I - Mission Critical Classified
Rules and Groups employed by this XCCDF Profile
-
SRG-APP-000108-AS-000067
Group -
Oracle WebLogic must notify administrative personnel as a group in the event of audit processing failure.
Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. To ensure flexibility and ease of use,...Rule Low Severity -
SRG-APP-000116-AS-000076
Group -
Oracle WebLogic must use internal system clocks to generate time stamps for audit records.
Without the use of an approved and synchronized time source, configured on the systems, events cannot be accurately correlated and analyzed to determine what is transpiring within the application s...Rule Low Severity -
SRG-APP-000372-AS-000212
Group -
Oracle WebLogic must synchronize with internal information system clocks which, in turn, are synchronized on an organization-defined frequency with an organization-defined authoritative time source.
Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events. Synchronization of system clocks is...Rule Low Severity -
SRG-APP-000118-AS-000078
Group -
Oracle WebLogic must protect audit information from any type of unauthorized read access.
If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In ...Rule Low Severity -
SRG-APP-000121-AS-000081
Group -
Oracle WebLogic must protect audit tools from unauthorized access.
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may ...Rule Medium Severity -
SRG-APP-000122-AS-000082
Group -
Oracle WebLogic must protect audit tools from unauthorized modification.
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may ...Rule Medium Severity -
SRG-APP-000123-AS-000083
Group -
Oracle WebLogic must protect audit tools from unauthorized deletion.
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may ...Rule Medium Severity -
SRG-APP-000133-AS-000092
Group -
Oracle WebLogic must limit privileges to change the software resident within software libraries (including privileged programs).
Application servers have the ability to specify that the hosted applications utilize shared libraries. The application server must have a capability to divide roles based upon duties wherein one pr...Rule Medium Severity -
SRG-APP-000141-AS-000095
Group -
Oracle WebLogic must adhere to the principles of least functionality by providing only essential capabilities.
Application servers provide a myriad of differing processes, features and functionalities. Some of these processes may be deemed to be unnecessary or too insecure to run on a production DoD system...Rule Medium Severity -
SRG-APP-000142-AS-000014
Group -
Oracle WebLogic must prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.
Application servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed to be unnecessary or too insecure to run on a producti...Rule Medium Severity -
SRG-APP-000516-AS-000237
Group -
Oracle WebLogic must utilize automated mechanisms to prevent program execution on the information system.
The application server must provide a capability to halt or otherwise disable the automatic execution of deployed applications until such time that the application is considered part of the establi...Rule Low Severity -
SRG-APP-000148-AS-000101
Group -
Oracle WebLogic must uniquely identify and authenticate users (or processes acting on behalf of users).
To assure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. The application server must uniquely identify and authenticate ap...Rule High Severity -
SRG-APP-000153-AS-000104
Group -
Oracle WebLogic must authenticate users individually prior to using a group authenticator.
To assure individual accountability and prevent unauthorized access, application server users (and any processes acting on behalf of application server users) must be individually identified and au...Rule High Severity -
SRG-APP-000516-AS-000237
Group -
Oracle WebLogic must enforce minimum password length.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one of several factors that helps t...Rule Medium Severity -
SRG-APP-000516-AS-000237
Group -
Oracle WebLogic must enforce password complexity by the number of upper-case characters used.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a complex password helps to increase the time a...Rule Medium Severity -
SRG-APP-000516-AS-000237
Group -
Oracle WebLogic must enforce password complexity by the number of lower-case characters used.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a complex password helps to increase the time a...Rule Medium Severity -
SRG-APP-000516-AS-000237
Group -
Oracle WebLogic must enforce password complexity by the number of numeric characters used.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a complex password helps to increase the time a...Rule Medium Severity -
SRG-APP-000516-AS-000237
Group -
Oracle WebLogic must enforce password complexity by the number of special characters used.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a complex password helps to increase the time a...Rule Medium Severity -
SRG-APP-000172-AS-000120
Group -
Oracle WebLogic must encrypt passwords during transmission.
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. Application servers have the capability to utilize either certific...Rule High Severity -
SRG-APP-000172-AS-000121
Group -
Oracle WebLogic must utilize encryption when using LDAP for authentication.
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. Application servers have the capability to utilize LDAP directorie...Rule High Severity -
SRG-APP-000175-AS-000124
Group -
Oracle WebLogic, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor.
A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. When t...Rule Medium Severity -
SRG-APP-000177-AS-000126
Group -
Oracle WebLogic must map the PKI-based authentication identity to the user account.
The cornerstone of the PKI is the private key used to encrypt or digitally sign information. The key by itself is a cryptographic value that does not contain specific user information. Applicatio...Rule Medium Severity -
SRG-APP-000179-AS-000129
Group -
Oracle WebLogic must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and D...Rule Medium Severity -
SRG-APP-000179-AS-000129
Group -
Oracle WebLogic must utilize FIPS 140-2 approved encryption modules when authenticating users and processes.
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and D...Rule Medium Severity -
SRG-APP-000440-AS-000167
Group -
Oracle WebLogic must employ cryptographic encryption to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications.
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network....Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.