set to a separate partition from the OHS system files.
SC-3 - Medium - CCI-001084 - V-221497 - SV-221497r961131_rule
RMF Control
SC-3
Severity
M
CCI
CCI-001084
Version
OH12-1X-000282
Vuln IDs
  • V-221497
  • V-64453
Rule IDs
  • SV-221497r961131_rule
  • SV-78943
A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To allow a client access to system files of any type is a major security risk that is entirely avoidable. Obtaining such access is the goal of directory traversal and URL manipulation vulnerabilities. To facilitate such access by misconfiguring the web document (home) directory is a serious error. In addition, having the path on the same drive as the system folder compounds potential attacks such as drive space exhaustion.
Checks: C-23212r810870_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for a "&lt;Directory ${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/htdocs"&gt;" directive or "&lt;Directory&gt;" directive pointing to the location of the directory specified in the "DocumentRoot" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set improperly, this is a finding. 4. Validate that the directory specified exists. If the directory does not exist, this is a finding.

Fix: F-23201r810871_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for a "<Directory ${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/htdocs">" directive or "<Directory>" directive pointing to the location of the directory specified in the "DocumentRoot" directive at the OHS server and virtual host configuration scopes. 3. Set the "<Directory>" directive to the location specified in the "DocumentRoot" directive; add the directive along with appropriate enclosed directives if it does not exist.

b
OHS must have the Timeout directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SC-5 - Medium - CCI-001094 - V-221498 - SV-221498r961152_rule
RMF Control
SC-5
Severity
M
CCI
CCI-001094
Version
OH12-1X-000283
Vuln IDs
  • V-221498
  • V-64455
Rule IDs
  • SV-221498r961152_rule
  • SV-78945
A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used to limit the ability of the web server being used in a DoS attack is bandwidth throttling.
Checks: C-23213r415177_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "Timeout" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or set greater than 30, this is a finding. Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

Fix: F-23202r415178_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "Timeout" directive at the OHS server and virtual host configuration scopes. 3. Set the "Timeout" directive to a value of "30", add the directive if it does not exist. Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

b
OHS must have the KeepAlive directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SC-5 - Medium - CCI-001094 - V-221499 - SV-221499r961152_rule
RMF Control
SC-5
Severity
M
CCI
CCI-001094
Version
OH12-1X-000284
Vuln IDs
  • V-221499
  • V-64457
Rule IDs
  • SV-221499r961152_rule
  • SV-78947
A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used to limit the ability of the web server being used in a DoS attack is bandwidth throttling.
Checks: C-23214r415180_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "KeepAlive" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-23203r415181_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "KeepAlive" directive at the OHS server and virtual host configuration scopes. 3. Set the "KeepAlive" directive to a value of "On", add the directive if it does not exist.

b
OHS must have the KeepAliveTimeout properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SC-5 - Medium - CCI-001094 - V-221500 - SV-221500r961152_rule
RMF Control
SC-5
Severity
M
CCI
CCI-001094
Version
OH12-1X-000285
Vuln IDs
  • V-221500
  • V-64459
Rule IDs
  • SV-221500r961152_rule
  • SV-78949
A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used to limit the ability of the web server being used in a DoS attack is bandwidth throttling.
Checks: C-23215r415183_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "KeepAliveTimeout" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or is set greater than 5, this is a finding.

Fix: F-23204r415184_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "KeepAliveTimeout" directive at the OHS server and virtual host configuration scopes. 3. Set the "KeepAliveTimeout" directive to a value of "5", add the directive if it does not exist.

b
OHS must have the MaxKeepAliveRequests directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SC-5 - Medium - CCI-001094 - V-221501 - SV-221501r961152_rule
RMF Control
SC-5
Severity
M
CCI
CCI-001094
Version
OH12-1X-000286
Vuln IDs
  • V-221501
  • V-64461
Rule IDs
  • SV-221501r961152_rule
  • SV-78951
A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used to limit the ability of the web server being used in a DoS attack is bandwidth throttling.
Checks: C-23216r415186_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "MaxKeepAliveRequests" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or is set greater than 500, this is a finding.

Fix: F-23205r415187_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "MaxKeepAliveRequests" directive at the OHS server and virtual host configuration scopes. 3. Set the "MaxKeepAliveRequests" directive to a value of "500", add the directive if it does not exist.

b
OHS must have the ListenBacklog properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SC-5 - Medium - CCI-001094 - V-221502 - SV-221502r961152_rule
RMF Control
SC-5
Severity
M
CCI
CCI-001094
Version
OH12-1X-000287
Vuln IDs
  • V-221502
  • V-64463
Rule IDs
  • SV-221502r961152_rule
  • SV-78953
A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used to limit the ability of the web server being used in a DoS attack is bandwidth throttling.
Checks: C-23217r415189_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "ListenBacklog" directive at the OHS server configuration scope. 3. If the directive is omitted or set less than the value of the Maximum Syn Connection Backlog network parameter of the OS, this is a finding.

Fix: F-23206r415190_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "ListenBacklog" directive at the OHS server configuration scope. 3. Set the "ListenBacklog" directive to a value equal to the Maximum Syn Connection Backlog network parameter of the OS; add the directive if it does not exist.

b
OHS must have the LimitRequestBody directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SC-5 - Medium - CCI-001094 - V-221503 - SV-221503r961152_rule
RMF Control
SC-5
Severity
M
CCI
CCI-001094
Version
OH12-1X-000288
Vuln IDs
  • V-221503
  • V-64465
Rule IDs
  • SV-221503r961152_rule
  • SV-78955
A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used to limit the ability of the web server being used in a DoS attack is bandwidth throttling.
Checks: C-23218r415192_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "LimitRequestBody" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive is omitted or is set greater than 10240, this is a finding. Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

Fix: F-23207r415193_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "LimitRequestBody" directive at the OHS server, virtual host, and directory configuration scopes. 3. Set the "LimitRequestBody" directive to a value of "10240", add the directive if it does not exist. Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

b
OHS must have the LimitRequestFields directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SC-5 - Medium - CCI-001094 - V-221504 - SV-221504r961152_rule
RMF Control
SC-5
Severity
M
CCI
CCI-001094
Version
OH12-1X-000289
Vuln IDs
  • V-221504
  • V-64467
Rule IDs
  • SV-221504r961152_rule
  • SV-78957
A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used to limit the ability of the web server being used in a DoS attack is bandwidth throttling.
Checks: C-23219r415195_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "LimitRequestFields" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or is set greater than 40, this is a finding. Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

Fix: F-23208r415196_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "LimitRequestFields" directive at the OHS server and virtual host configuration scopes. 3. Set the "LimitRequestFields" directive to a value of "40", add the directive if it does not exist. Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

b
OHS must have the LimitRequestFieldSize directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SC-5 - Medium - CCI-001094 - V-221505 - SV-221505r961152_rule
RMF Control
SC-5
Severity
M
CCI
CCI-001094
Version
OH12-1X-000290
Vuln IDs
  • V-221505
  • V-64469
Rule IDs
  • SV-221505r961152_rule
  • SV-78959
A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used to limit the ability of the web server being used in a DoS attack is bandwidth throttling.
Checks: C-23220r415198_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "LimitRequestFieldSize" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or is set greater than 1024, this is a finding. Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

Fix: F-23209r415199_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "LimitRequestFieldSize" directive at the OHS server and virtual host configuration scopes. 3. Set the "LimitRequestFieldSize" directive to a value of "1024", add the directive if it does not exist. Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

b
OHS must have the LimitRequestLine directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SC-5 - Medium - CCI-001094 - V-221506 - SV-221506r961152_rule
RMF Control
SC-5
Severity
M
CCI
CCI-001094
Version
OH12-1X-000291
Vuln IDs
  • V-221506
  • V-64471
Rule IDs
  • SV-221506r961152_rule
  • SV-78961
A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used to limit the ability of the web server being used in a DoS attack is bandwidth throttling.
Checks: C-23221r415201_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "LimitRequestLine" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or is set greater than 512, this is a finding. Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

