LOCATION :
SIGNIFICANCE :
IMPORTANT POINTS :
FILE :
#########################################################################################################
#
# $Header: security_ux_ias1022.conf 115.12 2006/07/06 19:54:03 ssuraj ship $
#
# ###############################################################
#
# This file is automatically generated by AutoConfig. It will be read and
# overwritten. If you were instructed to edit this file, or if you are not
# able to use the settings created by AutoConfig, refer to Metalink document
# 165195.1 for assistance.
#
# ###############################################################
#
# mod_security configuration file.
# modified SecFilterForceByteRange to 1 255 by dlouis according to bug 3849248
# Load the mod_security module and register it with the Apache 1.3 module list.
LoadModule security_module libexec/mod_security.so
AddModule mod_security.c
# Everything below applies only when the module actually loaded.
<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On
# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis.
# NOTE(review): with the audit engine Off, a blocked request leaves only the
# normal access/error log entries. RelevantOnly (the commented-out setting
# below) records the full transaction for requests that trigger a filter,
# which is the detail incident response usually needs.
#SecAuditEngine RelevantOnly
SecAuditEngine Off
# Debug (default is 0) - writes to SecDebugLog
SecFilterDebugLevel 0
# The name of the audit and debug log files (instance-specific paths
# filled in by AutoConfig)
SecAuditLog /eb_rao1_q/applmgr/q570ora/iAS/Apache/Apache/logs/sec_audit.log
SecFilterDebugLog /eb_rao1_q/applmgr/q570ora/iAS/Apache/Apache/logs/sec_debug.log
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# Default action is "Bad Request". Every filter below that names no action of
# its own uses this: deny the request, log it, answer HTTP 400.
SecFilterDefaultAction "deny,log,status:400"
# Character ranges. The range 1 255 rejects only the NUL byte (0); every
# other byte, including tab, newline and carriage return, passes this check
# (the range was widened to 1 255 for bug 3849248, see the header comment).
SecFilterForceByteRange 1 255
# URL encodings
SecFilterCheckURLEncoding On
# Unicode character encodings
# Value for the following directive can be set to ON for UTF-8 environments
SecFilterCheckUnicodeEncoding Off
# Don't Allow TRACE method.
# The active rule rejects every method other than GET, HEAD and POST with 405
# (the older, commented-out rule listed methods to block instead).
# NOTE(review): the pattern is not anchored, so a method name that merely
# contains one of the three words is also accepted; "!^(GET|HEAD|POST)$"
# would be the strict form.
#SecFilterSelective REQUEST_METHOD "TRACE|PUT|DELETE|CONNECT" "deny,log,status:405"
SecFilterSelective REQUEST_METHOD "!(GET|HEAD|POST)" "deny,log,status:405"
# Attempted Command Execution.
# A plain SecFilter has no target; in mod_security 1.x it is applied to the
# request URI/arguments and, with SecFilterScanPOST On, to the POST body.
SecFilter "/etc/passwd"
SecFilter "bin/sh"
# The "." here is unescaped, so this also matches "bin/<any one char>/sh".
SecFilter "bin/./sh"
# Prevent directory traversal
# Will it disallow ../icons/x.gif? No, browser rewrites to absolute path!
SecFilter "\.\./"
# Prevent any tags -- this could be too restrictive (left disabled)
#SecFilter "<(.|\n)+>"
# Simple XSS -- Script injection (disabled)
#SecFilter "<[[:space:]]*script"
# Simple XSS -- background:url src=url(...) (disabled)
#SecFilter "url[[:space:]]*[:(]"
# Simple XSS -- onmouseover (disabled)
#SecFilter "onmouseover[[:space:]]*="
# Simple XSS -- Cookie theft (disabled)
#SecFilter "document.cookie"
# Sneaky XSS (SPI Dynamics) "background:url(javascript:alert(" (disabled)
#SecFilter "[[:space:]]*background:url"
# Cookie Content - site may receive domain scoped cookies so only look for own cookies.
# Note that the cookie names have hostnames, SIDs and pool names in them;
# host, sid and pool would have to be replaced with instance-specific strings
# before any of these rules could be enabled.
#SecFilterSelective COOKIES_VALUES "!(^$|^[\-\./a-zA-Z0-9]+$)"
#SecFilterSelective COOKIE_JServSessionIDroothost "!(^$|^[\-\./a-zA-Z0-9]+$)"
#SecFilterSelective COOKIE_host_sid "!(^$|^[A-Z0-9]+$)"
#SecFilterSelective COOKIE_BIGipServerpool "!(^$|^[\.0-9]+$)"
#SecFilterSelective COOKIE_WF_WORKLIST_MODE "!(^$|^[\-\.0-9]+$)" -- check this
# SQL relevant (Appscan) - all disabled
#SecFilter "delete[[:space:]]from"
#SecFilter "insert[[:space:]]into"
#SecFilter "select.+from"
#SecFilter "having 1=1"
# MS SQL specific SQL injection attacks - these won't hurt Oracle, but reject anyways
# (all disabled)
#SecFilter xp_enumdsn
#SecFilter xp_filelist
#SecFilter xp_availablemedia
#SecFilter xp_cmdshell
#SecFilter xp_regread
#SecFilter xp_regwrite
#SecFilter xp_regdeletekey
# Send button pushing auditors away (disabled)
#SecFilter "Appscan - CSS attack may be used"
# - Prevent directory crawling for the report to be run.
# - The report must be in a directory specified by REPORTS60_PATH
# - Bug 4528934
# Reports CGI: reject a report/module/desname/desformat argument whose value
# (after an optional quote) starts with "/", i.e. an absolute path; reject any
# save_rdf argument; reject any userid argument. No action is given, so these
# presumably inherit the server-level default (deny,log,status:400).
<Location /dev60cgi/rwcgi60>
SecFilterSelective ARGS "report[[:space:]]*=[[:space:]]*[\"']?/"
SecFilterSelective ARGS "module[[:space:]]*=[[:space:]]*[\"']?/"
SecFilterSelective ARGS "desname[[:space:]]*=[[:space:]]*[\"']?/"
SecFilterSelective ARGS "desformat[[:space:]]*=[[:space:]]*[\"']?/"
SecFilterSelective ARGS "save_rdf"
SecFilterSelective ARGS userid[[:space:]]*=
</Location>
# Forms CGI: reject any userid argument (same rule as for the Reports CGI).
<Location /dev60cgi/f60cgi>
SecFilterSelective ARGS userid[[:space:]]*=
</Location>
<Location /pls/>
# Allow requests for path alias requests.
# "allow" ends filter processing for the matching request, so these
# whitelist rules must stay ahead of the deny rules that follow them.
# NOTE(review): the "." in fnd_gfm.get and fnd_help.get is unescaped and
# matches any character; "fnd_gfm\.get" / "fnd_help\.get" would confine the
# allow rule to the literal procedure name.
SecFilterSelective "REQUEST_URI" ^/pls/[-a-z0-9_]+/fndgfm/fnd_gfm.get/ "allow,nolog"
SecFilterSelective "REQUEST_URI" ^/pls/[-a-z0-9_]+/fndgfm/fnd_help.get/ "allow,nolog"
SecFilterSelective "REQUEST_URI" ^/pls/[-a-z0-9_]+$ "allow,nolog"
SecFilterSelective "REQUEST_URI" ^/pls/[-a-z0-9_]+/(docs|url)/ "allow,nolog"
# Make sure the package name contains only schema-valid subset of 7-bit
# ascii, max 3 elements, each <= 30 characters, starting with a letter.
# The leading "!" negates the pattern: a URI that does NOT fit
# /pls/<dad>/[!]name[.name[.name]][?query] is denied. The optional "!" after
# the DAD is presumably the PL/SQL gateway's flexible-parameter prefix.
SecFilterSelective "REQUEST_URI" !^/pls/[-a-z0-9_]+/!?[a-z](([a-z0-9_\$#]){0,29})(\.[a-z](([a-z0-9_\$#]){0,29})){0,2}(\?.*){0,1}$
# Make sure the parameter names contain only a valid subset of 7-bit ascii:
# one or two dot-separated elements of [a-z0-9_], each 1-30 characters.
# Again negated, so a request with any other parameter name is denied.
SecFilterSelective "ARGS_NAMES" !^(([a-z0-9_]){1,30})((\.[a-z0-9_]{1,30}){0,1})$
</Location>
</IfModule>