Skip to content
Log In

Application Server Security Requirements Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-APP-000001

    Group
    Show

  • SRG-APP-000014

    Group
    Show

  • SRG-APP-000015

    Group
    Show

  • The application server must implement cryptography mechanisms to protect the integrity of the remote access session.

    Encryption is critical for protection of remote access sessions. If encryption is not being used for integrity, malicious users may gain the ability to modify the application server configuration. ...
    Rule Medium Severity
    Show

  • SRG-APP-000016

    Group
    Show

  • SRG-APP-000033

    Group
    Show

  • SRG-APP-000068

    Group
    Show

  • The application server management interface must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.

    Application servers are required to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system management interface, providing privacy and security notices co...
    Rule Medium Severity
    Show

  • SRG-APP-000069

    Group
    Show

  • The application server management interface must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.

    To establish acceptance of system usage policy, a click-through banner at the application server management interface logon is required. The banner shall prevent further activity on the application...
    Rule Medium Severity
    Show

  • SRG-APP-000080

    Group
    Show

  • SRG-APP-000086

    Group
    Show

  • SRG-APP-000089

    Group
    Show

  • SRG-APP-000090

    Group
    Show

  • SRG-APP-000091

    Group
    Show

  • The application server must generate log records when successful/unsuccessful attempts to access subject privileges occur.

    Accessing a subject's privileges can be used to elevate a lower-privileged subject's privileges temporarily in order to cause harm to the application server or to gain privileges to operate tempora...
    Rule Medium Severity
    Show

  • SRG-APP-000092

    Group
    Show

  • The application server must initiate session logging upon startup.

    Session logging activities are developed, integrated, and used in consultation with legal counsel in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.
    Rule Medium Severity
    Show

  • SRG-APP-000095

    Group
    Show

  • SRG-APP-000096

    Group
    Show

  • The application server must produce log records containing sufficient information to establish when (date and time) the events occurred.

    Application server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining th...
    Rule Medium Severity
    Show

  • SRG-APP-000097

    Group
    Show

  • SRG-APP-000098

    Group
    Show

  • SRG-APP-000099

    Group
    Show

  • SRG-APP-000100

    Group
    Show

  • The application server must generate log records containing information that establishes the identity of any individual or process associated with the event.

    Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement of this control includes: time stamps, source a...
    Rule Medium Severity
    Show

  • SRG-APP-000101

    Group
    Show

  • SRG-APP-000108

    Group
    Show

  • The application server must alert the SA and ISSO, at a minimum, in the event of a log processing failure.

    Logs are essential to monitor the health of the system, investigate changes that occurred to the system, or investigate a security incident. When log processing fails, the events during the failur...
    Rule Medium Severity
    Show

  • SRG-APP-000116

    Group
    Show

  • The application server must use internal system clocks to generate time stamps for log records.

    Without the use of an approved and synchronized time source configured on the systems, events cannot be accurately correlated and analyzed to determine what is transpiring within the application se...
    Rule Medium Severity
    Show

  • SRG-APP-000118

    Group
    Show

  • The application server must protect log information from any type of unauthorized read access.

    If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In ad...
    Rule Medium Severity
    Show

  • SRG-APP-000119

    Group
    Show

  • SRG-APP-000120

    Group
    Show

  • The application server must protect log information from unauthorized deletion.

    If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. App...
    Rule Medium Severity
    Show

  • SRG-APP-000121

    Group
    Show

  • SRG-APP-000122

    Group
    Show

  • SRG-APP-000123

    Group
    Show

  • The application server must protect log tools from unauthorized deletion.

    Protecting log data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may pr...
    Rule Medium Severity
    Show

  • SRG-APP-000125

    Group
    Show

  • The application server must back up log records at least every seven days onto a different system or system component than the system or component being logged.

    Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up log records to a different system or onto separate media from the system the application server is ...
    Rule Medium Severity
    Show

  • SRG-APP-000126

    Group
    Show

  • The application server must use cryptographic mechanisms to protect the integrity of log information.

    Protecting the integrity of log records helps to ensure log files are not tampered with. Cryptographic mechanisms are the industry-established standard used to protect the integrity of log data. An...
    Rule Medium Severity
    Show

  • SRG-APP-000131

    Group
    Show

  • SRG-APP-000133

    Group
    Show

  • The application server must limit privileges to change the software resident within software libraries.

    Application servers have the ability to specify that the hosted applications utilize shared libraries. The application server must have a capability to divide roles based upon duties wherein one pr...
    Rule Medium Severity
    Show

  • SRG-APP-000133

    Group
    Show

  • SRG-APP-000141

    Group
    Show

  • SRG-APP-000142

    Group
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules