STIGQter: STIG Summary: Oracle HTTP Server 12.1.3 Security Technical Implementation Guide Version: 1 Release: 7 Benchmark Date: 24 Jul 2020:

OHS must capture, record, and log all content related to a user session.

DISA Rule

SV-78679r1_rule

Vulnerability Number

V-64189

Group Title

SRG-APP-000093-WSR-000053

Rule Version

OH12-1X-000049

Severity

CAT II

CCI(s)

• CCI-001462 - The information system provides the capability for authorized users to capture/record and log content related to a user session.

Weight

10

Fix Recommendation

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive.

2. Search for the "LogFormat" directive with nicknames of "dod" and "dod_ssl" at the OHS server and virtual host configuration scopes.

3a. If the session id is contained within a cookie, modify the "LogFormat" directive with nicknames of "dod" and "dod_ssl" to include "sess:%{JSESSIONID}C", add the directive if it does not exist unless inherited from a larger scope.
3b. If the session id is contained within a header variable, modify the "LogFormat" directives with nicknames of "dod" and "dod_ssl" to include "sess:%{X-JSESSIONID}o" dod", add the directive if it does not exist unless inherited from a larger scope.

Check Contents

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive.

2. Search for the "LogFormat" directive with nicknames of "dod" and "dod_ssl" at the OHS server and virtual host configuration scopes.

3. If either of these directives is omitted or set improperly, this is a finding unless inherited from a larger scope.

Vulnerability Number

V-64189

Documentable

False

Rule Version

OH12-1X-000049

Severity Override Guidance

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "<VirtualHost>" directive.

2. Search for the "LogFormat" directive with nicknames of "dod" and "dod_ssl" at the OHS server and virtual host configuration scopes.

3. If either of these directives is omitted or set improperly, this is a finding unless inherited from a larger scope.

Check Content Reference

M

Target Key

2753

Comments