| V-64147 | High | OHS must have the SSLCipherSuite directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed... |
| V-64139 | High | OHS must have the SSLCipherSuite directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server. | The web server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or communication to authenticate users. The encryption... |
| V-64135 | High | OHS must have the SSLFIPS directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server. | The web server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or communication to authenticate users. The encryption... |
| V-64133 | High | OHS must have the LoadModule ossl_module directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server. | The web server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or communication to authenticate users. The encryption... |
| V-64621 | High | OHS must not have the directive PlsqlDatabasePassword set in clear text. | OHS supports the use of the module mod_plsql, which allows applications to be hosted that are PL/SQL-based. To access the database, the module must have a valid username, password and database... |
| V-64689 | High | OHS administration must be performed over a secure path or at the local console. | Logging into a web server remotely using an unencrypted protocol or service when performing updates and maintenance is a major risk. Data, such as user account, is transmitted in plaintext and... |
| V-64687 | High | Symbolic links must not be used in the web content directory tree. | A symbolic link allows a file or a directory to be referenced using a symbolic name raising a potential hazard if symbolic linkage is made to a sensitive area. When web scripts are executed and... |
| V-64513 | High | OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data.
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to... |
| V-64515 | High | OHS must have the SSLCipherSuite directive enabled to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data.
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to... |
| V-64449 | High | OHS accounts accessing the directory tree, the shell, or other operating system functions and utilities must only be administrative accounts. | As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server.... |
| V-64545 | High | OHS must have the SSLEngine, SSLProtocol, SSLWallet directives enabled and configured to prevent unauthorized disclosure of information during transmission. | Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during... |
| V-64145 | High | OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed... |
| V-64141 | High | OHS must have the LoadModule ossl_module directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed... |
| V-64143 | High | OHS must have the SSLFIPS directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed... |
| V-64511 | High | OHS must have the SSLFIPS directive enabled to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data.
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to... |
| V-64413 | High | OHS must have the SSLCipherSuite directive enabled to encrypt passwords during transmission. | Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to... |
| V-64411 | High | OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to encrypt passwords during transmission. | Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to... |
| V-64541 | High | OHS must have the LoadModule ossl_module directive enabled to prevent unauthorized disclosure of information during transmission. | Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during... |
| V-64543 | High | OHS must have the SSLFIPS directive enabled to prevent unauthorized disclosure of information during transmission. | Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during... |
| V-64547 | High | OHS must have the SSLCipherSuite directive enabled to prevent unauthorized disclosure of information during transmission. | Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during... |
| V-64661 | High | The version of the OHS installation must be vendor-supported. | Many vulnerabilities are associated with older versions of software. As hot fixes and patches are issued, these solutions are included in the next version of the server software. Maintaining OHS... |
| V-64509 | High | OHS must have the LoadModule ossl_module directive enabled to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data.
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to... |
| V-64407 | High | OHS must have the LoadModule ossl_module directive enabled to encrypt passwords during transmission. | Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to... |
| V-64409 | High | OHS must use FIPS modules to encrypt passwords during transmission. | Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to... |
| V-64261 | Medium | OHS must have the LoadModule include_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64501 | Medium | OHS must provide the capability to immediately disconnect or disable remote access to the hosted applications. | During an attack on the web server or any of the hosted applications, the system administrator may need to disconnect or disable access by users to stop the attack.
The web server must provide a... |
| V-64243 | Medium | OHS must have the LoadModule file_cache_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64523 | Medium | OHS must have the SSLCipherSuite directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). | Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity... |
| V-64333 | Medium | OHS must have the LoadModule proxy_balancer_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64521 | Medium | OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). | Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity... |
| V-64331 | Medium | OHS must have the LoadModule proxy_connect_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64527 | Medium | OHS must use wallets that have only DoD certificate authorities defined. | Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity... |
| V-64525 | Medium | OHS must have the SSLVerifyClient directive enabled to only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). | Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity... |
| V-64529 | Medium | OHS must be tuned to handle the operational requirements of the hosted application. | A Denial of Service (DoS) can occur when the web server is so overwhelmed that it can no longer respond to additional requests. A web server not properly tuned may become overwhelmed and cause a... |
| V-64137 | Medium | OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to encrypt remote connections in accordance with the categorization of data hosted by the web server. | The web server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or communication to authenticate users. The encryption... |
| V-64131 | Medium | OHS must limit the number of worker processes to limit the number of allowed simultaneous requests. | Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in... |
| V-64431 | Medium | OHS must have the LoadModule ossl_module directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data. | Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity,... |
| V-64239 | Medium | The log information from OHS must be protected from unauthorized deletion. | Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security... |
| V-64435 | Medium | OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data. | Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity,... |
| V-64437 | Medium | OHS must have the SSLCipherSuite directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data. | Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity,... |
| V-64233 | Medium | OHS must have a log file defined for each site/virtual host to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined.
Determining user... |
| V-64231 | Medium | OHS must have a SSL log format defined to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined.
Determining user... |
| V-64237 | Medium | The log information from OHS must be protected from unauthorized modification. | Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security... |
| V-64235 | Medium | OHS log files must only be accessible by privileged users. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system... |
| V-64351 | Medium | OHS must have the Alias /icons/ directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64393 | Medium | OHS must have the ScriptAlias /cgi-bin/ directive within a IfModule alias_module directive disabled. | Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application... |
| V-64257 | Medium | OHS must have the LoadModule status_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64199 | Medium | OHS must have a log format defined for log records generated to capture sufficient information to establish when an event occurred. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined.
Ascertaining the... |
| V-64499 | Medium | OHS must have the Order, Allow, and Deny directives set within the Location directives set to restrict inbound connections from nonsecure zones. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform... |
| V-64259 | Medium | OHS must have the LoadModule info_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64461 | Medium | OHS must have the MaxKeepAliveRequests directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. | A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for... |
| V-64197 | Medium | OHS must have a log file defined for each site/virtual host to capture sufficient information to establish what type of events occurred. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined.
Ascertaining the... |
| V-64599 | Medium | The ListenAddress property of the Node Manager configured to support OHS must match the CN of the certificate used by Node Manager. | Oracle Node Manager is the utility that is used to perform common operational tasks for OHS.
For connections to be made to the Node Manager, it must listen on an assigned address. When this... |
| V-64195 | Medium | OHS must have a SSL log format defined for log records generated to capture sufficient information to establish what type of events occurred. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined.
Ascertaining the... |
| V-64457 | Medium | OHS must have the KeepAlive directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. | A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for... |
| V-64359 | Medium | If mod_plsql is not in use with OHS, OHS must have the include moduleconf/* directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64347 | Medium | OHS must have the LoadModule dumpio_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64229 | Medium | OHS must have a log format defined to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined.
Determining user... |
| V-64345 | Medium | OHS must have the BrowserMatch directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64185 | Medium | OHS must have a SSL log format defined to generate adequate logs by system startup and shutdown, system access, and system authentication events. | Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server... |
| V-64701 | Medium | A public OHS server must use TLS if authentication is required to host web sites. | Transport Layer Security (TLS) is optional for a public web server. However, if authentication is being performed, then the use of the TLS protocol is required.
Without the use of TLS, the... |
| V-64187 | Medium | OHS must have a log file defined for each site/virtual host to capture logs generated by system startup and shutdown, system access, and system authentication events. | Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server... |
| V-64429 | Medium | OHS must be integrated with a tool such as Oracle Access Manager to enforce a client-side certificate revocation check through the OCSP protocol. | A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to... |
| V-64189 | Medium | OHS must capture, record, and log all content related to a user session. | A user session to a web server is in the context of a user accessing a hosted application that extends to any plug-ins/modules and services that may execute on behalf of the user.
The web server... |
| V-64221 | Medium | OHS, behind a load balancer or proxy server, must have a log file defined for each site/virtual host to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined.
Ascertaining the... |
| V-64223 | Medium | OHS must have a log format defined to produce log records that contain sufficient information to establish the outcome (success or failure) of events. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined.
Ascertaining the... |
| V-64633 | Medium | The OHS instance configuration must not reference directories that contain an .htaccess file. | .htaccess files are used to override settings in the OHS configuration files. The placement of the .htaccess file is also important as the settings will affect the directory where the file is... |
| V-64225 | Medium | OHS must have a SSL log format defined to produce log records that contain sufficient information to establish the outcome (success or failure) of events. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined.
Ascertaining the... |
| V-64227 | Medium | OHS must have a log file defined for each site/virtual host to produce log records that contain sufficient information to establish the outcome (success or failure) of events. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined.
Ascertaining the... |
| V-64691 | Medium | OHS must not contain any robots.txt files. | Search engines are constantly at work on the Internet. Search engines are augmented by agents, often referred to as spiders or bots, which endeavor to capture and catalog web-site content. In... |
| V-64693 | Medium | OHS must prohibit anonymous FTP user access to interactive scripts. | The directories containing the CGI scripts, such as PERL, must not be accessible to anonymous users via FTP. This applies to all directories that contain scripts that can dynamically produce web... |
| V-64695 | Medium | The OHS DocumentRoot directory must be in a separate partition from the OHS ServerRoot directory. | Application partitioning enables an additional security measure by securing user traffic under one security context, while managing system and application files under another. Web content is... |
| V-64697 | Medium | The OHS DocumentRoot directory must be on a separate partition from OS root partition. | Application partitioning enables an additional security measure by securing user traffic under one security context, while managing system and application files under another. Web content is... |
| V-64699 | Medium | Remote authors or content providers must have all files scanned for viruses and malicious code before uploading files to the Document Root directory. | Remote web authors should not be able to upload files to the DocumentRoot directory structure without virus checking and checking for malicious or mobile code. A remote web user whose agency has a... |
| V-64125 | Medium | OHS must have the mpm_prefork_module directive disabled so as not conflict with the worker directive used to limit the number of allowed simultaneous requests. | Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in... |
| V-64299 | Medium | OHS must have the cgi-bin directory disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64443 | Medium | OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. | Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and... |
| V-64295 | Medium | OHS must have the ScriptAlias directive for CGI scripts disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64129 | Medium | OHS must limit the number of threads within a worker process to limit the number of allowed simultaneous requests. | Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in... |
| V-64297 | Medium | OHS must have the ScriptSock directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64215 | Medium | OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of the source of events. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined.
Ascertaining the... |
| V-64181 | Medium | OHS must have the log rotation parameter set to allow for the generation log records for system startup and shutdown, system access, and system authentication events. | Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server... |
| V-64217 | Medium | OHS, behind a load balancer or proxy server, must produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined.
Ascertaining the... |
| V-64247 | Medium | OHS must have the LoadModule env_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64211 | Medium | OHS must have a log format defined for log records that allow the establishment of the source of events. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined.
Ascertaining the... |
| V-64213 | Medium | OHS must have a SSL log format defined for log records that allow the establishment of the source of events. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined.
Ascertaining the... |
| V-64505 | Medium | OHS must be configured to store error log files to an appropriate storage device from which other tools can be configured to reference those log files for diagnostic/forensic purposes. | A web server will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within a hosted application. This information can then be used for diagnostic... |
| V-64507 | Medium | OHS must be configured to store access log files to an appropriate storage device from which other tools can be configured to reference those log files for diagnostic/forensic purposes. | A web server will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within a hosted application. This information can then be used for diagnostic... |
| V-64219 | Medium | OHS, behind a load balancer or proxy server, must have the SSL log format set correctly to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined.
Ascertaining the... |
| V-64183 | Medium | OHS must have a log format defined to generate adequate logs by system startup and shutdown, system access, and system authentication events. | Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server... |
| V-64503 | Medium | Non-privileged accounts on the hosting system must only access OHS security-relevant information and functions through a distinct administrative account. | By separating web server security functions from non-privileged users, roles can be developed that can then be used to administer the web server. Forcing users to change from a non-privileged... |
| V-64585 | Medium | OHS must have the SSLCipherSuite directive enabled to maintain the confidentiality and integrity of information during reception. | Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during... |
| V-64587 | Medium | If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the SSLSecureProxy directive enabled to maintain the confidentiality and integrity of information during reception. | Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during... |
| V-64357 | Medium | If WebLogic is not in use with OHS, OHS must have the include mod_wl_ohs.conf directive disabled at the server level. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64581 | Medium | OHS must have the SSLFIPS directive enabled to maintain the confidentiality and integrity of information during reception. | Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during... |
| V-64629 | Medium | OHS must deny all access by default when considering whether to serve a file. | Part of securing OHS is allowing/denying access to the web server. Deciding on the manor the allow/deny rules are evaluated can turn what was once an allowable access into being blocked if the... |
| V-64583 | Medium | OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality and integrity of information during reception. | Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during... |
| V-64353 | Medium | OHS must have the path to the icons directory disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64453 | Medium | OHS must have the Directory directive accompanying the DocumentRoot directive set to a separate partition from the OHS system files. | A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To... |
| V-64625 | Medium | OHS must have the AllowOverride directive set properly. | The property "AllowOverride" is used to allow directives to be set differently than those set for the overall architecture. When the property is not set to "None", OHS will check for directives... |
| V-64451 | Medium | OHS must have the DocumentRoot directive set to a separate partition from the OHS system files. | A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To... |
| V-64627 | Medium | OHS must be set to evaluate deny directives first when considering whether to serve a file. | Part of securing OHS is allowing/denying access to the web server. Deciding on the manor the allow/deny rules are evaluated can turn what was once an allowable access into being blocked if the... |
| V-64589 | Medium | If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the WLSSLWallet directive enabled to maintain the confidentiality and integrity of information during reception. | Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during... |
| V-64455 | Medium | OHS must have the Timeout directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. | A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for... |
| V-64191 | Medium | OHS must have a log level severity defined to produce sufficient log records to establish what type of events occurred. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined.
