OH12-1X-000030 - Remote access to OHS must follow access policy or work in conjunction with enterprise tools designed to enforce policy requirements.

Information

Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions.

A web server can be accessed remotely and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy requirements.

Examples of the web server enforcing a remote access policy are implementing IP filtering rules, using https instead of http for communication, implementing secure tokens, and validating users.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.

2. Review the directives (e.g., '<VirtualHost>', '<Directory>', and '<Location>') at the OHS server and virtual host configuration scopes.

3. Configure the web server to require secure authentication as required, use SSL, and/or restrict access from nonsecure zones via 'Order', 'Deny', and 'Allow' directives.

Note: A product such as Oracle Access Manager may facilitate satisfying these requirements.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_HTTP_Server_12-1-3_V2R1_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-17(1), CAT|II, CCI|CCI-002314, Rule-ID|SV-221297r414576_rule, STIG-ID|OH12-1X-000030, STIG-Legacy|SV-78983, STIG-Legacy|V-64493, Vuln-ID|V-221297

Plugin: Unix

Control ID: be4f52e80378bccc46bb1f95dc9b774e8445a6158682e7188462654e4a7973f4