3.9 - Default code and application examples and pointbase database are installed - OEPE Tools

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

Certain options installed with the WebLogic server can pose a security threat. They may contain security vulnerabilities, so not installing them makes the installation more secure. The Server Examples option during installation includes sample applications, code examples, and the PointBase database. The PointBase database is included for evaluation purposes and is not supported in production environments. Installing development tools on the production server is also a security risk because they may contain security vulnerabilities; they should therefore not exist on the Administration Server.

Selecting this option could increase the attack surface and make the installation less secure.

NOTE - This check has not been performed. Please manually review your environment to ensure it matches policy and no development tools are installed.

Solution

For sample applications and code examples, ensure that when installing WebLogic Server, the option to install the Server Examples component is not selected. If it has been selected, navigate to the WL_HOME/common directory (e.g. /home/user/Oracle/Middleware/wlserver_10.3/common) and remove the directories 'samples' and 'eval'. Uninstall any development tools, if available on the production server.
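
The manual review called for above can be scripted for the two directories the solution names. This is an added example, not part of the original audit; the function name `check_wl_examples` and its PASS/FAIL output format are assumptions, and it does not detect development tools.

```shell
#!/bin/sh
# Added example (not from the audit): report whether the Server Examples
# leftovers 'samples' and 'eval' exist under WL_HOME/common.
#
# Usage:   check_wl_examples /path/to/WL_HOME
# Returns: 0 = neither directory present
#          1 = at least one is present
#          2 = WL_HOME/common could not be inspected
check_wl_examples() {
    wl_home=${1:-}
    if [ -z "$wl_home" ] || [ ! -d "$wl_home/common" ]; then
        echo "ERROR: '$wl_home/common' is not a directory" >&2
        return 2
    fi

    wl_rc=0
    for wl_name in samples eval; do
        wl_path="$wl_home/common/$wl_name"
        # -e matches directories and files; -L also catches a dangling
        # symlink left behind after a partial clean-up.
        if [ -e "$wl_path" ] || [ -L "$wl_path" ]; then
            echo "FAIL: $wl_path exists"
            wl_rc=1
        else
            echo "PASS: $wl_path not present"
        fi
    done
    return "$wl_rc"
}
```

Source the file and call the function with the WL_HOME of each installation; the exit status makes it usable from a configuration-management job.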

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7, CSCv6|9.1

Plugin: Unix

Control ID: 38b3b35acd95f72cec6527a7ea9621e471653c03aff644705d788ce4d6e8e599