Oracle® Enterprise Manager Policy Reference Manual 10g Release 5 (10.2.0.5) Part Number B16231-02
This chapter provides the following information for each of the Oracle Application Server Web Cache policies:
Brief description of the policy
Summary of the policy's main properties
Default values for the policy: parameters with their default values and objects excluded by default
Impact of the policy violation
Action to perform when the violation occurs
The security policies for the Web Cache target are:
This policy checks whether access logging is enabled on Web Cache. To effectively manage Web Cache, it is necessary to get feedback about the activity and performance of the server, as well as any problems that may be occurring.
The server access log records all requests processed by the server. The ACCESSLOG element in $ORACLE_HOME/webcache/webcache.xml is used to configure this.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Web Cache | Oracle Application Server 9.0.4.x and Oracle Application Server 10.1.2.x | The underlying metric has a collection frequency of once every 24 hours. | Yes | Access logging is not enabled for Web Cache. |
Footnote 1 The policy rule is evaluated each time its underlying webcacheSecurityViolations metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Absence of an access log can severely cripple administrators' ability to monitor malicious attacks.
Enable access logging for Web Cache.
This policy checks whether a Dummy Wallet is being used on Web Cache.
A dummy wallet is located in $ORACLE_HOME/webcache/wallets/default on UNIX and ORACLE_HOME\webcache\wallets\default on Windows. This wallet is intended for testing purposes for OracleAS Web Cache HTTPS communication to origin servers.
For a production environment, use the procedures described in the documentation to create a new wallet with Oracle Wallet Manager. By default, Oracle Wallet Manager stores wallets in directory /etc/ORACLE/WALLETS/user_name on UNIX and %USERPROFILES%\ORACLE\WALLETS on Windows.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Web Cache | Oracle Application Server 9.0.4.x and Oracle Application Server 10.1.2.x | The underlying metric has a collection frequency of once every 24 hours. | Yes | Dummy Wallet is used by Web Cache. |
Footnote 1 The policy rule is evaluated each time its underlying webcacheSecurityViolations metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Use of a Dummy Wallet provided by Oracle could severely compromise the security of the site.
Do not use a Dummy Wallet for production SSL load.
This policy verifies that the webcached binary is not owned by a super user.
Binaries with suid privilege can be exploited to get extra privileges on the host. If a super user owns the webcached binary and the suid bit is set, a malicious user can exploit it to gain super user privileges on the host.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Critical | Security | Web Cache | Oracle Application Server 9.0.4.x and Oracle Application Server 10.1.2.x | The underlying metric has a collection frequency of once every 24 hours. | Yes | Web Cache is owned by root and the setuid bit is set. |
Footnote 1 The policy rule is evaluated each time its underlying webcacheSecurityViolations metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
If Web Cache is owned by root and the setuid bit is set, malicious users may be able to gain access to the system as a super user.
A user other than super user (root) should own the webcached binary.
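A local check for the condition this policy alerts on, written for this page as an added example (it is not Oracle's implementation of the webcacheSecurityViolations metric). The function names are hypothetical, the path to webcached is supplied by the caller, and the optional uid argument exists only so the check can be exercised without root.

```shell
#!/bin/sh
# Added example: flag a binary that is owned by root AND has the setuid bit set.

# suid_owned_by FILE [UID]
# Prints FILE and returns 0 when FILE is setuid and owned by UID (default 0, root).
# Returns 1 when the file does not match, 2 when it is missing.
suid_owned_by() {
    bin=$1
    uid=${2:-0}
    [ -f "$bin" ] || return 2
    # -prune keeps find on the named file; -perm -4000 matches the setuid bit.
    hit=$(find "$bin" -prune -type f -perm -4000 -user "$uid" -print)
    [ -n "$hit" ] || return 1
    printf '%s\n' "$hit"
}

# audit_webcached FILE
# Reports in the terms of the policy's alert message; returns 1 on a violation.
audit_webcached() {
    bin=$1
    suid_owned_by "$bin" 0 >/dev/null
    case $? in
        0) echo "VIOLATION: $bin is owned by root and the setuid bit is set"
           echo "Action: a user other than root should own this binary"
           return 1 ;;
        1) echo "OK: $bin is not a root-owned setuid binary"
           return 0 ;;
        *) echo "SKIP: $bin not found"
           return 2 ;;
    esac
}

# Usage: sh check_webcached.sh /path/to/webcached   (script name is hypothetical)
if [ $# -gt 0 ]; then
    audit_webcached "$1"
fi
```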
This policy checks whether users other than the owner have write permission in the directory from which Web Cache will serve files.
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation (Footnote 1) | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Web Cache | Oracle Application Server 9.0.4.x and Oracle Application Server 10.1.2.x | The underlying metric has a collection frequency of once every 24 hours. | Yes | There are writable files in the docs folder of Webcache. |
Footnote 1 The policy rule is evaluated each time its underlying webcacheSecurityViolations metric is collected.
Parameters and Their Default Values
Not Applicable
Objects Excluded by Default
Not Applicable
Malicious users may be able to overwrite a writable file in the Document Root directory.
Do not include any group or world writable files in the Document Root directory.
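One way to find the files this policy would flag, as an added example rather than Oracle's own check. The function names are hypothetical and the Document Root path is passed in by the caller; directories are reported as well as files, since a directory that others can write to lets them replace the files in it.

```shell
#!/bin/sh
# Added example: list entries under a document root that group or others can write to.

# list_nonowner_writable DIR
# Prints one path per line. Symbolic links are skipped because their own
# mode bits do not control access to the target.
list_nonowner_writable() {
    docroot=$1
    [ -d "$docroot" ] || return 2
    find "$docroot" \( -type f -o -type d \) \
        \( -perm -020 -o -perm -002 \) -print
}

# audit_docroot DIR
# Returns 0 when clean, 1 when at least one entry is group or world writable,
# 2 when DIR is not a directory.
audit_docroot() {
    found=$(list_nonowner_writable "$1") || return 2
    if [ -n "$found" ]; then
        printf 'VIOLATION: group or world writable entries:\n%s\n' "$found"
        echo "Action: remove the extra write bits, e.g. chmod go-w <path>"
        return 1
    fi
    echo "OK: no group or world writable entries under $1"
}

# Usage: sh check_docroot.sh /path/to/docroot   (script name is hypothetical)
if [ $# -gt 0 ]; then
    audit_docroot "$1"
fi
```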