
Oracle HTTP Server 12.1.3 Security Technical Implementation Guide


Overview

Date: 2019-12-12
Finding Count: 282 (CAT I (High): 24, CAT II (Med): 226, CAT III (Low): 32)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC I - Mission Critical Public)

Finding ID Severity Title
V-64147 High OHS must have the SSLCipherSuite directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.
V-64139 High OHS must have the SSLCipherSuite directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
V-64135 High OHS must have the SSLFIPS directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
V-64133 High OHS must have the LoadModule ossl_module directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
V-64621 High OHS must not have the directive PlsqlDatabasePassword set in clear text.
V-64689 High OHS administration must be performed over a secure path or at the local console.
V-64687 High Symbolic links must not be used in the web content directory tree.
V-64513 High OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized.
V-64515 High OHS must have the SSLCipherSuite directive enabled to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized.
V-64449 High OHS accounts accessing the directory tree, the shell, or other operating system functions and utilities must only be administrative accounts.
V-64545 High OHS must have the SSLEngine, SSLProtocol, SSLWallet directives enabled and configured to prevent unauthorized disclosure of information during transmission.
V-64145 High OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.
V-64141 High OHS must have the LoadModule ossl_module directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.
V-64143 High OHS must have the SSLFIPS directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.
V-64511 High OHS must have the SSLFIPS directive enabled to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized.
V-64413 High OHS must have the SSLCipherSuite directive enabled to encrypt passwords during transmission.
V-64411 High OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to encrypt passwords during transmission.
V-64541 High OHS must have the LoadModule ossl_module directive enabled to prevent unauthorized disclosure of information during transmission.
V-64543 High OHS must have the SSLFIPS directive enabled to prevent unauthorized disclosure of information during transmission.
V-64547 High OHS must have the SSLCipherSuite directive enabled to prevent unauthorized disclosure of information during transmission.
V-64661 High The version of the OHS installation must be vendor-supported.
V-64509 High OHS must have the LoadModule ossl_module directive enabled to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized.
V-64407 High OHS must have the LoadModule ossl_module directive enabled to encrypt passwords during transmission.
V-64409 High OHS must use FIPS modules to encrypt passwords during transmission.
V-64261 Medium OHS must have the LoadModule include_module directive disabled.
V-64501 Medium OHS must provide the capability to immediately disconnect or disable remote access to the hosted applications.
V-64243 Medium OHS must have the LoadModule file_cache_module directive disabled.
V-64523 Medium OHS must have the SSLCipherSuite directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
V-64333 Medium OHS must have the LoadModule proxy_balancer_module directive disabled.
V-64521 Medium OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
V-64331 Medium OHS must have the LoadModule proxy_connect_module directive disabled.
V-64527 Medium OHS must use wallets that have only DoD certificate authorities defined.
V-64525 Medium OHS must have the SSLVerifyClient directive enabled to only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
V-64529 Medium OHS must be tuned to handle the operational requirements of the hosted application.
V-64137 Medium OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to encrypt remote connections in accordance with the categorization of data hosted by the web server.
V-64131 Medium OHS must limit the number of worker processes to limit the number of allowed simultaneous requests.
V-64431 Medium OHS must have the LoadModule ossl_module directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
V-64239 Medium The log information from OHS must be protected from unauthorized deletion.
V-64435 Medium OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
V-64437 Medium OHS must have the SSLCipherSuite directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
V-64233 Medium OHS must have a log file defined for each site/virtual host to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
V-64231 Medium OHS must have an SSL log format defined to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
V-64237 Medium The log information from OHS must be protected from unauthorized modification.
V-64235 Medium OHS log files must only be accessible by privileged users.
V-64351 Medium OHS must have the Alias /icons/ directive disabled.
V-64393 Medium OHS must have the ScriptAlias /cgi-bin/ directive within an IfModule alias_module directive disabled.
V-64257 Medium OHS must have the LoadModule status_module directive disabled.
V-64199 Medium OHS must have a log format defined for log records generated to capture sufficient information to establish when an event occurred.
V-64499 Medium OHS must have the Order, Allow, and Deny directives set within the Location directives set to restrict inbound connections from nonsecure zones.
V-64259 Medium OHS must have the LoadModule info_module directive disabled.
