Details
Application servers provide a myriad of differing processes, features and functionalities. Some of these processes may be deemed to be unnecessary or too insecure to run on a production DoD system. Application servers must provide the capability to disable or deactivate functionality and services that are deemed to be non-essential to the server mission or can adversely impact server performance, for example, disabling dynamic JSP reloading on production application servers as a best practice.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
1. Access AC
2. From ‘Domain Structure’, select ‘Deployments’
3. Select a deployment of type ‘Web Application’ from list of deployments
4. Select ‘Configuration’ tab -> ‘General’ tab
5. Utilize ‘Change Center’ to create a new change session
6. Set ‘JSP Page Check’ field value to ‘-1’, which indicates JSP reloading is disabled within this deployment. Click ‘Save’. Repeat steps 3-6 for all ‘Web Application’ type deployments.
7. For every WebLogic resource within the domain, the ‘Configuration’ tab and associated subtabs provide the ability to disable or deactivate functionality and services that are deemed to be non-essential to the server mission or can adversely impact server performance
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Unix.
References
- 800-53|CM-7a.
- CAT|II
- CCI|CCI-000381
- Rule-ID|SV-235961r628661_rule
- STIG-ID|WBLC-03-000127
- STIG-Legacy|SV-70525
- STIG-Legacy|V-56271
- Vuln-ID|V-235961