Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Review the application server product documentation and configuration to determine if the number of concurrent sessions can be limited to the organization-defined number of sessions for all accounts and/or account types. If a feature to limit the number of concurrent sessions is not available, is not set, or is set to unlimited, this is a finding.
Configure the application server to limit the number of concurrent sessions for all accounts and/or account types to the organization-defined number.
Check the application server configuration to ensure all management interfaces use encryption in accordance with the management data. If the application server is not configured to encrypt remote access management sessions in accordance with the categorization of the management data, this is a finding.
Configure the application server to use encryption strength in accordance with the categorization of the management data during remote access management sessions.
Review the application server documentation and configuration to ensure the application server is configured to use cryptography to protect the integrity of remote access sessions. If the application server is not configured to implement cryptography mechanisms to protect the integrity of remote access sessions, this is a finding.
Configure the application server to implement cryptography mechanisms to protect the integrity of the remote access session.
Review the application server product documentation to determine if the application server logs remote administrative sessions. If the application server does not log remote sessions for the admin user, then this is a finding.
Configure the application server to log an event for each instance when the administrator accesses the system remotely.
Review application server product documentation and configuration to determine if the system enforces authorization requirements for logical access to the system in accordance with applicable policy. If the application server is not configured to utilize access controls or follow access control policies, this is a finding.
Configure the application server to enforce access control policies for logical access to the system in accordance with applicable policy.
Review the application server management interface configuration to verify the application server is configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access. The banner must read: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the application server management interface does not display the banner or displays an unapproved banner, this is a finding.
Configure the application server management interface so it displays the Standard Mandatory DoD Notice and Consent Banner prior to allowing access. The banner must read: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
Review application server management interface product documentation and configuration to determine that the logon banner can be displayed until the user takes action to acknowledge the agreement. If the banner screen allows continuation to the application server without user interaction, this is a finding.
Configure the application server management interface to retain the logon banner on the screen until the user takes explicit action to logon to the server.
Review application server product documentation and server configuration to determine if the system does protect against an individual's (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. If the application does not meet this requirement, this is a finding.
Configure the application server to protect against an individual's (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
Review the application server log feature configuration to determine if the application server or an external logging tool in conjunction with the application server does compile log records from multiple components within the server into a system-wide log trail that is time-correlated with an organization-defined level of tolerance for the relationship between time stamps of individual records in the log trail. If the application server does not meet this requirement, this is a finding.
Configure the application server or an external logging tool supporting the application server to compile log records from multiple components within the server into a system-wide log trail that is time-correlated with an organization-defined level of tolerance for the relationship between time stamps of individual records in the log trail.
Review the application server documentation and the deployed system configuration to determine if, at a minimum, system startup and shutdown, system access, and system authentication events are logged. If the logs do not include the minimum logable events, this is a finding.
Configure the application server to generate log records for system startup and shutdown, system access, and system authentication events.
Review application server product documentation and configuration to determine if the system only allows the ISSM (or individuals or roles appointed by the ISSM) to change logable events. If the system is not configured to perform this function, this is a finding.
Configure the application server to only allow the ISSM (or individuals or roles appointed by the ISSM) to change logable events.
Review the application server documentation and the system configuration to determine if the application server generates log records when successful/unsuccessful attempts are made to access privileges. If log records are not generated, this is a finding.
Configure the application server to generate log records when privileges are successfully/unsuccessfully accessed.
Review the application server product documentation and server configuration to determine if the application server initiates session logging on application server startup. If the application server is not configured to meet this requirement, this is a finding.
Configure the application server to initiate session logging on application server startup.
Review the application server log configuration to determine if the application server produces log records showing what type of event occurred. If the log data does not show the type of event, this is a finding.
Configure the application server to include the event type in the log data.
Review the logs on the application server to determine if the date and time are included in the log event data. If the date and time are not included, this is a finding.
Configure the application server logging system to log date and time with the event.
Review the configuration settings on the application server to determine if the application server is configured to log information that establishes where within the application server the event occurred. The data in the log file should identify the event, the component, module, filename, host name, servlets, containers, API’s, or other functionality within the application server, as well as, any source and destination information that indicates where an event occurred. If the application server is not configured to log where within the application server the event took place, this is a finding.
Configure the application server logging system to log where the event took place.