Ascertaining the... |
| V-64639 | Medium | OHS must restrict access methods. | The directive "<LimitExcept>" allows the system administrator to restrict what users may use which methods. An example of methods would be GET, POST and DELETE. These three are the most common... |
| V-64685 | Medium | The OHS server root directory must not be on a network share. | Sharing of the web server directory where the executables are stored is a security risk when a web server is involved. Users that have access to the share may not be administrative users. These... |
| V-64683 | Medium | The OHS document root directory must not be on a network share. | Sharing of web server content is a security risk when a web server is involved. Users accessing the share anonymously could experience privileged access to the content of such directories. Network... |
| V-64681 | Medium | OHS must have the ScoreBoardFile directive disabled. | The ScoreBoardFile directive sets a file path which the server will use for Inter-Process Communication (IPC) among the Apache processes. If the directive is specified, then Apache will use the... |
| V-64163 | Medium | OHS must have the OraLogSeverity directive defined to generate adequate information to be used by external applications or entities to monitor and control remote access. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform... |
| V-64637 | Medium | OHS must have the ServerAdmin directive set properly. | Making sure that information is given to the system administrator in a timely fashion is important. This information can be system status, warnings that may need attention before system failure... |
| V-64161 | Medium | OHS must have a log directory location defined to generate information for use by external applications or entities to monitor and control remote access. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform... |
| V-64289 | Medium | OHS must have the LoadModule cgid_module directive disabled for mpm workers. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64167 | Medium | OHS must have a log format defined to generate adequate information to be used by external applications or entities to monitor and control remote access. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform... |
| V-64165 | Medium | OHS must have the log rotation parameter set to allow generated information to be used by external applications or entities to monitor and control remote access. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform... |
| V-64427 | Medium | OHS must have SSLCARevocationPath and SSLCRLCheck directives within each SSL-enabled VirtualHost directive set to perform RFC 5280-compliant certification path validation when using multiple certification revocation. | A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to... |
| V-64169 | Medium | OHS must have a SSL log format defined to allow generated information to be used by external applications or entities to monitor and control remote access in accordance with the categorization of data hosted by the web server. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform... |
| V-64287 | Medium | OHS must have the LoadModule fastcgi_module disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64203 | Medium | OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of when an event occurred. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined.
Ascertaining the... |
| V-64425 | Medium | OHS must have the SSLCARevocationFile and SSLCRLCheck directives within each SSL-enabled VirtualHost directive set to perform RFC 5280-compliant certification path validation when using single certification revocation. | A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to... |
| V-64207 | Medium | OHS must have a SSL log format defined for log records that allow the establishment of where within OHS the events occurred. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined.
Ascertaining the... |
| V-64205 | Medium | OHS must have a log format defined for log records that allow the establishment of where within OHS the events occurred. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined.
Ascertaining the... |
| V-64209 | Medium | OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of where within OHS the events occurred. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined.
Ascertaining the... |
| V-64517 | Medium | OHS must have the LoadModule ossl_module directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). | Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity... |
| V-64361 | Medium | OHS must have the LoadModule proxy_module directive disabled. | A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy... |
| V-64363 | Medium | OHS must have the LoadModule proxy_http_module directive disabled. | A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy... |
| V-64591 | Medium | If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS, OHS must have the WLProxySSL directive enabled to maintain the confidentiality and integrity of information during reception. | Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during... |
| V-64365 | Medium | OHS must have the LoadModule proxy_ftp_module directive disabled. | A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy... |
| V-64597 | Medium | The SecureListener property of the Node Manager configured to support OHS must be enabled for secure communication. | Oracle Node Manager is the utility that is used to perform common operational tasks for OHS.
To protect the information being sent between WebLogic Scripting Tool and Node Manager, the Node... |
| V-64643 | Medium | OHS must have the SSLSessionCacheTimeout directive set properly. | During an SSL session, information about the session is stored in the global/inter-process SSL Session Cache, the OpenSSL internal memory cache and for sessions resumed by TLS session resumption... |
| V-64611 | Medium | The CustomIdentityPrivateKeyPassPhrase property of the Node Manager configured to support OHS must be configured for secure communication. | Oracle Node Manager is the utility that is used to perform common operational tasks for OHS.
The "CustomIdentityPrivateKeyPassPhrase" is the password that protects the private key when creating... |
| V-64441 | Medium | OHS must have the SSLFIPS directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. | Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and... |
| V-64613 | Medium | The listen-address element defined within the config.xml of the OHS Standalone domain that supports OHS must be configured for secure communication. | Oracle Node Manager is the utility that is used to perform common operational tasks for OHS.
When starting an OHS instance, the WebLogic Scripting Tool reads the parameters within the config.xml... |
| V-64421 | Medium | OHS must have the SSLCipherSuite directive enabled to perform RFC 5280-compliant certification path validation. | A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to... |
| V-64615 | Medium | The listen-port element defined within the config.xml of the OHS Standalone Domain must be configured for secure communication. | Oracle Node Manager is the utility that is used to perform common operational tasks for OHS.
When starting an OHS instance, the WebLogic Scripting Tool reads the parameters within the config.xml... |
| V-64445 | Medium | OHS must have the SSLCipherSuite directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. | Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and... |
| V-64617 | Medium | The WLST_PROPERTIES environment variable defined for the OHS WebLogic Scripting Tool must be updated to reference an appropriate trust store so that it can communicate with the Node Manager supporting OHS. | Oracle Node Manager is the utility that is used to perform common operational tasks for OHS.
