UCF STIG Viewer Logo

OHS must have the LoadModule proxy_http_module directive disabled.


Overview

Finding ID Version Rule ID IA Controls Severity
V-221382 OH12-1X-000135 SV-221382r879587_rule Medium
Description
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance. The proxy_http_module requires the service of mod_proxy. It provides the features used for proxying HTTP and HTTPS requests. If proxy services are required, the proxy configuration must be approved by the AO.
STIG Date
Oracle HTTP Server 12.1.3 Security Technical Implementation Guide 2022-12-09

Details

Check Text ( C-23097r539628_chk )
If the AO approved system security plan for the web server configuration specifies using the proxy_http_module directive in order to meet application architecture requirements and authentication is enforced, this requirement is NA.

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf with an editor.

2. Search for the "LoadModule proxy_http_module" directive at the OHS server configuration scope.

3. If the directive exists and is not commented out, this is a finding.
Fix Text (F-23086r457157_fix)
1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf with an editor.

2. Search for the "LoadModule proxy_http_module" directive at the OHS server configuration scope.

3. Comment out the "LoadModule proxy_http_module" directive if it exists.