Fix: F-23210r415202_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "LimitRequestLine" directive at the OHS server and virtual host configuration scopes. 3. Set the "LimitRequestLine" directive to a value of "512", add the directive if it does not exist. Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

b
OHS must have the LimitXMLRequestBody directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SC-5 - Medium - CCI-001094 - V-221507 - SV-221507r961152_rule
RMF Control
SC-5
Severity
M
CCI
CCI-001094
Version
OH12-1X-000292
Vuln IDs
  • V-221507
  • V-64473
Rule IDs
  • SV-221507r961152_rule
  • SV-78963
A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used to limit the ability of the web server being used in a DoS attack is bandwidth throttling.
Checks: C-23222r415204_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "LimitXMLRequestBody" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or is set greater than 10240, this is a finding. Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

Fix: F-23211r415205_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "LimitXMLRequestBody" directive at the OHS server and virtual host configuration scopes. 3. Set the "LimitXMLRequestBody" directive to a value of "10240", add the directive if it does not exist. Note: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of a higher value.

b
OHS must have the LimitInternalRecursion directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SC-5 - Medium - CCI-001094 - V-221508 - SV-221508r961152_rule
RMF Control
SC-5
Severity
M
CCI
CCI-001094
Version
OH12-1X-000293
Vuln IDs
  • V-221508
  • V-64475
Rule IDs
  • SV-221508r961152_rule
  • SV-78965
A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for proper operation. An example setting that could be used to limit the ability of the web server being used in a DoS attack is bandwidth throttling.
Checks: C-23223r415207_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "LimitInternalRecursion" directive at the server, virtual host, and directory configuration scopes. 3. If the "LimitInternalRecursion" directive is omitted or is set greater than 55, this is a finding.

Fix: F-23212r415208_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "LimitInternalRecursion" directive at the server and virtual host configuration scopes. 3. Set the "LimitInternalRecursion" directive to "55", add the directive if it does not exist.

b
OHS must have the LoadModule ossl_module directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
SC-23 - Medium - CCI-002470 - V-221513 - SV-221513r965407_rule
RMF Control
SC-23
Severity
M
CCI
CCI-002470
Version
OH12-1X-000298
Vuln IDs
  • V-221513
  • V-64517
Rule IDs
  • SV-221513r965407_rule
  • SV-79007
Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security controls and identity vetting procedures risk being compromised and issuing certificates that enable adversaries to impersonate legitimate users.
Checks: C-23228r415218_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope. 3. If the directive is omitted, this is a finding. 4. Validate that the file specified exists. If the file does not exist, this is a finding.

Fix: F-23217r415219_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope. 3. Set the "LoadModule ossl_module" directive to ""${PRODUCT_HOME}/modules/mod_ossl.so"", add the directive if it does not exist.

b
OHS must have the SSLFIPS directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
SC-23 - Medium - CCI-002470 - V-221514 - SV-221514r965407_rule
RMF Control
SC-23
Severity
M
CCI
CCI-002470
Version
OH12-1X-000299
Vuln IDs
  • V-221514
  • V-64519
Rule IDs
  • SV-221514r965407_rule
  • SV-79009
Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security controls and identity vetting procedures risk being compromised and issuing certificates that enable adversaries to impersonate legitimate users.
Checks: C-23229r415221_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/ssl.conf with an editor. 2. Search for the "SSLFIPS" directive at the OHS server configuration scope. 3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-23218r415222_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor. 2. Search for the "SSLFIPS" directive at the OHS server configuration scope. 3. Set the "SSLFIPS" directive to "On", add the directive if it does not exist.

b
OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
SC-23 - Medium - CCI-002470 - V-221515 - SV-221515r965407_rule
RMF Control
SC-23
Severity
M
CCI
CCI-002470
Version
OH12-1X-000300
Vuln IDs
  • V-221515
  • V-64521
Rule IDs
  • SV-221515r965407_rule
  • SV-79011
Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security controls and identity vetting procedures risk being compromised and issuing certificates that enable adversaries to impersonate legitimate users.
Checks: C-23230r881059_chk

1. As required, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that requires an SSL-enabled "&lt;VirtualHost&gt;" directive. Note: Does not apply to admin.conf. 2. Search for the following directive at the OHS server, virtual host, and/or directory configuration scopes: "SSLEngine" "SSLProtocol" "SSLWallet" 3. If any of these directives are omitted, this is a finding. 4. If "SSLEngine" is not set to "on", or "SSLProtocol" is not set to TLSv1.2, this is a finding. 5. Validate that the folder specified in the "SSLWallet" directive exists. If the folder does not exist or contain a valid wallet, this is a finding.

Fix: F-23219r881060_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf. 2a. Search for the "SSLEngine" directive at the OHS server, virtual host, and/or directory configuration scopes. 2b. Set the "SSLEngine" directive to "On"; add the directive if it does not exist. 3a. Search for the "SSLProtocol" directive at the OHS server configuration, virtual host, and/or directory levels. 3b. Set the "SSLProtocol" directive to "TLSv1.2"; add the directive if it does not exist. 4a. Search for the "SSLWallet" directive at the OHS server configuration, virtual host, and/or directory levels. 4b. Set the "SSLWallet" directive to the location (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES Encryption (-compat_v12 parameters) that contains only the identity certificate for the host and DoD Certificate Authorities, add the directive if it does not exist.

b
OHS must have the SSLCipherSuite directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
SC-23 - Medium - CCI-002470 - V-221516 - SV-221516r965407_rule
RMF Control
SC-23
Severity
M
CCI
CCI-002470
Version
OH12-1X-000301
Vuln IDs
  • V-221516
  • V-64523
Rule IDs
  • SV-221516r965407_rule
  • SV-79013
Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security controls and identity vetting procedures risk being compromised and issuing certificates that enable adversaries to impersonate legitimate users.
Checks: C-23231r415227_chk

1. As required, open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that requires an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes. 3. If the directive is omitted or set improperly, this is a finding.

Fix: F-23220r415228_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. 2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes. 3. Set the "SSLCipherSuite" directive to "SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,RSA_WITH_AES_128_CBC_SHA256,RSA_WITH_AES_256_CBC_SHA256,RSA_WITH_AES_128_GCM_SHA256,RSA_WITH_AES_256_GCM_SHA384,ECDHE_ECDSA_WITH_AES_128_CBC_SHA,ECDHE_ECDSA_WITH_AES_256_CBC_SHA,ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,ECDHE_RSA_WITH_AES_128_CBC_SHA,ECDHE_RSA_WITH_AES_256_CBC_SHA", add the directive if it does not exist. Note: Ciphers may be removed from the list above per the organization's requirements or if vulnerabilities are found with a specific cipher.

b
OHS must have the SSLVerifyClient directive enabled to only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
SC-23 - Medium - CCI-002470 - V-221517 - SV-221517r965407_rule
RMF Control
SC-23
Severity
M
CCI
CCI-002470
Version
OH12-1X-000302
Vuln IDs
  • V-221517
  • V-64525
Rule IDs
  • SV-221517r965407_rule
  • SV-79015
Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security controls and identity vetting procedures risk being compromised and issuing certificates that enable adversaries to impersonate legitimate users.
Checks: C-23232r415230_chk

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that requires an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "SSLVerifyClient" directive at the OHS server, virtual host, and/or directory configuration scopes. 3. If this directive is omitted or is not set to "require", this is a finding.

Fix: F-23221r415231_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. 2. Search for the "SSLVerifyClient" directive at the OHS server, virtual host, and/or directory configuration scope. 3. Set the "SSLVerifyClient" directive to "require", add the directive if it does not exist.

b
OHS must use wallets that have only DoD certificate authorities defined.
SC-23 - Medium - CCI-002470 - V-221518 - SV-221518r965407_rule
RMF Control
SC-23
Severity
M
CCI
CCI-002470
Version
OH12-1X-000303
Vuln IDs
  • V-221518
  • V-64527
Rule IDs
  • SV-221518r965407_rule
  • SV-79017
Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security controls and identity vetting procedures risk being compromised and issuing certificates that enable adversaries to impersonate legitimate users.
Checks: C-23233r415233_chk

1. Go to the location of the OHS keystores (e.g., cd $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/keystores). 2. For each wallet directory located there, do the following: a) Issue the command "$ORACLE_HOME/oracle_common/bin/orapki wallet display -wallet &lt;wallet_directory&gt;". b) Confirm that only the appropriate DoD Certificate Authorities are listed as Trusted Certificates. 3. If any of the Trusted Certificates are not appropriate DoD Certificate Authorities, this is a finding.