When starting an OHS instance, the "OHS" WebLogic Scripting Tool needs to trust the certificate... |
| V-64447 | Medium | OHS utilizing mobile code must meet DoD-defined mobile code requirements. | Mobile code in hosted applications allows the developer to add functionality and displays to hosted applications that are fluid, as opposed to a static web page. The data presentation becomes more... |
| V-64419 | Medium | OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to perform RFC 5280-compliant certification path validation. | A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to... |
| V-64171 | Medium | OHS must have a log file defined for each site/virtual host to capture information to be used by external applications or entities to monitor and control remote access. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform... |
| V-64173 | Medium | OHS must have the client requests logging module loaded to generate log records for system startup and shutdown, system access, and system authentication logging. | Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server... |
| V-64175 | Medium | OHS must have OraLogMode set to Oracle Diagnostic Logging text mode to generate log records for system startup and shutdown, system access, and system authentication logging. | Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server... |
| V-64177 | Medium | OHS must have a log directory location defined to generate log records for system startup and shutdown, system access, and system authentication logging. | Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server... |
| V-64179 | Medium | OHS must have a log level severity defined to generate adequate log records for system startup and shutdown, system access, and system authentication events. | Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server... |
| V-64475 | Medium | OHS must have the LimitInternalRecursion directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. | A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for... |
| V-64607 | Medium | The CustomIdentityKeyStorePassPhrase property of the Node Manager configured to support OHS must be configured for secure communication. | Oracle Node Manager is the utility that is used to perform common operational tasks for OHS.
The "CustomIdentityKeyStorePassPhrase" property is used to protect the data within the keystore. ... |
| V-64605 | Medium | The CustomIdentityKeyStoreFileName property of the Node Manager configured to support OHS must be configured for secure communication. | Oracle Node Manager is the utility that is used to perform common operational tasks for OHS.
The "CustomIdentityKeyStoreFileName" property specifies the file name of the identity keystore. This... |
| V-64471 | Medium | OHS must have the LimitRequestLine directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. | A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for... |
| V-64603 | Medium | The KeyStores property of the Node Manager configured to support OHS must be configured for secure communication. | Oracle Node Manager is a utility that can be used to perform common operational tasks across Managed Servers. These servers can be distributed across multiple machines and geographical locations.... |
| V-64473 | Medium | OHS must have the LimitXMLRequestBody directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. | A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for... |
| V-64601 | Medium | The AuthenticationEnabled property of the Node Manager configured to support OHS must be configured to enforce authentication. | Oracle Node Manager is the utility that is used to perform common operational tasks for OHS.
To accept connections from the WebLogic Scripting Tool, the Node Manager can be setup to authenticate... |
| V-64479 | Medium | OHS must have the ServerSignature directive disabled. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or... |
| V-64433 | Medium | OHS must have the SSLFIPS directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data. | Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity,... |
| V-64609 | Medium | The CustomIdentityAlias property of the Node Manager configured to support OHS must be configured for secure communication. | Oracle Node Manager is the utility that is used to perform common operational tasks for OHS.
The "CustomIdentityAlias" specifies the alias when loading the private key into the keystore. This... |
| V-64277 | Medium | OHS must have the HeaderName directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64275 | Medium | OHS must have the ReadmeName directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64273 | Medium | OHS must have the DefaultIcon directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64271 | Medium | OHS must have the AddIcon directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64567 | Medium | OHS must have the SSLFIPS directive enabled to maintain the confidentiality and integrity of information during preparation for transmission. | Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points,... |
| V-64377 | Medium | OHS must have the LoadModule proxy_balancer_module directive disabled. | A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy... |
| V-64565 | Medium | OHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality and integrity of information during preparation for transmission. | Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points,... |
| V-64285 | Medium | OHS must have the LoadModule cgi_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64563 | Medium | OHS must have the SSLCipherSuite directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version. | Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web... |
| V-64279 | Medium | OHS must have the IndexIgnore directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64569 | Medium | OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality and integrity of information during preparation for transmission. | Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points,... |
| V-64383 | Medium | OHS must have the AddHandler directive disabled. | Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more functionality than is needed for the operation of the... |
| V-64193 | Medium | OHS must have a log format defined for log records generated to capture sufficient information to establish what type of events occurred. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined.
Ascertaining the... |
| V-64381 | Medium | OHS must have the AliasMatch directive disabled for the OHS manuals. | Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production... |
| V-64201 | Medium | OHS must have a SSL log format defined for log records generated to capture sufficient information to establish when an event occurred. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined.
