Oracle® Enterprise Manager Policy Reference Manual
10g Release 5 (10.2.0.5)

Part Number B16231-02

11 Web Cache Policies

This chapter provides the following information for each of the Oracle Application Server Web Cache policies:

11.1 Security Policies

The security policies for the Web Cache target are:

11.1.1 Web Cache Access Logging

This policy checks whether access logging is enabled on Web Cache. To effectively manage Web Cache, it is necessary to get feedback about the activity and performance of the server, as well as any problems that may be occurring.

The server access log records every request processed by the server. Access logging is configured with the ACCESSLOG element in $ORACLE_HOME/webcache/webcache.xml.

Policy Summary

The following table lists the policy's main properties.

Severity: Critical
Category: Security
Target Type: Web Cache
Versions Affected: Oracle Application Server 9.0.4.x and Oracle Application Server 10.1.2.x
Policy Rule Evaluation (Footnote 1): The underlying metric has a collection frequency of once every 24 hours.
Automatically Enabled?: Yes
Alert Message: Access logging is not enabled for Web Cache.

Footnote 1 The policy rule is evaluated each time its underlying webcacheSecurityViolations metric is collected.

Defaults

Parameters and Their Default Values

Not Applicable

Objects Excluded by Default

Not Applicable

Impact of Violation

Absence of an access log can severely cripple administrators' ability to monitor malicious attacks.

Action

Enable access logging for Web Cache.

11.1.2 Web Cache Dummy Wallet

This policy checks whether a Dummy Wallet is being used on Web Cache.

A dummy wallet is located in $ORACLE_HOME/webcache/wallets/default on UNIX and ORACLE_HOME\webcache\wallets\default on Windows. This wallet is intended only for testing HTTPS communication between OracleAS Web Cache and origin servers.

For a production environment, use the procedures described in the documentation to create a new wallet with Oracle Wallet Manager. By default, Oracle Wallet Manager stores wallets in directory /etc/ORACLE/WALLETS/user_name on UNIX and %USERPROFILES%\ORACLE\WALLETS on Windows.

Policy Summary

The following table lists the policy's main properties.

Severity: Critical
Category: Security
Target Type: Web Cache
Versions Affected: Oracle Application Server 9.0.4.x and Oracle Application Server 10.1.2.x
Policy Rule Evaluation (Footnote 1): The underlying metric has a collection frequency of once every 24 hours.
Automatically Enabled?: Yes
Alert Message: Dummy Wallet is used by Web Cache.

Footnote 1 The policy rule is evaluated each time its underlying webcacheSecurityViolations metric is collected.

Defaults

Parameters and Their Default Values

Not Applicable

Objects Excluded by Default

Not Applicable

Impact of Violation

Use of a Dummy Wallet provided by Oracle could severely compromise the security of the site.

Action

Do not use a Dummy Wallet for production SSL load.

11.1.3 Web Cache Owner and Setuid Bit

This policy verifies that the webcached binary is not owned by a super user.

A binary with the setuid bit set runs with the privileges of its owner rather than those of the user who invokes it, so such binaries can be exploited to gain extra privileges on the host. If a super user owns the webcached binary and its setuid bit is set, a malicious user who finds a flaw in it can gain super user privileges on the host.

Policy Summary

The following table lists the policy's main properties.

Severity: Critical
Category: Security
Target Type: Web Cache
Versions Affected: Oracle Application Server 9.0.4.x and Oracle Application Server 10.1.2.x
Policy Rule Evaluation (Footnote 1): The underlying metric has a collection frequency of once every 24 hours.
Automatically Enabled?: Yes
Alert Message: Web Cache is owned by root and the setuid bit is set.

Footnote 1 The policy rule is evaluated each time its underlying webcacheSecurityViolations metric is collected.

Defaults

Parameters and Their Default Values

Not Applicable

Objects Excluded by Default

Not Applicable

Impact of Violation

If Web Cache is owned by root and the setuid bit is set, malicious users may be able to gain access to the system as a super user.

Action

A user other than super user (root) should own the webcached binary.
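The ownership and setuid check this policy performs, written as a small POSIX shell audit so an administrator can verify the condition by hand. This is an added example, not Oracle's code and not the policy's own metric; it assumes GNU stat with the -c option, and the webcached location used in the usage comment ($ORACLE_HOME/webcache/bin/webcached) is an assumed path that this page does not give.

```shell
#!/bin/sh
# Added example, not Oracle's code: audit a binary for the combination policy
# 11.1.3 flags (owned by root AND setuid bit set). Assumes GNU stat (-c).

# classify_setuid OWNER MODE -> prints violation | setuid-nonroot | ok
# MODE is the octal permission string as printed by `stat -c %a` (e.g. 4755).
classify_setuid() {
  owner=$1
  mode=$2
  # Left-pad to four digits so the special-bits digit is always first (755 -> 0755).
  while [ "${#mode}" -lt 4 ]; do mode="0$mode"; done
  special=$(printf '%s' "$mode" | cut -c1)
  # setuid is the 4 bit of the special digit, so 4, 5, 6 and 7 all have it set.
  case $special in
    4|5|6|7) setuid=1 ;;
    *)       setuid=0 ;;
  esac
  if [ "$setuid" -eq 1 ] && [ "$owner" = root ]; then
    echo violation          # root-owned setuid binary: what the policy alerts on
  elif [ "$setuid" -eq 1 ]; then
    echo setuid-nonroot     # runs as its non-root owner; still worth reviewing
  else
    echo ok
  fi
}

# audit_binary PATH -> prints "PATH OWNER MODE CLASSIFICATION"; returns 1 if absent
audit_binary() {
  path=$1
  if [ ! -e "$path" ]; then
    echo "$path: no such file" >&2
    return 1
  fi
  # Word-split "OWNER MODE" from stat into $1 and $2.
  set -- $(stat -c '%U %a' "$path")
  printf '%s %s %s %s\n' "$path" "$1" "$2" "$(classify_setuid "$1" "$2")"
}

# Usage against a real install (assumed binary location, not given on this page):
#   audit_binary "$ORACLE_HOME/webcache/bin/webcached"
# The remediation the policy asks for is ownership by a non-root account, e.g.
#   chown oracle "$ORACLE_HOME/webcache/bin/webcached"
```

classify_setuid is kept separate from the stat call so the decision logic can be checked against known owner/mode pairs without needing a root-owned file on the test machine; audit_binary only gathers the two facts and reports them alongside the verdict.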

11.1.4 Web Cache Writable Files

This policy checks whether users other than the owner have write permission in the directory from which Web Cache will serve files.

Policy Summary

The following table lists the policy's main properties.

Severity: Warning
Category: Security
Target Type: Web Cache
Versions Affected: Oracle Application Server 9.0.4.x and Oracle Application Server 10.1.2.x
Policy Rule Evaluation (Footnote 1): The underlying metric has a collection frequency of once every 24 hours.
Automatically Enabled?: Yes
Alert Message: There are writable files in the docs folder of Webcache.

Footnote 1 The policy rule is evaluated each time its underlying webcacheSecurityViolations metric is collected.

Defaults

Parameters and Their Default Values

Not Applicable

Objects Excluded by Default

Not Applicable

Impact of Violation

Malicious users may be able to overwrite a writable file in the Document Root directory.

Action

Do not include any group or world writable files in the Document Root directory.
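The writable-files check and its remediation, as an added POSIX shell example rather than Oracle's code or the policy's own metric. It finds regular files under a document root that carry the group-write or world-write bit (the "users other than the owner" condition above), counts them, and can strip those bits; the document root location in the usage comment ($ORACLE_HOME/webcache/docs) is an assumption based on the alert message, not a path this page states.

```shell
#!/bin/sh
# Added example, not Oracle's code: find regular files under a Web Cache document
# root that are group- or world-writable, the condition policy 11.1.4 reports.

# writable_files DIR -> one offending path per line (sorted); nothing if compliant.
# -perm -020: group-write bit set; -perm -002: other-write bit set (octal, POSIX).
writable_files() {
  find "$1" -type f \( -perm -020 -o -perm -002 \) 2>/dev/null | sort
}

# count_writable DIR -> number of offending files (0 means the policy passes)
count_writable() {
  writable_files "$1" | wc -l | tr -d ' '
}

# fix_writable DIR -> strip group and world write from each offending file,
# which is the remediation the policy's Action section asks for.
fix_writable() {
  writable_files "$1" | while IFS= read -r f; do
    chmod go-w "$f"
  done
}

# demo: build a constructed document tree (not a real install), audit it, fix it,
# audit again. Prints the before/after counts.
demo() {
  root=$(mktemp -d)
  printf 'ok\n'  > "$root/index.html";   chmod 644 "$root/index.html"   # owner-only write
  mkdir "$root/img"
  printf 'bad\n' > "$root/img/logo.gif"; chmod 664 "$root/img/logo.gif" # group-writable
  printf 'bad\n' > "$root/notes.txt";    chmod 646 "$root/notes.txt"    # world-writable
  echo "before: $(count_writable "$root")"
  fix_writable "$root"
  echo "after:  $(count_writable "$root")"
  rm -rf "$root"
}

# Against a real install (assumed document root location, not given on this page):
#   writable_files "$ORACLE_HOME/webcache/docs"
```

Run demo to see the audit on the constructed tree: two files are reported before fix_writable and none after. Because find with -perm -MODE matches when all the given bits are set, the two tests together catch any file writable by someone other than its owner, whatever its other permission bits; the chmod go-w remediation removes only the write bits and leaves read and execute permissions as they were.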