OHS must be segregated from other services.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-64675	OH12-1X-000219	SV-79165r1_rule		Medium

Description
The web server installation and configuration plan should not support the co-hosting of multiple services such as Domain Name Service (DNS), e-mail, databases, search engines, indexing, or streaming media on the same server that is providing the web publishing service. By separating these services, physically or logically, additional defensive layers are established between the web service and the applicable application should either be compromised. Disallowed or restricted services in the context of this vulnerability applies to services that are not directly associated with the delivery of web content. An operating system that supports a web server will not provide other services (e.g., domain controller, e-mail server, database server, etc.). Only those services necessary to support the web server and its hosted sites are specifically allowed and may include, but are not limited to, operating system, logging, anti-virus, host intrusion detection, administrative maintenance, or network requirements.

Description

The web server installation and configuration plan should not support the co-hosting of multiple services such as Domain Name Service (DNS), e-mail, databases, search engines, indexing, or streaming media on the same server that is providing the web publishing service. By separating these services, physically or logically, additional defensive layers are established between the web service and the applicable application should either be compromised. Disallowed or restricted services in the context of this vulnerability applies to services that are not directly associated with the delivery of web content. An operating system that supports a web server will not provide other services (e.g., domain controller, e-mail server, database server, etc.). Only those services necessary to support the web server and its hosted sites are specifically allowed and may include, but are not limited to, operating system, logging, anti-virus, host intrusion detection, administrative maintenance, or network requirements.

STIG	Date
Oracle HTTP Server 12.1.3 Security Technical Implementation Guide	2019-12-12

Details

Check Text ( C-65417r1_chk )
1. Obtain a copy of the OHS installation and configuration plan. 2. Ask the System Administrator whether any additional services (e.g., database, DNS, mail, application server, etc.) are installed with OHS that do not directly support operation or management of OHS. Separation of services may be physical or logical. 3. If so, this is a finding.

Fix Text (F-70605r1_fix)
Move any software from the OHS installation that is not required for the operation or management of the OHS server to another physical or logical server.