STIGQter STIGQter: STIG Summary: Oracle HTTP Server 12.1.3 Security Technical Implementation Guide

Version: 1

Release: 6 Benchmark Date: 24 Jan 2020

CheckedNameTitle
SV-77643r1_ruleOHS must have the mpm property set to use the worker Multi-Processing Module (MPM) as the preferred means to limit the number of allowed simultaneous requests.
SV-78615r1_ruleOHS must have the mpm_prefork_module directive disabled so as not conflict with the worker directive used to limit the number of allowed simultaneous requests.
SV-78617r1_ruleOHS must have the MaxClients directive defined to limit the number of allowed simultaneous requests.
SV-78619r1_ruleOHS must limit the number of threads within a worker process to limit the number of allowed simultaneous requests.
SV-78621r1_ruleOHS must limit the number of worker processes to limit the number of allowed simultaneous requests.
SV-78623r1_ruleOHS must have the LoadModule ossl_module directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
SV-78625r1_ruleOHS must have the SSLFIPS directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
SV-78627r2_ruleOHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to encrypt remote connections in accordance with the categorization of data hosted by the web server.
SV-78629r2_ruleOHS must have the SSLCipherSuite directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
SV-78631r1_ruleOHS must have the LoadModule ossl_module directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.
SV-78633r1_ruleOHS must have the SSLFIPS directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.
SV-78635r2_ruleOHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.
SV-78637r1_ruleOHS must have the SSLCipherSuite directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.
SV-78639r1_ruleOHS must have the SecureProxy directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.
SV-78641r1_ruleOHS must have the WLSSLWallet directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.
SV-78643r1_ruleOHS must have the WebLogicSSLVersion directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.
SV-78645r1_ruleOHS must have the WLProxySSL directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.
SV-78647r1_ruleOHS must have the LoadModule log_config_module directive enabled to generate information to be used by external applications or entities to monitor and control remote access.
SV-78649r1_ruleOHS must have the OraLogMode set to Oracle Diagnostic Logging text mode to generate information to be used by external applications or entities to monitor and control remote access.
SV-78651r1_ruleOHS must have a log directory location defined to generate information for use by external applications or entities to monitor and control remote access.
SV-78653r1_ruleOHS must have the OraLogSeverity directive defined to generate adequate information to be used by external applications or entities to monitor and control remote access.
SV-78655r1_ruleOHS must have the log rotation parameter set to allow generated information to be used by external applications or entities to monitor and control remote access.
SV-78657r1_ruleOHS must have a log format defined to generate adequate information to be used by external applications or entities to monitor and control remote access.
SV-78659r1_ruleOHS must have a SSL log format defined to allow generated information to be used by external applications or entities to monitor and control remote access in accordance with the categorization of data hosted by the web server.
SV-78661r1_ruleOHS must have a log file defined for each site/virtual host to capture information to be used by external applications or entities to monitor and control remote access.
SV-78663r1_ruleOHS must have the client requests logging module loaded to generate log records for system startup and shutdown, system access, and system authentication logging.
SV-78665r1_ruleOHS must have OraLogMode set to Oracle Diagnostic Logging text mode to generate log records for system startup and shutdown, system access, and system authentication logging.
SV-78667r1_ruleOHS must have a log directory location defined to generate log records for system startup and shutdown, system access, and system authentication logging.
SV-78669r1_ruleOHS must have a log level severity defined to generate adequate log records for system startup and shutdown, system access, and system authentication events.
SV-78671r1_ruleOHS must have the log rotation parameter set to allow for the generation log records for system startup and shutdown, system access, and system authentication events.
SV-78673r1_ruleOHS must have a log format defined to generate adequate logs by system startup and shutdown, system access, and system authentication events.
SV-78675r1_ruleOHS must have a SSL log format defined to generate adequate logs by system startup and shutdown, system access, and system authentication events.
SV-78677r1_ruleOHS must have a log file defined for each site/virtual host to capture logs generated by system startup and shutdown, system access, and system authentication events.
