The OHS DocumentRoot directory must be in a separate partition from the OHS ServerRoot directory.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-221466	OH12-1X-000229	SV-221466r879887_rule		Medium

Description
Application partitioning enables an additional security measure by securing user traffic under one security context, while managing system and application files under another. Web content is accessible to an anonymous web user. For such an account to have access to system files of any type is a major security risk that is avoidable and desirable. Failure to partition the system files from the web site documents increases risk of attack via directory traversal, or impede web site availability due to drive space exhaustion.

Description

Application partitioning enables an additional security measure by securing user traffic under one security context, while managing system and application files under another. Web content is accessible to an anonymous web user. For such an account to have access to system files of any type is a major security risk that is avoidable and desirable. Failure to partition the system files from the web site documents increases risk of attack via directory traversal, or impede web site availability due to drive space exhaustion.

STIG	Date
Oracle HTTP Server 12.1.3 Security Technical Implementation Guide	2022-12-09

Details

Check Text ( C-23181r415081_chk )
1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "" directive. 2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes. 3. Search for the "ServerRoot" directive at the OHS server configuration scope. 4. If the "DocumentRoot" directive value specifies a directory on the same partition as the directory specified in the "ServerRoot" directive, this is a finding.

Check Text ( C-23181r415081_chk )

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "" directive.

2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes.

3. Search for the "ServerRoot" directive at the OHS server configuration scope.

4. If the "DocumentRoot" directive value specifies a directory on the same partition as the directory specified in the "ServerRoot" directive, this is a finding.

Fix Text (F-23170r415082_fix)
1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "" directive. 2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes. 3. Search for the "ServerRoot" directive at the OHS server configuration scope. 4. Move the directory associated with the "DocumentRoot" directive to a partition different from the partition associated with the directory specified by the "ServerRoot" directive.

Fix Text (F-23170r415082_fix)

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "" directive.

2. Search for the "DocumentRoot" directive at the OHS server and virtual host configuration scopes.

3. Search for the "ServerRoot" directive at the OHS server configuration scope.

4. Move the directory associated with the "DocumentRoot" directive to a partition different from the partition associated with the directory specified by the "ServerRoot" directive.