STIGQter STIGQter: STIG Summary: Oracle HTTP Server 12.1.3 Security Technical Implementation Guide Version: 1 Release: 7 Benchmark Date: 24 Jul 2020:

OHS must have the Order, Allow, and Deny directives set within the Directory directives set to restrict inbound connections from nonsecure zones.

DISA Rule

SV-78985r1_rule

Vulnerability Number

V-64495

Group Title

SRG-APP-000315-WSR-000004

Rule Version

OH12-1X-000031

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.

2. Search for the "<Directory>" directive at the OHS server and virtual host configuration scopes.

Note: This fix does not apply to the root directory, i.e. the <Directory /> directive.

3. Set the "Order" directive to "allow,deny", add the directive if it does not exist.

4. Set "Allow" directives to "from all" or to an IP range (e.g., "from 123.123"), add the directives if they do not exist.

5. Set "Deny" directives to an IP range (e.g., "from 123.123") to specify nonsecure zones, add the directives if they do not exist.

Check Contents

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.

2. Search for the "<Directory>" directive at the OHS server and virtual host configuration scopes.

Note: This check does not apply to the root directory, i.e. the <Directory /> directive.

3. If the "<Directory>" directive does not contain the appropriate "Order", "Deny", and "Allow" directives to prohibit access from nonsecure zones, this is a finding.

Vulnerability Number

V-64495

Documentable

False

Rule Version

OH12-1X-000031

Severity Override Guidance

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.

2. Search for the "<Directory>" directive at the OHS server and virtual host configuration scopes.

Note: This check does not apply to the root directory, i.e. the <Directory /> directive.

3. If the "<Directory>" directive does not contain the appropriate "Order", "Deny", and "Allow" directives to prohibit access from nonsecure zones, this is a finding.

Check Content Reference

M

Target Key

2753

Comments