Last modified: 2011-10-07
Version: 5.20111007

| CCE ID | CCE Description | CCE Parameters | CCE Technical Mechanisms | Securing a Production Environment for Oracle WebLogic Server 11g Release 1 (10.3.1) | Securing Oracle WebLogic Server 11g Release 1 (10.3.1) | Other WebLogic Documentation |
|---|---|---|---|---|---|---|
| CCE-17933-3 | Set the "Complete Message Timeout" appropriately for each server. | (1) number of seconds | (1) via the Administration Console, Environment > Servers > Server Domain > Server Name > Protocols > General > Complete Message Timeout field | | | BEA WebLogic Server 10.0 Domain Configuration Schema Reference, see element complete-message-timeout |
| CCE-18113-1 | Enable or disable the "FIPS-compliant cryptographic module". | (1) enabled/disabled | (1) via 'setDomainEnv.sh' | Note in section 3.2, "Securing a Production Environment for Oracle WebLogic Server" | | |
| CCE-17853-3 | Enable or disable the "Allow Unencrypted Null Cipher" as appropriate for each server. | (1) enabled/disabled | (1) via the Administration Console, Domain Structure > Environment > Servers > Server Name > Configuration > SSL > Advanced > Allow Unencrypted Null Cipher checkbox | Section 3.1, "An Important Note Regarding Null Cipher Use in SSL" | | |
| CCE-17743-6 | Determine the appropriate "Maximum Message Size" for each server. | (1) bytes | (1) via the Administration Console, Environment > Servers > Server Name > Protocols > General > Maximum Message Size field | Table 3-3 in section 3.5, "Securing the WebLogic Security Notice" | | |
| CCE-17760-0 | Determine the appropriate "Security Interoperability Mode" setting. | (1) default/performance/compatibility | (1) via the Administration Console, Domain Name > Security > General > Advanced > Security Interoperability Mode setting | | | Oracle® Fusion Middleware Programming JTA for Oracle WebLogic Server 11g Release 1 (10.3.1), link down to 3.3.2.3, "Configuring Security Interoperability Mode" |
| CCE-17888-9 | The Oracle WebLogic Server should be run by the appropriate account. | (1) set of accounts | (1) via the Configuration Wizard (2) via chown | p. 21, Table 3-1 in section 3.6, "Securing the WebLogic Security Notice" | | |
| CCE-17155-3 | Define the "Severity" field as appropriate. | (1) Failure/Success/Error/Warning/Information | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Auditing > WebLogic Auditing Provider > Provider Specific > Severity attribute | | link down to section 4.6, "Configuring the WebLogic Auditing Provider" | |
| CCE-17181-9 | Enable or disable the Active Context Handler "servlet.HttpServletResponse" as appropriate. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Auditing > WebLogic Auditing Provider > Provider Specific > Active Context Handler Entries | | link down to section 4.6.1, "Auditing Context Handler Elements" | |
| CCE-17171-0 | Enable or disable the Active Context Handler "wli.Message" as appropriate. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Auditing > WebLogic Auditing Provider > Provider Specific > Active Context Handler Entries | | link down to section 4.6.1, "Auditing Context Handler Elements" | |
| CCE-17572-9 | Enable or disable the Active Context Handler "channel.Port" as appropriate. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Auditing > WebLogic Auditing Provider > Provider Specific > Active Context Handler Entries | | link down to section 4.6.1, "Auditing Context Handler Elements" | |
| CCE-17740-2 | Enable or disable the Active Context Handler "channel.PublicPort" as appropriate. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Auditing > WebLogic Auditing Provider > Provider Specific > Active Context Handler Entries | | link down to section 4.6.1, "Auditing Context Handler Elements" | |
| CCE-17652-9 | Enable or disable the Active Context Handler "servlet.HttpServletResponse" as appropriate. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Auditing > WebLogic Auditing Provider > Provider Specific > Active Context Handler Entries | | link down to section 4.6.1, "Auditing Context Handler Elements" | |
| CCE-17167-8 | Enable or disable the Active Context Handler "servlet.HttpServletResponse" as appropriate. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Auditing > WebLogic Auditing Provider > Provider Specific > Active Context Handler Entries | | link down to section 4.6.1, "Auditing Context Handler Elements" | |
| CCE-18007-5 | Enable or disable the Active Context Handler "channel.RemotePort" as appropriate. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Auditing > WebLogic Auditing Provider > Provider Specific > Active Context Handler Entries | | link down to section 4.6.1, "Auditing Context Handler Elements" | |
| CCE-17825-1 | Enable or disable the Active Context Handler "channel.Protocol" as appropriate. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Auditing > WebLogic Auditing Provider > Provider Specific > Active Context Handler Entries | | link down to section 4.6.1, "Auditing Context Handler Elements" | |
| CCE-17877-2 | Enable or disable the Active Context Handler "channel.Address" as appropriate. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Auditing > WebLogic Auditing Provider > Provider Specific > Active Context Handler Entries | | link down to section 4.6.1, "Auditing Context Handler Elements" | |
| CCE-17176-9 | Enable or disable the Active Context Handler "channel.PublicAddress" as appropriate. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Auditing > WebLogic Auditing Provider > Provider Specific > Active Context Handler Entries | | link down to section 4.6.1, "Auditing Context Handler Elements" | |
| CCE-18120-6 | Enable or disable the Active Context Handler "channel.RemoteAddress" as appropriate. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Auditing > WebLogic Auditing Provider > Provider Specific > Active Context Handler Entries | | link down to section 4.6.1, "Auditing Context Handler Elements" | |
| CCE-17812-9 | Enable or disable the Active Context Handler "channel.ChannelName" as appropriate. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Auditing > WebLogic Auditing Provider > Provider Specific > Active Context Handler Entries | | link down to section 4.6.1, "Auditing Context Handler Elements" | |
| CCE-18009-1 | Enable or disable the Active Context Handler "channel.Secure" as appropriate. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Auditing > WebLogic Auditing Provider > Provider Specific > Active Context Handler Entries | | link down to section 4.6.1, "Auditing Context Handler Elements" | |
| CCE-17296-5 | Enable or disable the Active Context Handler "ejb20.Parameter" as appropriate. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Auditing > WebLogic Auditing Provider > Provider Specific > Active Context Handler Entries | | link down to section 4.6.1, "Auditing Context Handler Elements" | |
| CCE-17798-0 | Enable or disable the Active Context Handler "wsee.SOAPmessage" as appropriate. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Auditing > WebLogic Auditing Provider > Provider Specific > Active Context Handler Entries | | link down to section 4.6.1, "Auditing Context Handler Elements" | |
| CCE-17335-1 | Enable or disable the Active Context Handler "entitlement.EAuxiliaryID" as appropriate. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Auditing > WebLogic Auditing Provider > Provider Specific > Active Context Handler Entries | | link down to section 4.6.1, "Auditing Context Handler Elements" | |
| CCE-17736-0 | Enable or disable the Active Context Handler "security.ChainPrevalidatedBySSL" as appropriate. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Auditing > WebLogic Auditing Provider > Provider Specific > Active Context Handler Entries | | link down to section 4.6.1, "Auditing Context Handler Elements" | |
| CCE-18023-2 | Enable or disable the Active Context Handler "xml.SecurityToken" as appropriate. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Auditing > WebLogic Auditing Provider > Provider Specific > Active Context Handler Entries | | link down to section 4.6.1, "Auditing Context Handler Elements" | |
| CCE-17789-9 | Enable or disable the Active Context Handler "webservice.Integrity" as appropriate. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Auditing > WebLogic Auditing Provider > Provider Specific > Active Context Handler Entries | | link down to section 4.6.1, "Auditing Context Handler Elements" | |
| CCE-17287-4 | Enable or disable the Active Context Handler "saml.SSLClientCertificateChain" as appropriate. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Auditing > WebLogic Auditing Provider > Provider Specific > Active Context Handler Entries | | link down to section 4.6.1, "Auditing Context Handler Elements" | |
| CCE-17948-1 | Enable or disable the Active Context Handler "saml.SSLClientCertificateChain" as appropriate. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Auditing > WebLogic Auditing Provider > Provider Specific > Active Context Handler Entries | | link down to section 4.6.1, "Auditing Context Handler Elements" | |
| CCE-17970-5 | Enable or disable the Active Context Handler "saml.MessageSignerCertificate" as appropriate. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Auditing > WebLogic Auditing Provider > Provider Specific > Active Context Handler Entries | | link down to section 4.6.1, "Auditing Context Handler Elements" | |
| CCE-17304-7 | Enable or disable the Active Context Handler "saml.subject.ConfirmationMethod" as appropriate. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Auditing > WebLogic Auditing Provider > Provider Specific > Active Context Handler Entries | | link down to section 4.6.1, "Auditing Context Handler Elements" | |
