Skip to content
Log In

No profile (default benchmark)

Rules and Groups employed by this XCCDF Profile

  • SRG-APP-000149-AS-000102

    Group
    Show

  • Oracle WebLogic must employ strong identification and authentication techniques when establishing nonlocal maintenance and diagnostic sessions.

    Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network....
    Rule Medium Severity
    Show

  • SRG-APP-000295-AS-000263

    Group
    Show

  • Oracle WebLogic must terminate the network connection associated with a communications session at the end of the session or after a DoD-defined time period of inactivity.

    If communications sessions remain open for extended periods of time even when unused, there is the potential for an adversary to hijack the session and use it to gain access to the device or netwo...
    Rule Low Severity
    Show

  • SRG-APP-000440-AS-000167

    Group
    Show

  • Oracle WebLogic must establish a trusted communications path between the user and organization-defined security functions within the information system.

    Without a trusted communication path, the application server is vulnerable to a man-in-the-middle attack. Application server user interfaces are used for management of the application server so th...
    Rule Medium Severity
    Show

  • SRG-APP-000516-AS-000237

    Group
    Show

  • Oracle WebLogic must utilize NSA-approved cryptography when protecting classified compartmentalized data.

    Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to ...
    Rule Medium Severity
    Show

  • SRG-APP-000435-AS-000069

    Group
    Show

  • Oracle WebLogic must protect the integrity and availability of publicly available information and applications.

    The purpose of this control is to ensure organizations explicitly address the protection needs for public information and applications, with such protection likely being implemented as part of oth...
    Rule Medium Severity
    Show

  • SRG-APP-000211-AS-000146

    Group
    Show

  • Oracle WebLogic must separate hosted application functionality from Oracle WebLogic management functionality.

    Application server management functionality includes functions necessary to administer the application server and requires privileged access via one of the accounts assigned to a management role. ...
    Rule Medium Severity
    Show

  • SRG-APP-000219-AS-000147

    Group
    Show

  • Oracle WebLogic must ensure authentication of both client and server during the entire session.

    This control focuses on communications protection at the session, versus packet level. At the application layer, session IDs are tokens generated by web applications to uniquely identify an appli...
    Rule Medium Severity
    Show

  • SRG-APP-000220-AS-000148

    Group
    Show

  • Oracle WebLogic must terminate user sessions upon user logout or any other organization- or policy-defined session termination events such as idle time limit exceeded.

    If communications sessions remain open for extended periods of time even when unused, there is the potential for an adversary to hijack the session and use it to gain access to the device or netwo...
    Rule Medium Severity
    Show

  • SRG-APP-000225-AS-000153

    Group
    Show

  • Oracle WebLogic must be configured to perform complete application deployments.

    Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. When an appli...
    Rule Medium Severity
    Show

  • SRG-APP-000440-AS-000167

    Group
    Show

  • Oracle WebLogic must protect the confidentiality of applications and leverage transmission protection mechanisms, such as TLS and SSL VPN, when deploying applications.

    Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission....
    Rule Medium Severity
    Show

  • SRG-APP-000435-AS-000069

    Group
    Show

  • Oracle WebLogic must protect the integrity of applications during the processes of data aggregation, packaging, and transformation in preparation for deployment.

    Information can be subjected to unauthorized changes (e.g., malicious and/or unintentional modification) at information aggregation or protocol transformation points. It is therefore imperative the...
    Rule Low Severity
    Show

  • SRG-APP-000435-AS-000163

    Group
    Show

  • Oracle WebLogic must protect against or limit the effects of HTTP types of Denial of Service (DoS) attacks.

    Employing increased capacity and bandwidth combined with service redundancy can reduce the susceptibility to some DoS attacks. When utilizing an application server in a high risk environment (such ...
    Rule Medium Severity
    Show

  • SRG-APP-000435-AS-000163

    Group
    Show

  • Oracle WebLogic must limit the use of resources by priority and not impede the host from servicing processes designated as a higher-priority.

    Priority protection helps the application server prevent a lower-priority application process from delaying or interfering with any higher-priority application processes. If the application server ...
    Rule Medium Severity
    Show

  • SRG-APP-000225-AS-000166

    Group
    Show

  • Oracle WebLogic must fail securely in the event of an operational failure.

    Fail secure is a condition achieved by the application server in order to ensure that in the event of an operational failure, the system does not enter into an unsecure state where intended securi...
    Rule Medium Severity
    Show

  • SRG-APP-000440-AS-000167

    Group
    Show

  • Oracle WebLogic must employ approved cryptographic mechanisms when transmitting sensitive data.

    Preventing the disclosure of transmitted information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the...
    Rule Medium Severity
    Show

  • SRG-APP-000266-AS-000168

    Group
    Show

  • Oracle WebLogic must identify potentially security-relevant error conditions.

    The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the application server is able to identify and handle error...
    Rule Low Severity
    Show

  • SRG-APP-000266-AS-000169

    Group
    Show

  • Oracle WebLogic must only generate error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages.

    Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and c...
    Rule Medium Severity
    Show

  • SRG-APP-000267-AS-000170

    Group
    Show

  • Oracle WebLogic must restrict error messages so only authorized personnel may view them.

    If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be caref...
    Rule Medium Severity
    Show

  • SRG-APP-000108-AS-000067

    Group
    Show

  • Oracle WebLogic must provide system notifications to a list of response personnel who are identified by name and/or role.

    Incident response applications are, by their nature, designed to monitor, detect, and alarm on defined events occurring on the system or on the network. A large part of their functionality is the a...
    Rule Medium Severity
    Show

  • SRG-APP-000516-AS-000237

    Group
    Show

  • Oracle WebLogic must be integrated with a tool to monitor audit subsystem failure notification information that is sent out (e.g., the recipients of the message and the nature of the failure).

    It is critical that, when a system is at risk of failing to process audit logs, it detects and takes action to mitigate the failure. As part of the mitigation, the system must send a notification ...
    Rule Medium Severity
    Show

  • SRG-APP-000516-AS-000237

    Group
    Show

  • Oracle WebLogic must be managed through a centralized enterprise tool.

    The application server can host multiple applications which require different functions to operate successfully but many of the functions are capabilities that are needed for all the hosted applica...
    Rule Medium Severity
    Show

  • SRG-APP-000516-AS-000237

    Group
    Show

  • Oracle WebLogic must be integrated with a tool to implement multi-factor user authentication.

    Multifactor authentication is defined as: using two or more factors to achieve authentication. Factors include: (i) something a user knows (e.g., password/PIN); (ii) something a user has (e.g.,...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules