
Oracle HTTP Server 12.1.3 Security Technical Implementation Guide


Overview

Date: 2021-12-29
Finding Count: 280 (CAT I (High): 22, CAT II (Med): 226, CAT III (Low): 32)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.


Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-221523 High OHS must have the SSLCipherSuite directive enabled to prevent unauthorized disclosure of information during transmission.
V-221522 High OHS must have the SSLEngine, SSLProtocol, SSLWallet directives enabled and configured to prevent unauthorized disclosure of information during transmission.
V-221521 High OHS must have the SSLFIPS directive enabled to prevent unauthorized disclosure of information during transmission.
V-221449 High The version of the OHS installation must be vendor-supported.
V-221284 High OHS must have the SSLCipherSuite directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.
V-221280 High OHS must have the SSLCipherSuite directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
V-221281 High OHS must have the LoadModule ossl_module directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.
V-221278 High OHS must have the SSLFIPS directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
V-221282 High OHS must have the SSLFIPS directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.
V-221495 High OHS accounts accessing the directory tree, the shell, or other operating system functions and utilities must only be administrative accounts.
V-221283 High OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.
V-221520 High OHS must have the LoadModule ossl_module directive enabled to prevent unauthorized disclosure of information during transmission.
V-252205 High OHS must have the LoadModule ossl_module directive enabled to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized.
V-221277 High OHS must have the LoadModule ossl_module directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
V-221462 High Symbolic links must not be used in the web content directory tree.
V-221463 High OHS administration must be performed over a secure path or at the local console.
V-252546 High OHS must have the SSLFIPS directive enabled to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized.
V-221475 High OHS must use FIPS modules to encrypt passwords during transmission.
V-221474 High OHS must have the LoadModule ossl_module directive enabled to encrypt passwords during transmission.
V-221477 High OHS must have the SSLCipherSuite directive enabled to encrypt passwords during transmission.
V-221476 High OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to encrypt passwords during transmission.
V-221471 High OHS must not have the directive PlsqlDatabasePassword set in clear text.
V-221419 Medium The ListenAddress property of the Node Manager configured to support OHS must match the CN of the certificate used by Node Manager.
V-221418 Medium The SecureListener property of the Node Manager configured to support OHS must be enabled for secure communication.
V-221456 Medium OHS must be segregated from other services.
V-221413 Medium OHS must have resource mappings set to disable the serving of certain file types.
V-221412 Medium OHS must have directives pertaining to certain scripting languages removed from virtual hosts.
V-221411 Medium OHS must have the cgi-bin directory disabled.
V-221410 Medium OHS must have the ScriptSock directive within an IfModule cgid_module directive disabled.
V-221417 Medium OHS must have Entity tags (ETags) disabled.
V-221416 Medium The Node Manager account password associated with the installation of OHS must be in accordance with DoD guidance for length, complexity, etc.
V-221415 Medium OHS must be configured to use a specified IP address, port, and protocol.
V-221414 Medium Users and scripts running on behalf of users must be contained to the document root or home directory tree of OHS.
V-221398 Medium OHS must have the LoadModule proxy_http_module directive disabled.
V-221399 Medium OHS must have the LoadModule proxy_ftp_module directive disabled.
V-221394 Medium OHS must have the Alias /icons/ directive disabled.
V-221395 Medium OHS must have the path to the icons directory disabled.
V-221397 Medium OHS must have the LoadModule proxy_module directive disabled.
V-221390 Medium OHS must have the LoadModule setenvif_module directive disabled.
V-221391 Medium OHS must have the BrowserMatch directive disabled.
V-221392 Medium OHS must have the LoadModule dumpio_module directive disabled.
V-221451 Medium OHS tools must be restricted to the web manager and the web manager's designees.
V-221450 Medium OHS must be certified with accompanying Fusion Middleware products.
V-221275 Medium OHS must limit the number of threads within a worker process to limit the number of allowed simultaneous requests.
V-221314 Medium OHS must have an SSL log format defined for log records generated to capture sufficient information to establish what type of events occurred.
V-221315 Medium OHS must have a log file defined for each site/virtual host to capture sufficient information to establish what type of events occurred.
V-221316 Medium OHS must have a log format defined for log records generated to capture sufficient information to establish when an event occurred.
V-221317 Medium OHS must have an SSL log format defined for log records generated to capture sufficient information to establish when an event occurred.
V-221310 Medium OHS must have a log file defined for each site/virtual host to capture logs generated by system startup and shutdown, system access, and system authentication events.
V-221485 Medium OHS must be integrated with a tool such as Oracle Access Manager to enforce a client-side certificate revocation check through the OCSP protocol.
V-221312 Medium OHS must have a log level severity defined to produce sufficient log records to establish what type of events occurred.
V-221313 Medium OHS must have a log format defined for log records generated to capture sufficient information to establish what type of events occurred.
V-221488 Medium OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
V-221489 Medium OHS must have the SSLCipherSuite directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
V-221318 Medium OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of when an event occurred.
V-221319 Medium OHS must have a log format defined for log records that allow the establishment of where within OHS the events occurred.
V-221428 Medium The WLST_PROPERTIES environment variable defined for the OHS WebLogic Scripting Tool must be updated to reference an appropriate trust store so that it can communicate with the Node Manager supporting OHS.
V-221429 Medium The WLST_PROPERTIES environment variable defined for the Fusion Middleware WebLogic Scripting Tool must be updated to reference an appropriate trust store so that it can communicate with the Node Manager supporting OHS.
V-221426 Medium The listen-address element defined within the config.xml of the OHS Standalone domain that supports OHS must be configured for secure communication.
V-221427 Medium The listen-port element defined within the config.xml of the OHS Standalone Domain must be configured for secure communication.
V-221424 Medium The CustomIdentityAlias property of the Node Manager configured to support OHS must be configured for secure communication.
V-221425 Medium The CustomIdentityPrivateKeyPassPhrase property of the Node Manager configured to support OHS must be configured for secure communication.
V-221422 Medium The CustomIdentityKeyStoreFileName property of the Node Manager configured to support OHS must be configured for secure communication.
V-221423 Medium The CustomIdentityKeyStorePassPhrase property of the Node Manager configured to support OHS must be configured for secure communication.
V-221420 Medium The AuthenticationEnabled property of the Node Manager configured to support OHS must be configured to enforce authentication.
V-221421 Medium The KeyStores property of the Node Manager configured to support OHS must be configured for secure communication.
V-221545 Medium If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS, OHS must have the WLProxySSL directive enabled to maintain the confidentiality and integrity of information during reception.
V-221385 Medium OHS must have the LoadModule proxy_balancer_module directive disabled.
V-221384 Medium OHS must have the LoadModule proxy_connect_module directive disabled.
V-221383 Medium OHS must have the LoadModule proxy_ftp_module directive disabled.
V-221382 Medium OHS must have the LoadModule proxy_http_module directive disabled.
V-221381 Medium OHS must have the LoadModule proxy_module directive disabled.
V-221380 Medium OHS must have the LoadModule authn_anon_module directive disabled.
V-221375 Medium OHS must have the AliasMatch directive pertaining to the OHS manuals disabled.
V-221279 Medium OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to encrypt remote connections in accordance with the categorization of data hosted by the web server.
V-221372 Medium OHS must have the LoadModule actions_module directive disabled.
V-221307 Medium OHS must have the log rotation parameter set to allow for the generation of log records for system startup and shutdown, system access, and system authentication events.
V-221306 Medium OHS must have a log level severity defined to generate adequate log records for system startup and shutdown, system access, and system authentication events.
V-221305 Medium OHS must have a log directory location defined to generate log records for system startup and shutdown, system access, and system authentication logging.
V-221304 Medium OHS must have OraLogMode set to Oracle Diagnostic Logging text mode to generate log records for system startup and shutdown, system access, and system authentication logging.
V-221303 Medium OHS must have the client requests logging module loaded to generate log records for system startup and shutdown, system access, and system authentication logging.
V-221302 Medium Non-privileged accounts on the hosting system must only access OHS security-relevant information and functions through a distinct administrative account.
V-221301 Medium OHS must provide the capability to immediately disconnect or disable remote access to the hosted applications.
V-221300 Medium OHS must have the Order, Allow, and Deny directives set within the Location directives set to restrict inbound connections from nonsecure zones.
V-221553 Medium Debugging and trace information used to diagnose OHS must be disabled.
V-221499 Medium OHS must have the KeepAlive directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
V-221309 Medium OHS must have an SSL log format defined to generate adequate logs for system startup and shutdown, system access, and system authentication events.
V-221308 Medium OHS must have a log format defined to generate adequate logs for system startup and shutdown, system access, and system authentication events.
V-221431 Medium OHS must have the AllowOverride directive set properly.
V-221430 Medium OHS must limit access to the Dynamic Monitoring Service (DMS).
V-221433 Medium OHS must deny all access by default when considering whether to serve a file.
V-221432 Medium OHS must be set to evaluate deny directives first when considering whether to serve a file.
V-221435 Medium The OHS instance configuration must not reference directories that contain an .htaccess file.
V-221434 Medium The OHS instance installation must not contain an .htaccess file.
V-221437 Medium OHS must have the ServerAdmin directive set properly.
V-221439 Medium The OHS htdocs directory must not contain any default files.
V-221438 Medium OHS must restrict access methods.
V-221532 Medium OHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
V-221533 Medium OHS must have the SSLFIPS directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
V-221534 Medium OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality and integrity of information during preparation for transmission.
V-221446 Medium A production OHS Installation must prohibit the installation of a compiler.
V-221536 Medium If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the SecureProxy directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
V-221537 Medium If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the WLSSLWallet directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
V-221377 Medium OHS must have the LoadModule auth_basic_module directive disabled.
V-221447 Medium A public OHS installation, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension.
V-221493 Medium OHS must have the SSLCipherSuite directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
V-221338 Medium OHS must be configured to store error log files to an appropriate storage device from which other tools can be configured to reference those log files for diagnostic/forensic purposes.
V-221339 Medium OHS must be configured to store access log files to an appropriate storage device from which other tools can be configured to reference those log files for diagnostic/forensic purposes.
V-221376 Medium OHS must have the Directory directive pointing to the OHS manuals disabled.
V-221492 Medium OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
V-221332 Medium OHS must have an SSL log format defined to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
V-221333 Medium OHS must have a log file defined for each site/virtual host to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
V-221330 Medium OHS must have a log file defined for each site/virtual host to produce log records that contain sufficient information to establish the outcome (success or failure) of events.
V-221331 Medium OHS must have a log format defined to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
V-221336 Medium The log information from OHS must be protected from unauthorized deletion.
V-221337 Medium The log data and records from OHS must be backed up onto a different system or media.
V-221334 Medium OHS log files must only be accessible by privileged users.
V-221335 Medium The log information from OHS must be protected from unauthorized modification.
V-221490 Medium OHS must have the LoadModule ossl_module directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
V-221549 Medium OHS must have the Alias /error directive defined to reference the directory accompanying the ErrorDocument directives to minimize the identity of OHS, patches, loaded modules, and directory paths in warning and error messages displayed to clients.
V-221401 Medium OHS must have the LoadModule proxy_balancer_module directive disabled.
V-221539 Medium OHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality and integrity of information during reception.
V-221497 Medium OHS must have the Directory directive accompanying the DocumentRoot directive set to a separate partition from the OHS system files.
V-221547 Medium OHS must have the ServerSignature directive disabled.
V-221541 Medium OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality and integrity of information during reception.
V-221540 Medium OHS must have the SSLFIPS directive enabled to maintain the confidentiality and integrity of information during reception.
V-221543 Medium If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the SSLSecureProxy directive enabled to maintain the confidentiality and integrity of information during reception.
V-221542 Medium OHS must have the SSLCipherSuite directive enabled to maintain the confidentiality and integrity of information during reception.
V-221445 Medium All accounts installed with the web server software and tools must have passwords assigned and default passwords changed.
V-221529 Medium OHS must have the SSLFIPS directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
V-221528 Medium OHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
V-221440 Medium OHS must have the SSLSessionCacheTimeout directive set properly.
V-221494 Medium OHS utilizing mobile code must meet DoD-defined mobile code requirements.
V-221448 Medium A private OHS installation must be located on a separate controlled access subnet.
V-221525 Medium OHS must have the WLSSLWallet directive enabled to prevent unauthorized disclosure of information during transmission.
V-221524 Medium If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the SecureProxy directive enabled to prevent unauthorized disclosure of information during transmission.
V-221550 Medium OHS must have the permissions set properly via the Directory directive accompanying the ErrorDocument directives to minimize improper access to the warning and error messages displayed to clients.
V-221286 Medium OHS must have the WLSSLWallet directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.
V-221287 Medium OHS must have the WebLogicSSLVersion directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.
V-221498 Medium OHS must have the Timeout directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
V-221329 Medium OHS must have an SSL log format defined to produce log records that contain sufficient information to establish the outcome (success or failure) of events.
V-221328 Medium OHS must have a log format defined to produce log records that contain sufficient information to establish the outcome (success or failure) of events.
V-221325 Medium OHS, behind a load balancer or proxy server, must produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
V-221324 Medium OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of the source of events.
V-221327 Medium OHS, behind a load balancer or proxy server, must have a log file defined for each site/virtual host to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
V-221326 Medium OHS, behind a load balancer or proxy server, must have the SSL log format set correctly to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
V-221321 Medium OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of where within OHS the events occurred.
V-221320 Medium OHS must have an SSL log format defined for log records that allow the establishment of where within OHS the events occurred.
V-221323 Medium OHS must have an SSL log format defined for log records that allow the establishment of the source of events.
V-221322 Medium OHS must have a log format defined for log records that allow the establishment of the source of events.
V-221457 Medium OHS must have all applicable patches (i.e., Oracle Critical Patch Updates (CPUs)) applied/documented (OEM).
V-221538 Medium If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS, OHS must have the WLSProxySSL directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
V-221454 Medium A public OHS installation must limit email to outbound only.
V-221453 Medium The OHS htpasswd files (if present) must reflect proper ownership and permissions.
V-221518 Medium OHS must use wallets that have only DoD certificate authorities defined.
V-221519 Medium OHS must be tuned to handle the operational requirements of the hosted application.
V-221516 Medium OHS must have the SSLCipherSuite directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
V-221517 Medium OHS must have the SSLVerifyClient directive enabled to only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
V-221514 Medium OHS must have the SSLFIPS directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
V-221515 Medium OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
V-221513 Medium OHS must have the LoadModule ossl_module directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
V-221459 Medium OHS must have the ScoreBoardFile directive disabled.
V-221458 Medium A private OHS list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA.
V-221299 Medium OHS must have the Order, Allow, and Deny directives set within the Files directives set to restrict inbound connections from nonsecure zones.
V-221298 Medium OHS must have the Order, Allow, and Deny directives set within the Directory directives set to restrict inbound connections from nonsecure zones.
V-221291 Medium OHS must have a log directory location defined to generate information for use by external applications or entities to monitor and control remote access.
V-221290 Medium OHS must have the OraLogMode set to Oracle Diagnostic Logging text mode to generate information to be used by external applications or entities to monitor and control remote access.
V-221293 Medium OHS must have the log rotation parameter set to allow generated information to be used by external applications or entities to monitor and control remote access.
V-221292 Medium OHS must have the OraLogSeverity directive defined to generate adequate information to be used by external applications or entities to monitor and control remote access.
V-221295 Medium OHS must have an SSL log format defined to allow generated information to be used by external applications or entities to monitor and control remote access in accordance with the categorization of data hosted by the web server.
V-221294 Medium OHS must have a log format defined to generate adequate information to be used by external applications or entities to monitor and control remote access.
V-221297 Medium Remote access to OHS must follow access policy or work in conjunction with enterprise tools designed to enforce policy requirements.
V-221296 Medium OHS must have a log file defined for each site/virtual host to capture information to be used by external applications or entities to monitor and control remote access.
V-221480 Medium OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to perform RFC 5280-compliant certification path validation.
V-221481 Medium OHS must have the SSLCipherSuite directive enabled to perform RFC 5280-compliant certification path validation.
V-221482 Medium OHS must have the SSLVerifyClient directive set within each SSL-enabled VirtualHost directive to perform RFC 5280-compliant certification path validation.
V-221358 Medium OHS must have the IndexIgnore directive disabled.
V-221483 Medium OHS must have the SSLCARevocationFile and SSLCRLCheck directives within each SSL-enabled VirtualHost directive set to perform RFC 5280-compliant certification path validation when using single certification revocation.
V-221531 Medium OHS must have the SSLCipherSuite directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
V-221350 Medium OHS must have the LoadModule autoindex_module directive disabled.
V-221351 Medium OHS must have the IndexOptions directive disabled.
V-221352 Medium OHS must have the AddIconByEncoding directive disabled.
V-221353 Medium OHS must have the AddIconByType directive disabled.
V-221354 Medium OHS must have the AddIcon directive disabled.
V-221355 Medium OHS must have the DefaultIcon directive disabled.
V-221356 Medium OHS must have the ReadmeName directive disabled.
V-221496 Medium OHS must have the DocumentRoot directive set to a separate partition from the OHS system files.
V-221501 Medium OHS must have the MaxKeepAliveRequests directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
V-221500 Medium OHS must have the KeepAliveTimeout properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
V-221503 Medium OHS must have the LimitRequestBody directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
V-221502 Medium OHS must have the ListenBacklog properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
V-221505 Medium OHS must have the LimitRequestFieldSize directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
V-221486 Medium OHS must have the LoadModule ossl_module directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
V-221507 Medium OHS must have the LimitXMLRequestBody directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
V-221506 Medium OHS must have the LimitRequestLine directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
V-221508 Medium OHS must have the LimitInternalRecursion directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
V-221487 Medium OHS must have the SSLFIPS directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
V-221535 Medium OHS must have the SSLCipherSuite directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
V-221285 Medium OHS must have the SecureProxy directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.
V-221349 Medium OHS must have the LoadModule include_module directive disabled.
V-221348 Medium OHS must have the LoadModule info_module directive disabled.
V-221342 Medium OHS must have the LoadModule env_module directive disabled.
V-221357 Medium OHS must have the HeaderName directive disabled.
V-221347 Medium OHS must have the LoadModule status_module directive disabled.
V-252204 Medium OHS must capture, record, and log all content related to a user session.
V-221530 Medium OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
V-221484 Medium OHS must have SSLCARevocationPath and SSLCRLCheck directives within each SSL-enabled VirtualHost directive set to perform RFC 5280-compliant certification path validation when using multiple certification revocation.
V-221527 Medium If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS, OHS must have the WLProxySSL directive enabled to prevent unauthorized disclosure of information during transmission.
V-221288 Medium OHS must have the WLProxySSL directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.
V-221464 Medium OHS must not contain any robots.txt files.
V-221289 Medium OHS must have the LoadModule log_config_module directive enabled to generate information to be used by external applications or entities to monitor and control remote access.
V-221504 Medium OHS must have the LimitRequestFields directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
V-221491 Medium OHS must have the SSLFIPS directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
V-221276 Medium OHS must limit the number of worker processes to limit the number of allowed simultaneous requests.
V-221468 Medium Remote authors or content providers must have all files scanned for viruses and malicious code before uploading files to the Document Root directory.
V-221469 Medium A public OHS server must use TLS if authentication is required to host web sites.
V-221273 Medium OHS must have the mpm_prefork_module directive disabled so as not to conflict with the worker directive used to limit the number of allowed simultaneous requests.
V-221272 Medium OHS must have the mpm property set to use the worker Multi-Processing Module (MPM) as the preferred means to limit the number of allowed simultaneous requests.
V-221378 Medium OHS must have the LoadModule authz_user_module directive disabled.
V-221379 Medium OHS must have the LoadModule authn_file_module directive disabled.
V-221460 Medium The OHS document root directory must not be on a network share.
V-221461 Medium The OHS server root directory must not be on a network share.
V-221466 Medium The OHS DocumentRoot directory must be in a separate partition from the OHS ServerRoot directory.
V-221467 Medium The OHS DocumentRoot directory must be on a separate partition from OS root partition.
V-221465 Medium OHS must prohibit anonymous FTP user access to interactive scripts.
V-221409 Medium OHS must have the ScriptAlias /cgi-bin/ directive within an IfModule alias_module directive disabled.
V-221400 Medium OHS must have the LoadModule proxy_connect_module directive disabled.
V-221544 Medium If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the WLSSLWallet directive enabled to maintain the confidentiality and integrity of information during reception.
V-221403 Medium OHS must have the AliasMatch directive disabled for the OHS manuals.
V-221404 Medium OHS must have the AddHandler directive disabled.
V-221405 Medium OHS must have the LoadModule cgi_module directive disabled.