V-64461 Medium OHS must have the MaxKeepAliveRequests directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
V-64197 Medium OHS must have a log file defined for each site/virtual host to capture sufficient information to establish what type of events occurred.
V-64599 Medium The ListenAddress property of the Node Manager configured to support OHS must match the CN of the certificate used by Node Manager.
V-64195 Medium OHS must have an SSL log format defined for log records generated to capture sufficient information to establish what type of events occurred.
V-64457 Medium OHS must have the KeepAlive directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
V-64359 Medium If mod_plsql is not in use with OHS, OHS must have the include moduleconf/* directive disabled.
V-64347 Medium OHS must have the LoadModule dumpio_module directive disabled.
V-64229 Medium OHS must have a log format defined to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
V-64345 Medium OHS must have the BrowserMatch directive disabled.
V-64185 Medium OHS must have an SSL log format defined to generate adequate logs by system startup and shutdown, system access, and system authentication events.
V-64701 Medium A public OHS server must use TLS if authentication is required to host web sites.
V-64187 Medium OHS must have a log file defined for each site/virtual host to capture logs generated by system startup and shutdown, system access, and system authentication events.
V-64429 Medium OHS must be integrated with a tool such as Oracle Access Manager to enforce a client-side certificate revocation check through the OCSP protocol.
V-64189 Medium OHS must capture, record, and log all content related to a user session.
V-64221 Medium OHS, behind a load balancer or proxy server, must have a log file defined for each site/virtual host to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
V-64223 Medium OHS must have a log format defined to produce log records that contain sufficient information to establish the outcome (success or failure) of events.
V-64633 Medium The OHS instance configuration must not reference directories that contain an .htaccess file.
V-64225 Medium OHS must have an SSL log format defined to produce log records that contain sufficient information to establish the outcome (success or failure) of events.
V-64227 Medium OHS must have a log file defined for each site/virtual host to produce log records that contain sufficient information to establish the outcome (success or failure) of events.
V-64691 Medium OHS must not contain any robots.txt files.
V-64693 Medium OHS must prohibit anonymous FTP user access to interactive scripts.
V-64695 Medium The OHS DocumentRoot directory must be in a separate partition from the OHS ServerRoot directory.
V-64697 Medium The OHS DocumentRoot directory must be on a separate partition from OS root partition.
V-64699 Medium Remote authors or content providers must have all files scanned for viruses and malicious code before uploading files to the Document Root directory.
V-64125 Medium OHS must have the mpm_prefork_module directive disabled so as not to conflict with the worker directive used to limit the number of allowed simultaneous requests.
V-64299 Medium OHS must have the cgi-bin directory disabled.
V-64443 Medium OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
V-64295 Medium OHS must have the ScriptAlias directive for CGI scripts disabled.
V-64129 Medium OHS must limit the number of threads within a worker process to limit the number of allowed simultaneous requests.
V-64297 Medium OHS must have the ScriptSock directive disabled.
V-64215 Medium OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of the source of events.
V-64181 Medium OHS must have the log rotation parameter set to allow for the generation of log records for system startup and shutdown, system access, and system authentication events.
V-64217 Medium OHS, behind a load balancer or proxy server, must produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
V-64247 Medium OHS must have the LoadModule env_module directive disabled.
V-64211 Medium OHS must have a log format defined for log records that allow the establishment of the source of events.
V-64213 Medium OHS must have an SSL log format defined for log records that allow the establishment of the source of events.
V-64505 Medium OHS must be configured to store error log files to an appropriate storage device from which other tools can be configured to reference those log files for diagnostic/forensic purposes.
V-64507 Medium OHS must be configured to store access log files to an appropriate storage device from which other tools can be configured to reference those log files for diagnostic/forensic purposes.
V-64219 Medium OHS, behind a load balancer or proxy server, must have the SSL log format set correctly to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
V-64183 Medium OHS must have a log format defined to generate adequate logs by system startup and shutdown, system access, and system authentication events.
V-64503 Medium Non-privileged accounts on the hosting system must only access OHS security-relevant information and functions through a distinct administrative account.
V-64585 Medium OHS must have the SSLCipherSuite directive enabled to maintain the confidentiality and integrity of information during reception.
V-64587 Medium If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the SSLSecureProxy directive enabled to maintain the confidentiality and integrity of information during reception.
