OHS must have the LoadModule authz_user_module directive disabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-64319	OH12-1X-000131	SV-78809r2_rule		Medium

Description
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance. This requirement is meant to disable an unneeded service, it is not intended to restrict or limit the use of authorization when application requirements specify the need to use authorization functions. The authz_user_module in OHS provides authorization functionality so authenticated users can be allowed or denied access to portions of the web site. Refer to the system security plan to determine if OHS based authorization functions are needed based on application or system data access requirements.

Description

A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too insecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance. This requirement is meant to disable an unneeded service, it is not intended to restrict or limit the use of authorization when application requirements specify the need to use authorization functions. The authz_user_module in OHS provides authorization functionality so authenticated users can be allowed or denied access to portions of the web site. Refer to the system security plan to determine if OHS based authorization functions are needed based on application or system data access requirements.

STIG	Date
Oracle HTTP Server 12.1.3 Security Technical Implementation Guide	2020-06-12

Details

Check Text ( C-65071r4_chk )
If the AO approved system security plan for web server configuration specifies using the OHS authz_user_module in order to meet application architecture requirements, this requirement can be marked NA. 1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf with an editor. 2. Search for the "LoadModule authz_user_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Check Text ( C-65071r4_chk )

If the AO approved system security plan for web server configuration specifies using the OHS authz_user_module in order to meet application architecture requirements, this requirement can be marked NA.

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf with an editor.

2. Search for the "LoadModule authz_user_module" directive at the OHS server configuration scope.

3. If the directive exists and is not commented out, this is a finding.

Fix Text (F-70249r1_fix)
1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf with an editor. 2. Search for the "LoadModule authz_user_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule authz_user_module" directive if it exists.