| CCE-18088-5 | Enable or disable the Active Context Handler "saml.subject.dom.KeyInfo" as appropriate. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Auditing > WebLogic Auditing Provider > Provider Specific > Active Context Handler Entries | | link down to section 4.6.1, "Auditing Context Handler Elements" | |
| CCE-17179-3 | Enable or disable the Active Context Handler "jmx.ObjectName" as appropriate. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Auditing > WebLogic Auditing Provider > Provider Specific > Active Context Handler Entries | | link down to section 4.6.1, "Auditing Context Handler Elements" | |
| CCE-17893-9 | Enable or disable the Active Context Handler "jmx.ShortName" as appropriate. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Auditing > WebLogic Auditing Provider > Provider Specific > Active Context Handler Entries | | link down to section 4.6.1, "Auditing Context Handler Elements" | |
| CCE-17558-8 | Enable or disable the Active Context Handler "jmx.Parameters" as appropriate. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Auditing > WebLogic Auditing Provider > Provider Specific > Active Context Handler Entries | | link down to section 4.6.1, "Auditing Context Handler Elements" | |
| CCE-17713-9 | Enable or disable the Active Context Handler "jmx.Signature" as appropriate. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Auditing > WebLogic Auditing Provider > Provider Specific > Active Context Handler Entries | | link down to section 4.6.1, "Auditing Context Handler Elements" | |
| CCE-17805-3 | Enable or disable the Active Context Handler "jmx.AuditProtectedArgInfo" as appropriate. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Auditing > WebLogic Auditing Provider > Provider Specific > Active Context Handler Entries | | link down to section 4.6.1, "Auditing Context Handler Elements" | |
| CCE-18091-9 | Enable or disable the Active Context Handler "jmx.OldAttributeValue" as appropriate. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Auditing > WebLogic Auditing Provider > Provider Specific > Active Context Handler Entries | | link down to section 4.6.1, "Auditing Context Handler Elements" | |
| CCE-17738-6 | Set the "Minimum Password Length" field appropriately. | (1) number of characters | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Authentication > DefaultAuthenticator > Configuration > Minimum Password Length field | | link down to section 5.3, "Configuring the Default Authentication Provider" | |
| CCE-17254-4 | Enable or disable the "Reject if Password Contains the User Name" attribute as appropriate. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Password Validation > System Password Validator > Provider Specific > User Name Policies section | | link down to section 5.8.1, Table 5-7 | |
| CCE-18038-0 | Enable or disable the "Reject if Password Contains the User Name Reversed" setting. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Password Validation > System Password Validator > Provider Specific > Reject if Password Contains the User Name Reversed field | | link down to section 5.8.1, Table 5-7 | |
| CCE-17182-7 | Set the "Maximum Password Length" field appropriately. | (1) number of characters | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Password Validation > System Password Validator > Provider Specific > Maximum Password Length field | | link down to section 5.8.1, Table 5-7 | |
| CCE-17601-6 | Set the "Minimum Password Length" field appropriately. | (1) number of characters | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Password Validation > System Password Validator > Provider Specific > Minimum Password Length field | | link down to section 5.8.1, Table 5-7 | |
| CCE-17892-1 | Set the "Maximum Instances of Any Character" field appropriately. | (1) number of characters | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Password Validation > System Password Validator > Provider Specific > Maximum Instances of Any Character field | | link down to section 5.8.1, Table 5-7 | |
| CCE-18028-1 | Set the "Maximum Consecutive Characters" field appropriately. | (1) number of characters | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Password Validation > System Password Validator > Provider Specific > Maximum Consecutive Characters field | | link down to section 5.8.1, Table 5-7 | |
| CCE-17183-5 | Set the "Minimum Number of Alphabetic Characters" field appropriately. | (1) number of characters | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Password Validation > System Password Validator > Provider Specific > Minimum Number of Alphabetic Characters field | | link down to section 5.8.1, Table 5-7 | |
| CCE-17186-8 | Set the "Minimum Number of Numeric Characters" field appropriately. | (1) number of characters | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Password Validation > System Password Validator > Provider Specific > Minimum Number of Numeric Characters field | | link down to section 5.8.1, Table 5-7 | |
