UCF STIG Viewer Logo

OHS tools must be restricted to the web manager and the web managers designees.


Overview

Finding ID Version Rule ID IA Controls Severity
V-221451 OH12-1X-000214 SV-221451r879887_rule Medium
Description
All automated information systems are at risk of data loss due to disaster or compromise. Failure to provide adequate protection to the administration tools creates risk of potential theft or damage that may ultimately compromise the mission. Adequate protection ensures that server administration operates with less risk of losses or operations outages. The key web service administrative and configuration tools must be accessible only by the authorized web server administrators. All users granted this authority must be documented and approved by the ISSO. Access to OHS must be limited to authorized users and administrators.
STIG Date
Oracle HTTP Server 12.1.3 Security Technical Implementation Guide 2022-12-09

Details

Check Text ( C-23166r415036_chk )
1. Determine whether anyone other than the System Administrator or the OHS Administrator has inappropriate access to modify the OHS configuration. This includes the ability to use the OS account that owns OHS, root, or a tool with OHS management or monitoring capability such as Oracle Enterprise Manager (OEM).

2. If so, this is a finding.
Fix Text (F-23155r415037_fix)
Restrict access to the OS account that owns OHS, root, or tool with OHS management or monitoring capability such as Oracle Enterprise Manager (OEM).