Remote access to OHS must follow access policy or work in conjunction with enterprise tools designed to enforce policy requirements.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-64493	OH12-1X-000030	SV-78983r1_rule		Medium

Description
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy requirements. Examples of the web server enforcing a remote access policy are implementing IP filtering rules, using https instead of http for communication, implementing secure tokens, and validating users.

Description

Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy requirements. Examples of the web server enforcing a remote access policy are implementing IP filtering rules, using https instead of http for communication, implementing secure tokens, and validating users.

STIG	Date
Oracle HTTP Server 12.1.3 Security Technical Implementation Guide	2019-01-04

Details

Check Text ( C-65245r1_chk )
1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Review the directives (e.g., "", "", and "") at the OHS server and virtual host configuration scopes. 3. If these directives do not contain the appropriate access protection via secure authentication, SSL-associated directives, or "Order", "Deny", and "Allow" directives to secure access or prohibit access from nonsecure zones, this is a finding.

Check Text ( C-65245r1_chk )

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.

2. Review the directives (e.g., "", "", and "") at the OHS server and virtual host configuration scopes.

3. If these directives do not contain the appropriate access protection via secure authentication, SSL-associated directives, or "Order", "Deny", and "Allow" directives to secure access or prohibit access from nonsecure zones, this is a finding.

Fix Text (F-70423r1_fix)
1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Review the directives (e.g., "", "", and "") at the OHS server and virtual host configuration scopes. 3. Configure the web server to require secure authentication as required, use SSL, and/or restrict access from nonsecure zones via "Order", "Deny", and "Allow" directives. Note: A product such as Oracle Access Manager may facilitate satisfying these requirements.

Fix Text (F-70423r1_fix)

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.

2. Review the directives (e.g., "", "", and "") at the OHS server and virtual host configuration scopes.

3. Configure the web server to require secure authentication as required, use SSL, and/or restrict access from nonsecure zones via "Order", "Deny", and "Allow" directives.

Note: A product such as Oracle Access Manager may facilitate satisfying these requirements.