Checklist Summary:

The Oracle HTTP Server 12.1.3 Security Technical Implementation Guide (STIG) is a published document that can be used to improve the security posture of a Department of Defense (DoD) web server and its associated web sites. It is a requirement for all DoD-administered systems and all systems connected to DoD networks. It is important to note that while much of this STIG is applicable to other versions of Oracle HTTP Server, it is specific to version 12.1.3 and a standalone configuration on the Unix/Linux platforms. This document is meant for use in conjunction with the Enclave, Network Infrastructure, Application Security and Development, and other appropriate operating system (OS) STIGs. Guidance for deployment of web servers within the DoD intranet and the Demilitarized Zone (DMZ) will be governed by the appropriate Network Infrastructure STIG provided by DISA. The web server must be configured to protect classified, unclassified, and/or restricted data, such as Personally Identifiable Information (PII), as well as data approved for public release. Immediate risks inherent to this role are external attacks and accidental exposure. Although security controls and infrastructure devices (such as firewalls, intrusion detection systems, and baseline integrity checking tools) offer some defense against malicious activity, security for web servers is best achieved through implementing a comprehensive defense-in-depth strategy. This strategy should include, but is not limited to, server configuration to prevent system compromise; operational procedures for posting data to avoid accidental exposure; proper placement of the server within the network infrastructure; and the allowance or denial of Ports, Protocols, and Services (PPS) used to access the web server. These requirements are designed to assist Security Managers (SMs), Information System Security Managers (ISSMs), Information System Security Officers (ISSOs), and System Administrators (SAs) with configuring and maintaining security controls. This guidance supports DoD system design, development, implementation, certification, and accreditation efforts.

Checklist Role:

• Application Server

Known Issues:

Not Provided

Target Audience:

Not Provided

Target Operational Environment:

• Managed
• Specialized Security-Limited Functionality (SSLF)

Testing Information:

Not Provided

Regulatory Compliance:

DoDI 8500.01

Comments/Warnings/Miscellaneous:

Not Provided

Disclaimer:

Not Provided

Product Support:

Not Provided

Point of Contact:

disa.stig_spt@mail.mil

Sponsor:

Not Provided

Licensing:

Not Provided

Change History:

Changed status from "Under Review" to "Final" - 15 February 2016
Updated URL to reflect change to the DISA website - http --> https
Updated - 11/01/2017
Updated to FINAL - 11/27/2017
corrected resource title - 1/24/2018
updated to v1,r3 - 4/25/18
Update to FINAL - 5/25/18
Updated to Ver 1, Rel 4 - 10/25/18
Updated to FINAL - 11/26/18
updated to Version 1, Release 5 - 1/22/19
Updated to FINAL - 2/19/19
Updated URLs - 6/13/19
updated to V1, R6 - removed reference link per DISA - 1/17/2020
Updated URLs - 8/3/2020
Changed URLs - 8/3/2020
updated URLs - 1/26/2022
updated URLs per DISA - 1/17/2023

Dependency/Requirements:

URL	Description

References:

Reference URL	Description

NIST checklist record last modified on 01/17/2023