Application Server Security Requirements Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
- The application server must only generate error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages.
  Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and c... (Rule, Medium severity)
- The application server must automatically terminate a user session after organization-defined conditions or trigger events requiring a session disconnect.
  An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process. To thwart the vulnerability of open and unused user sessions, the application se... (Rule, Medium severity)
- The application server management interface must provide a logout capability for user-initiated communication sessions.
  If a user cannot explicitly end an application server management interface session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. The attack... (Rule, Medium severity)
- The application server must associate organization-defined types of security attributes having organization-defined security attribute values with information in process.
  The application server provides a framework for applications to communicate with each other to form an overall well-designed application to perform a task. As the information traverses the appl... (Rule, Medium severity)
- The application server must control remote access methods.
  Application servers provide remote access capability and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy requiremen... (Rule, Medium severity)
- The application server must off-load log records onto a different system or media from the system being logged.
  Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to... (Rule, Medium severity)
- The application server must record time stamps for log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
  If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the application include date and time. Tim... (Rule, Medium severity)
- The application server must enforce access restrictions associated with changes to application server configuration.
  When dealing with access restrictions pertaining to change control, it should be noted that any changes to the software and/or application server configuration can potentially have significant eff... (Rule, Medium severity)
- The application server must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
  Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When applications provide the capability to change security roles or escalate the fu... (Rule, Medium severity)
- The application server must accept Personal Identity Verification (PIV) credentials to access the management interface.
  The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. PIV credentials are only used in an unclassified environment. DoD has mandated the use of the C... (Rule, High severity)
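The following is an added illustration and is not part of the SRG, the XCCDF benchmark, or any vendor's application server code. It sketches, in Python, how one request path can satisfy three of the rules listed above at the same time: the error-message rule (full failure detail goes to the log under a reference id, the client sees only a generic message), the session-termination rule (idle and absolute limits enforced before the request is served), and the UTC time-stamp rule (every log record carries an ISO 8601 time stamp with a Z suffix). The 15-minute idle limit, the 8-hour absolute limit, the credential-redaction pattern, the user names and the failing action are all assumptions constructed for the example; the SRG leaves the actual limits and trigger events to the organization.

```python
"""Added example (not SRG or vendor code): generic client errors with
details kept in UTC-stamped log records, plus idle/absolute session
termination. All limits, names and sample data are assumptions."""
import json
import re
import uuid
from datetime import datetime, timedelta, timezone

# Assumed organization-defined limits; the SRG does not prescribe values.
IDLE_LIMIT = timedelta(minutes=15)
ABSOLUTE_LIMIT = timedelta(hours=8)

# Stand-in for the log destination. A real server ships these records
# off-box (syslog, SIEM) to meet the log off-loading rule as well.
LOG_RECORDS = []

# Assumed pattern: keep obvious credentials out of the log record itself,
# since the rule covers error logs, not only messages shown to users.
SECRET_PATTERN = re.compile(r"(?i)\b(password|passwd|pwd|token|secret|api[_-]?key)=\S+")


def utc_stamp(ts):
    """ISO 8601 with a 'Z' suffix so the record maps unambiguously to UTC."""
    return ts.astimezone(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")


def redact(text):
    return SECRET_PATTERN.sub(lambda m: f"{m.group(1)}=<redacted>", text)


def log_record(event, ts, **fields):
    rec = {"ts": utc_stamp(ts), "event": event, **fields}
    LOG_RECORDS.append(json.dumps(rec, sort_keys=True))
    return rec


class Session:
    def __init__(self, user, created_at):
        self.user = user
        self.created_at = created_at
        self.last_seen = created_at
        self.active = True


def check_session(session, now):
    """Terminate on absolute lifetime or idle limit; return the reason, or None if still valid."""
    if not session.active:
        return "already_terminated"
    if now - session.created_at > ABSOLUTE_LIMIT:
        reason = "absolute_lifetime_exceeded"
    elif now - session.last_seen > IDLE_LIMIT:
        reason = "idle_timeout"
    else:
        session.last_seen = now
        return None
    session.active = False
    log_record("session_terminated", now, user=session.user, reason=reason)
    return reason


def handle_request_leaky(action):
    """The 'before': raw exception text reaches the client, which the error-message rule forbids."""
    try:
        return {"status": 200, "body": action()}
    except Exception as exc:
        return {"status": 500, "message": f"Error: {exc}"}


def handle_request(session, action, now):
    """The 'after': session checked first; failures logged under a reference id, client gets a generic message."""
    reason = check_session(session, now)
    if reason:
        return {"status": 401, "message": "Session ended; please sign in again."}
    try:
        return {"status": 200, "body": action()}
    except Exception as exc:
        ref = uuid.uuid4().hex[:12]
        log_record("request_failed", now, user=session.user, ref=ref,
                   exc_type=type(exc).__name__, detail=redact(str(exc)))
        return {"status": 500, "message": f"The request could not be completed. Reference: {ref}"}


if __name__ == "__main__":
    # Constructed sample: a fixed clock and a backend failure whose message carries a credential.
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    alice = Session("alice", t0)

    def failing():
        raise RuntimeError("db connect failed: host=db1 password=hunter2")

    print(handle_request_leaky(failing))
    print(handle_request(alice, failing, t0))
    print(check_session(alice, t0 + timedelta(minutes=16)))
    print("\n".join(LOG_RECORDS))
```

Running the module prints the leaky response (credential visible to the client) beside the hardened one (generic text plus a reference id that an administrator can match against the UTC-stamped log record), then shows the same session being terminated for inactivity. The redaction pattern is deliberately narrow and is there to make the point that the rule applies to log content too; a production server should rely on structured logging that never serializes secrets in the first place rather than on regex scrubbing.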