| CCE-17561-2 | Set the "Minimum Number of Lower Case Characters" field appropriately. | (1) number of characters | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Password Validation > System Password Validator > Provider Specific > Minimum Number of Lower Case Characters field | | link down to section 5.8.1, Table 5-7 | |
| CCE-17979-6 | Set the "Minimum Number of Upper Case Characters" field appropriately. | (1) number of characters | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Password Validation > System Password Validator > Provider Specific > Minimum Number of Upper Case Characters field | | link down to section 5.8.1, Table 5-7 | |
| CCE-17618-0 | Set the "Minimum Number of Non-Alphanumeric Characters" field appropriately. | (1) number of characters | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Password Validation > System Password Validator > Provider Specific > Minimum Number of Non-Alphanumeric Characters field | | link down to section 5.8.1, Table 5-7 | |
| CCE-17763-4 | Enable or disable the "Lockout Enabled" setting. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Configuration > User Lockout > Lockout Enabled attribute | | section 3.3, bullet 8 (link down to section 13.7, "Protecting User Accounts") | |
| CCE-17393-0 | Set the SerializedSystemIni.dat file permissions appropriately. | (1) permissions | (1) via chmod | | section 3.3 (link down to section 13.6, "How Passwords Are Protected in WebLogic Server") | |
| CCE-17913-5 | Define the "Lockout Threshold" in the Security Realm appropriately. | (1) number of invalid login attempts | (1) via the Administration Console, Security Realm > Name of the active Realm > User Lockout > Lockout Threshold field | | | BEA WebLogic Server Domain Configuration Schema Reference, see element lockout-threshold |
| CCE-18068-7 | Define the "Lockout Duration" in the Security Realm appropriately. | (1) number of minutes | (1) via the Administration Console, Security Realm > Name of the active Realm > User Lockout > Lockout Duration field | | | NSA Report I733-033R-2006 (December 2006), "Oracle Application Server Security Recommendations and DoDI 8500.2 IA Controls", http://www.nsa.gov/ia/_files/app/I733-033R-2006.PDF, p. 27, bullet 4 under "OAS Identity Management" |
| CCE-17464-9 | Define the "Lockout Reset Duration" in the Security Realm appropriately. | (1) number of minutes | (1) via the Administration Console, Security Realm > Name of the active Realm > User Lockout > Lockout Reset Duration field | | | BEA WebLogic Server Domain Configuration Schema Reference, see element lockout-reset-duration |
| CCE-17856-6 | Enable or disable the "Require Unanimous Permit" setting. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Adjudication > DefaultAdjudicator > Provider Specific > Require Unanimous Permit attribute | | link down to section 4.4, "Configuring the WebLogic Communication Provider" | |
| CCE-17794-9 | Set the "Host Name Verification" appropriately on the Administration Server. | (1) name of host | (1) via the Administration Console, Environment > Servers > Administration Server > Configuration > SSL > Advanced > Host Name Verification setting | | link down to section 12.4, "Using Host Name Verification" | |
| CCE-18186-7 | Define the "Minimum Number of Non-Alphabetic Characters" appropriately. | (1) number of characters | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Password Validation > System Password Validator > Provider Specific > Minimum Number of Non-Alphabetic Characters field | | link down to section 5.8.1, Table 5-7, "Password Composition Rules and Default Values" (p. 70) | |
| CCE-17189-2 | Enable or disable the "SSL Enabled" setting for the appropriate LDAP Server connections. | (1) enabled/disabled | (1) via the Administration Console, Security Realm > Name of the active Realm > Providers > Configuration > Provider Specific > SSL Enabled box | | | NSA Report I33-004R-2005, "BEA WebLogic Platform Security Guide", Network Applications Team of the Systems and Network Attack Center (SNAC), 4 April 2005, Version 1.0, "Security Service Providers", pp. 25, 28 |
| CCE-17956-4 | Set the "Host Name Verification" appropriately on all servers. | (1) Custom Hostname Verifier/BEA Hostname Verifier/None | (1) via the Administration Console, Environment > Servers > Server Name > Configuration > SSL > Advanced > Host Name Verification setting | | link down to section 12.4, "Using Host Name Verification" | |
| CCE-17960-6 | Change and set "Domain Credentials" appropriately. | (1) credential | (1) via the Administration Console, Security > General > Advanced > Domain Credential field | | link down to 13.2.2, "Enabling Global Trust" | |