V-221406 Medium OHS must have the LoadModule cgid_module directive disabled.
V-221407 Medium OHS must have the IfModule cgid_module directive disabled for the OHS server, virtual host, and directory configuration.
V-221369 Medium OHS must have directives pertaining to certain scripting languages removed from virtual hosts.
V-221374 Medium OHS must have the LoadModule userdir_module directive disabled.
V-221368 Medium OHS must have the cgi-bin directory disabled.
V-221526 Medium If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the WebLogicSSLVersion directive enabled to prevent unauthorized disclosure of information during transmission.
V-221340 Medium OHS must have the LoadModule file_cache_module directive disabled.
V-221361 Medium OHS must have the LoadModule cgi_module directive disabled.
V-221363 Medium OHS must have the LoadModule cgid_module directive disabled for mpm workers.
V-221362 Medium OHS must have the LoadModule fastcgi_module disabled.
V-221274 Medium OHS must have the MaxClients directive defined to limit the number of allowed simultaneous requests.
V-221478 Medium OHS must have the LoadModule ossl_module directive enabled to perform RFC 5280-compliant certification path validation.
V-221367 Medium OHS must have the ScriptSock directive disabled.
V-221366 Medium OHS must have the ScriptAlias directive for CGI scripts disabled.
V-221479 Medium OHS must use FIPS modules to perform RFC 5280-compliant certification path validation.
V-221473 Medium If mod_plsql is not in use with OHS, OHS must have the include moduleconf/* directive disabled.
V-221472 Medium If WebLogic is not in use with OHS, OHS must have the include mod_wl_ohs.conf directive disabled at the server level.
V-221396 Low OHS must have the IfModule mpm_winnt_module directive disabled.
V-221393 Low OHS must have the IfModule dumpio_module directive disabled.
V-221389 Low OHS must have the LoadModule uniqueid_module directive disabled.
V-221388 Low OHS must have the LoadModule usertrack_module directive disabled.
V-221387 Low OHS must have the LoadModule expires_module directive disabled.
V-221386 Low OHS must have the LoadModule cern_meta_module directive disabled.
V-221373 Low OHS must have the LoadModule speling_module directive disabled.
V-221552 Low OHS must have production information removed from error documents to minimize the identity of OHS, patches, loaded modules, and directory paths in warning and error messages displayed to clients.
V-221371 Low OHS must have the LoadModule imagemap_module directive disabled.
V-221436 Low OHS must have the HostnameLookups directive enabled.
V-221551 Low OHS must have defined error pages for common error codes that minimize the identity of the web server, patches, loaded modules, and directory paths.
V-221548 Low OHS must have the ServerTokens directive set to limit the response header.
V-221546 Low OHS must display a default hosted application web page, not a directory listing, when a requested web page cannot be found.
V-221444 Low OHS must have the RewriteLog directive set properly.
V-221441 Low OHS must have the RewriteEngine directive enabled.
V-221442 Low OHS must have the RewriteOptions directive set properly.
V-221443 Low OHS must have the RewriteLogLevel directive set to the proper log level.
V-221455 Low OHS content and configuration files must be part of a routine backup program.
V-221452 Low All utility programs, not necessary for operations, must be removed or disabled.
V-221359 Low OHS must have the LoadModule dir_module directive disabled.
V-221343 Low OHS must have the LoadModule mime_magic_module directive disabled.
V-221341 Low OHS must have the LoadModule vhost_alias_module directive disabled.
V-221346 Low OHS must not have the ForceLanguagePriority directive enabled.
V-221345 Low OHS must not have the LanguagePriority directive enabled.
V-221344 Low OHS must have the LoadModule negotiation_module directive disabled.
V-221365 Low OHS must have the LoadModule mpm_winnt_module directive disabled.
V-221364 Low OHS must have the IfModule cgid_module directive disabled.
V-221370 Low OHS must have the LoadModule asis_module directive disabled.
V-221408 Low OHS must have the LoadModule cgi_module directive disabled within the IfModule mpm_winnt_module directive.
V-221402 Low OHS must disable the directive pointing to the directory containing the OHS manuals.
V-221470 Low OHS hosted web sites must utilize ports, protocols, and services according to PPSM guidelines.
V-221360 Low OHS must have the DirectoryIndex directive disabled.