V-64357 Medium If WebLogic is not in use with OHS, OHS must have the include mod_wl_ohs.conf directive disabled at the server level.
V-64581 Medium OHS must have the SSLFIPS directive enabled to maintain the confidentiality and integrity of information during reception.
V-64629 Medium OHS must deny all access by default when considering whether to serve a file.
V-64583 Medium OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality and integrity of information during reception.
V-64353 Medium OHS must have the path to the icons directory disabled.
V-64453 Medium OHS must have the Directory directive accompanying the DocumentRoot directive set to a separate partition from the OHS system files.
V-64625 Medium OHS must have the AllowOverride directive set properly.
V-64451 Medium OHS must have the DocumentRoot directive set to a separate partition from the OHS system files.
V-64627 Medium OHS must be set to evaluate deny directives first when considering whether to serve a file.
V-64589 Medium If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the WLSSLWallet directive enabled to maintain the confidentiality and integrity of information during reception.
V-64455 Medium OHS must have the Timeout directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
V-64191 Medium OHS must have a log level severity defined to produce sufficient log records to establish what type of events occurred.
V-64639 Medium OHS must restrict access methods.
V-64685 Medium The OHS server root directory must not be on a network share.
V-64683 Medium The OHS document root directory must not be on a network share.
V-64681 Medium OHS must have the ScoreBoardFile directive disabled.
V-64163 Medium OHS must have the OraLogSeverity directive defined to generate adequate information to be used by external applications or entities to monitor and control remote access.
V-64637 Medium OHS must have the ServerAdmin directive set properly.
V-64161 Medium OHS must have a log directory location defined to generate information for use by external applications or entities to monitor and control remote access.
V-64289 Medium OHS must have the LoadModule cgid_module directive disabled for mpm workers.
V-64167 Medium OHS must have a log format defined to generate adequate information to be used by external applications or entities to monitor and control remote access.
V-64165 Medium OHS must have the log rotation parameter set to allow generated information to be used by external applications or entities to monitor and control remote access.
V-64427 Medium OHS must have SSLCARevocationPath and SSLCRLCheck directives within each SSL-enabled VirtualHost directive set to perform RFC 5280-compliant certification path validation when using multiple certification revocation.
V-64169 Medium OHS must have an SSL log format defined to allow generated information to be used by external applications or entities to monitor and control remote access in accordance with the categorization of data hosted by the web server.
V-64287 Medium OHS must have the LoadModule fastcgi_module disabled.
V-64203 Medium OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of when an event occurred.
V-64425 Medium OHS must have the SSLCARevocationFile and SSLCRLCheck directives within each SSL-enabled VirtualHost directive set to perform RFC 5280-compliant certification path validation when using single certification revocation.
V-64207 Medium OHS must have an SSL log format defined for log records that allow the establishment of where within OHS the events occurred.
V-64205 Medium OHS must have a log format defined for log records that allow the establishment of where within OHS the events occurred.
V-64209 Medium OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of where within OHS the events occurred.
V-64517 Medium OHS must have the LoadModule ossl_module directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
V-64361 Medium OHS must have the LoadModule proxy_module directive disabled.
V-64363 Medium OHS must have the LoadModule proxy_http_module directive disabled.
V-64591 Medium If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS, OHS must have the WLProxySSL directive enabled to maintain the confidentiality and integrity of information during reception.
V-64365 Medium OHS must have the LoadModule proxy_ftp_module directive disabled.
V-64597 Medium The SecureListener property of the Node Manager configured to support OHS must be enabled for secure communication.
V-64643 Medium OHS must have the SSLSessionCacheTimeout directive set properly.
V-64611 Medium The CustomIdentityPrivateKeyPassPhrase property of the Node Manager configured to support OHS must be configured for secure communication.
V-64441 Medium OHS must have the SSLFIPS directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
V-64613 Medium The listen-address element defined within the config.xml of the OHS Standalone domain that supports OHS must be configured for secure communication.
V-64421 Medium OHS must have the SSLCipherSuite directive enabled to perform RFC 5280-compliant certification path validation.
V-64615 Medium The listen-port element defined within the config.xml of the OHS Standalone Domain must be configured for secure communication.
V-64445 Medium OHS must have the SSLCipherSuite directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
V-64617 Medium The WLST_PROPERTIES environment variable defined for the OHS WebLogic Scripting Tool must be updated to reference an appropriate trust store so that it can communicate with the Node Manager supporting OHS.
V-64447 Medium OHS utilizing mobile code must meet DoD-defined mobile code requirements.
V-64419 Medium OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to perform RFC 5280-compliant certification path validation.
V-64171 Medium OHS must have a log file defined for each site/virtual host to capture information to be used by external applications or entities to monitor and control remote access.
V-64173 Medium OHS must have the client requests logging module loaded to generate log records for system startup and shutdown, system access, and system authentication logging.
V-64175 Medium OHS must have OraLogMode set to Oracle Diagnostic Logging text mode to generate log records for system startup and shutdown, system access, and system authentication logging.
V-64177 Medium OHS must have a log directory location defined to generate log records for system startup and shutdown, system access, and system authentication logging.
V-64179 Medium OHS must have a log level severity defined to generate adequate log records for system startup and shutdown, system access, and system authentication events.
V-64475 Medium OHS must have the LimitInternalRecursion directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
V-64607 Medium The CustomIdentityKeyStorePassPhrase property of the Node Manager configured to support OHS must be configured for secure communication.
V-64605 Medium The CustomIdentityKeyStoreFileName property of the Node Manager configured to support OHS must be configured for secure communication.
V-64471 Medium OHS must have the LimitRequestLine directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
V-64603 Medium The KeyStores property of the Node Manager configured to support OHS must be configured for secure communication.
V-64473 Medium OHS must have the LimitXMLRequestBody directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
V-64601 Medium The AuthenticationEnabled property of the Node Manager configured to support OHS must be configured to enforce authentication.
V-64479 Medium OHS must have the ServerSignature directive disabled.
V-64433 Medium OHS must have the SSLFIPS directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
V-64609 Medium The CustomIdentityAlias property of the Node Manager configured to support OHS must be configured for secure communication.
V-64277 Medium OHS must have the HeaderName directive disabled.
V-64275 Medium OHS must have the ReadmeName directive disabled.
V-64273 Medium OHS must have the DefaultIcon directive disabled.
V-64271 Medium OHS must have the AddIcon directive disabled.
V-64567 Medium OHS must have the SSLFIPS directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
V-64377 Medium OHS must have the LoadModule proxy_balancer_module directive disabled.
V-64565 Medium OHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
V-64285 Medium OHS must have the LoadModule cgi_module directive disabled.
V-64563 Medium OHS must have the SSLCipherSuite directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
V-64279 Medium OHS must have the IndexIgnore directive disabled.
V-64569 Medium OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality and integrity of information during preparation for transmission.
V-64383 Medium OHS must have the AddHandler directive disabled.
V-64193 Medium OHS must have a log format defined for log records generated to capture sufficient information to establish what type of events occurred.
V-64381 Medium OHS must have the AliasMatch directive disabled for the OHS manuals.
V-64201 Medium OHS must have an SSL log format defined for log records generated to capture sufficient information to establish when an event occurred.
V-64387 Medium OHS must have the LoadModule cgid_module directive disabled.
V-64385 Medium OHS must have the LoadModule cgi_module directive disabled.
V-64321 Medium OHS must have the LoadModule authn_file_module directive disabled.
V-64389 Medium OHS must have the IfModule cgid_module directive disabled for the OHS server, virtual host, and directory configuration.
V-64463 Medium OHS must have the ListenBacklog properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
V-64671 Medium A public OHS installation must limit email to outbound only.
V-64375 Medium OHS must have the LoadModule proxy_connect_module directive disabled.
V-64677 Medium OHS must have all applicable patches (i.e., CPUs) applied/documented (OEM).
V-64467 Medium OHS must have the LimitRequestFields directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
V-64675 Medium OHS must be segregated from other services.
V-64465 Medium OHS must have the LimitRequestBody directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
V-64679 Medium A private OHS list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA.
V-64469 Medium OHS must have the LimitRequestFieldSize directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
V-64319 Medium OHS must have the LoadModule authz_user_module directive disabled.
V-64265 Medium OHS must have the IndexOptions directive disabled.
V-64417 Medium OHS must use FIPS modules to perform RFC 5280-compliant certification path validation.
V-64579 Medium OHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality and integrity of information during reception.
