Application Security and Development Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-APP-000292

    Group
  • SRG-APP-000293

    Group
  • The application must notify system administrators (SAs) and information system security officers (ISSOs) of account disabling actions.

    Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create...
    Rule Low Severity
  • SRG-APP-000294

    Group
  • SRG-APP-000319

    Group
  • SRG-APP-000320

    Group
  • The application must notify system administrators (SAs) and information system security officers (ISSOs) of account enabling actions.

    Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to enable an acc...
    Rule Low Severity
  • SRG-APP-000323

    Group
  • Application data protection requirements must be identified and documented.

    Failure to protect organizational information from data mining may result in a compromise of information. In order to assign the appropriate data protections, application data must be identified an...
    Rule Medium Severity
  • SRG-APP-000324

    Group
  • The application must utilize organization-defined data mining detection techniques for organization-defined data storage objects to adequately detect data mining attempts.

    Failure to protect organizational information from data mining may result in a compromise of information. Data mining occurs when the application is programmatically probed and data is automatical...
    Rule Medium Severity
  • SRG-APP-000033

    Group
  • SRG-APP-000328

    Group
  • The application must enforce organization-defined discretionary access control policies over defined subjects and objects.

    Discretionary Access Control allows users to determine who is allowed to access their data. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued ce...
    Rule Medium Severity
  • SRG-APP-000038

    Group
  • The application must enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.

    A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, ...
    Rule Medium Severity
  • SRG-APP-000039

    Group
  • The application must enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.

    A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, ...
    Rule Medium Severity
  • SRG-APP-000340

    Group
  • The application must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

    Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileg...
    Rule Medium Severity
  • SRG-APP-000342

    Group
  • SRG-APP-000343

    Group
  • The application must audit the execution of privileged functions.

    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and...
    Rule Medium Severity
  • SRG-APP-000065

    Group
  • The application must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.

    By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the ...
    Rule High Severity
  • SRG-APP-000345

    Group
  • The application administrator must follow an approved process to unlock locked user accounts.

    Once a user account has been locked, it must be unlocked by an administrator. An ISSM and ISSO approved process must be created and followed to ensure the user requesting access is properly authen...
    Rule Medium Severity
  • SRG-APP-000068

    Group
  • SRG-APP-000069

    Group
  • SRG-APP-000070

    Group
  • SRG-APP-000075

    Group
  • The application must display the time and date of the user's last successful logon.

    Providing a last successful logon date and time stamp notification to the user when they authenticate and access the application allows the user to determine if their application account has been u...
    Rule Low Severity
  • SRG-APP-000080

    Group
  • SRG-APP-000086

    Group
  • SRG-APP-000089

    Group
  • The application must provide audit record generation capability for the creation of session IDs.

    Applications create session IDs at the onset of a user session in order to manage user access to the application and differentiate between different user sessions. It is important to log the creati...
    Rule Medium Severity
  • SRG-APP-000089

    Group
  • SRG-APP-000089

    Group
  • SRG-APP-000089

    Group
  • The application must not write sensitive data into the application logs.

    It is important to identify and exclude certain types of data that is written into the logs. If the logs are compromised and sensitive data is included in the logs, this could assist an attacker in...
    Rule Medium Severity
  • SRG-APP-000089

    Group
  • SRG-APP-000089

    Group
  • The application must record a time stamp indicating when the event occurred.

    It is important to include the time stamps for when an event occurred. Failure to include time stamps in the event logs is detrimental to forensic analysis.
    Rule Medium Severity
  • SRG-APP-000089

    Group
  • The application must provide audit record generation capability for HTTP headers including User-Agent, Referer, GET, and POST.

    HTTP header information is a critical component of data that is used when evaluating forensic activity. Without the capability to generate audit records, it would be difficult to establish, correl...
    Rule Medium Severity
  • SRG-APP-000089

    Group
  • SRG-APP-000089

    Group
  • The application must record the username or user ID of the user associated with the event.

    When users conduct activity within an application, that user’s identity must be recorded in the audit log. Failing to record the identity of the user responsible for the activity within the applica...
    Rule Medium Severity
  • SRG-APP-000091

    Group
  • SRG-APP-000492

    Group
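The lockout rule above (three consecutive invalid logon attempts within a 15-minute period) and the rule that locked accounts are unlocked only through an administrator-approved process are shown together in the following added example. It is illustrative code written for this page, not part of the STIG or of any vendor implementation; the `LockoutPolicy` class, the `authenticate` helper, the PBKDF2 user store and the usernames are assumptions. The counter is a sliding window, a success breaks the run of consecutive failures, and there is deliberately no timed auto-unlock.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

MAX_ATTEMPTS = 3          # consecutive invalid logons allowed before locking
WINDOW_SECONDS = 15 * 60  # the 15-minute period in which they are counted


class LockoutPolicy:
    """Tracks consecutive failed logons per account (hypothetical class, not a library API)."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window_seconds=WINDOW_SECONDS):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._failures = defaultdict(deque)  # username -> timestamps of recent consecutive failures
        self._locked = set()

    def is_locked(self, username):
        return username in self._locked

    def record_failure(self, username, now):
        """Record an invalid logon at epoch time `now`; return True if the account is now locked."""
        if username in self._locked:
            return True
        attempts = self._failures[username]
        # Only failures inside the sliding 15-minute window count toward the limit.
        while attempts and now - attempts[0] >= self.window:
            attempts.popleft()
        attempts.append(now)
        if len(attempts) >= self.max_attempts:
            self._locked.add(username)
            attempts.clear()
            return True
        return False

    def record_success(self, username):
        """A successful logon breaks the run of consecutive failures."""
        self._failures.pop(username, None)

    def admin_unlock(self, username):
        """No timed auto-unlock: an administrator clears the lock under the approved process."""
        self._locked.discard(username)
        self._failures.pop(username, None)


def make_user(password):
    """Constructed user record: salted PBKDF2 hash (assumed store layout, not a real product's)."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)}


def check_password(user, password):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    return hmac.compare_digest(candidate, user["hash"])


def authenticate(policy, users, username, password, now):
    """Return 'locked', 'ok' or 'invalid'.

    The lock check runs first so a locked account rejects even the correct password.
    Unknown usernames are counted as failures too, so lockout behaviour does not
    reveal which accounts exist.
    """
    if policy.is_locked(username):
        return "locked"
    user = users.get(username)
    if user is not None and check_password(user, password):
        policy.record_success(username)
        return "ok"
    policy.record_failure(username, now)
    return "invalid"


if __name__ == "__main__":
    policy = LockoutPolicy()
    users = {"alice": make_user("correct horse")}   # constructed credentials
    for t in (0, 60, 120):
        print(t, authenticate(policy, users, "alice", "wrong", t))
    print(130, authenticate(policy, users, "alice", "correct horse", 130))  # locked
    policy.admin_unlock("alice")
    print(140, authenticate(policy, users, "alice", "correct horse", 140))  # ok
```

Because `authenticate` returns the same "invalid" for a wrong password and for an unknown user, and counts both, the only observable difference an attacker gets is the lock itself, which applies equally to real and fictitious usernames.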

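The audit-record rules above (a time stamp for each event, the username or user ID of the actor, the HTTP User-Agent, Referer, GET and POST data, auditing of session ID creation and of privileged functions) and the rule that sensitive data must not be written to the logs pull in opposite directions unless the logger redacts before it writes. The following added example, written for this page and not taken from the STIG or any product, shows one way to reconcile them: `build_audit_record`, `redact`, `scrub_text`, `session_fingerprint`, the sensitive-field denylist and the sample request are all assumptions or constructed data. Header values are treated as attacker-controlled text, so CR/LF is stripped to prevent forged log entries, and session IDs are logged only as a hash fingerprint.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Field names whose values never reach the log (assumed denylist; extend per the data
# classification required by the "data protection requirements" rule).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "secret", "token", "authorization",
                  "cookie", "set-cookie", "ssn", "card_number", "cvv"}
REDACTED = "[REDACTED]"

# Sensitive patterns that may turn up inside free-text values (assumed, US-centric examples).
_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),        # US SSN
    re.compile(r"\b(?:\d[ -]?){12}\d{1,4}\b"),    # 13-16 digit card numbers, optional separators
]


def scrub_text(value: str) -> str:
    """Neutralise CR/LF (log forging) and mask sensitive patterns in one string."""
    value = value.replace("\r", " ").replace("\n", " ")
    for pattern in _PATTERNS:
        value = pattern.sub(REDACTED, value)
    return value


def redact(obj):
    """Recursively redact a headers/parameters structure before it is logged."""
    if isinstance(obj, dict):
        return {k: (REDACTED if k.lower() in SENSITIVE_KEYS else redact(v)) for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [redact(v) for v in obj]
    if isinstance(obj, str):
        return scrub_text(obj)
    return obj


def session_fingerprint(session_id: str) -> str:
    """Log a fingerprint of a session ID, never the ID itself (it is a bearer credential)."""
    return hashlib.sha256(session_id.encode()).hexdigest()[:16]


def build_audit_record(event, user_id, request, now, outcome="success", **details):
    """Assemble one audit record; `now` is epoch seconds, `request` a dict shaped like SAMPLE_REQUEST."""
    headers = request.get("headers", {})
    record = {
        "time": datetime.fromtimestamp(now, tz=timezone.utc).isoformat(),  # UTC time stamp
        "event": event,
        "outcome": outcome,
        "user": user_id,                          # username or user ID of the actor
        "src_ip": request.get("remote_addr"),
        "http": {
            "method": request.get("method"),
            "path": request.get("path"),
            "user_agent": scrub_text(headers.get("User-Agent", "")),
            "referer": scrub_text(headers.get("Referer", "")),
            "get": redact(request.get("query", {})),   # GET parameters
            "post": redact(request.get("form", {})),   # POST parameters, secrets masked
        },
    }
    record.update(redact(details))
    return record


def write_audit(sink, record):
    """Serialise the record as one JSON line (sink is any list-like with append)."""
    line = json.dumps(record, separators=(",", ":"), sort_keys=True)
    sink.append(line)
    return line


# Constructed sample request, not captured traffic. The User-Agent carries a CR/LF
# injection attempt that would otherwise forge a second log entry.
SAMPLE_REQUEST = {
    "remote_addr": "203.0.113.10",
    "method": "POST",
    "path": "/login",
    "headers": {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)\r\n2023-01-01 admin logon ok",
        "Referer": "https://app.example/login?next=/admin",
    },
    "query": {"next": "/admin"},
    "form": {"username": "alice", "password": "hunter2"},
}

if __name__ == "__main__":
    log = []
    rec = build_audit_record("logon", "alice", SAMPLE_REQUEST, 1700000000,
                             session=session_fingerprint("opaque-session-id-value"))
    print(write_audit(log, rec))
    priv = build_audit_record("privileged_function", "alice", SAMPLE_REQUEST, 1700000060,
                              function="disable_account", target="bob")
    print(write_audit(log, priv))
```

The same `build_audit_record` call serves the session-creation and privileged-function rules; only the `event` and the extra details change, and every extra detail passes through `redact` so a caller cannot accidentally log a secret by putting it in a keyword argument.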