SV-78679r1_ruleOHS must capture, record, and log all content related to a user session.
SV-78681r1_ruleOHS must have a log level severity defined to produce sufficient log records to establish what type of events occurred.
SV-78683r1_ruleOHS must have a log format defined for log records generated to capture sufficient information to establish what type of events occurred.
SV-78685r1_ruleOHS must have a SSL log format defined for log records generated to capture sufficient information to establish what type of events occurred.
SV-78687r1_ruleOHS must have a log file defined for each site/virtual host to capture sufficient information to establish what type of events occurred.
SV-78689r1_ruleOHS must have a log format defined for log records generated to capture sufficient information to establish when an event occurred.
SV-78691r1_ruleOHS must have a SSL log format defined for log records generated to capture sufficient information to establish when an event occurred.
SV-78693r1_ruleOHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of when an event occurred.
SV-78695r1_ruleOHS must have a log format defined for log records that allow the establishment of where within OHS the events occurred.
SV-78697r1_ruleOHS must have a SSL log format defined for log records that allow the establishment of where within OHS the events occurred.
SV-78699r1_ruleOHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of where within OHS the events occurred.
SV-78701r1_ruleOHS must have a log format defined for log records that allow the establishment of the source of events.
SV-78703r1_ruleOHS must have a SSL log format defined for log records that allow the establishment of the source of events.
SV-78705r1_ruleOHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of the source of events.
SV-78707r1_ruleOHS, behind a load balancer or proxy server, must produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
SV-78709r1_ruleOHS, behind a load balancer or proxy server, must have the SSL log format set correctly to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
SV-78711r1_ruleOHS, behind a load balancer or proxy server, must have a log file defined for each site/virtual host to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
SV-78713r1_ruleOHS must have a log format defined to produce log records that contain sufficient information to establish the outcome (success or failure) of events.
SV-78715r1_ruleOHS must have a SSL log format defined to produce log records that contain sufficient information to establish the outcome (success or failure) of events.
SV-78717r1_ruleOHS must have a log file defined for each site/virtual host to produce log records that contain sufficient information to establish the outcome (success or failure) of events.
SV-78719r1_ruleOHS must have a log format defined to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
SV-78721r1_ruleOHS must have a SSL log format defined to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
SV-78723r1_ruleOHS must have a log file defined for each site/virtual host to produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
SV-78725r1_ruleOHS log files must only be accessible by privileged users.
SV-78727r1_ruleThe log information from OHS must be protected from unauthorized modification.
SV-78729r1_ruleThe log information from OHS must be protected from unauthorized deletion.
SV-78731r1_ruleThe log data and records from OHS must be backed up onto a different system or media.
SV-78733r1_ruleOHS must have the LoadModule file_cache_module directive disabled.
SV-78735r1_ruleOHS must have the LoadModule vhost_alias_module directive disabled.
SV-78737r1_ruleOHS must have the LoadModule env_module directive disabled.
SV-78739r1_ruleOHS must have the LoadModule mime_magic_module directive disabled.
SV-78741r1_ruleOHS must have the LoadModule negotiation_module directive disabled.
SV-78743r1_ruleOHS must not have the LanguagePriority directive enabled.
SV-78745r1_ruleOHS must not have the ForceLanguagePriority directive enabled.
SV-78747r1_ruleOHS must have the LoadModule status_module directive disabled.
SV-78749r1_ruleOHS must have the LoadModule info_module directive disabled.
SV-78751r1_ruleOHS must have the LoadModule include_module directive disabled.
SV-78753r1_ruleOHS must have the LoadModule autoindex_module directive disabled.
SV-78755r1_ruleOHS must have the IndexOptions directive disabled.
SV-78757r1_ruleOHS must have the AddIconByEncoding directive disabled.
SV-78759r1_ruleOHS must have the AddIconByType directive disabled.
SV-78761r1_ruleOHS must have the AddIcon directive disabled.
SV-78763r1_ruleOHS must have the DefaultIcon directive disabled.
SV-78765r1_ruleOHS must have the ReadmeName directive disabled.