V-64263 Medium OHS must have the LoadModule autoindex_module directive disabled.
V-64575 Medium If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the WLSSLWallet directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
V-64301 Medium OHS must have directives pertaining to certain scripting languages removed from virtual hosts.
V-64577 Medium If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS, OHS must have the WLSProxySSL directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
V-64307 Medium OHS must have the LoadModule actions_module directive disabled.
V-64571 Medium OHS must have the SSLCipherSuite directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
V-64573 Medium If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the SecureProxy directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
V-64439 Medium OHS must have the LoadModule ossl_module directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
V-64329 Medium OHS must have the LoadModule proxy_ftp_module directive disabled.
V-64623 Medium OHS must limit access to the Dynamic Monitoring Service (DMS).
V-64641 Medium The OHS htdocs directory must not contain any default files.
V-64159 Medium OHS must have the OraLogMode set to Oracle Diagnostic Logging text mode to generate information to be used by external applications or entities to monitor and control remote access.
V-64395 Medium OHS must have the ScriptSock directive within an IfModule cgid_module directive disabled.
V-64397 Medium OHS must have the cgi-bin directory disabled.
V-64399 Medium OHS must have directives pertaining to certain scripting languages removed from virtual hosts.
V-64483 Medium OHS must have the Alias /error directive defined to reference the directory accompanying the ErrorDocument directives to minimize the identity of OHS, patches, loaded modules, and directory paths in warning and error messages displayed to clients.
V-64157 Medium OHS must have the LoadModule log_config_module directive enabled to generate information to be used by external applications or entities to monitor and control remote access.
V-64155 Medium OHS must have the WLProxySSL directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.
V-64619 Medium The WLST_PROPERTIES environment variable defined for the Fusion Middleware WebLogic Scripting Tool must be updated to reference an appropriate trust store so that it can communicate with the Node Manager supporting OHS.
V-64151 Medium OHS must have the WLSSLWallet directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.
V-64665 Medium OHS tools must be restricted to the web manager and the web manager's designees.
V-64519 Medium OHS must have the SSLFIPS directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
V-64497 Medium OHS must have the Order, Allow, and Deny directives set within the Files directives set to restrict inbound connections from nonsecure zones.
V-64669 Medium The OHS htpasswd files (if present) must reflect proper ownership and permissions.
V-64495 Medium OHS must have the Order, Allow, and Deny directives set within the Directory directives set to restrict inbound connections from nonsecure zones.
V-64493 Medium Remote access to OHS must follow access policy or work in conjunction with enterprise tools designed to enforce policy requirements.
V-64491 Medium Debugging and trace information used to diagnose OHS must be disabled.
V-64423 Medium OHS must have the SSLVerifyClient directive set within each SSL-enabled VirtualHost directive to perform RFC 5280-compliant certification path validation.
V-64549 Medium If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the SecureProxy directive enabled to prevent unauthorized disclosure of information during transmission.
V-64415 Medium OHS must have the LoadModule ossl_module directive enabled to perform RFC 5280-compliant certification path validation.
V-64311 Medium OHS must have the LoadModule userdir_module directive disabled.
V-64313 Medium OHS must have the AliasMatch directive pertaining to the OHS manuals disabled.
V-64315 Medium OHS must have the Directory directive pointing to the OHS manuals disabled.
V-64317 Medium OHS must have the LoadModule auth_basic_module directive disabled.
V-63153 Medium OHS must have the mpm property set to use the worker Multi-Processing Module (MPM) as the preferred means to limit the number of allowed simultaneous requests.
V-64269 Medium OHS must have the AddIconByType directive disabled.
V-64267 Medium OHS must have the AddIconByEncoding directive disabled.
V-64595 Medium OHS must have Entity tags (ETags) disabled.
V-64561 Medium OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
V-64127 Medium OHS must have the MaxClients directive defined to limit the number of allowed simultaneous requests.
V-64663 Medium OHS must be certified with accompanying Fusion Middleware products.
V-64403 Medium Users and scripts running on behalf of users must be contained to the document root or home directory tree of OHS.
V-64631 Medium The OHS instance installation must not contain an .htaccess file.
V-64325 Medium OHS must have the LoadModule proxy_module directive disabled.
V-64557 Medium OHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
V-64327 Medium OHS must have the LoadModule proxy_http_module directive disabled.
