Skip to content

II - Mission Support Public

Rules and Groups employed by this XCCDF Profile

  • SRG-APP-000394-AS-000241

    <GroupDescription></GroupDescription>
    Group
  • The WebSphere Application Server must authenticate all network-connected endpoint devices before establishing any connection.

    &lt;VulnDiscussion&gt;Device authentication requires unique identification and authentication that may be defined by type, by specific device, or b...
    Rule Medium Severity
  • SRG-APP-000395-AS-000109

    <GroupDescription></GroupDescription>
    Group
  • The WebSphere Application Server must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.

    &lt;VulnDiscussion&gt;Device authentication requires unique identification and authentication that may be defined by type, by specific device, or b...
    Rule Medium Severity
  • SRG-APP-000172-AS-000120

    <GroupDescription></GroupDescription>
    Group
  • The WebSphere Application Server application security must be enabled for each security domain except for publicly available applications specified in the System Security Plan.

    &lt;VulnDiscussion&gt;By default, all administrative and user applications in WebSphere® Application Server use the global security configuration. ...
    Rule High Severity
  • SRG-APP-000172-AS-000121

    <GroupDescription></GroupDescription>
    Group
  • The WebSphere Application Server secure LDAP (LDAPS) must be used for authentication.

    &lt;VulnDiscussion&gt;Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmissi...
    Rule High Severity
  • SRG-APP-000400-AS-000246

    <GroupDescription></GroupDescription>
    Group
  • The WebSphere Application Server must prohibit the use of cached authenticators after an organization-defined time period.

    &lt;VulnDiscussion&gt;When the application server is using PKI authentication, a local revocation cache must be stored for instances when the revoc...
    Rule Medium Severity
  • SRG-APP-000176-AS-000125

    <GroupDescription></GroupDescription>
    Group
  • The WebSphere Application Server default keystore passwords must be changed.

    &lt;VulnDiscussion&gt;The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, ...
    Rule High Severity
  • SRG-APP-000177-AS-000126

    <GroupDescription></GroupDescription>
    Group
  • The WebSphere Application Server must use signer for DoD-issued certificates.

    &lt;VulnDiscussion&gt;The cornerstone of PKI is the private key used to encrypt or digitally sign information. The key by itself is a cryptographic...
    Rule Medium Severity
  • SRG-APP-000179-AS-000129

    <GroupDescription></GroupDescription>
    Group
  • The WebSphere Application Server must utilize FIPS 140-2-approved encryption modules when authenticating users and processes.

    &lt;VulnDiscussion&gt;Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified ...
    Rule Medium Severity
  • SRG-APP-000402-AS-000247

    <GroupDescription></GroupDescription>
    Group
  • The WebSphere Application Server must accept Personal Identity Verification (PIV) credentials from other federal agencies to access the management interface.

    &lt;VulnDiscussion&gt;Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Public...
    Rule Medium Severity
  • SRG-APP-000514-AS-000137

    <GroupDescription></GroupDescription>
    Group
  • The WebSphere Application Server must use DoD-approved Signer Certificates.

    &lt;VulnDiscussion&gt;Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certifica...
    Rule Medium Severity
  • SRG-APP-000211-AS-000146

    <GroupDescription></GroupDescription>
    Group
  • The WebSphere Application Servers must not be in the DMZ.

    &lt;VulnDiscussion&gt;The application server consists of the management interface and hosted applications. By separating the management interface f...
    Rule Medium Severity
  • SRG-APP-000219-AS-000147

    <GroupDescription></GroupDescription>
    Group
  • The WebSphere Application Server DoD root CAs must be in the trust store.

    &lt;VulnDiscussion&gt;This control focuses on communications protection at the session, versus packet level. At the application layer, session IDs...
    Rule Medium Severity
  • SRG-APP-000427-AS-000264

    <GroupDescription></GroupDescription>
    Group
  • The WebSphere Application Server personal certificates in all keystores must be issued by an approved DoD CA.

    &lt;VulnDiscussion&gt;Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that se...
    Rule Medium Severity
  • SRG-APP-000225-AS-000153

    <GroupDescription></GroupDescription>
    Group
  • The WebSphere Application Server must be configured to perform complete application deployments when using A/B clusters.

    &lt;VulnDiscussion&gt;Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure...
    Rule Low Severity
  • SRG-APP-000225-AS-000154

    <GroupDescription></GroupDescription>
    Group
  • The WebSphere Application servers with an RMF categorization of high must be in a high-availability (HA) cluster.

    &lt;VulnDiscussion&gt;This requirement is dependent upon system MAC and confidentiality. If the system MAC and confidentiality levels do not specif...
    Rule Low Severity
  • SRG-APP-000428-AS-000265

    <GroupDescription></GroupDescription>
    Group
  • The WebSphere Application Server must not generate LTPA keys automatically.

    &lt;VulnDiscussion&gt;Automated LTPA key generation can create unplanned outages. Plan to change your LTPA keys during a scheduled outage. Distribu...
    Rule Low Severity
  • SRG-APP-000428-AS-000265

    <GroupDescription></GroupDescription>
    Group
  • The WebSphere Application Server must periodically regenerate LTPA keys.

    &lt;VulnDiscussion&gt;The encryption of authentication information that is exchanged between servers involves the Lightweight Third-Party Authentic...
    Rule Low Severity
  • SRG-APP-000435-AS-000163

    <GroupDescription></GroupDescription>
    Group
  • The WebSphere Application Server high availability applications must be installed on a cluster.

    &lt;VulnDiscussion&gt;DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot ac...
    Rule Medium Severity
  • SRG-APP-000435-AS-000163

    <GroupDescription></GroupDescription>
    Group
  • The WebSphere Application Server memory session settings must be defined according to application load requirements.

    &lt;VulnDiscussion&gt;DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot ac...
    Rule Low Severity
  • SRG-APP-000435-AS-000163

    <GroupDescription></GroupDescription>
    Group
  • The WebSphere Application Server thread pool size must be defined according to application load requirements.

    &lt;VulnDiscussion&gt;A thread pool enables components of the application server to reuse threads, which eliminates the need to create new threads ...
    Rule Medium Severity
  • SRG-APP-000439-AS-000274

    <GroupDescription></GroupDescription>
    Group
  • The WebSphere Application Server must remove all export ciphers to protect the confidentiality and integrity of transmitted information.

    &lt;VulnDiscussion&gt;Export grade encryption suites are not strong and do not meet DoD requirements. The encryption for the session becomes easy f...
    Rule Medium Severity
  • SRG-APP-000440-AS-000166

    <GroupDescription></GroupDescription>
    Group
  • The WebSphere Application Server distribution and consistency services (DCS) transport links must be encrypted.

    &lt;VulnDiscussion&gt;A Core Group (HA Domain) is a component of the high availability manager function. It can contain stand-alone servers, cluste...
    Rule Medium Severity
  • SRG-APP-000440-AS-000167

    <GroupDescription></GroupDescription>
    Group
  • The WebSphere Application Server plugin must be configured to use HTTPS only.

    &lt;VulnDiscussion&gt;The Web server plug-in transmits information from the Web server to the Web container over HTTP by default. Extra steps must ...
    Rule Medium Severity
  • SRG-APP-000454-AS-000268

    <GroupDescription></GroupDescription>
    Group
  • The WebSphere Application Server must remove organization-defined software components after updated versions have been installed.

    &lt;VulnDiscussion&gt;By default, when updating WebSphere application server, the older version of binaries are saved in case a "roll back" is nece...
    Rule Medium Severity
  • SRG-APP-000456-AS-000266

    <GroupDescription></GroupDescription>
    Group
  • The WebSphere Application Server must apply the latest security fixes.

    &lt;VulnDiscussion&gt;Security vulnerabilities are often addressed by testing and applying the latest security patches and fix packs. Latest fixpac...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules