Application Server Security Requirements Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
For application servers providing log record aggregation, the application server must compile log records from organization-defined information system components into a system-wide log trail that is time-correlated with an organization-defined level of tolerance for the relationship between time stamps of individual records in the log trail.
Log records can be generated from various components within the application server. The list of logged events is the set of events for which logs are to be generated. This set of...Rule Medium Severity -
The application server must generate log records for access and authentication events.
Log records can be generated from various components within the application server. From an application server perspective, certain specific application server functionalities may be logged as wel...Rule Medium Severity -
The application server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which loggable events are to be logged.
Log records can be generated from various components within the application server (e.g., httpd, beans, etc.). From an application perspective, certain specific application functionalities may be l...Rule Medium Severity -
The application server must produce log records containing information to establish what type of events occurred.
Information system logging capability is critical for accurate forensic analysis. Without being able to establish what type of event occurred, it would be difficult to establish, correlate, and in...Rule Medium Severity -
The application server must produce log records containing sufficient information to establish where the events occurred.
Application server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the...Rule Medium Severity -
The application server must produce log records containing sufficient information to establish the sources of the events.
Application server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining th...Rule Medium Severity -
The application server must produce log records that contain sufficient information to establish the outcome of events.
Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to...Rule Medium Severity -
The application server must generate log records containing the full-text recording of privileged commands or the individual identities of group account users.
Privileged commands are commands that change the configuration or data of the application server. Since this type of command changes the application server configuration and could possibly change ...Rule Medium Severity -
The application server must protect log information from unauthorized modification.
If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In ad...Rule Medium Severity -
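The record-content requirements above (event type, where, source, outcome), the UTC time-stamp requirement later in this guide, and the protection of log information from unauthorized modification can be met together with a hash-chained, keyed log. The following is an added example written for this page, not code from the SRG or from any application server product; the log key is a constructed constant, and the field names and the idea of storing the chain head on the off-load target are assumptions of the example.

```python
"""Structured log records carrying the content the SRG requires (event type,
where it occurred, its source, the subject, the outcome, a UTC time stamp),
chained with an HMAC so that unauthorized modification is detectable.

Added example, not code from the SRG or from any application server product.
LOG_KEY is a constructed constant; in practice the logging subsystem loads it
from a key store that hosted applications cannot read.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

LOG_KEY = b"constructed-example-key-not-for-production"
REQUIRED = ("time", "type", "where", "source", "subject", "outcome")
ANCHOR = b"\x00" * 32  # chain value before the first record


class ChainedLog:
    """Append-only log whose records each carry an HMAC over the previous
    record's tag plus their own body (a hash chain keyed with LOG_KEY)."""

    def __init__(self, key: bytes = LOG_KEY):
        self._key = key
        self.records = []      # JSON body, one space, hex HMAC tag
        self.head = ANCHOR     # tag of the newest record

    def record(self, type_, where, source, subject, outcome, **details):
        # 'where' names the server/component, 'source' the client address or
        # originating process; 'outcome' is success/failure; **details holds
        # the full text of privileged commands, failure reasons, etc.
        rec = {
            "time": datetime.now(timezone.utc).isoformat(timespec="milliseconds"),
            "type": type_, "where": where, "source": source,
            "subject": subject, "outcome": outcome, **details,
        }
        missing = [f for f in REQUIRED if not rec.get(f)]
        if missing:  # refuse to emit a record that forensics could not use
            raise ValueError("log record missing required fields: %s" % missing)
        body = json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self._key, self.head + body, hashlib.sha256).hexdigest()
        self.records.append(body.decode() + " " + tag)
        self.head = bytes.fromhex(tag)
        return rec


def parse_record(line):
    """Split a stored line back into (record_dict, tag)."""
    body, _, tag = line.rpartition(" ")
    return json.loads(body), tag


def verify_chain(lines, key: bytes = LOG_KEY, expected_head: bytes = None):
    """Return (ok, index_of_first_bad_record). Edits, deletions and reordering
    break the chain at the first affected record. Truncation of the newest
    records is only caught when the head tag was stored elsewhere, e.g. on the
    system the logs are off-loaded to (pass it as expected_head)."""
    prev = ANCHOR
    for i, line in enumerate(lines):
        body, _, tag = line.rpartition(" ")
        want = hmac.new(key, prev + body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, tag):
            return False, i
        prev = bytes.fromhex(tag)
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(lines)
    return True, -1
```

The chain only proves integrity relative to the key holder, so the key must not be readable by the hosted applications or by the log tools' ordinary users; shipping the current head to the off-load system is what makes silent truncation of the newest records detectable.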
The application server must protect log tools from unauthorized access.
Protecting log data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may pr...Rule Medium Severity -
The application server must protect log tools from unauthorized modification.
Protecting log data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may pr...Rule Medium Severity -
The application server must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate recognized and approved by the organization.
Changes to any software components can have significant effects on the overall security of the application. Verifying software components have been digitally signed using a certificate recognized a...Rule Medium Severity -
The application server must be capable of reverting to the last known good configuration in the event of failed installations and upgrades.
Any changes to the components of the application server can have significant effects on the overall security of the system. In order to ensure a prompt response to failed application installations...Rule Medium Severity -
The application server must adhere to the principles of least functionality by providing only essential capabilities.
Application servers provide a myriad of differing processes, features and functionalities. Some of these processes may be deemed to be unnecessary or too insecure to run on a production DoD system....Rule Medium Severity -
The application server must prohibit or restrict the use of nonsecure ports, protocols, modules, and/or services as defined in the PPSM CAL and vulnerability assessments.
Some networking protocols may not meet organizational security requirements to protect data and components. Application servers natively host a number of various features, such as management inter...Rule Medium Severity -
The application server must use an approved DOD enterprise identity, credential, and access management (ICAM) solution to uniquely identify and authenticate users (or processes acting on behalf of organizational users).
To ensure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically accomplished via the use of a user store, which i...Rule Medium Severity -
The application server must use multifactor authentication for local access to privileged accounts.
Multifactor authentication creates a layered defense and makes it more difficult for an unauthorized person to access the application server. If one factor is compromised or broken, the attacker st...Rule High Severity -
The application server must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data.
Application servers may provide a web services capability that could be leveraged to allow remote access to sensitive application data. A web service, which is a repeatable process used to make dat...Rule Medium Severity -
The application server must, for password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash.
Applications must protect passwords when storing them. Passwords need to be protected at all times, and a salted key derivation function, rather than reversible encryption, is the standard method for protecting stored passwords. If passwords are no...Rule Medium Severity -
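What "salted key derivation function, preferably using a keyed hash" looks like in practice, as an added example written for this page (not the SRG's or any vendor's code): scrypt with a per-credential salt, and an HMAC with a server-side pepper over the derived value. The cost parameters, the record format and the PEPPER constant are assumptions of the example; a real deployment loads the pepper from an HSM or secrets manager.

```python
"""Password storage with a salted, memory-hard key derivation function and a
keyed hash (server-side pepper) over the derived value.

Added example, not code from the SRG or from any application server product.
PEPPER is a constructed sample key; a real deployment loads it from an HSM or
secrets manager, never from source or from the credential database.
"""
import base64
import hashlib
import hmac
import os

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # assumed cost parameters (~16 MiB)
PEPPER = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)  # constructed sample


def _derive(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    # scrypt is memory-hard; the per-credential salt means two users with the
    # same password get different stored values and no precomputed table helps.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=32)


def hash_password(password: str, pepper: bytes = PEPPER) -> str:
    """Return a self-describing record: scheme$N$r$p$salt$tag (base64 fields)."""
    salt = os.urandom(16)
    derived = _derive(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    # Keyed hash over the KDF output: a dump of the credential store alone,
    # without the pepper, cannot be used to start an offline guessing attack.
    tag = hmac.new(pepper, derived, hashlib.sha256).digest()
    return "scrypt-hmac$%d$%d$%d$%s$%s" % (
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode(), base64.b64encode(tag).decode())


def _parse(stored: str):
    scheme, n, r, p, salt_b64, tag_b64 = stored.split("$")
    if scheme != "scrypt-hmac":
        raise ValueError("unknown scheme")
    return int(n), int(r), int(p), base64.b64decode(salt_b64), base64.b64decode(tag_b64)


def verify_password(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    try:
        n, r, p, salt, expected = _parse(stored)
        derived = _derive(password, salt, n, r, p)
    except (ValueError, TypeError):
        return False   # malformed or foreign record: never accept by accident
    tag = hmac.new(pepper, derived, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)   # constant-time comparison


def needs_rehash(stored: str) -> bool:
    """True when the record was made with weaker parameters than current
    policy (or is not in this scheme at all); call after a successful verify
    so the next login transparently upgrades the stored value."""
    try:
        n, r, p, _, _ = _parse(stored)
    except (ValueError, TypeError):
        return True
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P
```

Storing the parameters inside the record is what lets the cost be raised later without a forced reset of every account: verify with the old parameters, then rehash with the new ones.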
The application server must transmit only encrypted representations of passwords.
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be plainly read (i.e., cle...Rule Medium Severity -
The application server must perform RFC 5280-compliant certification path validation.
A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to mak...Rule Medium Severity -
Only authenticated system administrators or the designated PKI Sponsor for the application server must have access to the web server's private key.
The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and non-repudiati...Rule Medium Severity -
The application server must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
To prevent the compromise of authentication information during the authentication process, the application server authentication screens must obfuscate input so an unauthorized user cannot view a p...Rule Medium Severity -
The application server must provide a log reduction capability that supports on-demand reporting requirements.
The ability to generate on-demand reports, including after the log data has been subjected to log reduction, greatly facilitates the organization's ability to generate incident reports as needed to...Rule Medium Severity -
The application server must separate hosted application functionality from application server management functionality.
The application server consists of the management interface and hosted applications. By separating the management interface from hosted applications, the user must authenticate as a privileged use...Rule Medium Severity -
The application server must be configured to mutually authenticate connecting proxies, application servers or gateways.
Application architecture may sometimes require a configuration where an application server is placed behind a web proxy, an application gateway or communicates directly with another application ser...Rule Medium Severity -
The application server must generate a unique session identifier using a FIPS 140-2 approved random number generator.
The application server will use session IDs to communicate between modules or applications within the application server and between the application server and users. The session ID allows the app...Rule High Severity -
The application server must protect the confidentiality and integrity of all information at rest.
When data is written to digital media such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and da...Rule Medium Severity -
The application server must check the validity of all data inputs to the management interface, except those specifically identified by the organization.
Invalid user input occurs when a user inserts data or characters into an application's data entry field and the application is unprepared to process that data. This results in unanticipated applicat...Rule Medium Severity -
The application server must identify potentially security-relevant error conditions.
The structure and content of error messages need to be carefully considered by the organization and development team. Any application providing too much information in error logs and in administra...Rule Medium Severity -
The application server must only generate error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages.
Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and c...Rule Medium Severity -
The application server must automatically terminate a user session after organization-defined conditions or trigger events requiring a session disconnect.
An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process. To thwart the vulnerability of open and unused user sessions, the application se...Rule Medium Severity -
The application server management interface must provide a logout capability for user-initiated communication sessions.
If a user cannot explicitly end an application server management interface session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. The attack...Rule Medium Severity -
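The three session requirements above (unique identifiers from an approved random number generator, automatic termination on organization-defined conditions, and an explicit logout) fit in one small server-side session store. The following is an added example written for this page, not code from the SRG or from any application server; the timeout values are placeholders for the organization-defined ones, the injectable clock exists only so the behaviour can be exercised offline, and the weak_session_id function is included as the counter-example of what not to use.

```python
"""Server-side session handling: identifiers from the OS CSPRNG, automatic
termination on idle or absolute timeout, trigger-event termination, and an
explicit logout that invalidates the identifier.

Added example, not code from the SRG or from any application server product.
The timeout values are placeholders for the organization-defined ones, and
the clock is injectable only so the behaviour can be exercised offline.
"""
import random
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT_S = 15 * 60        # assumption: organization-defined idle limit
ABSOLUTE_TIMEOUT_S = 8 * 3600   # assumption: organization-defined hard limit
ID_BYTES = 32                   # 256 bits of entropy per session identifier


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    privileged: bool = False


class SessionStore:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}

    def create(self, user: str, privileged: bool = False) -> str:
        # secrets draws from os.urandom, the kernel CSPRNG; an approved
        # (FIPS-validated) generator comes from running on a validated
        # platform, never from the random module used in weak_session_id.
        sid = secrets.token_urlsafe(ID_BYTES)
        now = self._clock()
        self._sessions[sid] = Session(user, now, now, privileged)
        return sid

    def touch(self, sid: str):
        """Return the live session for sid, or None. A session past its idle
        or absolute limit is terminated here rather than left dangling."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT_S or now - s.created > ABSOLUTE_TIMEOUT_S:
            self.terminate(sid)
            return None
        s.last_seen = now
        return s

    def terminate(self, sid: str) -> bool:
        """User-initiated logout or server-side kill; False if sid is unknown,
        so a replayed logout request cannot revive or confirm anything."""
        return self._sessions.pop(sid, None) is not None

    def terminate_all_for(self, user: str) -> int:
        """Trigger-event handling (password change, account disable, role
        change): drop every session of the user, privileged ones included."""
        doomed = [sid for sid, s in self._sessions.items() if s.user == user]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)

    def live_count(self) -> int:
        return len(self._sessions)


def weak_session_id(seed: int) -> str:
    """What NOT to do: the Mersenne Twister behind random is not a CSPRNG and,
    seeded from anything guessable (time, PID), yields reproducible IDs."""
    return random.Random(seed).getrandbits(128).to_bytes(16, "big").hex()
```

Because termination happens inside touch(), an expired identifier is rejected on its next use even if no background sweeper has run; a sweeper is still worth adding so idle records do not accumulate in the store.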
The application server must associate organization-defined types of security attributes having organization-defined security attribute values with information in process.
The application server provides a framework for applications to communicate between each other to form an overall well-designed application to perform a task. As the information traverses the appl...Rule Medium Severity -
The application server must control remote access methods.
Application servers provide remote access capability and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy requiremen...Rule Medium Severity -
The application server must off-load log records onto a different system or media from the system being logged.
Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to...Rule Medium Severity -
The application server must record time stamps for log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the application include date and time. Tim...Rule Medium Severity -
The application server must enforce access restrictions associated with changes to application server configuration.
When dealing with access restrictions pertaining to change control, it should be noted that any changes to the software, and/or application server configuration can potentially have significant eff...Rule Medium Severity -
The application server must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When applications provide the capability to change security roles or escalate the fu...Rule Medium Severity -
The application server must accept Personal Identity Verification (PIV) credentials to access the management interface.
The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. PIV credentials are only used in an unclassified environment. DoD has mandated the use of the C...Rule High Severity -
The application server, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
The cornerstone of the PKI is the private key used to encrypt or digitally sign information. The key by itself is a cryptographic value that does not contain specific user information. Application...Rule Medium Severity -
The application server must electronically verify Personal Identity Verification (PIV) credentials from other federal agencies to access the management interface.
Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requir...Rule Medium Severity -
The application server must conform to Federal Identity, Credential, and Access Management (FICAM)-issued profiles.
Without conforming to FICAM-issued profiles, the information system may not be interoperable with FICAM authentication protocols, such as SAML 2.0 and OpenID 2.0. This requirement addresses open i...Rule Medium Severity -
The application server must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient secur...Rule Medium Severity -
The application server, when a MAC I system, must be in a high-availability (HA) cluster.
A MAC I system is a system that handles data vital to the organization's operational readiness or effectiveness of deployed or contingency forces. A MAC I system must maintain the highest level of...Rule Medium Severity -
The application server must protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing organization-defined security safeguards.
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce t...Rule Medium Severity -
The application server must protect the confidentiality and integrity of transmitted information through the use of an approved TLS version.
Preventing the disclosure of transmitted information requires that the application server take measures to employ some form of cryptographic mechanism in order to protect the information during tra...Rule High Severity -
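A concrete form of this requirement, together with the mutual-authentication and approved-CA requirements earlier in this guide, is a TLS context that only negotiates approved versions and requires the peer's certificate, plus a check that reports a context which does not. The following is an added example written for this page, not the SRG's or any vendor's code; TLS 1.2 as the floor is an assumption standing in for the organization's approved-version list, the cipher string is an assumed policy, the cafile argument is assumed to point at the approved (e.g. DoD PKI) CA bundle, and lax_context is a deliberately weak configuration included only for comparison.

```python
"""TLS contexts that only negotiate approved protocol versions and require
the peer certificate, and an audit helper that reports weak settings.

Added example, not the SRG's or any vendor's code. TLS 1.2 as the floor and
the cipher string are assumptions standing in for the organization's policy;
cafile is assumed to be the approved CA bundle.
"""
import ssl

APPROVED_MINIMUM = ssl.TLSVersion.TLSv1_2            # assumption: policy floor
APPROVED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL"
WEAK_CIPHER_MARKERS = ("NULL", "RC4", "DES", "MD5", "EXPORT", "ADH", "AECDH")


def hardened_context(server_side: bool = False, cafile: str = None) -> ssl.SSLContext:
    """Client side: verify the server's chain against cafile and its hostname.
    Server side (a listener behind a proxy/gateway): require the client's
    certificate, i.e. mutual authentication of the connecting component."""
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose, cafile=cafile)
    ctx.minimum_version = APPROVED_MINIMUM   # refuses SSLv3, TLS 1.0 and 1.1
    ctx.set_ciphers(APPROVED_CIPHERS)        # forward-secret AEAD suites only
    ctx.check_hostname = not server_side
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def lax_context() -> ssl.SSLContext:
    """Deliberately weak configuration, for comparison only: any protocol
    version the library supports, any cipher, and no peer verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("ALL")
    return ctx


def tls_findings(ctx: ssl.SSLContext) -> list:
    """Return human-readable findings for a context; an empty list means it
    meets the assumed policy. Usable as a startup self-check or a STIG check."""
    findings = []
    if ctx.minimum_version < APPROVED_MINIMUM:
        findings.append("permits protocol versions below TLS 1.2 (minimum_version=%s)"
                        % ctx.minimum_version.name)
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("does not require the peer certificate (verify_mode=%s)"
                        % ctx.verify_mode.name)
    for c in ctx.get_ciphers():
        name = c["name"]
        # TLS 1.3 suites are always forward secret; for older suites the
        # key exchange is visible in the name.
        if c.get("protocol") != "TLSv1.3" and not ("ECDHE" in name or "DHE" in name):
            findings.append("cipher without forward secrecy enabled: " + name)
        elif any(m in name for m in WEAK_CIPHER_MARKERS):
            findings.append("weak cipher enabled: " + name)
    return findings
```

Run tls_findings against every context the server actually builds, not against a freshly created default one: the weak settings that matter in practice are the ones added later by configuration, such as a verify_mode relaxed to get a broken proxy working.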
The application server must employ approved cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission.
Preventing the disclosure or modification of transmitted information requires that application servers take measures to employ approved cryptography in order to protect the information during trans...Rule Medium Severity -
The application server must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (incl...Rule Medium Severity -
The application server must generate log records when successful/unsuccessful attempts to delete privileges occur.
Deleting privileges of a subject/object may cause a subject/object to gain or lose capabilities. When successful and unsuccessful privilege deletions are made, the events need to be logged. By lo...Rule Medium Severity