Fix: F-23222r415234_fix

1. Go to the location of the OHS keystores (e.g., cd $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/keystores). 2. For each wallet directory located there, do the following: a) Issue the command "$ORACLE_HOME/oracle_common/bin/orapki wallet display -wallet <wallet_directory>". b) Remove each Trusted Certificate from the wallet that is not an appropriate DoD Certificate Authority with the command "$ORACLE_HOME/oracle_common/bin/orapki wallet remove -wallet <wallet_directory> -dn <dn_of_the_trusted_certificate> -trusted_cert".

b
OHS must be tuned to handle the operational requirements of the hosted application.
SC-5 - Medium - CCI-002385 - V-221519 - SV-221519r961620_rule
RMF Control
SC-5
Severity
M
CCI
CCI-002385
Version
OH12-1X-000307
Vuln IDs
  • V-221519
  • V-64529
Rule IDs
  • SV-221519r961620_rule
  • SV-79019
A Denial of Service (DoS) can occur when the web server is so overwhelmed that it can no longer respond to additional requests. A web server not properly tuned may become overwhelmed and cause a DoS condition even with expected traffic from users. To avoid a DoS, the web server must be tuned to handle the expected traffic for the hosted applications.
Checks: C-23234r415236_chk

1. Check to see if the following directives have been set appropriately for the server and application: MaxClients MPM Module -worker (StartServers, MinSpareThreads, MaxSpareThreads, ThreadsPerChild) Timeout KeepAlive KeepAliveTimeout MaxKeepAliveRequests ListenBacklog LimitRequestBody LimitRequestFields LimitRequestFieldSize LimitRequestLine LimitXMLRequestBody LimitInternalRecursion 2. If the above directives have not been set to address the specific needs of the web server and applications, this is a finding.

Fix: F-23223r415237_fix

Set the following directives appropriately for the server and application: MaxClients MPM Module -worker (StartServers, MinSpareThreads, MaxSpareThreads, ThreadsPerChild) Timeout KeepAlive KeepAliveTimeout MaxKeepAliveRequests ListenBacklog LimitRequestBody LimitRequestFields LimitRequestFieldSize LimitRequestLine LimitXMLRequestBody LimitInternalRecursion

c
OHS must have the LoadModule ossl_module directive enabled to prevent unauthorized disclosure of information during transmission.
SC-8 - High - CCI-002418 - V-221520 - SV-221520r961632_rule
RMF Control
SC-8
Severity
H
CCI
CCI-002418
Version
OH12-1X-000308
Vuln IDs
  • V-221520
  • V-64541
Rule IDs
  • SV-221520r961632_rule
  • SV-79031
Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). Transmission of data can take place between the web server and a large number of devices/applications external to the web server. Examples are a web client used by a user, a backend database, an audit server, or other web servers in a web cluster. If data is transmitted unencrypted, the data then becomes vulnerable to disclosure. The disclosure may reveal user identifier/password combinations, website code revealing business logic, or other user personal information.
Checks: C-23235r415239_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope. 3. If the directive is omitted, this is a finding. 4. Validate that the file specified exists. If the file does not exist, this is a finding.

Fix: F-23224r415240_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope. 3. Set the "LoadModule ossl_module" directive to ""${PRODUCT_HOME}/modules/mod_ossl.so"", add the directive if it does not exist.

c
OHS must have the SSLFIPS directive enabled to prevent unauthorized disclosure of information during transmission.
SC-8 - High - CCI-002418 - V-221521 - SV-221521r961632_rule
RMF Control
SC-8
Severity
H
CCI
CCI-002418
Version
OH12-1X-000309
Vuln IDs
  • V-221521
  • V-64543
Rule IDs
  • SV-221521r961632_rule
  • SV-79033
Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). Transmission of data can take place between the web server and a large number of devices/applications external to the web server. Examples are a web client used by a user, a backend database, an audit server, or other web servers in a web cluster. If data is transmitted unencrypted, the data then becomes vulnerable to disclosure. The disclosure may reveal user identifier/password combinations, website code revealing business logic, or other user personal information.
Checks: C-23236r415242_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/ssl.conf with an editor. 2. Search for the "SSLFIPS" directive at the OHS server configuration scope. 3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-23225r415243_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor. 2. Search for the "SSLFIPS" directive at the OHS server configuration scope. 3. Set the "SSLFIPS" directive to "On", add the directive if it does not exist.

c
OHS must have the SSLEngine, SSLProtocol, SSLWallet directives enabled and configured to prevent unauthorized disclosure of information during transmission.
SC-8 - High - CCI-002418 - V-221522 - SV-221522r961632_rule
RMF Control
SC-8
Severity
H
CCI
CCI-002418
Version
OH12-1X-000310
Vuln IDs
  • V-221522
  • V-64545
Rule IDs
  • SV-221522r961632_rule
  • SV-79035
Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). Transmission of data can take place between the web server and a large number of devices/applications external to the web server. Examples are a web client used by a user, a backend database, an audit server, or other web servers in a web cluster. If data is transmitted unencrypted, the data then becomes vulnerable to disclosure. The disclosure may reveal user identifier/password combinations, website code revealing business logic, or other user personal information.
Checks: C-23237r881062_chk

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that requires an SSL-enabled "&lt;VirtualHost&gt;" directive. Note: Does not apply to admin.conf. 2. Search for the following directive at the OHS server, virtual host, and/or directory configuration scopes: "SSLEngine" "SSLProtocol" "SSLWallet" 3. If any of these directives are omitted, this is a finding. 4. If "SSLEngine" is not set to "On", or "SSLProtocol" is not set to "TLSv1.2", this is a finding. 5. Validate that the folder specified in the "SSLWallet" directive exists. If the folder does not exist or contain a valid wallet, this is a finding.

Fix: F-23226r881063_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf. 2a. Search for the "SSLEngine" directive at the OHS server, virtual host, and/or directory configuration scopes. 2b. Set the "SSLEngine" directive to "On"; add the directive if it does not exist. 3a. Search for the "SSLProtocol" directive at the OHS server configuration, virtual host, and/or directory levels. 3b. Set the "SSLProtocol" directive to "TLSv1.2"; add the directive if it does not exist. 4a. Search for the "SSLWallet" directive at the OHS server configuration, virtual host, and/or directory levels. 4b. Set the "SSLWallet" directive to the location (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES Encryption (-compat_v12 parameters) that contains only the identity certificate for the host and DoD Certificate Authorities, add the directive if it does not exist.

c
OHS must have the SSLCipherSuite directive enabled to prevent unauthorized disclosure of information during transmission.
SC-8 - High - CCI-002418 - V-221523 - SV-221523r961632_rule
RMF Control
SC-8
Severity
H
CCI
CCI-002418
Version
OH12-1X-000311
Vuln IDs
  • V-221523
  • V-64547
Rule IDs
  • SV-221523r961632_rule
  • SV-79037
Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). Transmission of data can take place between the web server and a large number of devices/applications external to the web server. Examples are a web client used by a user, a backend database, an audit server, or other web servers in a web cluster. If data is transmitted unencrypted, the data then becomes vulnerable to disclosure. The disclosure may reveal user identifier/password combinations, website code revealing business logic, or other user personal information.
Checks: C-23238r415248_chk

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that requires an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes. 3. If the directive is omitted or set improperly, this is a finding.

