Skip Headers
Oracle® Enterprise Manager Policy Reference Manual
10g Release 2 (10.2)

Part Number B16231-01
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
View PDF

9 Oracle HTTP Server Policies

This chapter provides the following information for each of the Oracle HyperText Transfer Protocol (HTTP) Server policies:

The Oracle HTTP Server policies are categorized as follows:

9.1 Configuration Policies

The configuration policies for the HTTP target are:

9.1.1 HTTP Server HostNameLookups

This policy verifies that the HostNameLookups directive is set to off on this HTTP Server.

Any DNS lookup can affect Apache performance. The HostNameLookups directive in Apache informs Apache whether it should log information based on the IP address (if the directive is set to off), or look up the hostname associated with the IP address of each request in the DNS system on the Internet (if the directive is set to on).

Policy Summary

The following table lists the policy's main properties.

Severity Category Target Type Versions Affected Policy Rule EvaluationFoot 1  Automatically Enabled? Alert Message
Critical Configuration HTTP Server Oracle Application Server 9.0.4.x and Oracle Application Server 10.1.2.x The underlying metric has a collection frequency of once every 24 hours. Yes HostNameLookups directive is set to on for HTTP Server.

Footnote 1 The policy rule is evaluated each time its underlying PerfRelated metric is collected.

Defaults

Parameters and Their Default Values

Not Applicable

Objects Excluded by Default

Not Applicable

Impact of Violation

If HostNameLookups directive is set to on or double, then extra DNS lookups will be performed. Any DNS lookup can affect HTTP Server performance.

Oracle has found that performance degraded by a minimum of about 3% in our tests with HostNameLookups set to on.

Action

In the configuration file (httpd.conf), set the HostNameLookups directive to off.

9.1.2 HTTP Server MaxKeepAliveRequests

This policy verifies that the MaxKeepAliveRequests directive is set to a non-zero value on this HTTP Server.

A value of zero in the MaxKeepAliveRequests directive means there is no limit on the number of connections, which are kept alive expecting subsequent client requests. But Httpd server process cannot be used to service other requests until either the client disconnects, or the connection times out.

Policy Summary

The following table lists the policy's main properties.

Severity Category Target Type Versions Affected Policy Rule EvaluationFoot 1  Automatically Enabled? Alert Message
Critical Configuration HTTP Server Oracle Application Server 9.0.4.x and Oracle Application Server 10.1.2.x The underlying metric has a collection frequency of once every 24 hours. Yes MaxKeepAliveRequests directive is set to zero in the HTTP Server configuration file (httpd.conf).

Footnote 1 The policy rule is evaluated each time its underlying PerfRelated metric is collected.

Defaults

Parameters and Their Default Values

Not Applicable

Objects Excluded by Default

Not Applicable

Impact of Violation

If the MaxKeepAliveRequests directive is set to zero (an unlimited number of connections), the Httpd server process cannot be used to service other requests until either the client disconnects, or the connection times out.

Action

Do not set the MaxKeepAliveRequests directive to zero.

9.2 Security Policies

The security policies for the HTTP target are:

9.2.1 HTTP Server Access Logging

To effectively manage an HTTP server, it is necessary to get feedback about the activity and performance of the server, as well as any problems that may be occurring. The server access log records all requests processed by the server. The location and content of the access log is controlled by the CustomLog directive. The LogFormat directive can be used to simplify the selection of the contents of the logs.

Access Logging can be configured in such a way that it contains vital information about requests and users who access HTTP Server. This policy verifies that Access Logging is enabled.

Policy Summary

The following table lists the policy's main properties.

Severity Category Target Type Versions Affected Policy Rule EvaluationFoot 1  Automatically Enabled? Alert Message
Critical Security HTTP Server Oracle Application Server 9.0.4.x and Oracle Application Server 10.1.2.x The underlying metric has a collection frequency of once every 24 hours. Yes Access logging is not enabled for HTTP Server.

Footnote 1 The policy rule is evaluated each time its underlying httpdSecurityViolations metric is collected.

Defaults

Parameters and Their Default Values

Not Applicable

Objects Excluded by Default

Not Applicable

Impact of Violation

Absence of an access log can severely cripple administrators' ability to monitor malicious attacks.

Action

Enable the access logging for HTTP Server.

9.2.2 HTTP Server Directory Indexing

The HTTP Server can automatically generate the index of a directory. The IndexOptions directive can be used to configure this.

This policy verifies that Directory Indexing is disabled.

Policy Summary

The following table lists the policy's main properties.

Severity Category Target Type Versions Affected Policy Rule EvaluationFoot 1  Automatically Enabled? Alert Message
Critical Security HTTP Server Oracle Application Server 9.0.4.x and Oracle Application Server 10.1.2.x The underlying metric has a collection frequency of once every 24 hours. Yes HTTP Server Directory Indexing is on.

