If WebLogic is not in use with OHS, OHS must have the include mod_wl_ohs.conf directive disabled at the server level.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-221472 | OH12-1X-000235 | SV-221472r415101_rule | Medium |
| Description |
|---|
| A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance. |
| STIG | Date |
|---|---|
| Oracle HTTP Server 12.1.3 Security Technical Implementation Guide | 2021-12-29 |
Details
| Check Text ( C-23187r415099_chk ) |
|---|
| If not using the WebLogic Web Server Proxy Plugin: 1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/ 2. Search for the "include mod_wl_ohs.conf" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding. |
| Fix Text (F-23176r415100_fix) |
|---|
| 1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/ 2. Search for the "include mod_wl_ohs.conf" directive at the OHS server configuration scope. 3. Comment out the "include mod_wl_ohs.conf" directive if it exists. |