← Back to Oracle HTTP Server 12.1.3 Security Technical Implementation Guide

V-221472

CAT II (Medium)

If WebLogic is not in use with OHS, OHS must have the include mod_wl_ohs.conf directive disabled at the server level.

Rule ID

SV-221472r960963_rule

STIG

Oracle HTTP Server 12.1.3 Security Technical Implementation Guide

Version

V2R3

CCIs

CCI-000381

Discussion

A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.

Check Content

If not using the WebLogic Web Server Proxy Plugin:

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.

2. Search for the "include mod_wl_ohs.conf" directive at the OHS server configuration scope.

3. If the directive exists and is not commented out, this is a finding.

Fix Text

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.

2. Search for the "include mod_wl_ohs.conf" directive at the OHS server configuration scope.

3. Comment out the "include mod_wl_ohs.conf" directive if it exists.