SV-78767r1_ruleOHS must have the HeaderName directive disabled.
SV-78769r1_ruleOHS must have the IndexIgnore directive disabled.
SV-78771r1_ruleOHS must have the LoadModule dir_module directive disabled.
SV-78773r1_ruleOHS must have the DirectoryIndex directive disabled.
SV-78775r1_ruleOHS must have the LoadModule cgi_module directive disabled.
SV-78777r1_ruleOHS must have the LoadModule fastcgi_module disabled.
SV-78779r1_ruleOHS must have the LoadModule cgid_module directive disabled for mpm workers.
SV-78781r1_ruleOHS must have the IfModule cgid_module directive disabled.
SV-78783r1_ruleOHS must have the LoadModule mpm_winnt_module directive disabled.
SV-78785r1_ruleOHS must have the ScriptAlias directive for CGI scripts disabled.
SV-78787r1_ruleOHS must have the ScriptSock directive disabled.
SV-78789r2_ruleOHS must have the cgi-bin directory disabled.
SV-78791r1_ruleOHS must have directives pertaining to certain scripting languages removed from virtual hosts.
SV-78793r1_ruleOHS must have the LoadModule asis_module directive disabled.
SV-78795r1_ruleOHS must have the LoadModule imagemap_module directive disabled.
SV-78797r1_ruleOHS must have the LoadModule actions_module directive disabled.
SV-78799r1_ruleOHS must have the LoadModule speling_module directive disabled.
SV-78801r1_ruleOHS must have the LoadModule userdir_module directive disabled.
SV-78803r1_ruleOHS must have the AliasMatch directive pertaining to the OHS manuals disabled.
SV-78805r1_ruleOHS must have the Directory directive pointing to the OHS manuals disabled.
SV-78807r1_ruleOHS must have the LoadModule auth_basic_module directive disabled.
SV-78809r1_ruleOHS must have the LoadModule authz_user_module directive disabled.
SV-78811r1_ruleOHS must have the LoadModule authn_file_module directive disabled.
SV-78813r1_ruleOHS must have the LoadModule authn_anon_module directive disabled.
SV-78815r1_ruleOHS must have the LoadModule proxy_module directive disabled.
SV-78817r1_ruleOHS must have the LoadModule proxy_http_module directive disabled.
SV-78819r1_ruleOHS must have the LoadModule proxy_ftp_module directive disabled.
SV-78821r1_ruleOHS must have the LoadModule proxy_connect_module directive disabled.
SV-78823r1_ruleOHS must have the LoadModule proxy_balancer_module directive disabled.
SV-78825r1_ruleOHS must have the LoadModule cern_meta_module directive disabled.
SV-78827r1_ruleOHS must have the LoadModule expires_module directive disabled.
SV-78829r1_ruleOHS must have the LoadModule usertrack_module directive disabled.
SV-78831r2_ruleOHS must have the LoadModule uniqueid_module directive disabled.
SV-78833r1_ruleOHS must have the LoadModule setenvif_module directive disabled.
SV-78835r1_ruleOHS must have the BrowserMatch directive disabled.
SV-78837r1_ruleOHS must have the LoadModule dumpio_module directive disabled.
SV-78839r1_ruleOHS must have the IfModule dumpio_module directive disabled.
SV-78841r1_ruleOHS must have the Alias /icons/ directive disabled.
SV-78843r1_ruleOHS must have the path to the icons directory disabled.
SV-78845r1_ruleOHS must have the IfModule mpm_winnt_module directive disabled.
SV-78847r1_ruleIf WebLogic is not in use with OHS, OHS must have the include mod_wl_ohs.conf directive disabled at the server level.
SV-78849r1_ruleIf mod_plsql is not in use with OHS, OHS must have the include moduleconf/* directive disabled.
SV-78851r1_ruleOHS must have the LoadModule proxy_module directive disabled.
SV-78853r1_ruleOHS must have the LoadModule proxy_http_module directive disabled.
SV-78855r1_ruleOHS must have the LoadModule proxy_ftp_module directive disabled.