Review the application server documentation and deployment configuration to determine if the application server is configured to generate sufficient information to resolve the source, e.g., source IP, of the log event. Request a user access the application server and generate logable events, and then review the logs to determine if the source of the event can be established. If the source of the event cannot be determined, this is a finding.
Configure the application server to generate the source of each logable event.
Review application server documentation and the log files on the application server to determine if the logs contain information that establishes the outcome of event data. If the application server is not configured to meet this requirement, this is a finding.
Configure the application server logging system to log the event outcome.
Review application server documentation and the log files on the application server to determine if the logs contain information that establishes the identity of the user or process associated with log event data. If the application server does not produce logs that establish the identity of the user or process associated with log event data, this is a finding.
Configure the application server logging system to log the identity of the user or process related to the events.
Review the application server documentation and deployment configuration to determine if the application server is configured to generate full-text recording of privileged commands or the individual identities of group users at a minimum. Have a user execute a privileged command and review the log data to validate that the full-text or identity of the individual is being logged. If the application server is not meeting this requirement, this is a finding.
Configure the application server to generate the full-text recording of privileged commands or the individual identities of group users, or both.
Review application server log configuration. Verify the application server sends alerts to the SA and ISSO in the event of a log processing failure. If the application server is not configured to meet this requirement, this is a finding.
Configure the application server log feature to alert the SA and ISSO in the event of a log processing failure.
If the application server is a high availability system, this finding is NA. Review the application server configuration settings to determine if the application server is configured to shut down on a log failure. If the application server is not configured to shut down on a log failure, this is a finding.
If the application server is a high availability system, this finding is NA. Configure the application server to shut down on a log failure.
If the system MAC level and availability do not require redundancy, this requirement is NA. Review the system's accreditation documentation to determine system MAC and confidentiality requirements. Review application server configuration settings to determine if the application server is configured to fail over operation to another system when the log subsystem fails to operate. If the system MAC level requires redundancy and the application server is not configured to fail over to another system which can handle application and log functions when a log subsystem failure occurs, this is a finding.
If the system MAC level and availability do not require redundancy, this requirement is NA. Configure the application server to fail over to another system which can handle log functions when the logging subsystem fails.
Review the application server configuration files to determine if the internal system clock is used for time stamps. If this is not feasible, an alternative workaround is to take an action that generates an entry in the logs and then immediately query the operating system for the current time. A reasonable match between the two times will suffice as evidence that the system is using the internal clock for timestamps. If the application server does not use the internal system clock to generate time stamps, this is a finding.
Configure the application server to use internal system clocks to generate time stamps for log records.
Review the configuration settings to determine if the application server log features protect log information from unauthorized access. Review file system settings to verify the application server sets secure file permissions on log files. If the application server does not protect log information from unauthorized read access, this is a finding.
Configure the application server to protect log information from unauthorized read access.
Review the configuration settings to determine if the application server log features protect log information from unauthorized modification. Review file system settings to verify the application server sets secure file permissions on log files to prevent unauthorized modification. If the application server does not protect log information from unauthorized modification, this is a finding.
Configure the application server to protect log information from unauthorized modification.
Review the configuration settings to determine if the application server log features protect log information from unauthorized deletion. Review file system settings to verify the application server sets secure file permissions on log files to prevent unauthorized deletion. If the application server does not protect log information from unauthorized deletion, this is a finding.
Configure the application server to protect log information from unauthorized deletion.
Review the application server documentation and server configuration to determine if the application server protects log tools from unauthorized access. Request a system administrator attempt to access log tools while logged into the server in a role that does not have the requisite privileges. If the application server does not protect log tools from unauthorized access, this is a finding.
Configure the application server or OS to protect log tools from unauthorized access.
Review the application server documentation and server configuration to determine if the application server protects log tools from unauthorized modification. Request a system administrator attempt to modify log tools while logged into the server in a role that does not have the requisite privileges. Locate binary copies of log tool executables that are located on the file system and attempt to modify using unprivileged credentials. If the application server does not protect log tools from unauthorized modification, this is a finding.
Configure the application server or the OS to protect log tools from unauthorized modification.