Ascertaining the... |
| V-64387 | Medium | OHS must have the LoadModule cgid_module directive disabled. | Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application... |
| V-64385 | Medium | OHS must have the LoadModule cgi_module directive disabled. | Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application... |
| V-64321 | Medium | OHS must have the LoadModule authn_file_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64389 | Medium | OHS must have the IfModule cgid_module directive disabled for the OHS server, virtual host, and directory configuration. | Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application... |
| V-64463 | Medium | OHS must have the ListenBacklog properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. | A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for... |
| V-64671 | Medium | A public OHS installation must limit email to outbound only. | Incoming E-mail has been known to provide hackers with access to servers. Disabling the incoming mail service prevents this type of attacks. Additionally, Email represents the main use of the... |
| V-64375 | Medium | OHS must have the LoadModule proxy_connect_module directive disabled. | A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy... |
| V-64677 | Medium | OHS must have all applicable patches (i.e., CPUs) applied/documented (OEM). | The IAVM process does not address all patches that have been identified for the host operating system or, in this case, the web server software environment. Many vendors have subscription services... |
| V-64467 | Medium | OHS must have the LimitRequestFields directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. | A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for... |
| V-64675 | Medium | OHS must be segregated from other services. | The web server installation and configuration plan should not support the co-hosting of multiple services such as Domain Name Service (DNS), e-mail, databases, search engines, indexing, or... |
| V-64465 | Medium | OHS must have the LimitRequestBody directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. | A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for... |
| V-64679 | Medium | A private OHS list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA. | A PKI certificate is a digital identifier that establishes the identity of an individual or a platform. A server that has a certificate provides users with third-party confirmation of... |
| V-64469 | Medium | OHS must have the LimitRequestFieldSize directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. | A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for... |
| V-64319 | Medium | OHS must have the LoadModule authz_user_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system.
The web server must provide the... |
| V-64265 | Medium | OHS must have the IndexOptions directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64417 | Medium | OHS must use FIPS modules to perform RFC 5280-compliant certification path validation. | A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to... |
| V-64579 | Medium | OHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality and integrity of information during reception. | Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during... |
| V-64263 | Medium | OHS must have the LoadModule autoindex_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64575 | Medium | If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the WLSSLWallet directive enabled to maintain the confidentiality and integrity of information during preparation for transmission. | Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points,... |
| V-64301 | Medium | OHS must have directives pertaining to certain scripting languages removed from virtual hosts. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64577 | Medium | If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS, OHS must have the WLSProxySSL directive enabled to maintain the confidentiality and integrity of information during preparation for transmission. | Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points,... |
| V-64307 | Medium | OHS must have the LoadModule actions_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64571 | Medium | OHS must have the SSLCipherSuite directive enabled to maintain the confidentiality and integrity of information during preparation for transmission. | Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points,... |
| V-64573 | Medium | If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the SecureProxy directive enabled to maintain the confidentiality and integrity of information during preparation for transmission. | Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points,... |
| V-64439 | Medium | OHS must have the LoadModule ossl_module directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. | Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and... |
| V-64329 | Medium | OHS must have the LoadModule proxy_ftp_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64623 | Medium | OHS must limit access to the Dynamic Monitoring Service (DMS). | The Oracle Dynamic Monitoring Service (DMS) enables application developers, support analysts, system administrators, and others to measure application specific performance information. If OHS... |
| V-64641 | Medium | The OHS htdocs directory must not contain any default files. | Default files from the OHS installation should not be part of the htdocs directory. These files are not always patched or supported and may become an attacker vector in the future. |
| V-64159 | Medium | OHS must have the OraLogMode set to Oracle Diagnostic Logging text mode to generate information to be used by external applications or entities to monitor and control remote access. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform... |
| V-64395 | Medium | OHS must have the ScriptSock directive within a IfModule cgid_module directive disabled. | Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application... |
| V-64397 | Medium | OHS must have the cgi-bin directory disabled. | Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application... |
| V-64399 | Medium | OHS must have directives pertaining to certain scripting languages removed from virtual hosts. | Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application... |
| V-64483 | Medium | OHS must have the Alias /error directive defined to reference the directory accompanying the ErrorDocument directives to minimize the identity of OHS, patches, loaded modules, and directory paths in warning and error messages displayed to clients. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or... |
| V-64157 | Medium | OHS must have the LoadModule log_config_module directive enabled to generate information to be used by external applications or entities to monitor and control remote access. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform... |
| V-64155 | Medium | OHS must have the WLProxySSL directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed... |
| V-64619 | Medium | The WLST_PROPERTIES environment variable defined for the Fusion Middleware WebLogic Scripting Tool must be updated to reference an appropriate trust store so that it can communicate with the Node Manager supporting OHS. | Oracle Node Manager is the utility that is used to perform common operational tasks for OHS.
When starting an OHS instance, the "Fusion Middleware" WebLogic Scripting Tool needs to trust the... |
| V-64151 | Medium | OHS must have the WLSSLWallet directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed... |
| V-64665 | Medium | OHS tools must be restricted to the web manager and the web managers designees. | All automated information systems are at risk of data loss due to disaster or compromise. Failure to provide adequate protection to the administration tools creates risk of potential theft or... |
| V-64519 | Medium | OHS must have the SSLFIPS directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). | Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity... |
| V-64497 | Medium | OHS must have the Order, Allow, and Deny directives set within the Files directives set to restrict inbound connections from nonsecure zones. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform... |
| V-64669 | Medium | The OHS htpasswd files (if present) must reflect proper ownership and permissions. | In addition to OS restrictions, access rights to files and directories can be set on a web site using the web server software. That is, in addition to allowing or denying all access rights, a... |
| V-64495 | Medium | OHS must have the Order, Allow, and Deny directives set within the Directory directives set to restrict inbound connections from nonsecure zones. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform... |
| V-64493 | Medium | Remote access to OHS must follow access policy or work in conjunction with enterprise tools designed to enforce policy requirements. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform... |
| V-64491 | Medium | Debugging and trace information used to diagnose OHS must be disabled. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or... |
| V-64423 | Medium | OHS must have the SSLVerifyClient directive set within each SSL-enabled VirtualHost directive to perform RFC 5280-compliant certification path validation. | A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to... |
| V-64549 | Medium | If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the SecureProxy directive enabled to prevent unauthorized disclosure of information during transmission. | Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during... |
| V-64415 | Medium | OHS must have the LoadModule ossl_module directive enabled to perform RFC 5280-compliant certification path validation. | A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to... |
| V-64311 | Medium | OHS must have the LoadModule userdir_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64313 | Medium | OHS must have the AliasMatch directive pertaining to the OHS manuals disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64315 | Medium | OHS must have the Directory directive pointing to the OHS manuals disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64317 | Medium | OHS must have the LoadModule auth_basic_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-63153 | Medium | OHS must have the mpm property set to use the worker Multi-Processing Module (MPM) as the preferred means to limit the number of allowed simultaneous requests. | Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in... |
| V-64269 | Medium | OHS must have the AddIconByType directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64267 | Medium | OHS must have the AddIconByEncoding directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64595 | Medium | OHS must have Entity tags (ETags) disabled. | Entity tags (ETags) are used for cache management to save network bandwidth by not sending a web page to the requesting client if the cached version on the client is current. When the client only... |
| V-64561 | Medium | OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version. | Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web... |
| V-64127 | Medium | OHS must have the MaxClients directive defined to limit the number of allowed simultaneous requests. | Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in... |
| V-64663 | Medium | OHS must be certified with accompanying Fusion Middleware products. | OHS is capable of being used with other Oracle products. For the products to work properly and not introduce vulnerabilities or errors, Oracle certifies which versions work with each other. ... |
| V-64403 | Medium | Users and scripts running on behalf of users must be contained to the document root or home directory tree of OHS. | A web server is designed to deliver content and execute scripts or applications on the request of a client or user. Containing user requests to files in the directory tree of the hosted web... |
| V-64631 | Medium | The OHS instance installation must not contain an .htaccess file. | .htaccess files are used to override settings in the OHS configuration files. The placement of the .htaccess file is also important as the settings will affect the directory where the file is... |
| V-64325 | Medium | OHS must have the LoadModule proxy_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64557 | Medium | OHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version. | Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web... |
| V-64327 | Medium | OHS must have the LoadModule proxy_http_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64555 | Medium | If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS, OHS must have the WLProxySSL directive enabled to prevent unauthorized disclosure of information during transmission. | Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during... |
| V-64659 | Medium | A private OHS installation must be located on a separate controlled access subnet. | Private web servers, which host sites that serve controlled access data, must be protected from outside threats in addition to insider threats. Insider threat may be accidental or intentional but,... |
| V-64553 | Medium | If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the WebLogicSSLVersion directive enabled to prevent unauthorized disclosure of information during transmission. | Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during... |
| V-64323 | Medium | OHS must have the LoadModule authn_anon_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64551 | Medium | OHS must have the WLSSLWallet directive enabled to prevent unauthorized disclosure of information during transmission. | Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during... |
| V-64655 | Medium | A production OHS Installation must prohibit the installation of a compiler. | The presence of a compiler on a production server facilitates the malicious user’s task of creating custom versions of programs and installing Trojan Horses or viruses. For example, the... |
| V-64485 | Medium | OHS must have the permissions set properly via the Directory directive accompanying the ErrorDocument directives to minimize improper access to the warning and error messages displayed to clients. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or... |
| V-64657 | Medium | A public OHS installation, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension. | To minimize exposure of private assets to unnecessary risk by attackers, public web servers must be isolated from internal systems. Public web servers are by nature more vulnerable to attack from... |