V-64555 Medium If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS, OHS must have the WLProxySSL directive enabled to prevent unauthorized disclosure of information during transmission.
V-64659 Medium A private OHS installation must be located on a separate controlled access subnet.
V-64553 Medium If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the WebLogicSSLVersion directive enabled to prevent unauthorized disclosure of information during transmission.
V-64323 Medium OHS must have the LoadModule authn_anon_module directive disabled.
V-64551 Medium OHS must have the WLSSLWallet directive enabled to prevent unauthorized disclosure of information during transmission.
V-64655 Medium A production OHS installation must prohibit the installation of a compiler.
V-64485 Medium OHS must have the permissions set properly via the Directory directive accompanying the ErrorDocument directives to minimize improper access to the warning and error messages displayed to clients.
V-64657 Medium A public OHS installation, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension.
V-64653 Medium All accounts installed with the web server software and tools must have passwords assigned and default passwords changed.
V-64559 Medium OHS must have the SSLFIPS directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
V-64153 Medium OHS must have the WebLogicSSLVersion directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.
V-64405 Medium OHS must be configured to use a specified IP address, port, and protocol.
V-64343 Medium OHS must have the LoadModule setenvif_module directive disabled.
V-64401 Medium OHS must have resource mappings set to disable the serving of certain file types.
V-64459 Medium OHS must have the KeepAliveTimeout properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
V-64149 Medium OHS must have the SecureProxy directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.
V-64593 Medium The Node Manager account password associated with the installation of OHS must be in accordance with DoD guidance for length, complexity, etc.
V-64241 Medium The log data and records from OHS must be backed up onto a different system or media.
V-64335 Low OHS must have the LoadModule cern_meta_module directive disabled.
V-64255 Low OHS must not have the ForceLanguagePriority directive enabled.
V-64635 Low OHS must have the HostnameLookups directive enabled.
V-64349 Low OHS must have the IfModule dumpio_module directive disabled.
V-64291 Low OHS must have the IfModule cgid_module directive disabled.
V-64293 Low OHS must have the LoadModule mpm_winnt_module directive disabled.
V-64355 Low OHS must have the IfModule mpm_winnt_module directive disabled.
V-64283 Low OHS must have the DirectoryIndex directive disabled.
V-64281 Low OHS must have the LoadModule dir_module directive disabled.
V-64337 Low OHS must have the LoadModule expires_module directive disabled.
V-64339 Low OHS must have the LoadModule usertrack_module directive disabled.
V-64647 Low OHS must have the RewriteOptions directive set properly.
V-64645 Low OHS must have the RewriteEngine directive enabled.
V-64477 Low OHS must display a default hosted application web page, not a directory listing, when a requested web page cannot be found.
V-64379 Low OHS must disable the directive pointing to the directory containing the OHS manuals.
V-64253 Low OHS must not have the LanguagePriority directive enabled.
V-64341 Low OHS must have the LoadModule uniqueid_module directive disabled.
V-64489 Low OHS must have production information removed from error documents to minimize the identity of OHS, patches, loaded modules, and directory paths in warning and error messages displayed to clients.
V-64673 Low OHS content and configuration files must be part of a routine backup program.
V-64309 Low OHS must have the LoadModule speling_module directive disabled.
V-64303 Low OHS must have the LoadModule asis_module directive disabled.
V-64305 Low OHS must have the LoadModule imagemap_module directive disabled.
V-64249 Low OHS must have the LoadModule mime_magic_module directive disabled.
V-64481 Low OHS must have the ServerTokens directive set to limit the response header.
V-64391 Low OHS must have the LoadModule cgi_module directive disabled within the IfModule mpm_winnt_module directive.
V-64667 Low All utility programs, not necessary for operations, must be removed or disabled.
V-64649 Low OHS must have the RewriteLogLevel directive set to the proper log level.
V-64703 Low OHS hosted web sites must utilize ports, protocols, and services according to PPSM guidelines.
V-64245 Low OHS must have the LoadModule vhost_alias_module directive disabled.
V-64487 Low OHS must have defined error pages for common error codes that minimize the identity of the web server, patches, loaded modules, and directory paths.
V-64651 Low OHS must have the RewriteLog directive set properly.
V-64251 Low OHS must have the LoadModule negotiation_module directive disabled.