| Oracle® Enterprise Manager Policy Reference Manual 10g Release 2 (10.2) Part Number B16231-01 |
|
|
View PDF |
| Oracle® Enterprise Manager Policy Reference Manual 10g Release 2 (10.2) Part Number B16231-01 |
|
|
View PDF |
This chapter provides the following information for each of the Oracle Application Server Web Cache policies:
Brief description of the policy
Summary of the policy's main properties
Default values for the policy: parameters with their default values and objects excluded by default
Impact of the policy violation
Action to perform when the violation occurs
This policy checks whether access logging is enabled on Web Cache. To effectively manage Web Cache, it is necessary to get feedback about the activity and performance of the server, as well as any problems that may be occurring.
The server access log records all requests processed by the server. The ACCESSLOG element in $ORACLE_HOME/webcache/webcache.xml is used to configure this.
Policy Summary
The following table lists the policy's main properties.
| Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
|---|---|---|---|---|---|---|
| Critical | Security | Web Cache | Oracle Application Server 9.0.4.x and Oracle Application Server 10.1.2.x | The underlying metric has a collection frequency of once every 24 hours. | Yes | Access logging is not enabled for Web Cache. |
Defaults
Parameters and Their Default Values
None
Objects Excluded by Default
None
Impact of Violation
Absence of an access log can severely cripple administrators' ability to monitor malicious attacks.
Action
Enable access logging for Web Cache.
This policy checks whether a Dummy Wallet is being used on Web Cache.
A dummy wallet is located in $ORACLE_HOME/webcache/wallets/default on UNIX and ORACLE_HOME\webcache\wallets\default on Windows. This wallet is intended for testing purposes for OracleAS Web Cache HTTPS communication to origin servers.
For a production environment, use the procedures described in the documentation to create a new wallet with Oracle Wallet Manager. By default, Oracle Wallet Manager stores wallets in directory /etc/ORACLE/WALLETS/user_name on UNIX and %USERPROFILES%\ORACLE\WALLETS on Windows.
Policy Summary
The following table lists the policy's main properties.
| Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
|---|---|---|---|---|---|---|
| Critical | Security | Web Cache | Oracle Application Server 9.0.4.x and Oracle Application Server 10.1.2.x | The underlying metric has a collection frequency of once every 24 hours. | Yes | Dummy Wallet is used by Web Cache. |
Defaults
Parameters and Their Default Values
None
Objects Excluded by Default
None
Impact of Violation
Use of a Dummy Wallet provided by Oracle could severely compromise the security of the site.
Action
Do not use a Dummy Wallet for production SSL load.
This policy verifies that the webcached binary is not owned by a super user.
Binaries with suid privilege can be exploited to get extra privileges on the host. If a super user owns the webcached binary and the suid bit is set, a malicious user can exploit it to gain super user privileges on the host.
Policy Summary
The following table lists the policy's main properties.
| Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
|---|---|---|---|---|---|---|
| Critical | Security | Web Cache | Oracle Application Server 9.0.4.x and Oracle Application Server 10.1.2.x | The underlying metric has a collection frequency of once every 24 hours. | Yes | Web Cache is owned by root and the setuid bit is set. |
Defaults
Parameters and Their Default Values
None
Objects Excluded by Default
None
Impact of Violation
If Web Cache is owned by root and the setuid bit is set, malicious users may be able to gain access to the system as a super user.
Action
A user other than super user (root) should own the webcached binary.
This policy checks whether users other than the owner have write permission in the directory from which Web Cache will serve files.
Policy Summary
The following table lists the policy's main properties.
| Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
|---|---|---|---|---|---|---|
| Warning | Security | Web Cache | Oracle Application Server 9.0.4.x and Oracle Application Server 10.1.2.x | The underlying metric has a collection frequency of once every 24 hours. | Yes | There are writable files in the docs folder of Webcache. |
Defaults
Parameters and Their Default Values
None
Objects Excluded by Default
None
Impact of Violation
Malicious users may be able to overwrite a writable file in the Document Root directory.
Action
Do not include any group or world writable files in the Document Root directory.
