OHS must have the BrowserMatch directive disabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-64345	OH12-1X-000144	SV-78835r1_rule		Medium

Description
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.

STIG	Date
Oracle HTTP Server 12.1.3 Security Technical Implementation Guide	2019-12-12

Details

Check Text ( C-65097r1_chk )
1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "BrowserMatch" directive. 2. Search for the "BrowserMatch" directive at the OHS server, virtual host, and directory configuration scopes. 3. If the directive and any surrounding "BrowserMatch" directive exist and are not commented out, this is a finding.

Check Text ( C-65097r1_chk )

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "BrowserMatch" directive.

2. Search for the "BrowserMatch" directive at the OHS server, virtual host, and directory configuration scopes.

3. If the directive and any surrounding "BrowserMatch" directive exist and are not commented out, this is a finding.

Fix Text (F-70275r1_fix)
1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "BrowserMatch" directive. 2. Search for the "BrowserMatch" directive at the OHS server, virtual host, and directory configuration scopes. 3. Comment out the "BrowserMatch" directive and any surrounding "" directive if they exist.