Application Server Security Requirements Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
The application server, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
The cornerstone of the PKI is the private key used to encrypt or digitally sign information. The key by itself is a cryptographic value that does not contain specific user information. Application...
Rule severity: Medium

The application server must electronically verify Personal Identity Verification (PIV) credentials from other federal agencies to access the management interface.
Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requir...
Rule severity: Medium

The application server must conform to Federal Identity, Credential, and Access Management (FICAM)-issued profiles.
Without conforming to FICAM-issued profiles, the information system may not be interoperable with FICAM-authentication protocols, such as SAML 2.0 and OpenID 2.0. This requirement addresses open i...
Rule severity: Medium

The application server must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient secur...
Rule severity: Medium

The application server, when a MAC I system, must be in a high-availability (HA) cluster.
A MAC I system is a system that handles data vital to the organization's operational readiness or effectiveness of deployed or contingency forces. A MAC I system must maintain the highest level of...
Rule severity: Medium

The application server must protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing organization-defined security safeguards.
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce t...
Rule severity: Medium

The application server must protect the confidentiality and integrity of transmitted information through the use of an approved TLS version.
Preventing the disclosure of transmitted information requires that the application server take measures to employ some form of cryptographic mechanism in order to protect the information during tra...
Rule severity: High

The application server must employ approved cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission.
Preventing the disclosure or modification of transmitted information requires that application servers take measures to employ approved cryptography in order to protect the information during trans...
Rule severity: Medium

The application server must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (incl...
Rule severity: Medium

The application server must generate log records when successful/unsuccessful attempts to delete privileges occur.
Deleting privileges of a subject/object may cause a subject/object to gain or lose capabilities. When successful and unsuccessful privilege deletions are made, the events need to be logged. By lo...
Rule severity: Medium

The application server must generate log records for all account creations, modifications, disabling, and termination events.
The maintenance of user accounts is a key activity within the system to determine access and privileges. Through changes to accounts, an attacker can create an account for persistent access, modif...
Rule severity: Medium

The application server must, at a minimum, transfer the logs of interconnected systems in real time, and transfer the logs of standalone systems weekly.
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Protecting log data is important during a forensic investigation to ensure investigators can tr...
Rule severity: Medium

The application server must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to pr...
Rule severity: Medium

The application server must alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.
Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit log...
Rule severity: Medium

The application server must protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the system by logically separated communications paths.
Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Communications paths can be logically separated using enc...
Rule severity: Medium

The application server must synchronize system clocks within and between systems or system components.
Time synchronization of system clocks is essential for the correct execution of many system services, including identification and authentication processes that involve certificates and time-of-day...
Rule severity: Medium