SV-78865r1_ruleOHS must have the LoadModule proxy_connect_module directive disabled.
SV-78867r1_ruleOHS must have the LoadModule proxy_balancer_module directive disabled.
SV-78869r1_ruleOHS must disable the directive pointing to the directory containing the OHS manuals.
SV-78871r1_ruleOHS must have the AliasMatch directive disabled for the OHS manuals.
SV-78873r1_ruleOHS must have the AddHandler directive disabled.
SV-78875r1_ruleOHS must have the LoadModule cgi_module directive disabled.
SV-78877r1_ruleOHS must have the LoadModule cgid_module directive disabled.
SV-78879r1_ruleOHS must have the IfModule cgid_module directive disabled for the OHS server, virtual host, and directory configuration.
SV-78881r1_ruleOHS must have the LoadModule cgi_module directive disabled within the IfModule mpm_winnt_module directive.
SV-78883r1_ruleOHS must have the ScriptAlias /cgi-bin/ directive within a IfModule alias_module directive disabled.
SV-78885r1_ruleOHS must have the ScriptSock directive within a IfModule cgid_module directive disabled.
SV-78887r1_ruleOHS must have the cgi-bin directory disabled.
SV-78889r1_ruleOHS must have directives pertaining to certain scripting languages removed from virtual hosts.
SV-78891r1_ruleOHS must have resource mappings set to disable the serving of certain file types.
SV-78893r1_ruleUsers and scripts running on behalf of users must be contained to the document root or home directory tree of OHS.
SV-78895r1_ruleOHS must be configured to use a specified IP address, port, and protocol.
SV-78897r1_ruleOHS must have the LoadModule ossl_module directive enabled to encrypt passwords during transmission.
SV-78899r1_ruleOHS must use FIPS modules to encrypt passwords during transmission.
SV-78901r2_ruleOHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to encrypt passwords during transmission.
SV-78903r1_ruleOHS must have the SSLCipherSuite directive enabled to encrypt passwords during transmission.
SV-78905r1_ruleOHS must have the LoadModule ossl_module directive enabled to perform RFC 5280-compliant certification path validation.
SV-78907r1_ruleOHS must use FIPS modules to perform RFC 5280-compliant certification path validation.
SV-78909r2_ruleOHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to perform RFC 5280-compliant certification path validation.
SV-78911r1_ruleOHS must have the SSLCipherSuite directive enabled to perform RFC 5280-compliant certification path validation.
SV-78913r1_ruleOHS must have the SSLVerifyClient directive set within each SSL-enabled VirtualHost directive to perform RFC 5280-compliant certification path validation.
SV-78915r1_ruleOHS must have the SSLCARevocationFile and SSLCRLCheck directives within each SSL-enabled VirtualHost directive set to perform RFC 5280-compliant certification path validation when using single certification revocation.
SV-78917r1_ruleOHS must have SSLCARevocationPath and SSLCRLCheck directives within each SSL-enabled VirtualHost directive set to perform RFC 5280-compliant certification path validation when using multiple certification revocation.
SV-78919r1_ruleOHS must be integrated with a tool such as Oracle Access Manager to enforce a client-side certificate revocation check through the OCSP protocol.
SV-78921r1_ruleOHS must have the LoadModule ossl_module directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
SV-78923r1_ruleOHS must have the SSLFIPS directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
SV-78925r2_ruleOHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
SV-78927r1_ruleOHS must have the SSLCipherSuite directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
SV-78929r1_ruleOHS must have the LoadModule ossl_module directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
SV-78931r1_ruleOHS must have the SSLFIPS directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
SV-78933r2_ruleOHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
SV-78935r1_ruleOHS must have the SSLCipherSuite directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
SV-78937r1_ruleOHS utilizing mobile code must meet DoD-defined mobile code requirements.
SV-78939r1_ruleOHS accounts accessing the directory tree, the shell, or other operating system functions and utilities must only be administrative accounts.
SV-78941r1_ruleOHS must have the DocumentRoot directive set to a separate partition from the OHS system files.