Fix: F-23227r415249_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. 2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes. 3. Set the "SSLCipherSuite" directive to "SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,RSA_WITH_AES_128_CBC_SHA256,RSA_WITH_AES_256_CBC_SHA256,RSA_WITH_AES_128_GCM_SHA256,RSA_WITH_AES_256_GCM_SHA384,ECDHE_ECDSA_WITH_AES_128_CBC_SHA,ECDHE_ECDSA_WITH_AES_256_CBC_SHA,ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,ECDHE_RSA_WITH_AES_128_CBC_SHA,ECDHE_RSA_WITH_AES_256_CBC_SHA", add the directive if it does not exist. Note: Ciphers may be removed from the list above per the organization's requirements or if vulnerabilities are found with a specific cipher.

b
If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the SecureProxy directive enabled to prevent unauthorized disclosure of information during transmission.
SC-8 - Medium - CCI-002418 - V-221524 - SV-221524r961632_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002418
Version
OH12-1X-000312
Vuln IDs
  • V-221524
  • V-64549
Rule IDs
  • SV-221524r961632_rule
  • SV-79039
Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). Transmission of data can take place between the web server and a large number of devices/applications external to the web server. Examples are a web client used by a user, a backend database, an audit server, or other web servers in a web cluster. If data is transmitted unencrypted, the data then becomes vulnerable to disclosure. The disclosure may reveal user identifier/password combinations, website code revealing business logic, or other user personal information.
Checks: C-23239r415251_chk

If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL: 1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that contains an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "SecureProxy" directive within an "&lt;IfModule weblogic_module&gt;" at the virtual host configuration scope. 3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-23228r415252_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that contains an SSL-enabled "<VirtualHost>" directive. 2. Search for the "SecureProxy" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope. 3. Set the "SecureProxy" directive to "On", add the directive if it does not exist.

b
OHS must have the WLSSLWallet directive enabled to prevent unauthorized disclosure of information during transmission.
SC-8 - Medium - CCI-002418 - V-221525 - SV-221525r961632_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002418
Version
OH12-1X-000313
Vuln IDs
  • V-221525
  • V-64551
Rule IDs
  • SV-221525r961632_rule
  • SV-79041
Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). Transmission of data can take place between the web server and a large number of devices/applications external to the web server. Examples are a web client used by a user, a backend database, an audit server, or other web servers in a web cluster. If data is transmitted unencrypted, the data then becomes vulnerable to disclosure. The disclosure may reveal user identifier/password combinations, website code revealing business logic, or other user personal information.
Checks: C-23240r415254_chk

If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL: 1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that contains an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "WLSSLWallet" directive within an "&lt;IfModule weblogic_module&gt;" at the virtual host configuration scope. 3. If the directive is omitted or is not set to a valid wallet folder, this is a finding.

Fix: F-23229r415255_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that contains an SSL-enabled "<VirtualHost>" directive. 2. Search for the "WLSSLWallet" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope. 3. Set the "WLSSLWallet" directive to the location (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES Encryption (-compat_v12 parameters) that contains the certificate chain served by the WebLogic host/port combination, add the directive if it does not exist.

b
If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the WebLogicSSLVersion directive enabled to prevent unauthorized disclosure of information during transmission.
SC-8 - Medium - CCI-002418 - V-221526 - SV-221526r961632_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002418
Version
OH12-1X-000314
Vuln IDs
  • V-221526
  • V-64553
Rule IDs
  • SV-221526r961632_rule
  • SV-79043
Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). Transmission of data can take place between the web server and a large number of devices/applications external to the web server. Examples are a web client used by a user, a backend database, an audit server, or other web servers in a web cluster. If data is transmitted unencrypted, the data then becomes vulnerable to disclosure. The disclosure may reveal user identifier/password combinations, website code revealing business logic, or other user personal information.
Checks: C-23241r881065_chk

If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL: 1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that contains an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "WebLogicSSLVersion" directive within an "&lt;IfModule weblogic_module&gt;" at the virtual host configuration scope. 3. If the directive is omitted or is not set to "TLSv1.2", this is a finding.

Fix: F-23230r881066_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that contains an SSL-enabled "<VirtualHost>" directive. 2. Search for the "WebLogicSSLVersion" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope. 3. Set the "WebLogicSSLVersion" directive to "TLSv1_2", add the directive if it does not exist.

b
If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS, OHS must have the WLProxySSL directive enabled to prevent unauthorized disclosure of information during transmission.
SC-8 - Medium - CCI-002418 - V-221527 - SV-221527r961632_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002418
Version
OH12-1X-000315
Vuln IDs
  • V-221527
  • V-64555
Rule IDs
  • SV-221527r961632_rule
  • SV-79045
Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). Transmission of data can take place between the web server and a large number of devices/applications external to the web server. Examples are a web client used by a user, a backend database, an audit server, or other web servers in a web cluster. If data is transmitted unencrypted, the data then becomes vulnerable to disclosure. The disclosure may reveal user identifier/password combinations, website code revealing business logic, or other user personal information.
Checks: C-23242r415260_chk

If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS: 1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that contains an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "WLProxySSL" directive within an "&lt;IfModule weblogic_module&gt;" at the virtual host configuration scope. 3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-23231r415261_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that contains an SSL-enabled "<VirtualHost>" directive. 2. Search for the "WLProxySSL" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope. 3. Set the "WLProxySSL" directive to "On", add the directive if it does not exist.

b
OHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
SC-8 - Medium - CCI-002418 - V-221528 - SV-221528r961632_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002418
Version
OH12-1X-000320
Vuln IDs
  • V-221528
  • V-64557
Rule IDs
  • SV-221528r961632_rule
  • SV-79047
Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 defines the approved TLS versions for government applications.
Checks: C-23243r415263_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope. 3. If the directive is omitted, this is a finding. 4. Validate that the file specified exists. If the file does not exist, this is a finding.

Fix: F-23232r415264_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope. 3. Set the "LoadModule ossl_module" directive to ""${PRODUCT_HOME}/modules/mod_ossl.so"", add the directive if it does not exist.

b
OHS must have the SSLFIPS directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
SC-8 - Medium - CCI-002418 - V-221529 - SV-221529r961632_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002418
Version
OH12-1X-000321
Vuln IDs
  • V-221529
  • V-64559
Rule IDs
  • SV-221529r961632_rule
  • SV-79049
Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 defines the approved TLS versions for government applications.
Checks: C-23244r415266_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/ssl.conf with an editor. 2. Search for the "SSLFIPS" directive at the OHS server configuration scope. 3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-23233r415267_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor. 2. Search for the "SSLFIPS" directive at the OHS server configuration scope. 3. Set the "SSLFIPS" directive to "On", add the directive if it does not exist.

b
OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
SC-8 - Medium - CCI-002418 - V-221530 - SV-221530r961632_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002418
Version
OH12-1X-000322
Vuln IDs
  • V-221530
  • V-64561
Rule IDs
  • SV-221530r961632_rule
  • SV-79051
Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 defines the approved TLS versions for government applications.
Checks: C-23245r881068_chk

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that requires an SSL-enabled "&lt;VirtualHost&gt;" directive. Note: Does not apply to admin.conf. 2. Search for the following directive at the OHS server, virtual host, and/or directory configuration scopes: "SSLEngine" "SSLProtocol" "SSLWallet" 3. If any of these directives are omitted, this is a finding. 4. If "SSLEngine" is not set to "On", or "SSLProtocol" is not set to "TLSv1.2", this is a finding. 5. Validate that the folder specified in the "SSLWallet" directive exists. If the folder does not exist or contain a valid wallet, this is a finding.

Fix: F-23234r881069_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf. 2a. Search for the "SSLEngine" directive at the OHS server, virtual host, and/or directory configuration scopes. 2b. Set the "SSLEngine" directive to "On"; add the directive if it does not exist. 3a. Search for the "SSLProtocol" directive at the OHS server configuration, virtual host, and/or directory levels. 3b. Set the "SSLProtocol" directive to "TLSv1.2"; add the directive if it does not exist. 4a. Search for the "SSLWallet" directive at the OHS server configuration, virtual host, and/or directory levels. 4b. Set the "SSLWallet" directive to the location (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES Encryption (-compat_v12 parameters) that contains only the identity certificate for the host and DoD Certificate Authorities, add the directive if it does not exist.

b
OHS must have the SSLCipherSuite directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
SC-8 - Medium - CCI-002418 - V-221531 - SV-221531r961632_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002418
Version
OH12-1X-000323
Vuln IDs
  • V-221531
  • V-64563
Rule IDs
  • SV-221531r961632_rule
  • SV-79053
Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 defines the approved TLS versions for government applications.
Checks: C-23246r415272_chk

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that requires an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes. 3. If the directive is omitted or set improperly, this is a finding.

Fix: F-23235r415273_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. 2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes. 3. Set the "SSLCipherSuite" directive to "SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,RSA_WITH_AES_128_CBC_SHA256,RSA_WITH_AES_256_CBC_SHA256,RSA_WITH_AES_128_GCM_SHA256,RSA_WITH_AES_256_GCM_SHA384,ECDHE_ECDSA_WITH_AES_128_CBC_SHA,ECDHE_ECDSA_WITH_AES_256_CBC_SHA,ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,ECDHE_RSA_WITH_AES_128_CBC_SHA,ECDHE_RSA_WITH_AES_256_CBC_SHA", add the directive if it does not exist. Note: Ciphers may be removed from the list above per the organization's requirements or if vulnerabilities are found with a specific cipher.

b
OHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
SC-8 - Medium - CCI-002420 - V-221532 - SV-221532r961638_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002420
Version
OH12-1X-000324
Vuln IDs
  • V-221532
  • V-64565
Rule IDs
  • SV-221532r961638_rule
  • SV-79055
Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. An example of this would be an SMTP queue. This queue may be added to a web server through an SMTP module to enhance error reporting or to allow developers to add SMTP functionality to their applications. Any modules used by the web server that queue data before transmission must maintain the confidentiality and integrity of the information before the data is transmitted.
Checks: C-23247r415275_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope. 3. If the directive is omitted, this is a finding. 4. Validate that the file specified exists. If the file does not exist, this is a finding.

Fix: F-23236r415276_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope. 3. Set the "LoadModule ossl_module" directive to ""${PRODUCT_HOME}/modules/mod_ossl.so"", add the directive if it does not exist.

b
OHS must have the SSLFIPS directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
SC-8 - Medium - CCI-002420 - V-221533 - SV-221533r961638_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002420
Version
OH12-1X-000325
Vuln IDs
  • V-221533
  • V-64567
Rule IDs
  • SV-221533r961638_rule
  • SV-79057
Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. An example of this would be an SMTP queue. This queue may be added to a web server through an SMTP module to enhance error reporting or to allow developers to add SMTP functionality to their applications. Any modules used by the web server that queue data before transmission must maintain the confidentiality and integrity of the information before the data is transmitted.
Checks: C-23248r415278_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/ssl.conf with an editor. 2. Search for the "SSLFIPS" directive at the OHS server configuration scope. 3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-23237r415279_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor. 2. Search for the "SSLFIPS" directive at the OHS server configuration scope. 3. Set the "SSLFIPS" directive to "On", add the directive if it does not exist.

b
OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality and integrity of information during preparation for transmission.
SC-8 - Medium - CCI-002420 - V-221534 - SV-221534r961638_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002420
Version
OH12-1X-000326
Vuln IDs
  • V-221534
  • V-64569
Rule IDs
  • SV-221534r961638_rule
  • SV-79059
Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. An example of this would be an SMTP queue. This queue may be added to a web server through an SMTP module to enhance error reporting or to allow developers to add SMTP functionality to their applications. Any modules used by the web server that queue data before transmission must maintain the confidentiality and integrity of the information before the data is transmitted.
Checks: C-23249r881071_chk

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that requires an SSL-enabled "&lt;VirtualHost&gt;" directive. Note: Does not apply to admin.conf. 2. Search for the following directive at the OHS server, virtual host, and/or directory configuration scopes: "SSLEngine" "SSLProtocol" "SSLWallet" 3. If any of these directives are omitted, this is a finding. 4. If "SSLEngine" is not set to "On", or "SSLProtocol" is not set to "TLSv1.2", this is a finding. 5. Validate that the folder specified in the "SSLWallet" directive exists. If the folder does not exist or contain a valid wallet, this is a finding.

Fix: F-23238r881072_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf. 2a. Search for the "SSLEngine" directive at the OHS server, virtual host, and/or directory configuration scopes. 2b. Set the "SSLEngine" directive to "On"; add the directive if it does not exist. 3a. Search for the "SSLProtocol" directive at the OHS server configuration, virtual host, and/or directory levels. 3b. Set the "SSLProtocol" directive to "TLSv1.2"; add the directive if it does not exist. 4a. Search for the "SSLWallet" directive at the OHS server configuration, virtual host, and/or directory levels. 4b. Set the "SSLWallet" directive to the location (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES Encryption (-compat_v12 parameters) that contains only the identity certificate for the host and DoD Certificate Authorities, add the directive if it does not exist.

b
OHS must have the SSLCipherSuite directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
SC-8 - Medium - CCI-002420 - V-221535 - SV-221535r961638_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002420
Version
OH12-1X-000327
Vuln IDs
  • V-221535
  • V-64571
Rule IDs
  • SV-221535r961638_rule
  • SV-79061
Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. An example of this would be an SMTP queue. This queue may be added to a web server through an SMTP module to enhance error reporting or to allow developers to add SMTP functionality to their applications. Any modules used by the web server that queue data before transmission must maintain the confidentiality and integrity of the information before the data is transmitted.
Checks: C-23250r415284_chk

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that requires an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes. 3. If the directive is omitted or set improperly, this is a finding.

Fix: F-23239r415285_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. 2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes. 3. Set the "SSLCipherSuite" directive to "SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,RSA_WITH_AES_128_CBC_SHA256,RSA_WITH_AES_256_CBC_SHA256,RSA_WITH_AES_128_GCM_SHA256,RSA_WITH_AES_256_GCM_SHA384,ECDHE_ECDSA_WITH_AES_128_CBC_SHA,ECDHE_ECDSA_WITH_AES_256_CBC_SHA,ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,ECDHE_RSA_WITH_AES_128_CBC_SHA,ECDHE_RSA_WITH_AES_256_CBC_SHA", add the directive if it does not exist. Note: Ciphers may be removed from the list above per the organization's requirements or if vulnerabilities are found with a specific cipher.

b
If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the SecureProxy directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
SC-8 - Medium - CCI-002420 - V-221536 - SV-221536r961638_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002420
Version
OH12-1X-000328
Vuln IDs
  • V-221536
  • V-64573
Rule IDs
  • SV-221536r961638_rule
  • SV-79063
Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. An example of this would be an SMTP queue. This queue may be added to a web server through an SMTP module to enhance error reporting or to allow developers to add SMTP functionality to their applications. Any modules used by the web server that queue data before transmission must maintain the confidentiality and integrity of the information before the data is transmitted.
Checks: C-23251r415287_chk

If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL: 1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that contains an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "SecureProxy" directive within an "&lt;IfModule weblogic_module&gt;" at the virtual host configuration scope. 3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-23240r415288_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that contains an SSL-enabled "<VirtualHost>" directive. 2. Search for the "SecureProxy" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope. 3. Set the "SecureProxy" directive to "On", add the directive if it does not exist.

b
If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the WLSSLWallet directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
SC-8 - Medium - CCI-002420 - V-221537 - SV-221537r961638_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002420
Version
OH12-1X-000329
Vuln IDs
  • V-221537
  • V-64575
Rule IDs
  • SV-221537r961638_rule
  • SV-79065
Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. An example of this would be an SMTP queue. This queue may be added to a web server through an SMTP module to enhance error reporting or to allow developers to add SMTP functionality to their applications. Any modules used by the web server that queue data before transmission must maintain the confidentiality and integrity of the information before the data is transmitted.
Checks: C-23252r415290_chk

If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL: 1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that contains an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "WLSSLWallet" directive within an "&lt;IfModule weblogic_module&gt;" at the virtual host configuration scope. 3. If the directive is omitted or is not set to a valid wallet folder, this is a finding.

Fix: F-23241r415291_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that contains an SSL-enabled "<VirtualHost>" directive. 2. Search for the "WLSSLWallet" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope. 3. Set the "WLSSLWallet" directive to the location (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES Encryption (-compat_v12 parameters) that contains the certificate chain served by the WebLogic host/port combination, add the directive if it does not exist.

b
If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS, OHS must have the WLSProxySSL directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
SC-8 - Medium - CCI-002420 - V-221538 - SV-221538r961638_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002420
Version
OH12-1X-000330
Vuln IDs
  • V-221538
  • V-64577
Rule IDs
  • SV-221538r961638_rule
  • SV-79067
Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. An example of this would be an SMTP queue. This queue may be added to a web server through an SMTP module to enhance error reporting or to allow developers to add SMTP functionality to their applications. Any modules used by the web server that queue data before transmission must maintain the confidentiality and integrity of the information before the data is transmitted.
Checks: C-23253r415293_chk

If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS: 1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that contains an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "WLProxySSL" directive within an "&lt;IfModule weblogic_module&gt;" at the virtual host configuration scope. 3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-23242r415294_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that contains an SSL-enabled "<VirtualHost>" directive. 2. Search for the "WLProxySSL" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope. 3. Set the "WLProxySSL" directive to "On", add the directive if it does not exist.

b
OHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality and integrity of information during reception.
SC-8 - Medium - CCI-002422 - V-221539 - SV-221539r961641_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002422
Version
OH12-1X-000331
Vuln IDs
  • V-221539
  • V-64579
Rule IDs
  • SV-221539r961641_rule
  • SV-79069
Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Protecting the confidentiality and integrity of received information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPsec tunnel. The web server must utilize approved encryption when receiving transmitted data.
Checks: C-23254r415296_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope. 3. If the directive is omitted, this is a finding. 4. Validate that the file specified exists. If the file does not exist, this is a finding.

Fix: F-23243r415297_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope. 3. Set the "LoadModule ossl_module" directive to ""${PRODUCT_HOME}/modules/mod_ossl.so"", add the directive if it does not exist.

b
OHS must have the SSLFIPS directive enabled to maintain the confidentiality and integrity of information during reception.
SC-8 - Medium - CCI-002422 - V-221540 - SV-221540r961641_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002422
Version
OH12-1X-000332
Vuln IDs
  • V-221540
  • V-64581
Rule IDs
  • SV-221540r961641_rule
  • SV-79071
Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Protecting the confidentiality and integrity of received information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPsec tunnel. The web server must utilize approved encryption when receiving transmitted data.
Checks: C-23255r415299_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/ssl.conf with an editor. 2. Search for the "SSLFIPS" directive at the OHS server configuration scope. 3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-23244r415300_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor. 2. Search for the "SSLFIPS" directive at the OHS server configuration scope. 3. Set the "SSLFIPS" directive to "On", add the directive if it does not exist.

b
OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality and integrity of information during reception.
SC-8 - Medium - CCI-002422 - V-221541 - SV-221541r961641_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002422
Version
OH12-1X-000333
Vuln IDs
  • V-221541
  • V-64583
Rule IDs
  • SV-221541r961641_rule
  • SV-79073
Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Protecting the confidentiality and integrity of received information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPsec tunnel. The web server must utilize approved encryption when receiving transmitted data.
Checks: C-23256r881074_chk

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that requires an SSL-enabled "&lt;VirtualHost&gt;" directive. Note: Does not apply to admin.conf. 2. Search for the following directive at the OHS server, virtual host, and/or directory configuration scopes: "SSLEngine" "SSLProtocol" "SSLWallet" 3. If any of these directives are omitted, this is a finding. 4. If "SSLEngine" is not set to "On", or "SSLProtocol" is not set to "TLSv1.2", this is a finding. 5. Validate that the folder specified in the "SSLWallet" directive exists. If the folder does not exist or contain a valid wallet, this is a finding.

Fix: F-23245r881075_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. Note: Does not apply to admin.conf. 2a. Search for the "SSLEngine" directive at the OHS server, virtual host, and/or directory configuration scopes. 2b. Set the "SSLEngine" directive to "On"; add the directive if it does not exist. 3a. Search for the "SSLProtocol" directive at the OHS server configuration, virtual host, and/or directory levels. 3b. Set the "SSLProtocol" directive to "TLSv1.2"; add the directive if it does not exist. 4a. Search for the "SSLWallet" directive at the OHS server configuration, virtual host, and/or directory levels. 4b. Set the "SSLWallet" directive to the location (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES Encryption (-compat_v12 parameters) that contains only the identity certificate for the host and DoD Certificate Authorities, add the directive if it does not exist.

b
OHS must have the SSLCipherSuite directive enabled to maintain the confidentiality and integrity of information during reception.
SC-8 - Medium - CCI-002422 - V-221542 - SV-221542r961641_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002422
Version
OH12-1X-000334
Vuln IDs
  • V-221542
  • V-64585
Rule IDs
  • SV-221542r961641_rule
  • SV-79075
Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Protecting the confidentiality and integrity of received information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPsec tunnel. The web server must utilize approved encryption when receiving transmitted data.
Checks: C-23257r415305_chk

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that requires an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes. 3. If the directive is omitted or set improperly, this is a finding.

Fix: F-23246r415306_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled "<VirtualHost>" directive. 2. Search for the "SSLCipherSuite" directive at the OHS server, virtual host, and/or directory configuration scopes. 3. Set the "SSLCipherSuite" directive to "SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,RSA_WITH_AES_128_CBC_SHA256,RSA_WITH_AES_256_CBC_SHA256,RSA_WITH_AES_128_GCM_SHA256,RSA_WITH_AES_256_GCM_SHA384,ECDHE_ECDSA_WITH_AES_128_CBC_SHA,ECDHE_ECDSA_WITH_AES_256_CBC_SHA,ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,ECDHE_RSA_WITH_AES_128_CBC_SHA,ECDHE_RSA_WITH_AES_256_CBC_SHA", add the directive if it does not exist. Note: Ciphers may be removed from the list above per the organization's requirements or if vulnerabilities are found with a specific cipher.

b
If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the SSLSecureProxy directive enabled to maintain the confidentiality and integrity of information during reception.
SC-8 - Medium - CCI-002422 - V-221543 - SV-221543r961641_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002422
Version
OH12-1X-000335
Vuln IDs
  • V-221543
  • V-64587
Rule IDs
  • SV-221543r961641_rule
  • SV-79077
Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Protecting the confidentiality and integrity of received information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPsec tunnel. The web server must utilize approved encryption when receiving transmitted data.
Checks: C-23258r415308_chk

If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL: 1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that contains an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "SecureProxy" directive within an "&lt;IfModule weblogic_module&gt;" at the virtual host configuration scope. 3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-23247r415309_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that contains an SSL-enabled "<VirtualHost>" directive. 2. Search for the "SecureProxy" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope. 3. Set the "SecureProxy" directive to "On", add the directive if it does not exist.

b
If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the WLSSLWallet directive enabled to maintain the confidentiality and integrity of information during reception.
SC-8 - Medium - CCI-002422 - V-221544 - SV-221544r961641_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002422
Version
OH12-1X-000336
Vuln IDs
  • V-221544
  • V-64589
Rule IDs
  • SV-221544r961641_rule
  • SV-79079
Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Protecting the confidentiality and integrity of received information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPsec tunnel. The web server must utilize approved encryption when receiving transmitted data.
Checks: C-23259r415311_chk

If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL: 1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that contains an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "WLSSLWallet" directive within an "&lt;IfModule weblogic_module&gt;" at the virtual host configuration scope. 3. If the directive is omitted or is not set to a valid wallet folder, this is a finding.

Fix: F-23248r415312_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that contains an SSL-enabled "<VirtualHost>" directive. 2. Search for the "WLSSLWallet" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope. 3. Set the "WLSSLWallet" directive to the location (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES Encryption (-compat_v12 parameters) that contains the certificate chain served by the WebLogic host/port combination, add the directive if it does not exist.

b
If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS, OHS must have the WLProxySSL directive enabled to maintain the confidentiality and integrity of information during reception.
SC-8 - Medium - CCI-002422 - V-221545 - SV-221545r961641_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002422
Version
OH12-1X-000337
Vuln IDs
  • V-221545
  • V-64591
Rule IDs
  • SV-221545r961641_rule
  • SV-79081
Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Protecting the confidentiality and integrity of received information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPsec tunnel. The web server must utilize approved encryption when receiving transmitted data.
Checks: C-23260r415314_chk

If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS: 1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor that contains an SSL-enabled "&lt;VirtualHost&gt;" directive. 2. Search for the "WLProxySSL" directive within an "&lt;IfModule weblogic_module&gt;" at the virtual host configuration scope. 3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-23249r415315_fix

1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that contains an SSL-enabled "<VirtualHost>" directive. 2. Search for the "WLProxySSL" directive within an "<IfModule weblogic_module>" at the virtual host configuration scope. 3. Set the "WLProxySSL" directive to "On", add the directive if it does not exist.

a
OHS must display a default hosted application web page, not a directory listing, when a requested web page cannot be found.
SI-11 - Low - CCI-001312 - V-221546 - SV-221546r961167_rule
RMF Control
SI-11
Severity
L
CCI
CCI-001312
Version
OH12-1X-000346
Vuln IDs
  • V-221546
  • V-64477
Rule IDs
  • SV-221546r961167_rule
  • SV-78967
The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor to accomplish this end. Enumeration techniques, such as URL parameter manipulation, rely upon being able to obtain information about the web server's directory structure by locating directories without default pages. In the scenario, the web server will display to the user a listing of the files in the directory being accessed. By having a default hosted application web page, the anonymous web user will not obtain directory browsing information or an error message that reveals the server type and version.
Checks: C-23261r415317_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "DocumentRoot" directives at the server and virtual host configuration scopes. 3. Go to the location specified as the value for each "DocumentRoot" directive (e.g., cd $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs1/htdocs). 4. Check for the existence of any index.html file in the directory specified as the "DocumentRoot" and its subdirectories (e.g., find . -type d, find . -type f -name index.html, cat index.html). 5. If an index.html files is not found or there is content in the file that is irrelevant to the website, this is a finding.

Fix: F-23250r415318_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "DocumentRoot" directives at the server and virtual host configuration scopes. 3. Go to the location specified as the value for each "DocumentRoot" directive (e.g., cd $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs1/htdocs) and its subdirectories. 4. Create a standard or empty index.html file (e.g., echo > index.html) in the directory specified for "DocumentRoot" and any subdirectories it may have.

b
OHS must have the ServerSignature directive disabled.
SI-11 - Medium - CCI-001312 - V-221547 - SV-221547r961167_rule
RMF Control
SI-11
Severity
M
CCI
CCI-001312
Version
OH12-1X-000347
Vuln IDs
  • V-221547
  • V-64479
Rule IDs
  • SV-221547r961167_rule
  • SV-78969
Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or modules being used. Web servers will often display error messages to client users displaying enough information to aid in the debugging of the error. The information given back in error messages may display the web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage. This information could be used by an attacker to blueprint what type of attacks might be successful. The information given to users must be minimized to not aid in the blueprinting of the web server.
Checks: C-23262r415320_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "ServerSignature" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive is omitted or is not set to "Off", this is a finding.

Fix: F-23251r415321_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "ServerSignature" directive at the OHS server, virtual host, and directory configuration scopes. 3. Set the "ServerSignature" directive to a value of "Off", add the directive if it does not exist.

a
OHS must have the ServerTokens directive set to limit the response header.
SI-11 - Low - CCI-001312 - V-221548 - SV-221548r961167_rule
RMF Control
SI-11
Severity
L
CCI
CCI-001312
Version
OH12-1X-000348
Vuln IDs
  • V-221548
  • V-64481
Rule IDs
  • SV-221548r961167_rule
  • SV-78971
Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or modules being used. Web servers will often display error messages to client users displaying enough information to aid in the debugging of the error. The information given back in error messages may display the web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage. This information could be used by an attacker to blueprint what type of attacks might be successful. The information given to users must be minimized to not aid in the blueprinting of the web server.
Checks: C-23263r415323_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "ServerTokens" directive at the OHS server configuration scope. 3. If the directive is omitted or is not set to "Custom DoD-Web-Server", this is a finding.

Fix: F-23252r415324_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "ServerTokens" directive at the OHS server configuration scope. 3. Set the "ServerTokens" directive to a value of "Custom DoD-Web-Server", add the directive if it does not exist.

b
OHS must have the Alias /error directive defined to reference the directory accompanying the ErrorDocument directives to minimize the identity of OHS, patches, loaded modules, and directory paths in warning and error messages displayed to clients.
SI-11 - Medium - CCI-001312 - V-221549 - SV-221549r961167_rule
RMF Control
SI-11
Severity
M
CCI
CCI-001312
Version
OH12-1X-000349
Vuln IDs
  • V-221549
  • V-64483
Rule IDs
  • SV-221549r961167_rule
  • SV-78973
Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or modules being used. Web servers will often display error messages to client users displaying enough information to aid in the debugging of the error. The information given back in error messages may display the web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage. This information could be used by an attacker to blueprint what type of attacks might be successful. The information given to users must be minimized to not aid in the blueprinting of the web server.
Checks: C-23264r415326_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "Alias /error/ "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/error/"" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted, this is a finding. 4. Validate that the folder where the directive is pointing is valid. If the folder is not valid, this is a finding.

Fix: F-23253r415327_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "Alias /error/ "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/error/"" directive at the OHS server and virtual host configuration scopes. 3. Set the "Alias" directive to "/error/ "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/error/"", add the directive if it does not exist.

b
OHS must have the permissions set properly via the Directory directive accompanying the ErrorDocument directives to minimize improper access to the warning and error messages displayed to clients.
SI-11 - Medium - CCI-001312 - V-221550 - SV-221550r961167_rule
RMF Control
SI-11
Severity
M
CCI
CCI-001312
Version
OH12-1X-000350
Vuln IDs
  • V-221550
  • V-64485
Rule IDs
  • SV-221550r961167_rule
  • SV-78975
Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or modules being used. Web servers will often display error messages to client users displaying enough information to aid in the debugging of the error. The information given back in error messages may display the web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage. This information could be used by an attacker to blueprint what type of attacks might be successful. The information given to users must be minimized to not aid in the blueprinting of the web server.
Checks: C-23265r415329_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every.conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "Directory "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/error"" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted, this is a finding. 4. Validate that the folder where the directive is pointing is valid. If the folder is not valid, this is a finding.

Fix: F-23254r415330_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every.conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "<Directory> "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/error"" directive at the OHS server and virtual host configuration scopes. 3. Set the "<Directory>" directive to "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/error"", add the directive if it does not exist. 4a. Within the "<Directory> "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/error"" directive, set the "AllowOverride" directive to "None", add the directive if it does not exist. 4b. Within the "<Directory> "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/error"" directive, set the "Options" directive to "None", add the directive if it does not exist. 4c. Within the "<Directory> "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/error"" directive, set the "Order" directive to "allow, deny", add the directive if it does not exist. 4d. Within the "<Directory> "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/error"" directive, set the "Allow" directive to "from all", add the directive if it does not exist. 4e. Within the "<Directory> "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/error"" directive, set the "<LimitExcept>" directive to "GET POST", add the directive if it does not exist. 4e1. Within the "<LimitExcept GET POST>" directive, set the "Deny" directive to "from all", add the directive if it does not exist.

a
OHS must have defined error pages for common error codes that minimize the identity of the web server, patches, loaded modules, and directory paths.
SI-11 - Low - CCI-001312 - V-221551 - SV-221551r961167_rule
RMF Control
SI-11
Severity
L
CCI
CCI-001312
Version
OH12-1X-000351
Vuln IDs
  • V-221551
  • V-64487
Rule IDs
  • SV-221551r961167_rule
  • SV-78977
Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or modules being used. Web servers will often display error messages to client users displaying enough information to aid in the debugging of the error. The information given back in error messages may display the web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage. This information could be used by an attacker to blueprint what type of attacks might be successful. The information given to users must be minimized to not aid in the blueprinting of the web server.
Checks: C-23266r415332_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for "ErrorDocument" directives at the OHS server, virtual host, and directory configuration scopes. 3. If the directives are omitted or set improperly for HTTP errors 400, 401, 403 - 405, 408, 410 - 415, 500 - 503, or 506, this is a finding. 4. Validate that the folder and files where the "ErrorDocument" directive are pointing are valid. If the folder or file is not valid, this is a finding.

Fix: F-23255r415333_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for "ErrorDocument" directives at the OHS server, virtual host, and directory configuration scopes. 3. Set the "ErrorDocument" directives for HTTP errors 400, 401, 403 - 405, 408, 410 - 415, 500 - 503, and 506 (e.g., ErrorDocument 400 HTTP_BAD_REQUEST_en.html) to files that minimize the identity of the web server, patches, loaded modules, and directory paths, add the directive if it does not exist.

a
OHS must have production information removed from error documents to minimize the identity of OHS, patches, loaded modules, and directory paths in warning and error messages displayed to clients.
SI-11 - Low - CCI-001312 - V-221552 - SV-221552r961167_rule
RMF Control
SI-11
Severity
L
CCI
CCI-001312
Version
OH12-1X-000352
Vuln IDs
  • V-221552
  • V-64489
Rule IDs
  • SV-221552r961167_rule
  • SV-78979
Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or modules being used. Web servers will often display error messages to client users displaying enough information to aid in the debugging of the error. The information given back in error messages may display the web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage. This information could be used by an attacker to blueprint what type of attacks might be successful. The information given to users must be minimized to not aid in the blueprinting of the web server.
Checks: C-23267r415335_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "Alias /error/ "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/error/"", "Directory "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/{COMPONENT_NAME}/error"", and "ErrorDocument" directives at the OHS server, virtual host, and directory configuration scopes. 3. For every file specified by an "ErrorDocument" directive, check the file exists and its contents to determine whether any OHS product information is present. 4. If OHS product information is present in the file(s), this is a finding.

Fix: F-23256r415336_fix

1. Go to the directory specified by the "Alias /error/" directive in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf. (e.g., cd $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/error). 2. Change the extension of each file located in $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/error from .html.var to .html (e.g., mv HTTP_NOT_FOUND.hmtl.var HTTP_NOT_FOUND_en.html). 3. Modify the content of each file to be static such that mod_include and mod_negotiation are not needed and that no OHS product information is discernable by a user encountering the error. 4. Set the appropriate "ErrorDocument" directives in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf to reference the appropriate file in $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/httpd.conf, add the directives if they do not exist.

b
Debugging and trace information used to diagnose OHS must be disabled.
SI-11 - Medium - CCI-001312 - V-221553 - SV-221553r961167_rule
RMF Control
SI-11
Severity
M
CCI
CCI-001312
Version
OH12-1X-000353
Vuln IDs
  • V-221553
  • V-64491
Rule IDs
  • SV-221553r961167_rule
  • SV-78981
Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or trace information is enabled in a production web server, information about the web server, such as web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage may be displayed. Since this information may be placed in logs and general messages during normal operation of the web server, an attacker does not need to cause an error condition to gain this information.
Checks: C-23268r415338_chk

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "TraceEnable" directive at the OHS server and virtual host configuration scopes. 3. If the directive not set to "Off", this is a finding.

Fix: F-23257r415339_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "TraceEnable" directive at the OHS server and virtual host configuration scopes. 3. Set the "TraceEnable" directive to a value of "Off", add the directive if it does not exist.

b
OHS must capture, record, and log all content related to a user session.
AC-10 - Medium - CCI-000054 - V-252204 - SV-252204r961863_rule
RMF Control
AC-10
Severity
M
CCI
CCI-000054
Version
OH12-1X-000049
Vuln IDs
  • V-252204
  • V-63153
Rule IDs
  • SV-252204r961863_rule
  • SV-77643
A user session to a web server is in the context of a user accessing a hosted application that extends to any plug-ins/modules and services that may execute on behalf of the user. The web server must be capable of enabling a setting for troubleshooting, debugging, or forensic gathering purposes which will log all user session information related to the hosted application session. Without the capability to capture, record, and log all content related to a user session, investigations into suspicious user activity would be hampered.
Checks: C-55660r816502_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "&lt;VirtualHost&gt;" directive. 2. Search for the "LogFormat" directive with nicknames of "dod" and "dod_ssl" at the OHS server and virtual host configuration scopes. 3. If either of these directives is omitted or set improperly, this is a finding unless inherited from a larger scope.

Fix: F-55610r816503_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive. 2. Search for the "LogFormat" directive with nicknames of "dod" and "dod_ssl" at the OHS server and virtual host configuration scopes. 3a. If the session id is contained within a cookie, modify the "LogFormat" directive with nicknames of "dod" and "dod_ssl" to include "sess:%{JSESSIONID}C", add the directive if it does not exist unless inherited from a larger scope. 3b. If the session id is contained within a header variable, modify the "LogFormat" directives with nicknames of "dod" and "dod_ssl" to include "sess:%{X-JSESSIONID}o" dod", add the directive if it does not exist unless inherited from a larger scope.

c
OHS must have the LoadModule ossl_module directive enabled to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized.
AC-10 - High - CCI-000054 - V-252205 - SV-252205r962034_rule
RMF Control
AC-10
Severity
H
CCI
CCI-000054
Version
OH12-1X-000294
Vuln IDs
  • V-252205
  • V-64125
Rule IDs
  • SV-252205r962034_rule
  • SV-78615
Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. NSA has developed Type 1 algorithms for protecting classified information. The Committee on National Security Systems (CNSS) National Information Assurance Glossary (CNSS Instruction No. 4009) defines Type 1 products as: "Cryptographic equipment, assembly or component classified or certified by NSA for encrypting and decrypting classified and sensitive national security information when appropriately keyed. Developed using established NSA business processes and containing NSA-approved algorithms are used to protect systems requiring the most stringent protection mechanisms." Although persons may have a security clearance, they may not have a "need-to-know" and are required to be separated from the information in question. The web server must employ NSA-approved cryptography to protect classified information from those individuals who have no "need-to-know" or when encryption of compartmentalized data is required by data classification.
Checks: C-55661r816505_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/httpd.conf with an editor. 2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope. 3. If the directive is omitted, this is a finding. 4. Validate that the file specified exists. If the file does not exist, this is a finding.

Fix: F-55611r816506_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor. 2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope. 3. Set the "LoadModule ossl_module" directive to ""${PRODUCT_HOME}/modules/mod_ossl.so"", add the directive if it does not exist.

c
OHS must have the SSLFIPS directive enabled to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized.
SC-13 - High - CCI-002450 - V-252546 - SV-252546r962034_rule
RMF Control
SC-13
Severity
H
CCI
CCI-002450
Version
OH12-1X-000295
Vuln IDs
  • V-252546
  • V-64511
Rule IDs
  • SV-252546r962034_rule
  • SV-79001
Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. NSA has developed Type 1 algorithms for protecting classified information. The Committee on National Security Systems (CNSS) National Information Assurance Glossary (CNSS Instruction No. 4009) defines Type 1 products as: "Cryptographic equipment, assembly or component classified or certified by NSA for encrypting and decrypting classified and sensitive national security information when appropriately keyed. Developed using established NSA business processes and containing NSA-approved algorithms are used to protect systems requiring the most stringent protection mechanisms." Although persons may have a security clearance, they may not have a "need-to-know" and are required to be separated from the information in question. The web server must employ NSA-approved cryptography to protect classified information from those individuals who have no "need-to-know" or when encryption of compartmentalized data is required by data classification.
Checks: C-56002r816513_chk

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/&lt;componentName&gt;/ssl.conf with an editor. 2. Search for the "SSLFIPS" directive at the OHS server configuration scope. 3. If the directive is omitted or is not set to "On", this is a finding.

Fix: F-55952r816514_fix

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/ssl.conf with an editor. 2. Search for the "SSLFIPS" directive at the OHS server configuration scope. 3. Set the "SSLFIPS" directive to "On", add the directive if it does not exist.