| CCE-17947-3 | Enable or disable the "Configuration Archive Enabled" box appropriately. | (1) enabled/disabled | (1) via the Administration Console, Domain Structure > Domain Name > Configuration > General > Advanced > Configuration Archive Enabled checkbox | | | Introduction to Oracle WebLogic Server, 3 "Domain Configuration Files" |
| CCE-17951-5 | Set the "Archive Configuration Count" appropriately. | (1) number of archive files | (1) via the Administration Console, Domain Structure > Domain Name > Configuration > General > Advanced > Archive Configuration Count field | | | BEA WebLogic Server 10.0 Domain Configuration Schema Reference, see element archive-config-count |
| CCE-17973-9 | Set the password field appropriately for the "Default Administrator". | (1) password | (1) via the Administration Console, Domain Name > Security Realm > Security Realm of interest > Users and Groups > WebLogic user account > Passwords > Password field | | | BEA WebLogic Server 10.0 Security Schema Reference, see element administration-port-enabled |
| CCE-17603-2 | Set the appropriate "SSL Listen Port" value on each server. | (1) numerical value | (1) via the Administration Console, Domain Structure > Environment > Servers > Server Name > SSL Listen Port field | | | BEA WebLogic Platform Security Guide, Network Applications Team of the Systems and Network Attack Center (SNAC), p. 24, "Domains and Realms" |
| CCE-17964-8 | Set the "Administration Console Session Timeout" field appropriately. | (1) numerical value | (1) via the Administration Console, Domain Structure > Domain Name > Configuration > General > Advanced > Console Session Timeout field | | | Oracle® Fusion Middleware Release Notes 11g Release 1 (11.1.1), see "Web Applications Issues and Workarounds", http://download.oracle.com/docs/cd/E12839_01/doc.1111/e14770/weblogic_server_issues.htm#BCFCJGIF |
| CCE-17969-7 | Enable or disable the "Production Mode" appropriately. | (1) enabled/disabled | (1) via the Administration Console, Base_Domain > Configuration > General > Production Mode checkbox | link down to section 2.4, "Install WebLogic Server in a Secure Manner" | | |
| CCE-17991-1 | Enable or disable the WebLogic Auditing provider as appropriate. | (1) enabled/disabled | (1) via the Administration Console, Security Realms > Name of the active Realm > Providers > Auditing | | link down to 4.6, "Configuring the WebLogic Auditing Provider" | |
| CCE-17872-3 | Set the appropriate "Invocation Timeout Seconds" value. | (1) seconds | (1) via the Administration Console, Domain Structure > Domain Name > Configuration > General > Advanced > Invocation Timeout Seconds field | link down to section 2.4, "Install WebLogic Server in a Secure Manner" | | |
| CCE-17612-3 | Enable or disable the "Anonymous Admin Lookup Enabled" setting. | (1) enabled/disabled | (1) via the Administration Console, Domain Name > Security > Anonymous Admin Lookup Enabled box | | | BEA WebLogic Server 10.0 Security Schema Reference, see element anonymous-admin-lookup-enabled |
| CCE-17196-7 | Enable or disable the "Web App Files Case Insensitive" setting. | (1) enabled/disabled | (1) via the Administration Console, Domain > Security > General > Advanced > Web App Files Case Insensitive textbox | | | BEA WebLogic Server 10.0 Security Schema Reference, see element web-app-files-case-insensitive |
| CCE-17201-5 | Enable or disable the "Enable Administration Port" setting. | (1) enabled/disabled | (1) via the Administration Console, Domain Structure > Configuration > General > Enable Administration Port attribute | | | Oracle® Fusion Middleware Configuring Server Environments for Oracle WebLogic Server 11g Release 1 (10.3.3), link down to 4.2.3.2, "Administration Port and Administrative Channel" |
| CCE-18144-6 | Enable or disable the "SSL Rejection Logging Enabled" setting on all servers. | (1) enabled/disabled | (1) via the Administration Console, Environment > Servers > Server Name > Configuration > SSL > Advanced > SSL Rejection Logging Enabled attribute | | link down to 12, "Configuring SSL" | |
| CCE-17963-0 | Set the "Export Key Lifespan" as appropriate on each server. | (1) numerical value | (1) via the Administration Console, Environment > Servers > Server Name > Configuration > SSL > Advanced > Export Key Lifespan attribute | | | BEA WebLogic Server 9.0 Domain Configuration Schema Reference, see element export-key-lifespan |
| CCE-17844-2 | Enable or disable the "Client Cert Proxy Enabled" setting on the Administration Server. | (1) enabled/disabled | (1) via the Administration Console, Environment > Servers > AdminServer > Configuration > General > Client Cert Proxy Enabled checkbox | | | Oracle® Fusion Middleware Developing Web Applications, Servlets, and JSPs for Oracle WebLogic Server 11g Release 1 (10.3.1), link down to B.13.13, "client-cert-proxy-enabled" |
