Detections
Analytics
OH12-1X-000326 - OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality and integrity of information during preparation for transmission - SSLProtocol
Warning! Audit Deprecated
This audit has been deprecated and will be removed in a future update.
View Next Audit VersionInformation
Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.An example of this would be an SMTP queue. This queue may be added to a web server through an SMTP module to enhance error reporting or to allow developers to add SMTP functionality to their applications.
Any modules used by the web server that queue data before transmission must maintain the confidentiality and integrity of the information before the data is transmitted.
Solution
1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled '<VirtualHost>' directive.Note: Does not apply to admin.conf.
2a. Search for the 'SSLEngine' directive at the OHS server, virtual host, and/or directory configuration scopes.
2b. Set the 'SSLEngine' directive to 'On', add the directive if it does not exist.
3a. Search for the 'SSLProtocol' directive at the OHS server configuration, virtual host, and/or directory levels.
3b. Set the 'SSLProtocol' directive to 'TLSv1.2 TLSv1.1', add the directive if it does not exist.
4a. Search for the 'SSLWallet' directive at the OHS server configuration, virtual host, and/or directory levels.
4b. Set the 'SSLWallet' directive to the location (i.e., folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES Encryption (-compat_v12 parameters) that contains only the identity certificate for the host and DoD Certificate Authorities, add the directive if it does not exist.
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_HTTP_Server_12-1-3_V2R1_STIG.zip
Item Details
Audit Name: DISA STIG Oracle HTTP Server 12.1.3 v2r1
References: CAT|II, CCI|CCI-002420, Rule-ID|SV-221534r415283_rule, STIG-ID|OH12-1X-000326, STIG-Legacy|SV-79059, STIG-Legacy|V-64569, Vuln-ID|V-221534
Plugin: Unix
Control ID: ff380e7836ee3cb7fdb15555446a2474a710280f82cadbd4c0a29c85d5808f75