SV-78943r1_ruleOHS must have the Directory directive accompanying the DocumentRoot directive set to a separate partition from the OHS system files.
SV-78945r1_ruleOHS must have the Timeout directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SV-78947r1_ruleOHS must have the KeepAlive directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SV-78949r1_ruleOHS must have the KeepAliveTimeout properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SV-78951r1_ruleOHS must have the MaxKeepAliveRequests directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SV-78953r1_ruleOHS must have the ListenBacklog properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SV-78955r2_ruleOHS must have the LimitRequestBody directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SV-78957r1_ruleOHS must have the LimitRequestFields directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SV-78959r1_ruleOHS must have the LimitRequestFieldSize directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SV-78961r1_ruleOHS must have the LimitRequestLine directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SV-78963r1_ruleOHS must have the LimitXMLRequestBody directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SV-78965r1_ruleOHS must have the LimitInternalRecursion directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
SV-78967r1_ruleOHS must display a default hosted application web page, not a directory listing, when a requested web page cannot be found.
SV-78969r1_ruleOHS must have the ServerSignature directive disabled.
SV-78971r1_ruleOHS must have the ServerTokens directive set to limit the response header.
SV-78973r1_ruleOHS must have the Alias /error directive defined to reference the directory accompanying the ErrorDocument directives to minimize the identity of OHS, patches, loaded modules, and directory paths in warning and error messages displayed to clients.
SV-78975r2_ruleOHS must have the permissions set properly via the Directory directive accompanying the ErrorDocument directives to minimize improper access to the warning and error messages displayed to clients.
SV-78977r1_ruleOHS must have defined error pages for common error codes that minimize the identity of the web server, patches, loaded modules, and directory paths.
SV-78979r1_ruleOHS must have production information removed from error documents to minimize the identity of OHS, patches, loaded modules, and directory paths in warning and error messages displayed to clients.
SV-78981r1_ruleDebugging and trace information used to diagnose OHS must be disabled.
SV-78983r1_ruleRemote access to OHS must follow access policy or work in conjunction with enterprise tools designed to enforce policy requirements.
SV-78985r1_ruleOHS must have the Order, Allow, and Deny directives set within the Directory directives set to restrict inbound connections from nonsecure zones.
SV-78987r1_ruleOHS must have the Order, Allow, and Deny directives set within the Files directives set to restrict inbound connections from nonsecure zones.
SV-78989r1_ruleOHS must have the Order, Allow, and Deny directives set within the Location directives set to restrict inbound connections from nonsecure zones.
SV-78991r1_ruleOHS must provide the capability to immediately disconnect or disable remote access to the hosted applications.
SV-78993r1_ruleNon-privileged accounts on the hosting system must only access OHS security-relevant information and functions through a distinct administrative account.
SV-78995r1_ruleOHS must be configured to store error log files to an appropriate storage device from which other tools can be configured to reference those log files for diagnostic/forensic purposes.
SV-78997r1_ruleOHS must be configured to store access log files to an appropriate storage device from which other tools can be configured to reference those log files for diagnostic/forensic purposes.
SV-78999r1_ruleOHS must have the LoadModule ossl_module directive enabled to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized.
SV-79001r1_ruleOHS must have the SSLFIPS directive enabled to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized.
SV-79003r2_ruleOHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized.
SV-79005r1_ruleOHS must have the SSLCipherSuite directive enabled to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized.
SV-79007r1_ruleOHS must have the LoadModule ossl_module directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
SV-79009r1_ruleOHS must have the SSLFIPS directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
SV-79011r2_ruleOHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
SV-79013r1_ruleOHS must have the SSLCipherSuite directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
SV-79015r1_ruleOHS must have the SSLVerifyClient directive enabled to only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
SV-79017r1_ruleOHS must use wallets that have only DoD certificate authorities defined.
SV-79019r1_ruleOHS must be tuned to handle the operational requirements of the hosted application.
SV-79031r1_ruleOHS must have the LoadModule ossl_module directive enabled to prevent unauthorized disclosure of information during transmission.