| V-64653 | Medium | All accounts installed with the web server software and tools must have passwords assigned and default passwords changed. | During installation of the web server software, accounts are created for the web server to operate properly. The accounts installed can have either no password installed or a default password,... |
| V-64559 | Medium | OHS must have the SSLFIPS directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version. | Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web... |
| V-64153 | Medium | OHS must have the WebLogicSSLVersion directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed... |
| V-64405 | Medium | OHS must be configured to use a specified IP address, port, and protocol. | The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP... |
| V-64343 | Medium | OHS must have the LoadModule setenvif_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64401 | Medium | OHS must have resource mappings set to disable the serving of certain file types. | Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and to identify which file types are not to... |
| V-64459 | Medium | OHS must have the KeepAliveTimeout properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. | A web server can limit the ability of the web server being used in a DoS attack through several methods. The methods employed will depend upon the hosted applications and their resource needs for... |
| V-64149 | Medium | OHS must have the SecureProxy directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed... |
| V-64593 | Medium | The Node Manager account password associated with the installation of OHS must be in accordance with DoD guidance for length, complexity, etc. | During installation of the web server software, accounts are created for the web server to operate properly. The accounts installed can have either no password installed or a default password,... |
| V-64241 | Medium | The log data and records from OHS must be backed up onto a different system or media. | Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up log records to an unrelated system or onto separate media than the system the web server is... |
| V-64335 | Low | OHS must have the LoadModule cern_meta_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64255 | Low | OHS must not have the ForceLanguagePriority directive enabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64635 | Low | OHS must have the HostnameLookups directive enabled. | Setting the "HostnameLookups" to "On" allows for more information to be logged in the event of an attack and subsequent investigation. This information can be added to other information gathered... |
| V-64349 | Low | OHS must have the IfModule dumpio_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64291 | Low | OHS must have the IfModule cgid_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64293 | Low | OHS must have the LoadModule mpm_winnt_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64355 | Low | OHS must have the IfModule mpm_winnt_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64283 | Low | OHS must have the DirectoryIndex directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64281 | Low | OHS must have the LoadModule dir_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64337 | Low | OHS must have the LoadModule expires_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64339 | Low | OHS must have the LoadModule usertrack_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64647 | Low | OHS must have the RewriteOptions directive set properly. | The rules for the rewrite engine can be configured to inherit those from the parent and build upon that set of rules, to copy the rules from the parent if there are none defined or to only process... |
| V-64645 | Low | OHS must have the RewriteEngine directive enabled. | The rewrite engine is used to evaluate URL requests and modify the requests on the fly. Enabling this engine gives the system administrator the capability to trap potential attacks before... |
| V-64477 | Low | OHS must display a default hosted application web page, not a directory listing, when a requested web page cannot be found. | The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an... |
| V-64379 | Low | OHS must disable the directive pointing to the directory containing the OHS manuals. | Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production... |
| V-64253 | Low | OHS must not have the LanguagePriority directive enabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64341 | Low | OHS must have the LoadModule uniqueid_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64489 | Low | OHS must have production information removed from error documents to minimize the identity of OHS, patches, loaded modules, and directory paths in warning and error messages displayed to clients. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or... |
| V-64673 | Low | OHS content and configuration files must be part of a routine backup program. | Backing up web server data and web server application software after upgrades or maintenance ensures that recovery can be accomplished up to the current version. It also provides a means to... |
| V-64309 | Low | OHS must have the LoadModule speling_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64303 | Low | OHS must have the LoadModule asis_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64305 | Low | OHS must have the LoadModule imagemap_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64249 | Low | OHS must have the LoadModule mime_magic_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64481 | Low | OHS must have the ServerTokens directive set to limit the response header. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or... |
| V-64391 | Low | OHS must have the LoadModule cgi_module directive disabled within the IfModule mpm_winnt_module directive. | Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application... |
| V-64667 | Low | All utility programs, not necessary for operations, must be removed or disabled. | Just as running unneeded services and protocols is a danger to the web server at the lower levels of the OSI model, running unneeded utilities and programs is also a danger at the application... |
| V-64649 | Low | OHS must have the RewriteLogLevel directive set to the proper log level. | Logging must not contain sensitive information or more information necessary than that needed to administer the system. The log levels from the rewrite engine range from 0 to 9 where 0 is no... |
| V-64703 | Low | OHS hosted web sites must utilize ports, protocols, and services according to PPSM guidelines. | Failure to comply with DoD ports, protocols, and services (PPS) requirements can result in compromise of enclave boundary protections and/or functionality of the automated information system... |
| V-64245 | Low | OHS must have the LoadModule vhost_alias_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
| V-64487 | Low | OHS must have defined error pages for common error codes that minimize the identity of the web server, patches, loaded modules, and directory paths. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or... |
| V-64651 | Low | OHS must have the RewriteLog directive set properly. | Specifying where the log files are written gives the system administrator the capability to store the files in a location other than the default, with system files or in a globally accessible... |
| V-64251 | Low | OHS must have the LoadModule negotiation_module directive disabled. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
The web server must provide the... |
