9 Oracle HTTP Server Policies

This chapter provides the following information for each of the Oracle HyperText Transfer Protocol (HTTP) Server policies:

  • Brief description of the policy

  • Summary of the policy's main properties

  • Default values for the policy: parameters with their default values and objects excluded by default

  • Impact of the policy violation

  • Action to perform when the violation occurs

The Oracle HTTP Server policies are categorized as follows:

9.1 Configuration Policies

The configuration policies for the HTTP target are:

9.1.1 HTTP Server HostNameLookups

This policy verifies that the HostNameLookups directive is set to off on this HTTP Server.

Any DNS lookup can affect Apache performance. The HostNameLookups directive tells Apache whether to log the client's IP address as-is (off) or to resolve the IP address of every request to a hostname through DNS (on); the double setting performs a reverse lookup and then a forward lookup to confirm the result, costing two queries per request.

Policy Summary

The following table lists the policy's main properties.

  • Severity: Critical
  • Category: Configuration
  • Target Type: HTTP Server
  • Versions Affected: Oracle Application Server 9.0.4.x and Oracle Application Server 10.1.2.x
  • Policy Rule Evaluation (see Footnote 1): The underlying metric has a collection frequency of once every 24 hours.
  • Automatically Enabled?: Yes
  • Alert Message: HostNameLookups directive is set to on for HTTP Server.

Footnote 1 The policy rule is evaluated each time its underlying PerfRelated metric is collected.

Defaults

Parameters and Their Default Values

Not Applicable

Objects Excluded by Default

Not Applicable

Impact of Violation

If the HostNameLookups directive is set to on or double, extra DNS lookups are performed for every request, and a slow or unreachable DNS server delays each response. Any DNS lookup can affect HTTP Server performance.

In Oracle's tests, performance degraded by at least about 3% with HostNameLookups set to on.

Action

In the configuration file (httpd.conf), set the HostNameLookups directive to off.

9.1.2 HTTP Server MaxKeepAliveRequests

This policy verifies that the MaxKeepAliveRequests directive is set to a non-zero value on this HTTP Server.

MaxKeepAliveRequests limits how many requests a single persistent (keep-alive) connection may serve. A value of zero removes the limit, so a client can hold a connection open indefinitely as long as it keeps sending requests. While the connection is open, the httpd server process handling it cannot service other clients until the client disconnects or the connection times out (KeepAliveTimeout).

Policy Summary

The following table lists the policy's main properties.

  • Severity: Critical
  • Category: Configuration
  • Target Type: HTTP Server
  • Versions Affected: Oracle Application Server 9.0.4.x and Oracle Application Server 10.1.2.x
  • Policy Rule Evaluation (see Footnote 1): The underlying metric has a collection frequency of once every 24 hours.
  • Automatically Enabled?: Yes
  • Alert Message: MaxKeepAliveRequests directive is set to zero in the HTTP Server configuration file (httpd.conf).

Footnote 1 The policy rule is evaluated each time its underlying PerfRelated metric is collected.

Defaults

Parameters and Their Default Values

Not Applicable

Objects Excluded by Default

Not Applicable

Impact of Violation

If the MaxKeepAliveRequests directive is set to zero (no limit on requests per persistent connection), a client can monopolize an httpd server process: that process cannot service other requests until the client disconnects or the connection times out.

Action

Do not set the MaxKeepAliveRequests directive to zero. Set it to a positive value (the Apache default is 100) in httpd.conf, and restart the HTTP Server for the change to take effect.

9.2 Security Policies

The security policies for the HTTP target are:

9.2.1 HTTP Server Access Logging

To effectively manage an HTTP server, it is necessary to get feedback about the activity and performance of the server, as well as any problems that may be occurring. The server access log records every request processed by the server. The location and content of the access log are controlled by the CustomLog directive; the LogFormat directive defines named formats that simplify selecting the contents of the log.

Access logging can be configured to record vital information about each request and the user who made it (client address, request line, status, and, when authentication is used, the user name). This policy verifies that access logging is enabled.

Policy Summary

The following table lists the policy's main properties.

  • Severity: Critical
  • Category: Security
  • Target Type: HTTP Server
  • Versions Affected: Oracle Application Server 9.0.4.x and Oracle Application Server 10.1.2.x
  • Policy Rule Evaluation (see Footnote 1): The underlying metric has a collection frequency of once every 24 hours.
  • Automatically Enabled?: Yes
  • Alert Message: Access logging is not enabled for HTTP Server.

Footnote 1 The policy rule is evaluated each time its underlying httpdSecurityViolations metric is collected.

Defaults

Parameters and Their Default Values

Not Applicable

Objects Excluded by Default

Not Applicable

Impact of Violation

Without an access log, administrators have no record of the requests the server received, which severely limits their ability to detect an attack in progress or to reconstruct what an attacker did afterwards.

Action

Enable access logging for HTTP Server by making sure an active (not commented out) CustomLog directive is present in httpd.conf.

9.2.2 HTTP Server Directory Indexing

The HTTP Server can automatically generate a listing (index) of a directory that contains no index file. This behaviour is enabled per directory by the Indexes keyword of the Options directive; the IndexOptions directive controls the appearance of the generated listing.

This policy verifies that Directory Indexing is disabled.

Policy Summary

The following table lists the policy's main properties.

  • Severity: Critical
  • Category: Security
  • Target Type: HTTP Server
  • Versions Affected: Oracle Application Server 9.0.4.x and Oracle Application Server 10.1.2.x
  • Policy Rule Evaluation (see Footnote 1): The underlying metric has a collection frequency of once every 24 hours.
  • Automatically Enabled?: Yes
  • Alert Message: HTTP Server Directory Indexing is on.

Footnote 1 The policy rule is evaluated each time its underlying httpdSecurityViolations metric is collected.

Defaults

Parameters and Their Default Values

Not Applicable

Objects Excluded by Default

Not Applicable

Impact of Violation

If indexing is on, a malicious user can enumerate the files and directories under the Document Root, including files that are not linked from any page and were not intended to be exposed (backups, configuration fragments, scripts), and use the listing to plan further attacks.

Action

Turn off Directory Indexing: remove Indexes (and All, which implies it) from the Options directive of the affected Directory sections, or add -Indexes, and restart the HTTP Server.

9.2.3 HTTP Server Dummy Wallet

The HTTP Server comes with a preconfigured wallet that is used for SSL authentication. The ssl.conf file has already been configured to use this wallet. The wallet location is specified in this file with the SSLWallet parameter. By default, this parameter points to the ewallet.p12 file which is located in your $ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default directory.

This policy checks whether a Dummy Wallet is being used on HTTP Server.

Policy Summary

The following table lists the policy's main properties.

  • Severity: Critical
  • Category: Security
  • Target Type: HTTP Server
  • Versions Affected: Oracle Application Server 9.0.4.x and Oracle Application Server 10.1.2.x
  • Policy Rule Evaluation (see Footnote 1): The underlying metric has a collection frequency of once every 24 hours.
  • Automatically Enabled?: Yes
  • Alert Message: Dummy Wallet is used by HTTP Server.

Footnote 1 The policy rule is evaluated each time its underlying httpdSecurityViolations metric is collected.

Defaults

Parameters and Their Default Values

Not Applicable

Objects Excluded by Default

Not Applicable

Impact of Violation

The dummy wallet provided by Oracle is the same in every installation, so its certificate and private key are effectively public. Anyone can impersonate a server that uses it, clients cannot verify the server's identity, and sessions negotiated with RSA key exchange can be decrypted by anyone holding the key. Using it in production severely compromises the security of the site.

Action

Do not use the dummy wallet for production SSL traffic. Create a wallet containing a certificate issued for this server (for example with Oracle Wallet Manager), point the SSLWallet parameter in ssl.conf at it, and restart the HTTP Server.
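The five configuration-file checks above (9.1.1 HostNameLookups, 9.1.2 MaxKeepAliveRequests, 9.2.1 access logging, 9.2.2 directory indexing, 9.2.3 dummy wallet) can all be evaluated offline from httpd.conf and ssl.conf. The script below is an added example, not code from this page or from Oracle Enterprise Manager, and it shows the parts a naive grep gets wrong: commented-out directives must be ignored, directive names are case-insensitive, Apache applies the last occurrence of a directive in a scope, and Options inside a Directory block counts. The sample configurations, the paths in them, and the wallet directory under /u01/app/oracle are constructed for the example; the check for the dummy wallet assumes the SSLWallet value has the OHS form file:<directory> and compares only the trailing Apache/Apache/conf/ssl.wlt/default path the page names.

```python
import re

# Constructed sample configuration fragments (not from the page) that violate every
# policy the checks below cover. Paths are hypothetical.
SAMPLE_HTTPD_CONF = """\
# HostNameLookups Double
ServerRoot "/u01/app/oracle/product/10.1.2/Apache/Apache"
HostNameLookups Off
hostnamelookups On
MaxKeepAliveRequests 0
#CustomLog logs/access_log common
<Directory "/u01/app/oracle/product/10.1.2/Apache/Apache/htdocs">
    Options Indexes FollowSymLinks
</Directory>
"""
SAMPLE_SSL_CONF = "SSLWallet file:/u01/app/oracle/product/10.1.2/Apache/Apache/conf/ssl.wlt/default\n"

# The same fragments with each policy satisfied.
HARDENED_HTTPD_CONF = """\
ServerRoot "/u01/app/oracle/product/10.1.2/Apache/Apache"
HostNameLookups Off
MaxKeepAliveRequests 100
CustomLog logs/access_log common
<Directory "/u01/app/oracle/product/10.1.2/Apache/Apache/htdocs">
    Options -Indexes FollowSymLinks
</Directory>
"""
HARDENED_SSL_CONF = "SSLWallet file:/u01/app/oracle/wallets/ohs_prod\n"

# Trailing path of the wallet that ships with every installation (9.2.3).
DUMMY_WALLET_SUFFIX = "/Apache/Apache/conf/ssl.wlt/default"


def parse_directives(text):
    """Return (name, value, container) tuples. Comment and blank lines are dropped, names are
    lower-cased (Apache directive names are case-insensitive) and container is the argument of
    the enclosing <Directory ...>/<Location ...>/... block, or None at top level."""
    result, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):            # closing tag of a container block
            if stack:
                stack.pop()
            continue
        opened = re.match(r"<\w+\s+(.*)>$", line)
        if opened:                           # opening tag, e.g. <Directory "/path">
            stack.append(opened.group(1).strip('"'))
            continue
        parts = line.split(None, 1)
        result.append((parts[0].lower(), parts[1] if len(parts) > 1 else "",
                       stack[-1] if stack else None))
    return result


def last_value(directives, name, container=None):
    """Apache uses the last occurrence of a directive within a scope, so the audit must too."""
    hits = [v for n, v, c in directives if n == name.lower() and c == container]
    return hits[-1] if hits else None


def check_hostnamelookups(d):
    """9.1.1: compliant when absent (Apache's default is Off) or Off; On and Double both do DNS lookups."""
    v = last_value(d, "HostNameLookups")
    return v is None or v.lower() == "off"


def check_maxkeepaliverequests(d):
    """9.1.2: violation only when explicitly 0 (unlimited); absent means Apache's default of 100."""
    v = last_value(d, "MaxKeepAliveRequests")
    if v is None:
        return True
    try:
        return int(v) != 0
    except ValueError:
        return False                         # unparsable value: flag it rather than guess


def check_access_logging(d):
    """9.2.1: an active CustomLog (or the older TransferLog) directive in any scope."""
    return any(n in ("customlog", "transferlog") for n, _, _c in d)


def check_directory_indexing(d):
    """9.2.2: violation if any Options directive enables Indexes (Indexes, +Indexes, or All)."""
    for n, v, _ in d:
        if n == "options" and {t.lower() for t in v.split()} & {"indexes", "+indexes", "all"}:
            return False
    return True


def check_dummy_wallet(ssl_d):
    """9.2.3: violation if SSLWallet still points at the shipped ssl.wlt/default directory."""
    v = last_value(ssl_d, "SSLWallet")
    if v is None:
        return True                          # no wallet configured in this file; nothing to compare
    path = v.strip('"')
    if path.lower().startswith("file:"):     # assumed OHS value form: file:<directory>
        path = path[5:]
    return not path.rstrip("/").endswith(DUMMY_WALLET_SUFFIX)


def audit(httpd_conf, ssl_conf):
    """Run every check; returns {policy: True (compliant) or False (violation)}."""
    d, s = parse_directives(httpd_conf), parse_directives(ssl_conf)
    return {
        "9.1.1 HostNameLookups": check_hostnamelookups(d),
        "9.1.2 MaxKeepAliveRequests": check_maxkeepaliverequests(d),
        "9.2.1 Access Logging": check_access_logging(d),
        "9.2.2 Directory Indexing": check_directory_indexing(d),
        "9.2.3 Dummy Wallet": check_dummy_wallet(s),
    }


if __name__ == "__main__":
    for label, confs in (("weak", (SAMPLE_HTTPD_CONF, SAMPLE_SSL_CONF)),
                         ("hardened", (HARDENED_HTTPD_CONF, HARDENED_SSL_CONF))):
        for policy, ok in audit(*confs).items():
            print(f"{label:8s} {policy:28s} {'OK' if ok else 'VIOLATION'}")
```

A real audit must also follow Include directives, because an Oracle HTTP Server installation splits its configuration across several files, and must look inside VirtualHost blocks, which this example treats as just another container; the checks themselves do not change.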

9.2.4 HTTP Server Owner And Setuid Bit

This policy verifies that the HTTPd binary is not owned by root with the setuid bit set.

A setuid binary runs with the privileges of its owner rather than those of the user who invoked it, so such binaries can be exploited to gain extra privilege on the host. If root owns the HTTPd binary and the setuid bit is set, any local user can run the server as root, and a flaw in the server, or control over its arguments or environment, can be turned into root privileges on the host.

Policy Summary

The following table lists the policy's main properties.

  • Severity: Critical
  • Category: Security
  • Target Type: HTTP Server
  • Versions Affected: Oracle Application Server 9.0.4.x and Oracle Application Server 10.1.2.x
  • Policy Rule Evaluation (see Footnote 1): The underlying metric has a collection frequency of once every 24 hours.
  • Automatically Enabled?: Yes
  • Alert Message: HTTP Server is owned by root and the setuid bit is set.

Footnote 1 The policy rule is evaluated each time its underlying httpdSecurityViolations metric is collected.

Defaults

Parameters and Their Default Values

Not Applicable

Objects Excluded by Default

Not Applicable

Impact of Violation

If HTTPd is owned by root and the setuid bit is set, malicious users may be able to gain access to the system as a super user.

Action

Remove the setuid bit from the HTTPd binary (chmod u-s) and have a user other than root own the binary. Note that a root-owned binary without the setuid bit is the normal layout when root starts the server and the server then drops privileges to the configured User; the dangerous combination is root ownership together with setuid.

9.2.5 HTTP Server SSL

The ias-component element for the HTTP Server in the opmn.xml file is used to enable or disable the use of Secure Socket Layer (SSL). This file is located in ORACLE_HOME/opmn/conf/opmn.xml.

This policy checks whether Secure Socket Layer (SSL) is enabled for Single Sign-On (SSO) on HTTP Server.

Policy Summary

The following table lists the policy's main properties.

  • Severity: Critical
  • Category: Security
  • Target Type: HTTP Server
  • Versions Affected: Oracle Application Server 9.0.4.x and Oracle Application Server 10.1.2.x
  • Policy Rule Evaluation (see Footnote 1): The underlying metric has a collection frequency of once every 24 hours.
  • Automatically Enabled?: Yes
  • Alert Message: SSL is not enabled for SSO on HTTP Server.

Footnote 1 The policy rule is evaluated each time its underlying httpdSecurityViolations metric is collected.

Defaults

Parameters and Their Default Values

Not Applicable

Objects Excluded by Default

Not Applicable

Impact of Violation

If SSL is not enabled on HTTP Server, the Single Sign-On login form is submitted in clear text, and anyone able to observe traffic on the network path can capture the user name and password entered by a user.

Action

For secure transmission of user name and password, enable SSL on HTTP Server.

9.2.6 HTTP Server Writable Files

This policy checks whether any file in the DocumentRoot directory is writable by users other than its owner, that is, whether group or world write permission is set.

The DocumentRoot directive sets the directory from which HTTP Server will serve files. Unless matched by a directive like Alias, the server appends the path from the requested URL to the document root to make the path to the document.

Policy Summary

The following table lists the policy's main properties.

  • Severity: Critical
  • Category: Security
  • Target Type: HTTP Server
  • Versions Affected: Oracle Application Server 9.0.4.x and Oracle Application Server 10.1.2.x
  • Policy Rule Evaluation (see Footnote 1): The underlying metric has a collection frequency of once every 24 hours.
  • Automatically Enabled?: Yes
  • Alert Message: There are writable files in the Document Root folder on HTTP Server.

Footnote 1 The policy rule is evaluated each time its underlying httpdSecurityViolations metric is collected.

Defaults

Parameters and Their Default Values

Not Applicable

Objects Excluded by Default

Not Applicable

Impact of Violation

Any local user, or a compromised process running as the server's own user, can modify or replace a writable file in the Document Root directory, for example to deface pages or to insert malicious content that is then served to every visitor.

Action

Do not leave any group- or world-writable files or directories in the Document Root folder. Remove the permission (chmod go-w) and make sure the server's runtime user, set by the User directive, does not own or have write access to the content it serves.
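The two file-system checks, 9.2.4 (root-owned setuid HTTPd binary) and 9.2.6 (group- or world-writable content under DocumentRoot), are illustrated below by an added example that is not code from this page or from Oracle Enterprise Manager. The setuid test is split into a pure function on the stat fields so it can be exercised without a real root-owned binary, and the DocumentRoot walk is run against a constructed temporary directory tree rather than a real installation; the file names and modes in that tree are invented for the example.

```python
import os
import stat
import tempfile


def is_setuid_root(st_uid, st_mode):
    """9.2.4 alert condition: owned by uid 0 AND setuid. A root-owned httpd without setuid
    is the normal layout (root starts it, the server then drops privileges), so ownership
    alone is not flagged here."""
    return st_uid == 0 and bool(st_mode & stat.S_ISUID)


def httpd_binary_violation(path):
    """Apply is_setuid_root to a real file, e.g. $ORACLE_HOME/Apache/Apache/bin/httpd."""
    st = os.stat(path)
    return is_setuid_root(st.st_uid, st.st_mode)


def writable_files(docroot):
    """9.2.6: (path relative to DocumentRoot, octal mode) for every file or directory under
    DocumentRoot that is group- or world-writable. Symlinks are skipped because their own
    mode bits are meaningless; a target inside DocumentRoot is visited as its own entry."""
    hits = []
    for root, dirs, files in os.walk(docroot):
        for name in dirs + files:
            p = os.path.join(root, name)
            st = os.lstat(p)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                hits.append((os.path.relpath(p, docroot), oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)


def demo_writable_files():
    """Build a constructed DocumentRoot in a temporary directory (not a real OHS install),
    with a mix of safe and unsafe modes, and audit it."""
    with tempfile.TemporaryDirectory() as docroot:
        for rel in ("images", "tmp"):
            os.mkdir(os.path.join(docroot, rel))
        layout = {                      # relative path -> mode
            "index.html": 0o644,        # owner-writable only: fine
            "upload.html": 0o664,       # group-writable: violation
            "images/logo.gif": 0o666,   # world-writable: violation
            "images": 0o755,            # fine
            "tmp": 0o777,               # world-writable directory: violation
        }
        for rel, mode in layout.items():
            p = os.path.join(docroot, rel)
            if not os.path.isdir(p):
                with open(p, "w") as fh:
                    fh.write("<html></html>\n")
            os.chmod(p, mode)           # chmod is not subject to umask, so modes are exact
        return writable_files(docroot)


if __name__ == "__main__":
    print("setuid root httpd (uid 0, mode 4755):", is_setuid_root(0, 0o104755))
    print("plain root httpd  (uid 0, mode 0755):", is_setuid_root(0, 0o100755))
    for rel, mode in demo_writable_files():
        print(f"writable under DocumentRoot: {rel} ({mode})")
```

The constructed tree yields three findings: images/logo.gif (0o666), tmp (0o777) and upload.html (0o664). Directories are reported as well as files because a world-writable directory lets anyone add or rename files in it even when every existing file is read-only.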