Review the application server documentation and server configuration to determine if the application server protects log tools from unauthorized deletion. Locate binary copies of log tool executables that are located on the file system and attempt to delete using unprivileged credentials. If the application server does not protect log tools from unauthorized deletion, this is a finding.
Configure the application server or the OS to protect log tools from unauthorized deletion.
Review the application server configuration to determine if the application server backs up log records every seven days onto a different system or media from the system being logged. If the application server does not back up log records every seven days onto a different system or media from the system being logged, this is a finding.
Configure the application server to back up log records every seven days onto a different system or media from the system being logged.
Review the application server documentation and configuration to determine if the application server can be configured to protect the integrity of log data using cryptographic hashes and digital signatures. Configure the application server to hash and sign log data. This is typically done the moment when log files cease to be written to and are rolled over for storage or offloading. Alternatively, if the application server is not able to hash and sign log data, the task can be delegated by configuring the application server or underlying OS to send logs to a centralized log management system or SIEM that can meet the requirement. If the application server is not configured to hash and sign logs, or is not configured to utilize the aforementioned OS and centralized log management resources to meet the requirement, this is a finding.
Configure the application server to hash and sign logs using cryptographic means. Alternatively, configure the application server or OS to send logs to a centralized log server that meets the hashing and signing requirement.
Review system documentation to determine if the application server prevents the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization. If the application server does not meet this requirement, this is a finding.
Configure the application server to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
Check the application server documentation and configuration to determine if the application server provides role-based access that limits the capability to change shared software libraries. Validate file permission settings to ensure library files are secured in relation to OS access. If the application server does not meet this requirement, this is a finding.
Configure the application server to limit privileges to change the software resident within software libraries through the use of defined user roles and file permissions.
Check the application server documentation and configuration to determine if the application server provides an automated rollback capability to a known good configuration in the event of a failed installation and upgrade. If the application server is not configured to meet this requirement, this is a finding.
Configure the application server to automatically rollback to a known good configuration in the event of failed application installations and application server upgrades.
Review the application server documentation and configuration to determine if the application server can disable non-essential features and capabilities. If the application server is not configured to meet this requirement, this is a finding.
Configure the application server to use only essential features and capabilities.
Review the application server documentation and deployment configuration to determine which ports and protocols are enabled. Verify that the ports and protocols being used are not prohibited and are necessary for the operation of the application server and the hosted applications. If any of the ports or protocols is prohibited or not necessary for the application server operation, this is a finding.
Configure the application server to disable any ports or protocols that are prohibited by the PPSM CAL and vulnerability assessments.
Review application server documentation and configuration settings to determine if the application server is using an enterprise solution to authenticate organizational users and processes running on the users' behalf. If an enterprise solution is not being used, this is a finding.
Configure the application server to use an enterprise user management system to uniquely identify and authenticate users and processes acting on behalf of organizational users.
Review the application server configuration to ensure the system is authenticating via multifactor authentication for privileged users. If all aspects of application server web management interfaces are not authenticating privileged users via multifactor authentication methods, this is a finding.
Configure the application server to authenticate privileged users via multifactor authentication for network access to the management interface.
Review the application server configuration to ensure the system is authenticating via multifactor authentication for privileged users. If all aspects of application server command line management interfaces are not authenticating privileged users via multifactor authentication methods, this is a finding.
Configure the application server to authenticate privileged users via multifactor authentication for local access to the management interface.
Review the application server documentation and configuration to determine if the application server individually authenticates users prior to authenticating via a role or group. Review application server logs to verify user accesses requiring authentication can be traced back to an individual account. If the application server does not authenticate users on an individual basis, this is a finding.
Configure the application server to authenticate users individually prior to allowing any group-based authentication.
Review application server documentation to ensure the application server provides extensions to the SOAP protocol that provide secure authentication. These protocols include, but are not limited to, WS_Security suite. Review policy and data owner protection requirements in order to identify sensitive data. If secure authentication protocols are not utilized to protect data identified by data owner as requiring protection, this is a finding.
Configure the application server to utilize secure authentication when SOAP web services are used to access sensitive data.
Review the application server documentation and configuration to ensure the application server disables identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. If the application server is not configured to disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity, this is a finding.
Configure the application server to disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
Review application server documentation and configuration to determine if the application server enforces the requirement to only store encrypted representations of passwords. If the application server is not configured to meet this requirement, this is a finding.
Configure the application server to only store encrypted representations of passwords.
Review application server documentation and configuration to determine if the application server enforces the requirement to encrypt passwords when they are transmitted. If the application server is not configured to meet this requirement, this is a finding.
Configure the application server to transmit only encrypted representations of passwords.
Review application server documentation and configuration to determine if the application server enforces the requirement to encrypt LDAP traffic. If the application server is not configured to meet this requirement, this is a finding.
Configure the application server to encrypt LDAP traffic.
Review the application server documentation and deployed configuration to determine whether the application server provides PKI functionality that validates certification paths in accordance with RFC 5280. If PKI is not being used, this is NA. If the application server is using PKI, but it does not perform this requirement, this is a finding.
Configure the application server to validate certificates in accordance with RFC 5280.
Review application server configuration and documentation to ensure the application server enforces authorized access to the corresponding private key. If the application server is not configured to enforce authorized access to the corresponding private key, this is a finding.
Configure the application server to enforce authorized access to the corresponding private key.
Review application server documentation to ensure the application server provides a PKI integration capability that meets DoD PKI infrastructure requirements. If the application server is not configured to meet this requirement, this is a finding.
Configure the application server to utilize the DoD Enterprise PKI infrastructure.
Review the application server documentation and configuration to determine if any interfaces which are provided for authentication purposes display the user's password when it is typed into the data entry field. If authentication information is not obfuscated when entered, this is a finding.
Configure the application server to obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
Review the application server documentation and deployed configuration to determine which version of TLS is being used. If the application server is not using TLS when authenticating users or non-FIPS-approved SSL versions are enabled, this is a finding.
Configure the application server to use a FIPS-2 approved TLS version to authenticate users and to disable all non-FIPS-approved SSL versions.
Review application server product documentation and server configuration to determine if the application server is configured to provide log reduction with on-demand reporting. If the application server is not configured to provide log reduction with on-demand reporting, or is not configured to send its logs to a centralized log system, this is a finding.
Configure the application server to provide and utilize log reduction with on-demand reporting or configure the application server to send its logs to a centralized log log system that provides log reduction and on-demand reporting functions.
Review the application server configuration to determine if the application server is configured to identify prohibited mobile code. If the application server is not configured to identify prohibited mobile code, this is a finding.
Configure the application server to identify prohibited mobile code.
Review the application server documentation and configuration to verify that the application server separates admin functionality from hosted application functionality. If the application server does not separate application server admin functionality from hosted application functionality, this is a finding.
Configure the application server so that admin management functionality and hosted applications are separated.
Review application server documentation, system security plan and application data protection requirements. If the connected web proxy is exposed to an untrusted network or if data protection requirements specified in the system security plan mandate the need to establish the identity of the connecting application server, proxy or application gateway and the application server is not configured to mutually authenticate the application server, proxy server or gateway, this is a finding.
Configure the application server to mutually authenticate proxy servers, other application servers and application gateways as specified.
Review the application server configuration and organizational policy to determine if the system is configured to terminate administrator sessions upon administrator logout or any other organization- or policy-defined session termination events, such as idle time limit exceeded. If the configuration is not set to terminate administrator sessions per defined events, this is a finding.
Configure the application server to terminate administrative sessions upon logout or any other organization- or policy-defined session termination events.
Review the application server session management configuration settings in either the application server management console, application server initialization or application server configuration files to determine if the application server is configured to generate a unique session identifier for each session. If the application server is not configured to generate a unique session identifier for each session, this is a finding.
Configure the application server to generate a unique session identifier for each session.
Review the application server configuration to determine if the application server recognizes only system-generated session identifiers. If the application server does not recognize only system-generated session identifiers, this is a finding.
Design the application server to recognize only system-generated session identifiers.
Review the application server configuration and documentation to determine if the application server uses a FIPS 140-2 approved random number generator to create unique session identifiers. Have a user log onto the application server to determine if the session IDs generated are random and unique. If the application server does not generate unique session identifiers and does not use a FIPS 140-2 random number generator to create the randomness of the session ID, this is a finding.
Configure the application server to generate unique session identifiers and to use a FIPS 140-2 random number generator to generate the randomness of the session identifiers.
Review the application server configuration and documentation to ensure the system is configured to perform complete application deployments. If the application server is not configured to ensure complete application deployments or provides no rollback functionality, this is a finding.
Configure the application server to detect errors that occur during application deployment and to prevent deployment if errors are encountered.
This requirement is dependent upon system MAC and confidentiality. If the system MAC and confidentiality levels do not specify redundancy requirements, this requirement is NA. Review the application server configuration and documentation to ensure the application server is configured to provide clustering functionality. If the application server is not configured to provide clustering or some form of failover functionality, this is a finding.
This requirement is dependent upon system MAC and confidentiality. If the system MAC and confidentiality levels do not specify redundancy requirements, this requirement is NA. Configure the application server to provide application failover or participate in an application cluster which provides failover.
Review application server documentation and configuration to determine if the application server fails to a secure state if system initialization fails, shutdown fails, or aborts fail. If the application server cannot be configured to fail securely, this is a finding.
Configure the application server to fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
Review the application server documentation and configuration to ensure the application server is protecting the confidentiality and integrity of all information at rest. If the confidentiality and integrity of all information at rest is not protected, this is a finding.
Configure the application server to protect the confidentiality and integrity of all information at rest.
Review the application server configuration to ensure the system is protecting the confidentiality and integrity of all application server data at rest when stored off-line. If the application server is not configured to protect all application server data at rest when stored off-line, this is a finding.
Configure the application server to employ cryptographic mechanisms to ensure confidentiality and integrity of all application server data at rest when stored off-line.
Review the application server configuration to determine if the system checks the validity of information inputs to the management interface, except those specifically identified by the organization. If the management interface data inputs are not validated, this is a finding.
Configure the application server to check the validity of data inputs into the management interface except those specifically identified by the organization.
Review the application server configuration to determine if the system identifies potentially security-relevant error conditions on the server. If this function is not performed, this is a finding.
Configure the application server to identify potentially security-relevant error conditions on the server.
Review system documentation and logs to determine if the application server writes sensitive information such as passwords or private keys into the logs and administrative messages. If the application server writes sensitive or potentially harmful information into the logs and administrative messages, this is a finding.
Configure the application server to not write sensitive information into the logs and administrative messages.
Review the application server configuration and documentation to determine if the application server will restrict access to error messages so only authorized users may view or otherwise access them. If the application server cannot be configured to restrict access to error messages to only authorized users, this is a finding.
Configure the application server to restrict access to error messages so only authorized users may view or otherwise access them.
Review the application server configuration to determine if the application server log tools have been cryptographically signed to protect the integrity of the tools. If the application server log tools have not been cryptographically signed, this is a finding.
Configure the application server log tools to be cryptographically signed to protect the integrity of the tools.
Review application server documentation and configuration settings to determine if the application server is configured to close user sessions after defined conditions or trigger events are met. If the application server is not configured or cannot be configured to disconnect users after defined conditions and trigger events are met, this is a finding.
Configure the application server to terminate user sessions on defined conditions or trigger events.
Review application server documentation and configuration settings to determine if the application server management interface provides a logout capability. If the application server management interface does not provide a logout capability, this is a finding.
Configure the application server management interface to provide a logout capability for the users.
Review application server documentation and configuration settings to determine if the application server management interface displays a logout message. If the application server management interface does not display a logout message, this is a finding.
Configure the application server management interface to display an explicit logout message to users.
Review the application server documentation to determine if the application associates organization-defined types of security attributes with organization-defined security attribute values to information in process. If the application server does not associate the security attributes to information in process or the feature is not implemented, this is a finding.
Configure the application server to associate organization-defined types of security attributes having organization-defined security attribute values with information in process.
Review the application server documentation to determine if the application associates organization-defined types of security attributes with organization-defined security attribute values to information in transmission. If the application server does not associate the security attributes to information in transmission or the feature is not implemented, this is a finding.
Configure the application server to associate organization-defined types of security attributes having organization-defined security attribute values with information in transmission.
Review organization policy, application server product documentation and configuration to determine if the system enforces the organization's requirements for remote connections. If the system is not configured to enforce these requirements, or the remote connection settings are not in accordance with the requirements, this is a finding.
Configure the application server to enforce remote connection settings.
Review the application server product documentation and server configuration to ensure that there is a capability to immediately disconnect or disable remote access to the management interface. If there is no capability, this is a finding.
Configure the application server to have the capability to immediately disconnect or disable remote access to the management interface.
Review application server documentation and configuration to verify that non-privileged users cannot access or execute privileged functions. Have a user logon as a non-privileged user and attempt to execute privileged functions. If the user is capable of executing privileged functions, this is a finding.
Configure the application server to deny non-privileged users access to and execution of privileged functions.
Review application server documentation and log configuration to verify the application server logs privileged activity. If the application server is not configured to log privileged activity, this is a finding.
Configure the application server to log privileged activity.
Review application server documentation and configuration to determine if the application server is part of a cluster. If the application server is not part of a cluster, this requirement is NA. If the application server is part of a cluster, verify that the log settings are managed and configured from a centralized management server. If the log settings are not centrally managed, this is a finding.
Configure the application server to allow centralized management and configuration of the content to be captured in log records.
Review the application server documentation and configuration to determine if the application server creates log storage to buffer log data until offloading to a log data storage facility. If the application server does not allocate storage for log data, this is a finding.
Configure the application server to allocate storage for log data before offloading to a log data storage facility.
Verify the log records are being off-loaded to a separate system or transferred from the application server to a storage location other than the application server itself. The system administrator of the device may demonstrate this capability using a log management application, system configuration, or other means. If logs are not being off-loaded, this is a finding.
Configure the application server to off-load the logs to a remote log or management server.
Review the configuration settings to determine if the application server logging system provides a warning to the SA and ISSO when 75% of allocated log record storage volume is reached. If designated alerts are not sent, or the application server is not configured to use a dedicated logging tool that meets this requirement, this is a finding.
Configure the application server to provide an alert to the SA and ISSO when allocated log record storage volume reaches 75% of maximum log record storage capacity.
Review the configuration settings to determine if the application server log system provides a real-time alert to authorized users when log failure events occur requiring real-time alerts. If designated alerts are not sent to authorized users, this is a finding.
Configure the application server to provide a real-time alert to authorized users when log failure events occur that require real-time alerts.
Review application server documentation and confirm that the application server compares internal application server clocks at least every 24 hours with an authoritative time source. If the application server does not compare internal application server clocks to an authoritative source or if the frequency is greater than every 24 hours, this is a finding.
Configure the application server to compare internal application server clocks at least every 24 hours with an authoritative time source.
Review application server documentation and configuration to determine if the application server is configured to reset internal information clocks when the difference is greater than a defined threshold with an authoritative time source. If the application server cannot synchronize internal application server clocks to the authoritative time source when the time difference is greater than the organization-defined time period, this is a finding.
Configure the application server to reset internal information system clocks when the time difference is greater than a defined time period with the authoritative time source.
Review the application server documentation and configuration files to determine if time stamps for log records can be mapped to UTC or GMT. If the time stamp cannot be mapped to UTC or GMT, this is a finding.
Configure the application server to use time stamps for log records that can easily be mapped to UTC or GMT.
Review the application server documentation and configuration files to determine if time stamps for log records meet a granularity of one second. If the time stamp cannot generate to a one-second granularity, this is a finding.
Configure the application server to use time stamps for log records that can meet a granularity of one second.
Review the application server documentation and configuration to determine if the system employs mechanisms to enforce restrictions on application server configuration changes. Configuration changes include, but are not limited to, automatic code deployments, software library updates, and changes to configuration settings within the application server. If the application server does not enforce access restrictions for configuration changes, this is a finding.
Configure the application server to enforce access restrictions associated with changes to the application server configuration to include code deployment, library updates, and changes to application server configuration settings.
Check the application server documentation and logs to determine if enforcement actions used to restrict access associated with changes to the application server are logged. If these actions are not logged, this is a finding.
Configure the application server to log the enforcement actions used to restrict access associated with changes to the application server.
Review the application server documentation and configuration to determine if the application server requires a user to re-authenticate when organization-defined circumstances or situations are met. If the application server does not require a user to re-authenticate when organization-defined circumstances or situations are met, this is a finding.
Configure the application server to require a user to re-authenticate when organization-defined circumstances or situations are met.
