IBM WebSphere Traditional V9.x Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The WebSphere Application Server must shut down by default upon log failure (unless availability is an overriding concern).
It is critical that, when a system is at risk of failing to process logs, it detects and takes action to mitigate the failure. Log processing failures include software/hardware errors, failures in ...Rule Low Severity -
SRG-APP-000109-AS-000070
Group -
The WebSphere Application Server high availability applications must be configured to fail over to another system in the event of log subsystem failure.
This requirement is dependent upon system MAC and availability. If the system MAC and availability do not specify redundancy requirements, this requirement is NA. It is critical that, when a syste...Rule Low Severity -
SRG-APP-000118-AS-000078
Group -
The WebSphere Application Server must be configured to protect log information from any type of unauthorized read access.
WebSphere uses role-based access controls to restrict access to log data. To take advantage of this capability, WebSphere administrators must identify specific users and place them into their respe...Rule Low Severity -
SRG-APP-000119-AS-000079
Group -
The WebSphere Application Server must protect log information from unauthorized modification.
WebSphere uses role-based access controls to restrict access to log data. To take advantage of this capability, WebSphere administrators must identify specific users and place them into their respe...Rule Medium Severity -
SRG-APP-000120-AS-000080
Group -
The WebSphere Application Server must protect log information from unauthorized deletion.
WebSphere uses role based access controls to restrict access to log data. To take advantage of this capability, WebSphere administrators must identify specific users and place them into their respe...Rule Medium Severity -
SRG-APP-000122-AS-000082
Group -
The WebSphere Application Server wsadmin file must be protected from unauthorized modification.
Protecting log data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may pr...Rule Medium Severity -
SRG-APP-000123-AS-000083
Group -
The WebSphere Application Server wsadmin file must be protected from unauthorized deletion.
Protecting log data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may pr...Rule Medium Severity -
SRG-APP-000126-AS-000085
Group -
The WebSphere Application Server must be configured to encrypt log information.
Protection of log records is of critical importance. Encrypting log records provides a level of protection that does not rely on host-based protections that can be accidentally misconfigured, such ...Rule Medium Severity -
SRG-APP-000126-AS-000085
Group -
SRG-APP-000141-AS-000095
Group -
SRG-APP-000141-AS-000095
Group -
The WebSphere Application Server files must be owned by the non-root WebSphere user ID.
Having files owned by the root or administrator user is an indication that the WebSphere processes are being run with escalated privileges. Running as root/admin user gives attackers elevated privi...Rule Medium Severity -
SRG-APP-000141-AS-000095
Group -
The WebSphere Application Server sample applications must be removed.
WebSphere samples are not intended for use in a production environment. Do not run them there, as they create significant security risks. In particular, the snoop servlet can provide an outsider wi...Rule Low Severity -
SRG-APP-000141-AS-000095
Group -
SRG-APP-000141-AS-000095
Group -
The WebSphere Application Server must be run as a non-admin user.
Running WebSphere as an admin user gives attackers immediate admin privileges in the event the WebSphere processes are compromised. Best practice is to operate the WebSphere server with an accoun...Rule Medium Severity -
SRG-APP-000141-AS-000095
Group -
SRG-APP-000427-AS-000264
Group -
SRG-APP-000142-AS-000014
Group -
The WebSphere Application Server must prohibit or restrict the use of nonsecure ports, protocols, modules, and/or services as defined in the PPSM CAL and vulnerability assessments.
Some networking protocols may not meet organizational security requirements to protect data and components. Application servers natively host a number of various features, such as management inter...Rule Medium Severity -
SRG-APP-000148-AS-000101
Group -
The WebSphere Application Server LDAP user registry must be used.
To assure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically accomplished via the use of a user store which is...Rule Medium Severity -
SRG-APP-000148-AS-000101
Group -
The WebSphere Application Server local file-based user registry must not be used.
WebSphere does not provide direct audit of changes to the built-in file registry. The built-in file registry must not be used to support user logon accounts. Use an LDAP/AD server and manage user a...Rule Medium Severity -
SRG-APP-000149-AS-000102
Group -
The WebSphere Application Server multifactor authentication for network access to privileged accounts must be used.
Multifactor authentication creates a layered defense and makes it more difficult for an unauthorized person to access the application server. If one factor is compromised or broken, the attacker st...Rule Medium Severity -
SRG-APP-000156-AS-000106
Group -
SRG-APP-000156-AS-000106
Group -
The WebSphere Application Server must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data.
Application servers may provide a web services capability that could be leveraged to allow remote access to sensitive application data. A web service, which is a repeatable process used to make dat...Rule Medium Severity -
SRG-APP-000394-AS-000241
Group -
SRG-APP-000395-AS-000109
Group -
The WebSphere Application Server must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
Device authentication requires unique identification and authentication that may be defined by type, by specific device, or by a combination of type and device. Bidirectional authentication provid...Rule Medium Severity -
SRG-APP-000172-AS-000120
Group -
SRG-APP-000172-AS-000121
Group -
The WebSphere Application Server secure LDAP (LDAPS) must be used for authentication.
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. Application servers have the capability to utilize LDAP directorie...Rule High Severity -
SRG-APP-000400-AS-000246
Group -
The WebSphere Application Server must prohibit the use of cached authenticators after an organization-defined time period.
When the application server is using PKI authentication, a local revocation cache must be stored for instances when the revocation cannot be authenticated through the network, but if cached authent...Rule Medium Severity -
SRG-APP-000176-AS-000125
Group -
SRG-APP-000177-AS-000126
Group -
The WebSphere Application Server must use signer for DoD-issued certificates.
The cornerstone of PKI is the private key used to encrypt or digitally sign information. The key by itself is a cryptographic value that does not contain specific user information, but the key can ...Rule Medium Severity -
SRG-APP-000179-AS-000129
Group -
SRG-APP-000402-AS-000247
Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.