WBLC-03-000127 - Oracle WebLogic must adhere to the principles of least functionality by providing only essential capabilities.

Information

Application servers provide a myriad of differing processes, features and functionalities. Some of these processes may be deemed to be unnecessary or too insecure to run on a production DoD system. Application servers must provide the capability to disable or deactivate functionality and services that are deemed to be non-essential to the server mission or can adversely impact server performance, for example, disabling dynamic JSP reloading on production application servers as a best practice.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

1. Access AC
2. From 'Domain Structure', select 'Deployments'
3. Select a deployment of type 'Web Application' from list of deployments
4. Select 'Configuration' tab -> 'General' tab
5. Utilize 'Change Center' to create a new change session
6. Set 'JSP Page Check' field value to '-1', which indicates JSP reloading is disabled within this deployment. Click 'Save'. Repeat steps 3-6 for all 'Web Application' type deployments.
7. For every WebLogic resource within the domain, the 'Configuration' tab and associated subtabs provide the ability to disable or deactivate functionality and services that are deemed to be non-essential to the server mission or can adversely impact server performance

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_WebLogic_Server_12c_V2R1_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7a., CAT|II, CCI|CCI-000381, Rule-ID|SV-235961r628661_rule, STIG-ID|WBLC-03-000127, STIG-Legacy|SV-70525, STIG-Legacy|V-56271, Vuln-ID|V-235961

Plugin: Unix

Control ID: 3fe76d9fe936d340c9b1b68564fe8835ff05bf817c971a8f63424f26a83f868a