IBM WebSphere Traditional V9.x Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The WebSphere Application Server must accept Personal Identity Verification (PIV) credentials from other federal agencies to access the management interface.
Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requir...Rule Medium Severity -
SRG-APP-000514-AS-000137
Group -
The WebSphere Application Server must use DoD-approved Signer Certificates.
Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Utilizing unapproved...Rule Medium Severity -
SRG-APP-000211-AS-000146
Group -
SRG-APP-000219-AS-000147
Group -
The WebSphere Application Server DoD root CAs must be in the trust store.
This control focuses on communications protection at the session, versus packet level. At the application layer, session IDs are tokens generated by web applications to uniquely identify an applic...Rule Medium Severity -
SRG-APP-000225-AS-000153
Group -
The WebSphere Application Server must be configured to perform complete application deployments when using A/B clusters.
Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. When an applic...Rule Low Severity -
SRG-APP-000225-AS-000154
Group -
The WebSphere Application servers with an RMF categorization of high must be in a high-availability (HA) cluster.
This requirement is dependent upon system MAC and confidentiality. If the system MAC and confidentiality levels do not specify redundancy requirements, this requirement is NA. Failure to a known s...Rule Low Severity -
SRG-APP-000428-AS-000265
Group -
The WebSphere Application Server must not generate LTPA keys automatically.
Automated LTPA key generation can create unplanned outages. Plan to change your LTPA keys during a scheduled outage. Distribute the new keys to all nodes in the cell and to all external systems/cel...Rule Low Severity -
SRG-APP-000428-AS-000265
Group -
SRG-APP-000435-AS-000163
Group -
SRG-APP-000435-AS-000163
Group -
The WebSphere Application Server memory session settings must be defined according to application load requirements.
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the...Rule Low Severity -
SRG-APP-000435-AS-000163
Group -
The WebSphere Application Server thread pool size must be defined according to application load requirements.
A thread pool enables components of the application server to reuse threads, which eliminates the need to create new threads at run time. Creating new threads expends system resources and can possi...Rule Medium Severity -
SRG-APP-000439-AS-000274
Group -
The WebSphere Application Server must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
Export grade encryption suites are not strong and do not meet DoD requirements. The encryption for the session becomes easy for the attacker to break. Do not use export grade encryption. Informatio...Rule Medium Severity -
SRG-APP-000440-AS-000166
Group -
SRG-APP-000440-AS-000167
Group -
SRG-APP-000454-AS-000268
Group -
The WebSphere Application Server must remove organization-defined software components after updated versions have been installed.
By default, when updating WebSphere application server, the older version of binaries are saved in case a "roll back" is necessary. Not keeping the older version makes it more difficult for attacke...Rule Medium Severity -
SRG-APP-000456-AS-000266
Group -
The WebSphere Application Server must apply the latest security fixes.
Security vulnerabilities are often addressed by testing and applying the latest security patches and fix packs. Latest fixpacks can be found at: http://www-01.ibm.com/support/docview.wss?uid=swg270...Rule Medium Severity -
SRG-APP-000456-AS-000266
Group -
The WebSphere Application Server must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVMs, CTOs, DTMs, and STIGs).
Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (incl...Rule Medium Severity -
The WebSphere Application Server maximum in-memory session count must be set according to application requirements.
Application management includes the ability to control the number of sessions that utilize an application by all accounts and/or account types. Limiting the number of allowed sessions is helpful in...Rule Medium Severity -
The WebSphere Application Server administrative security must be enabled.
In previous releases of WebSphere® Application Server, when a user enabled global security, both administrative and application security were enabled. The previous notion of global security is spl...Rule High Severity -
The WebSphere Application Server groups in the user registry mapped to WebSphere auditor roles must be configured in accordance with the security plan.
Logging must be utilized in order to track system activity, assist in diagnosing system issues, and provide evidence needed for forensic investigations post security incident. Remote access by adm...Rule Medium Severity -
The WebSphere Application Server audit event type filters must be configured.
Logging must be utilized in order to track system activity, assist in diagnosing system issues, and provide evidence needed for forensic investigations post security incident. Remote access by adm...Rule Medium Severity -
The WebSphere Application Server Quality of Protection (QoP) must be set to use TLSv1.2 or higher.
Quality of Protection specifies the security level, ciphers, and mutual authentication settings for the Secure Socket Layer (SSL/TLS) configuration.Rule Medium Severity -
The WebSphere Application Server global application security must be enabled.
Application security enables security for the applications in your environment. This setting provides application isolation and meets security requirements such as using SSL for authenticating appl...Rule High Severity -
The WebSphere Application Server users in the admin role must be authorized.
Strong access controls are critical to securing the application server. Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement...Rule Medium Severity -
The WebSphere Application Server must allocate JVM log record storage capacity in accordance with organization-defined log record storage requirements.
JVM logs are logs used to store application and runtime related events, rather than audit related events. They are mainly used to diagnose application or runtime bugs. But sometimes they may be use...Rule Medium Severity -
The WebSphere Application Server audit subsystem failure action must be set to Log warning.
Logs are essential to monitor the health of the system, investigate changes that occurred to the system, or investigate a security incident. When log processing fails, the events during the failure...Rule Medium Severity -
The WebSphere Application Server wsadmin file must be protected from unauthorized access.
Protecting log data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may pr...Rule Medium Severity -
The WebSphere Application Server process must not be started from the command line with the -password option.
The use of the -password option to launch a WebSphere process from the command line can result in a security exposure. Password information may become visible to any user with the ability to view s...Rule Medium Severity -
The WebSphere Application Server must remove JREs left by web server and plug-in installers for web servers and plugins running in the DMZ.
When you install IBM HTTP Server, the installer leaves behind a JRE. Remove this JRE, as it provides functions that are not needed by the Web server or plug-in under normal conditions. Keep in mind...Rule Low Severity -
The WebSphere Application Server must disable JSP class reloading.
Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system...Rule Medium Severity -
The WebSphere Application Server must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data.
Application servers may provide a web services capability that could be leveraged to allow remote access to sensitive application data. A web service which is a repeatable process used to make data...Rule Medium Severity -
The WebSphere Application Server must authenticate all network-connected endpoint devices before establishing any connection.
Device authentication requires unique identification and authentication that may be defined by type, by specific device, or by a combination of type and device. Device authentication is accomplish...Rule Medium Severity -
The WebSphere Application Server application security must be enabled for each security domain except for publicly available applications specified in the System Security Plan.
By default, all administrative and user applications in WebSphere® Application Server use the global security configuration. For example, a user registry defined in global security is used to authe...Rule High Severity -
The WebSphere Application Server default keystore passwords must be changed.
The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and non-repudiati...Rule High Severity -
The WebSphere Application Server must utilize FIPS 140-2-approved encryption modules when authenticating users and processes.
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and D...Rule Medium Severity -
The WebSphere Application Servers must not be in the DMZ.
The application server consists of the management interface and hosted applications. By separating the management interface from hosted applications, the user must authenticate as a privileged user...Rule Medium Severity -
The WebSphere Application Server personal certificates in all keystores must be issued by an approved DoD CA.
Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient secur...Rule Medium Severity -
The WebSphere Application Server must periodically regenerate LTPA keys.
The encryption of authentication information that is exchanged between servers involves the Lightweight Third-Party Authentication (LTPA) mechanism. LTPA utilizes encryption keys, if LTPA is utiliz...Rule Low Severity -
The WebSphere Application Server high availability applications must be installed on a cluster.
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.