OHS must have the LoadModule proxy_module directive disabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-221381	OH12-1X-000134	SV-221381r879587_rule		Medium

Description
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.

STIG	Date
Oracle HTTP Server 12.1.3 Security Technical Implementation Guide	2022-12-09

Details

Check Text ( C-23096r457168_chk )
If the AO-approved system security plan for web server configuration specifies using the proxy_module directive in order to meet application architecture requirements and authentication is enforced, this requirement is NA. 1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf with an editor. 2. Search for the "LoadModule proxy_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Check Text ( C-23096r457168_chk )

If the AO-approved system security plan for web server configuration specifies using the proxy_module directive in order to meet application architecture requirements and authentication is enforced, this requirement is NA.

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf with an editor.

2. Search for the "LoadModule proxy_module" directive at the OHS server configuration scope.

3. If the directive exists and is not commented out, this is a finding.

Fix Text (F-23085r457169_fix)
1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf with an editor. 2. Search for the "LoadModule proxy_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule proxy_module" directive if it exists.