| CCE-18077-8 | Enable or disable the "Client Cert Proxy Enabled" setting on the managed server. | (1) enabled/disabled | (1) via the Administration Console, Environment > Servers > Managed Servers > Client Cert Proxy Enabled checkbox | | | Oracle® Fusion Middleware Developing Web Applications, Servlets, and JSPs for Oracle WebLogic Server 11g Release 1 (10.3.1), link down to B.13.13, "client-cert-proxy-enabled" |
| CCE-18082-8 | Set the "Frontend Host" attribute appropriately for each server. | (1) name of server | (1) via the Administration Console, Domain > Environment > Servers > Server Name > Protocols > HTTP > Frontend Host field | p. 30, Table 3-4, "Securing Applications" | | |
| CCE-17478-9 | Set the "Check Roles and Policies" appropriately. | (1) AllWebApplicationsAndEJBs/WebApplicationsAndEJBsProtectedInDD | (1) via the Administration Console, Security Realm > Name of the active Realm > Configuration > General > Advanced > Check Roles and Policies setting | | | Oracle® Fusion Middleware Securing Resources Using Roles and Policies for Oracle WebLogic Server 11g Release 1 (10.3.1), E13747-01, link down to 4.2.1, "Understanding the Check Roles and Policies Setting" and 4.2.2, "Understanding the When Deploying Web Applications or EJBs Setting" |
| CCE-17482-1 | Set the "Security Model Default" appropriately. | (1) DDOnly/CustomRoles/CustomRolesAndPolicies/Advanced | (1) via the Administration Console, Security Realm > Name of the active Realm > Configuration > General > Security Model Default setting | | | Oracle® Fusion Middleware Securing Resources Using Roles and Policies for Oracle WebLogic Server 11g Release 1 (10.3.5), see 4, "Options for Securing Web Application and EJB Resources" |
| CCE-17346-8 | Set the "When Deploying Web Applications or EJBs" appropriately. | (1) IgnoreRolesAndPoliciesFromDD/InitializeRolesAndPoliciesFromDD | (1) via the Administration Console, Security Realm > Name of the active Realm > Settings > Advanced > When Deploying Web Applications or EJBs setting | | | Oracle® eDocs > Securing WebLogic Resources Using Roles and Policies > Options for Securing Web Application and EJB Resources |
| CCE-17208-0 | Set the "Configuration Audit Type" field appropriately. | (1) Change None/Change Log/Change Audit/Change and Audit | (1) via the Administration Console, Domain Structure > Domain Name > Configuration > General > Advanced > Configuration Audit Type field | | link down to 4.6.2, "Enable Configuration Auditing" | |
| CCE-18128-9 | Set the EditMBeanServerEnabled attribute appropriately on the Administration Server. | (1) True/False | (1) via the Administration Console, Environment > Servers > Administration Server > Configuration, then via WLST or the Management APIs | | | The WebLogic Server MBean Reference: JMXMBean - EditMBeanServerEnabled, http://download.oracle.com/docs/cd/E12840_01/wls/docs103/wlsmbeanref/core/index.html |
| CCE-17507-5 | Enable or disable two-way SSL appropriately for each server. | (1) enabled/disabled | (1) via the Administration Console, Environment > Servers > Configuration > SSL > Advanced > Two Way Client Cert Behavior attribute | | | Oracle® Fusion Middleware Securing Oracle WebLogic Server 11g Release 1 (10.3.5), see 12, "Configuring SSL" |
| CCE-17210-6 | Set the Embedded LDAP "Timeout" appropriately. | (1) seconds | (1) via the Administration Console, Domain > Security > Embedded LDAP > Timeout field | | | The WebLogic Server MBean Reference: EmbeddedLDAPMBean - Timeout |
| CCE-18126-3 | Enable or disable the "Anonymous Bind Allowed" setting. | (1) enabled/disabled | (1) via the Administration Console, Domain > Security > Embedded LDAP > Anonymous Bind Allowed checkbox | | | Oracle® Fusion Middleware Administrator's Guide for Oracle Internet Directory 11g Release 1 (11.1.1), see "Introduction to Anonymous Binds", http://download.oracle.com/docs/cd/E12839_01/oid.1111/e10029/authentication.htm#OIDAG2564 |
| CCE-18148-7 | Set the Server "Post Timeout" field appropriately for each server. | (1) seconds | (1) via the Administration Console, Domain > Environment > Servers > Server Name > Protocols > HTTP > Post Timeout field | | | Oracle BEA Administration Console Online Help, http://download.oracle.com/docs/cd/E13222_01/wls/docs81/ConsoleHelp/domain_server_protocols_http.html |
| CCE-18152-9 | Set the HTTP "Duration" appropriately for each server. | (1) seconds | (1) via the Administration Console, Domain > Environment > Servers > Server Name > Protocols > HTTP > HTTP Duration field | | | Oracle® Fusion Middleware Administrator's Guide for Oracle HTTP Server 11g Release 1 (11.1.1), see "Introduction to Oracle HTTP Server", http://download.oracle.com/docs/cd/E12839_01/web.1111/e10144/intro_ohs.htm#HSADM101 |
| CCE-17513-3 | Set the "HTTPS Duration" appropriately for each server. | (1) seconds | (1) via the Administration Console, Domain > Environment > Servers > Server Name > Protocols > HTTP > HTTPS Duration field | | | BEA WebLogic Server 10.0 Domain Configuration Schema Reference, see element https-keep-alive-secs |