SV-79033r1_ruleOHS must have the SSLFIPS directive enabled to prevent unauthorized disclosure of information during transmission.
SV-79035r2_ruleOHS must have the SSLEngine, SSLProtocol, SSLWallet directives enabled and configured to prevent unauthorized disclosure of information during transmission.
SV-79037r1_ruleOHS must have the SSLCipherSuite directive enabled to prevent unauthorized disclosure of information during transmission.
SV-79039r1_ruleIf using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the SecureProxy directive enabled to prevent unauthorized disclosure of information during transmission.
SV-79041r1_ruleOHS must have the WLSSLWallet directive enabled to prevent unauthorized disclosure of information during transmission.
SV-79043r1_ruleIf using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the WebLogicSSLVersion directive enabled to prevent unauthorized disclosure of information during transmission.
SV-79045r1_ruleIf using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS, OHS must have the WLProxySSL directive enabled to prevent unauthorized disclosure of information during transmission.
SV-79047r1_ruleOHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
SV-79049r1_ruleOHS must have the SSLFIPS directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
SV-79051r2_ruleOHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
SV-79053r1_ruleOHS must have the SSLCipherSuite directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
SV-79055r1_ruleOHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
SV-79057r1_ruleOHS must have the SSLFIPS directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
SV-79059r2_ruleOHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality and integrity of information during preparation for transmission.
SV-79061r1_ruleOHS must have the SSLCipherSuite directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
SV-79063r1_ruleIf using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the SecureProxy directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
SV-79065r1_ruleIf using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the WLSSLWallet directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
SV-79067r1_ruleIf using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS, OHS must have the WLSProxySSL directive enabled to maintain the confidentiality and integrity of information during preparation for transmission.
SV-79069r1_ruleOHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality and integrity of information during reception.
SV-79071r1_ruleOHS must have the SSLFIPS directive enabled to maintain the confidentiality and integrity of information during reception.
SV-79073r2_ruleOHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality and integrity of information during reception.
SV-79075r1_ruleOHS must have the SSLCipherSuite directive enabled to maintain the confidentiality and integrity of information during reception.
SV-79077r1_ruleIf using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the SSLSecureProxy directive enabled to maintain the confidentiality and integrity of information during reception.
SV-79079r1_ruleIf using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the WLSSLWallet directive enabled to maintain the confidentiality and integrity of information during reception.
SV-79081r1_ruleIf using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS, OHS must have the WLProxySSL directive enabled to maintain the confidentiality and integrity of information during reception.
SV-79083r1_ruleThe Node Manager account password associated with the installation of OHS must be in accordance with DoD guidance for length, complexity, etc.
SV-79085r1_ruleOHS must have Entity tags (ETags) disabled.
SV-79087r1_ruleThe SecureListener property of the Node Manager configured to support OHS must be enabled for secure communication.
SV-79089r1_ruleThe ListenAddress property of the Node Manager configured to support OHS must match the CN of the certificate used by Node Manager.
SV-79091r1_ruleThe AuthenticationEnabled property of the Node Manager configured to support OHS must be configured to enforce authentication.
SV-79093r1_ruleThe KeyStores property of the Node Manager configured to support OHS must be configured for secure communication.
SV-79095r1_ruleThe CustomIdentityKeyStoreFileName property of the Node Manager configured to support OHS must be configured for secure communication.
SV-79097r1_ruleThe CustomIdentityKeyStorePassPhrase property of the Node Manager configured to support OHS must be configured for secure communication.
SV-79099r1_ruleThe CustomIdentityAlias property of the Node Manager configured to support OHS must be configured for secure communication.
SV-79101r1_ruleThe CustomIdentityPrivateKeyPassPhrase property of the Node Manager configured to support OHS must be configured for secure communication.
SV-79103r1_ruleThe listen-address element defined within the config.xml of the OHS Standalone domain that supports OHS must be configured for secure communication.
SV-79105r1_ruleThe listen-port element defined within the config.xml of the OHS Standalone Domain must be configured for secure communication.
SV-79107r1_ruleThe WLST_PROPERTIES environment variable defined for the OHS WebLogic Scripting Tool must be updated to reference an appropriate trust store so that it can communicate with the Node Manager supporting OHS.
SV-79109r1_ruleThe WLST_PROPERTIES environment variable defined for the Fusion Middleware WebLogic Scripting Tool must be updated to reference an appropriate trust store so that it can communicate with the Node Manager supporting OHS.
SV-79111r1_ruleOHS must not have the directive PlsqlDatabasePassword set in clear text.
SV-79113r1_ruleOHS must limit access to the Dynamic Monitoring Service (DMS).
SV-79115r1_ruleOHS must have the AllowOverride directive set properly.
SV-79117r1_ruleOHS must be set to evaluate deny directives first when considering whether to serve a file.
SV-79119r1_ruleOHS must deny all access by default when considering whether to serve a file.
SV-79121r1_ruleThe OHS instance installation must not contain an .htaccess file.
SV-79123r1_ruleThe OHS instance configuration must not reference directories that contain an .htaccess file.
SV-79125r1_ruleOHS must have the HostnameLookups directive enabled.
SV-79127r1_ruleOHS must have the ServerAdmin directive set properly.
SV-79129r1_ruleOHS must restrict access methods.
SV-79131r1_ruleThe OHS htdocs directory must not contain any default files.
SV-79133r1_ruleOHS must have the SSLSessionCacheTimeout directive set properly.
SV-79135r1_ruleOHS must have the RewriteEngine directive enabled.
SV-79137r1_ruleOHS must have the RewriteOptions directive set properly.
SV-79139r1_ruleOHS must have the RewriteLogLevel directive set to the proper log level.
SV-79141r1_ruleOHS must have the RewriteLog directive set properly.
SV-79143r2_ruleAll accounts installed with the web server software and tools must have passwords assigned and default passwords changed.
SV-79145r1_ruleA production OHS Installation must prohibit the installation of a compiler.
SV-79147r1_ruleA public OHS installation, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension.
SV-79149r1_ruleA private OHS installation must be located on a separate controlled access subnet.
SV-79151r1_ruleThe version of the OHS installation must be vendor-supported.
SV-79153r1_ruleOHS must be certified with accompanying Fusion Middleware products.
SV-79155r1_ruleOHS tools must be restricted to the web manager and the web managers designees.
SV-79157r1_ruleAll utility programs, not necessary for operations, must be removed or disabled.
SV-79159r1_ruleThe OHS htpasswd files (if present) must reflect proper ownership and permissions.
SV-79161r1_ruleA public OHS installation must limit email to outbound only.
SV-79163r1_ruleOHS content and configuration files must be part of a routine backup program.
SV-79165r1_ruleOHS must be segregated from other services.
SV-79167r1_ruleOHS must have all applicable patches (i.e., CPUs) applied/documented (OEM).
SV-79169r1_ruleA private OHS list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA.
SV-79171r1_ruleOHS must have the ScoreBoardFile directive disabled.
SV-79173r1_ruleThe OHS document root directory must not be on a network share.
SV-79175r1_ruleThe OHS server root directory must not be on a network share.
SV-79177r1_ruleSymbolic links must not be used in the web content directory tree.
SV-79179r1_ruleOHS administration must be performed over a secure path or at the local console.
SV-79181r1_ruleOHS must not contain any robots.txt files.
SV-79183r1_ruleOHS must prohibit anonymous FTP user access to interactive scripts.
SV-79185r1_ruleThe OHS DocumentRoot directory must be in a separate partition from the OHS ServerRoot directory.
SV-79187r1_ruleThe OHS DocumentRoot directory must be on a separate partition from OS root partition.
SV-79189r1_ruleRemote authors or content providers must have all files scanned for viruses and malicious code before uploading files to the Document Root directory.
SV-79191r2_ruleA public OHS server must use TLS if authentication is required to host web sites.
SV-79193r1_ruleOHS hosted web sites must utilize ports, protocols, and services according to PPSM guidelines.