UCF STIG Viewer Logo

OHS must have the AllowOverride directive set properly.


Overview

Finding ID Version Rule ID IA Controls Severity
V-221431 OH12-1X-000193 SV-221431r879887_rule Medium
Description
The property "AllowOverride" is used to allow directives to be set differently than those set for the overall architecture. When the property is not set to "None", OHS will check for directives in the htaccess files at each directory level until the requested resource is found for each URL request. Allowing parameters to be overridden at different levels of an application becomes a security risk as the overall security of the hosted application can change dependencies on the URL being accessed. Security management also becomes difficult as a misconfiguration can be mistakenly made.
STIG Date
Oracle HTTP Server 12.1.3 Security Technical Implementation Guide 2022-12-09

Details

Check Text ( C-23146r414976_chk )
1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.

2. Search for the "AllowOverride" directive at the directory configuration scope.

3. If the "AllowOverride" directive is omitted or is not set to "None", this is a finding.
Fix Text (F-23135r414977_fix)
1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.

2. Search for the "AllowOverride" directive at the directory configuration scope.

3. Set the "AllowOverride" directive to "None", add the directive if it does not exist.