| CCE-17769-1 | Set the "HTTP Maximum Message Size" appropriately for each server. | (1) bytes | (1) via the Administration Console, Domain > Environment > Servers > Server Name > Protocols > HTTP > HTTP Maximum Size field | | | BEA WebLogic Server 10.0 Domain Configuration Schema Reference, see element max-http-message-size |
| CCE-17650-3 | For the Managed Server, create a "Connection Filter" if necessary. | (1) connection filter | To configure a connection filter, follow the instructions under the "Configuring Connection Filtering" section at http://download-llnw.oracle.com/docs/cd/E13222_01/wls/docs81/secmanage/domain.html#1107380 | | link down to 13.3, "Using Connection Filters" | |
| CCE-17214-8 | Create a connection filter for the appropriate servers and machines. | (1) connection filter | To configure a connection filter, follow the instructions under the "Configuring Connection Filtering" section at http://download-llnw.oracle.com/docs/cd/E13222_01/wls/docs81/secmanage/domain.html#1107380 | | | Oracle® Fusion Middleware Securing Oracle WebLogic Server 11g Release 1 (10.3.5), see 13, "Configuring Security for a WebLogic Domain" |
| CCE-18147-9 | Set the "Keystore" file permissions as appropriate. | (1) value | (1) via chmod | | | Oracle® Fusion Middleware Securing Oracle WebLogic Server 11g Release 1 (10.3.1), see 11, "Configuring Identity and Trust" |
| CCE-18024-0 | Set the "Keystores" permission value appropriately in directories. | (1) value | (1) via chmod | | link down to 11, "Configuring Identity and Trust" | |
| CCE-18046-3 | Set the permissions on the WebLogic Server product installation directory appropriately. | (1) value | (1) via chmod | | | Oracle® Fusion Middleware Installation Guide for Oracle WebLogic Server 11g Release 1 (10.3.1), see "Choosing a Product Installation Directory", http://download.oracle.com/docs/cd/E12839_01/doc.1111/e14142/prepare.htm#WLSIG112 |
| CCE-17425-0 | Set the permissions on the Domain Home directory appropriately. | (1) value | (1) via chmod | | | Oracle® Fusion Middleware Administrator's Guide 11g Release 1 (11.1.1), see 2, "Understanding Oracle Fusion Middleware Concepts", 2.2, "What Is an Oracle WebLogic Server Domain" |
| CCE-17216-3 | Enable or disable the "Client Cert Proxy Enabled" attribute appropriately. | (1) enabled/disabled | (1) via the Administration Console, Domain > Configuration > Web Applications > Client Cert Proxy Enabled field | | | Oracle® Fusion Middleware Developing Web Applications, Servlets, and JSPs for Oracle WebLogic Server 11g Release 1 (10.3.1), see "B weblogic.xml Deployment Descriptor Elements", then "client-cert-proxy-enabled" |
CCE-18171-9 Enable or disable the "Auth Cookie Enabled" option appropriately. (1) enabled/disabled (1) via the Administration Console, Domain > Configuration > Web Applications > Auth Cookie Enabled Field NaN NaN NaN BEA WebLogic Server 10.0 Domain Configuration Schema Reference, element auth-cookie-enabled
CCE-18193-3 Set the "Post Timeout" field appropriately. (1) seconds (1) via the Administration Console, Domain > Configuration > Web Applications > Post Timeout Field NaN NaN NaN BEA WebLogic Server 10.0 Domain Configuration Schema Reference, element post-timeout-secs
CCE-18198-2 Set the "Maximum Open Sockets" setting appropriately on the Administration server. (1) open file descriptors (1) via WLST NaN Oracle® Fusion Middleware Securing a Production Environment for Oracle WebLogic Server 11g Release 1 (10.3.1) E13705-01 NaN NaN
CCE-18185-9 Set the permissions to the Middleware Home directory appropriately. (1) value (1) via chmod NaN NaN NaN Oracle® Fusion Middleware Installation Guide for Oracle Identity Management 11g Release 1 (11.1.1) -- Installing Oracle WebLogic Server and Creating the Oracle Middleware Home http://download.oracle.com/docs/cd/E12839_01/install.1111/e12002/before.htm#INOIM957
CCE-17895-4 Set the "Complete Message Timeout" appropriately for each custom channel on each server. (1) number of seconds (1) via the Administration console, Environment > Servers > Server Domain > Server name > Protocols > Channels > General > Complete Message Timeout field NaN NaN NaN Oracle® Fusion Middleware Performance and Tuning for Oracle WebLogic Server 11g Release 1 (10.3.4), See “7 Tuning WebLogic Server, Reducing the Potential for Denial of Service Attacks, Tuning Complete Message Timeout"
CCE-17410-2 Set the "Idle Connection Timeout" appropriately for each custom channel on each server. (1) number of seconds (1) via the Administration console, Environment > Servers > Server Domain > Server name > Protocols > Channels > General > Idle Connection Timeout field NaN NaN NaN BEA WebLogic Server 10.0 Domain Configuration Schema Reference. See: element idle-connection-timeout
