OH12-1X-000234 - OHS must not have the directive PlsqlDatabasePassword set in clear text.

Information

OHS supports the use of the module mod_plsql, which allows PL/SQL-based applications to be hosted. To access the database, the module must have a valid username, password and database name. To keep the password from an attacker, it must not be stored in plain text; it must be obfuscated instead.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

1. At shell prompt, set 'ORACLE_HOME' environment variable to $ORACLE_HOME location and export the variable.

2. At shell prompt, set 'PATH' environment variable to '$ORACLE_HOME/ohs/bin:$ORACLE_HOME/bin:$ORACLE_HOME/perl/bin:$PATH' and export the variable.

3a. If AIX OS, at shell prompt, set 'LIBPATH' environment variable to '$ORACLE_HOME/lib:$LIBPATH' and export the variable.
3b. If HP-UX OS, at shell prompt, set 'SHLIB_PATH' environment variable to '$ORACLE_HOME/lib:$SHLIB_PATH' and export the variable.
3c. If Solaris OS, at shell prompt, set 'LD_LIBRARY_PATH' environment variable to '$ORACLE_HOME/lib32:$LD_LIBRARY_PATH' and export the variable.
3d. If Linux or Other Unix OS, at shell prompt, set 'LD_LIBRARY_PATH' environment variable to '$ORACLE_HOME/lib:$LD_LIBRARY_PATH' and export the variable.

4. Change the present working directory to '$ORACLE_HOME/ohs/bin' (e.g., cd $ORACLE_HOME/ohs/bin).

5. For each .conf file found to be at fault, execute the dadTool.pl script (e.g., 'perl dadTool.pl -f $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/mod_plsql/dads.conf').
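
One way to find the .conf files "at fault" before running step 5, as an added example that is not part of the STIG or of Oracle's tooling. It assumes that values written by dadTool.pl begin with '@B' and treats any other PlsqlDatabasePassword value as clear text; the function names, sample paths and sample passwords are constructed for illustration.

```shell
#!/bin/sh
# Print "file:line" for each PlsqlDatabasePassword directive that looks like
# clear text. ASSUMPTION: obfuscated values produced by dadTool.pl start with
# "@B"; any other value (including an empty one) is reported.
cleartext_dad_lines() {
    # $1 = path to a dads.conf file
    awk -v f="$1" '
        /^[ \t]*#/ { next }                       # skip commented-out directives
        tolower($1) == "plsqldatabasepassword" {  # directive names are case-insensitive
            val = $2
            gsub(/^"|"$/, "", val)                # strip optional double quotes
            if (val !~ /^@B/) print f ":" NR
        }' "$1"
}

# Search a configuration tree for dads.conf files and report every finding.
# Returns 0 when nothing is found, 1 when at least one clear-text value exists.
audit_dads() {
    # $1 = directory to search, e.g. the OHS components directory
    findings=$(find "$1" -type f -name 'dads.conf' | while IFS= read -r conf; do
        cleartext_dad_lines "$conf"
    done)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree: ohs1 holds a clear-text password, ohs2 holds a value
# in the assumed obfuscated form. Only ohs1 should be reported.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/ohs1/mod_plsql" "$d/ohs2/mod_plsql"
    printf '%s\n' '<Location /pls/app1>' 'PlsqlDatabaseUsername appuser' \
        'PlsqlDatabasePassword ExamplePass1' '</Location>' \
        > "$d/ohs1/mod_plsql/dads.conf"
    printf '%s\n' '<Location /pls/app2>' 'PlsqlDatabaseUsername appuser' \
        'PlsqlDatabasePassword @BCONSTRUCTEDVALUE=' '</Location>' \
        > "$d/ohs2/mod_plsql/dads.conf"
    audit_dads "$d"; rc=$?
    rm -rf "$d"
    return $rc
}
```

Each file reported by audit_dads is a candidate for the dadTool.pl command in step 5; rerunning the audit afterwards should return 0.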

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_HTTP_Server_12-1-3_V2R3_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|I, CCI|CCI-000366, Rule-ID|SV-221471r961863_rule, STIG-ID|OH12-1X-000234, STIG-Legacy|SV-79111, STIG-Legacy|V-64621, Vuln-ID|V-221471

Plugin: Unix

Control ID: 6303af03f435a112b50c4f6e10964c5f9df0021b22c134a9180458f0185c568f