Footnote 1 The policy rule is evaluated each time its underlying httpdSecurityViolations metric is collected.

Defaults

Parameters and Their Default Values

Not Applicable

Objects Excluded by Default

Not Applicable

Impact of Violation

If indexing is on, a malicious user may be able to view restricted files and directories in the Document Root directory.

Action

Turn off Directory Indexing.

9.2.3 HTTP Server Dummy Wallet

The HTTP Server comes with a preconfigured wallet that is used for SSL authentication. The ssl.conf file has already been configured to use this wallet. The wallet location is specified in this file with the SSLWallet parameter. By default, this parameter points to the ewallet.p12 file which is located in your $ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default directory.

This policy checks whether a Dummy Wallet is being used on HTTP Server.

Policy Summary

The following table lists the policy's main properties.

Severity Category Target Type Versions Affected Policy Rule EvaluationFoot 1  Automatically Enabled? Alert Message
Critical Security HTTP Server Oracle Application Server 9.0.4.x and Oracle Application Server 10.1.2.x The underlying metric has a collection frequency of once every 24 hours. Yes Dummy Wallet is used by HTTP Server.

Footnote 1 The policy rule is evaluated each time its underlying httpdSecurityViolations metric is collected.

Defaults

Parameters and Their Default Values

Not Applicable

Objects Excluded by Default

Not Applicable

Impact of Violation

Use of a Dummy Wallet provided by Oracle can severely compromise the security of the site.

Action

Do not use a Dummy Wallet for production SSL load.

9.2.4 HTTP Server Owner And Setuid Bit

This policy verifies that the HTTPd binary is not owned by a super user and the suid bit is not set.

Binaries with suid privilege can be exploited to get extra privilege on the host. If a super user owns the HTTPd binary and the suid bit is set; a malicious user can exploit it to gain super user privileges on the host.

Policy Summary

The following table lists the policy's main properties.

Severity Category Target Type Versions Affected Policy Rule EvaluationFoot 1  Automatically Enabled? Alert Message
Critical Security HTTP Server Oracle Application Server 9.0.4.x and Oracle Application Server 10.1.2.x The underlying metric has a collection frequency of once every 24 hours. Yes HTTP Server is owned by root and the setuid bit is set.

Footnote 1 The policy rule is evaluated each time its underlying httpdSecurityViolations metric is collected.

Defaults

Parameters and Their Default Values

Not Applicable

Objects Excluded by Default

Not Applicable

Impact of Violation

If HTTPd is owned by root and the setuid bit is set, malicious users may be able to gain access to the system as a super user.

Action

A user other than root should own the HTTPd binary.

9.2.5 HTTP Server SSL

The ias-component element in opmn.xml file is used to enable or disable the use of Secure Socket Layer (SSL). This file is located in ORACLE_HOME/opmn/conf/opmn.xml.

This policy checks whether Secure Socket Layer (SSL) is enabled for Single Sign-On (SSO) on HTTP Server.

Policy Summary

The following table lists the policy's main properties.

Severity Category Target Type Versions Affected Policy Rule EvaluationFoot 1  Automatically Enabled? Alert Message
Critical Security HTTP Server Oracle Application Server 9.0.4.x and Oracle Application Server 10.1.2.x The underlying metric has a collection frequency of once every 24 hours. Yes SSL is not enabled for SSO on HTTP Server.

Footnote 1 The policy rule is evaluated each time its underlying httpdSecurityViolations metric is collected.

Defaults

Parameters and Their Default Values

Not Applicable

Objects Excluded by Default

Not Applicable

Impact of Violation

If SSL is not enabled on HTTP Server, malicious users may detect the user name and password entered by a user.

Action

For secure transmission of user name and password, enable SSL on HTTP Server.

9.2.6 HTTP Server Writable Files

This policy checks whether users other than the owner have write permission in the DocumentRoot folder.

The DocumentRoot directive sets the directory from which HTTP Server will serve files. Unless matched by a directive like Alias, the server appends the path from the requested URL to the document root to make the path to the document.

Policy Summary

The following table lists the policy's main properties.

Severity Category Target Type Versions Affected Policy Rule EvaluationFoot 1  Automatically Enabled? Alert Message
Critical Security HTTP Server Oracle Application Server 9.0.4.x and Oracle Application Server 10.1.2.x The underlying metric has a collection frequency of once every 24 hours. Yes There are writable files in the Document Root folder on HTTP Server.

Footnote 1 The policy rule is evaluated each time its underlying httpdSecurityViolations metric is collected.

Defaults

Parameters and Their Default Values

Not Applicable

Objects Excluded by Default

Not Applicable

Impact of Violation

Malicious users may be able to overwrite a writable file in the Document Root directory.

Action

Do not include any group or world writable files in the Document Root folder.