CCE-17239-5 Set the "Maximum Message Size" appropriately for each custom channel on each server. (1) number of bytes (1) via the Administration console, Environment > Servers > Server Domain > Server name > Protocols > Channels > General > Maximum Message Size field NaN NaN NaN Oracle® Fusion Middleware Performance and Tuning for Oracle WebLogic Server 11g Release 1 (10.3.4), See "14 Tuning WebLogic JMS," then "Setting Maximum Message Size for Network Protocols
CCE-17401-1 Set the Node Manager Listen Address appropriately. (1) IP address/hostname of server (1) via the Administration Console, Environment > Machines > the machine hosting the WebLogic Admin Server > Configuration > Node Manager > Listen Address setting NaN NaN NaN Oracle® Fusion Middleware Node Manager Administrator's Guide for Oracle WebLogic Server 11g Release 1 (10.3.1), See “4 Configuring Java Node Manager, then Reviewing nodemanager.properties, Table 4-1 Node Manager Properties”
CCE-17237-9 Set the Node Manager "Type" appropriately. (1) SSH/SSL/RSH/Plain (1) via the Administration Console, Environment > Machines > the machine hosting the WebLogic Admin Server > Configuration > Node Manager > Type setting NaN NaN NaN Oracle® Fusion Middleware Node Manager Administrator's Guide for Oracle WebLogic Server 11g Release 1 (10.3.1), See “4 Configuring Java Node Manager, then Configuring Java-based Node Manager Security”
CCE-18211-3 Set the "Policy Selection Preference" appropriately. (1) Security then Compatibility then Performance/Security then Performance then Compatibility/Compatibility then Security then Performance/Compatibility then Performance then Security/Performance then Compatibility then Security/Performance then Security then Compatibility (1) via the Administration Console, domain name > Web Service Security > Web Service Security Configuration name > General > Policy Selection Preference setting NaN NaN NaN Oracle® Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server 11g Release 1 (10.3.1), See “2 Configuring Message-Level Security, Smart Policy Selection, Configuring Smart Policy Selection”
CCE-17780-8 Set the "Maximum Open Sockets" setting appropriately on all Managed Servers. (1) open file descriptors (1) via the Administration Console, Domain > Environment > Servers > Server Name > Configuration > Tuning > Maximum Open Sockets Field NaN Oracle® Fusion Middleware Securing a Production Environment for Oracle WebLogic Server 11g Release 1 (10.3.1) E13705-01 NaN NaN
CCE-18146-1 Set the "Enforce Constraints" setting on digital certificates as appropriate. (1) strict/strong/true/off (1) via the Administration Console, Environment > Servers > Server Name > Configuration > Server Start > Arguments (2) via Startup Script NaN Oracle® Fusion Middleware Securing a Production Environment for Oracle WebLogic Server 11g Release 1 (10.3.1) E13705-01 NaN NaN
CCE-17246-0 Set the "Keystores" field accordingly for each server in the domain. (1) Custom Identity and Command Line Trust/Custom Identity and Custom Trust/Custom Identity and Java Standard Trust/Demo Identity and Demo Trust (1) via the Administration Console, Environment > Servers > Server Name > Configuration > Keystores > Demo Identity and Demo Trust attribute NaN NaN NaN Overview of Security Management, (p7, refers to Chapter 11 Configure Identity and Trust)
CCE-18013-3 Enable or disable the "HTTP Access Log File" setting as appropriate on each server. (1) enabled/disabled (1) via the Administration Console, Domain Structure > Environment > Servers > Server Name >Logging > HTTP > HTTP Access Log File Enabled checkbox NaN NaN NaN Oracle® Fusion Middleware Configuring Server Environments for Oracle WebLogic Server 11g Release 1 (10.3.1), See "5 Configuring Web Server Functionality ," then "Setting Up HTTP Access Logs"
CCE-17907-7 Set the "Custom Hostname Verifier" field as appropriate. (1) custom verifier name (1) via the Administration Console, Domain Structure > Environment > Servers > Server Name > Configuration > SSL > Advanced > Custom Hostname Verification field NaN NaN NaN Oracle® Fusion Middleware Programming Security for Oracle WebLogic Server 11g Release 1 (10.3.1), See "4 Using SSL Authentication in Java Clients," then "Using a Custom Hostname Verifier"
CCE-18953-0 Set the "SSL port enabled" setting appropriately for each server. (1) enabled/disabled (1) via the Administration Console, Environment > Servers > Administration Server > SSL Listen Port Enabled attribute and SSL Listen Port field NaN NaN NaN BEA WebLogic Platform Security Guide Network Applications Team of the Systems and Network Attack Center (SNAC), p. 24 "Domains and Realms"
CCE-18365-7 Set the "Listen Port Enabled" as appropriate on each server. (1) enabled/disabled (1) via the Administration Console, Domain Structure > Environment > Servers > Server Name > Listen Port enabled checkbox NaN NaN NaN BEA WebLogic Platform Security Guide Network Applications Team of the Systems and Network Attack Center (SNAC), p. 24 "Domains and Realms"