Review the application server documentation and configuration to determine if the application server requires devices to re-authenticate when organization-defined circumstances or situations require re-authentication. If the application server does not require a device to re-authenticate, this is a finding.
Configure the application server to require devices to re-authenticate when organization-defined circumstances or situations require re-authentication.
Review application server documentation and configuration to ensure the application server accepts PIV credentials to the management interface. If PIV credentials are not accepted, this is a finding.
Configure the application server to accept PIV credentials to access the management interface.
Review application server documentation and configuration to ensure the application server electronically verifies PIV credentials to the management interface. If PIV credentials are not electronically verified, this is a finding.
Configure the application server to electronically verify PIV credentials to access the management interface.
Review application server documentation to ensure the application server prohibits the use of cached authenticators after an organization-defined timeframe. If the application server is not configured to meet this requirement, this is a finding.
Configure the application server to prohibit the use of cached authenticators after an organization-defined timeframe.
Review application server documentation to ensure the application server provides a PKI integration capability that implements a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. If the application server is not configured to meet this requirement, this is a finding.
Configure the application server to implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
Review the application server documentation and configuration to determine if the application server accepts PIV credentials from other federal agencies to access the management interface. If the application server does not accept other federal agency PIV credentials to access the management interface, this is a finding.
Configure the application server to accept PIV credentials from other federal agencies to access the management interface.
The CAC is the standard DoD authentication token;the PIV is the standard authentication token used by federal/civilian agencies. If access to the application server is limited to DoD personnel accessing the system via CAC; and PIV access is not warranted or allowed as per the system security plan, the PIV requirement is NA. Review the application server documentation and configuration to determine if the application server electronically verifies PIV credentials from other federal agencies to access the management interface. If the application server does not electronically verify other federal agency PIV credentials to access the management interface, this is a finding.
Configure the unclassified application server to electronically verify PIV credentials from other federal agencies before granting access to the management interface.
Review the application server documentation and configuration to determine if the application server accepts FICAM-approved third-party credentials. If the application server does not accept FICAM-approved third-party credentials, this is a finding.
Configure the application server to accept FICAM-approved third-party credentials.
Review the application server documentation and configuration to determine if the application server conforms to FICAM-issued profiles. If the application server does not conform to FICAM-issued profiles, this is a finding.
Configure the application server to conform to FICAM-issued profiles.
Review the application server documentation and configuration to determine if the application server only allows the use of DoD PKI-established certificate authorities. If the application server allows other certificate authorities for verification, this is a finding.
Configure the application server to allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
Review application server documentation and configuration to determine if the application server implements cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components. If the application server does not implement cryptographic mechanisms to prevent unauthorized modification, this is a finding.
Configure the application server to implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components.
Review application server documentation and configuration to determine if the application server implements cryptographic mechanisms to prevent unauthorized disclosure of organization-defined information at rest on organization-defined information system components. If the application server does not implement cryptographic mechanisms to prevent unauthorized disclosure, this is a finding.
Configure the application server to implement cryptographic mechanisms to prevent unauthorized disclosure of organization-defined information at rest on organization-defined information system components.
If the application server is not a MAC I system, this requirement is NA. Review the application server documentation and configuration to determine if the application server is part of an HA cluster. If the application server is not part of an HA cluster, this is a finding.
If the application server is not a MAC I system, this requirement is NA. Configure the application server to be part of an HA cluster.
Review application server documentation and configuration to determine if the application server can protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing defined security safeguards. If the application server cannot be configured to protect against or limit the effects of all types of DoS, this is a finding.
Configure the application server to protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing defined security safeguards.
Review the application server documentation and deployed configuration to determine which version of TLS is being used. If the application server is not using TLS to maintain the confidentiality and integrity of transmitted information or non-FIPS-approved SSL versions are enabled, this is a finding.
Configure the application server to use a FIPS-2 approved TLS version to maintain the confidentiality and integrity of transmitted information and to disable all non-FIPS-approved SSL versions.
Review the application server documentation and deployed configuration to determine if export ciphers are removed. If the application server does not have the export ciphers removed, this is a finding.
Configure the application server to have export ciphers removed.
Review application server documentation and configuration to determine if the application server employs approved cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission. If the application server does not employ approved cryptographic mechanisms, this is a finding.
Configure the application server to use AES 128 or AES 256 encryption for data in transit.
Review the application server documentation and deployed configuration to determine if the application server maintains the confidentiality and integrity of information during preparation before transmission. If the confidentiality and integrity is not maintained, this is a finding.
Configure the application server to maintain the confidentiality and integrity of information during preparation for transmission.
Review application server configuration to determine if the server is using a transmission method that maintains the confidentiality and integrity of information during reception. If a transmission method is not being used that maintains the confidentiality and integrity of the data during reception, this is a finding.
Configure the application server to utilize a transmission method that maintains the confidentiality and integrity of information during reception.
Review the application server configuration to determine if the management interface behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received. If the application server does not meet this requirement, this is a finding.
Configure the application server management interface to behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.
Review the application server documentation and configuration to determine if organization-defined software components are removed after updated versions have been installed. If organization-defined software components are not removed after updated versions have been installed, this is a finding.
Configure the application server to remove organization-defined software components after updated versions have been installed.
Review the application server documentation and configuration to determine if the application server checks with a patch management system to install security-relevant software updates within a timeframe directed by an authoritative source. If the application server does not install security-relevant patches within the time period directed by the authoritative source, this is a finding.
Configure the application server to use a patch management system to ensure security-relevant updates are installed within the time period directed by the authoritative source.
Review the application server documentation and the system configuration to determine if the application server generates log records when successful/unsuccessful attempts are made to modify privileges. If log records are not generated, this is a finding.
Configure the application server to generate log records when privileges are successfully or unsuccessfully modified.
Review the application server documentation and the system configuration to determine if the application server generates log records when successful and unsuccessful attempts are made to delete privileges. If log records are not generated, this is a finding.
Configure the application server to generate log records when privileges are successfully or unsuccessfully deleted.
Review product documentation and the system configuration to determine if the application server generates log records on successful and unsuccessful logon attempts by users. If logon attempts do not generate log records, this is a finding.
Configure the application server to generate log records when successful/unsuccessful logon attempts are made by users.
Review the application server documentation and the system configuration to determine if the application server generates log records for privileged activities. If log records are not generated for privileged activities, this is a finding.
Configure the application server to generate log records for privileged activities.
Review the application server documentation and the system configuration to determine if the application server generates log records showing starting and ending times for user access to the management interface. If log records are not generated showing starting and ending times of user access to the management interface, this is a finding.
Configure the application server to generate log records showing starting and ending times of user access to the management interface.
Review the application server documentation and the system configuration to determine if the application server generates log records showing concurrent logons from different workstations to the management interface. If concurrent logons from different workstations are not logged, this is a finding.
Configure the application server to generate log records showing concurrent logons from different workstations to the management interface.
Review the application server documentation and the system configuration to determine if the application server generates log records when accounts are created, modified, disabled, or terminated. If the application server does not generate log records for account creation, modification, disabling, and termination, this is a finding.
Configure the application server to generate log records when accounts are created, modified, disabled, or terminated.
Review application server configuration and the NIST FIPS certificate to validate the application server uses NIST-approved or NSA-approved key management technology and processes when producing, controlling or distributing symmetric and asymmetric keys. If the application server does not use this NIST-approved or NSA-approved key management technology and processes, this is a finding.
Configure the application server to utilize NIST-approved or NSA-approved key management technology when the application server produces, controls, and distributes symmetric and asymmetric cryptographic keys.
Review the application server configuration to determine if the application server utilizes approved PKI Class 3 or Class 4 certificates. If the application server is not configured to use approved DoD or CNS certificates, this is a finding.
Configure the application server to use DoD- or CNSS-approved Class 3 or Class 4 PKI certificates.
Verify the log records are being off-loaded, at a minimum of real time for interconnected systems and weekly for standalone systems. If the application server is not meeting these requirements, this is a finding.
Configure the application server to off-load interconnected systems in real time and standalone systems weekly.
Review the application server documentation and configuration to determine if the application server is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If the application server is not configured in accordance with security configuration settings, this is a finding.
Configure the application server to be in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
Review application server documentation to verify that the application server is using NSA-approved cryptography to protect classified data and applications resident on the device. If the application server is not using NSA-approved cryptography for classified data and applications, this is a finding.
Configure the application server to utilize NSA-approved cryptography to protect classified information.