Skip to content

II - Mission Support Sensitive

Rules and Groups employed by this XCCDF Profile

  • SRG-APP-000149-AS-000102

    <GroupDescription></GroupDescription>
    Group
  • Oracle WebLogic must employ strong identification and authentication techniques when establishing nonlocal maintenance and diagnostic sessions.

    &lt;VulnDiscussion&gt;Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network,...
    Rule Medium Severity
  • SRG-APP-000295-AS-000263

    <GroupDescription></GroupDescription>
    Group
  • Oracle WebLogic must terminate the network connection associated with a communications session at the end of the session or after a DoD-defined time period of inactivity.

    &lt;VulnDiscussion&gt; If communications sessions remain open for extended periods of time even when unused, there is the potential for an adversar...
    Rule Low Severity
  • SRG-APP-000440-AS-000167

    <GroupDescription></GroupDescription>
    Group
  • Oracle WebLogic must establish a trusted communications path between the user and organization-defined security functions within the information system.

    &lt;VulnDiscussion&gt;Without a trusted communication path, the application server is vulnerable to a man-in-the-middle attack. Application server...
    Rule Medium Severity
  • SRG-APP-000516-AS-000237

    <GroupDescription></GroupDescription>
    Group
  • Oracle WebLogic must utilize NSA-approved cryptography when protecting classified compartmentalized data.

    &lt;VulnDiscussion&gt;Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested e...
    Rule Medium Severity
  • SRG-APP-000435-AS-000069

    <GroupDescription></GroupDescription>
    Group
  • Oracle WebLogic must protect the integrity and availability of publicly available information and applications.

    &lt;VulnDiscussion&gt; The purpose of this control is to ensure organizations explicitly address the protection needs for public information and ap...
    Rule Medium Severity
  • SRG-APP-000211-AS-000146

    <GroupDescription></GroupDescription>
    Group
  • Oracle WebLogic must separate hosted application functionality from Oracle WebLogic management functionality.

    &lt;VulnDiscussion&gt;Application server management functionality includes functions necessary to administer the application server and requires pr...
    Rule Medium Severity
  • SRG-APP-000219-AS-000147

    <GroupDescription></GroupDescription>
    Group
  • Oracle WebLogic must ensure authentication of both client and server during the entire session.

    &lt;VulnDiscussion&gt;This control focuses on communications protection at the session, versus packet level. At the application layer, session ID...
    Rule Medium Severity
  • SRG-APP-000220-AS-000148

    <GroupDescription></GroupDescription>
    Group
  • Oracle WebLogic must terminate user sessions upon user logout or any other organization- or policy-defined session termination events such as idle time limit exceeded.

    &lt;VulnDiscussion&gt; If communications sessions remain open for extended periods of time even when unused, there is the potential for an adversar...
    Rule Medium Severity
  • SRG-APP-000225-AS-000153

    <GroupDescription></GroupDescription>
    Group
  • Oracle WebLogic must be configured to perform complete application deployments.

    &lt;VulnDiscussion&gt; Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failur...
    Rule Medium Severity
  • SRG-APP-000440-AS-000167

    <GroupDescription></GroupDescription>
    Group
  • Oracle WebLogic must protect the confidentiality of applications and leverage transmission protection mechanisms, such as TLS and SSL VPN, when deploying applications.

    &lt;VulnDiscussion&gt;Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptogr...
    Rule Medium Severity
  • SRG-APP-000435-AS-000069

    <GroupDescription></GroupDescription>
    Group
  • Oracle WebLogic must protect the integrity of applications during the processes of data aggregation, packaging, and transformation in preparation for deployment.

    &lt;VulnDiscussion&gt;Information can be subjected to unauthorized changes (e.g., malicious and/or unintentional modification) at information aggre...
    Rule Low Severity
  • SRG-APP-000435-AS-000163

    <GroupDescription></GroupDescription>
    Group
  • Oracle WebLogic must protect against or limit the effects of HTTP types of Denial of Service (DoS) attacks.

    &lt;VulnDiscussion&gt;Employing increased capacity and bandwidth combined with service redundancy can reduce the susceptibility to some DoS attacks...
    Rule Medium Severity
  • SRG-APP-000435-AS-000163

    <GroupDescription></GroupDescription>
    Group
  • Oracle WebLogic must limit the use of resources by priority and not impede the host from servicing processes designated as a higher-priority.

    &lt;VulnDiscussion&gt;Priority protection helps the application server prevent a lower-priority application process from delaying or interfering wi...
    Rule Medium Severity
  • SRG-APP-000225-AS-000166

    <GroupDescription></GroupDescription>
    Group
  • Oracle WebLogic must fail securely in the event of an operational failure.

    &lt;VulnDiscussion&gt; Fail secure is a condition achieved by the application server in order to ensure that in the event of an operational failure...
    Rule Medium Severity
  • SRG-APP-000440-AS-000167

    <GroupDescription></GroupDescription>
    Group
  • Oracle WebLogic must employ approved cryptographic mechanisms when transmitting sensitive data.

    &lt;VulnDiscussion&gt;Preventing the disclosure of transmitted information requires that application servers take measures to employ approved crypt...
    Rule Medium Severity
  • SRG-APP-000266-AS-000168

    <GroupDescription></GroupDescription>
    Group
  • Oracle WebLogic must identify potentially security-relevant error conditions.

    &lt;VulnDiscussion&gt;The structure and content of error messages need to be carefully considered by the organization and development team. The ext...
    Rule Low Severity
  • SRG-APP-000266-AS-000169

    <GroupDescription></GroupDescription>
    Group
  • Oracle WebLogic must only generate error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages.

    &lt;VulnDiscussion&gt;Any application providing too much information in error logs and in administrative messages to the screen risks compromising ...
    Rule Medium Severity
  • SRG-APP-000267-AS-000170

    <GroupDescription></GroupDescription>
    Group
  • Oracle WebLogic must restrict error messages so only authorized personnel may view them.

    &lt;VulnDiscussion&gt;If the application provides too much information in error logs and administrative messages to the screen, this could lead to ...
    Rule Medium Severity
  • SRG-APP-000108-AS-000067

    <GroupDescription></GroupDescription>
    Group
  • Oracle WebLogic must provide system notifications to a list of response personnel who are identified by name and/or role.

    &lt;VulnDiscussion&gt;Incident response applications are, by their nature, designed to monitor, detect, and alarm on defined events occurring on th...
    Rule Medium Severity
  • SRG-APP-000516-AS-000237

    <GroupDescription></GroupDescription>
    Group
  • Oracle WebLogic must be integrated with a tool to monitor audit subsystem failure notification information that is sent out (e.g., the recipients of the message and the nature of the failure).

    &lt;VulnDiscussion&gt; It is critical that, when a system is at risk of failing to process audit logs, it detects and takes action to mitigate the ...
    Rule Medium Severity
  • SRG-APP-000516-AS-000237

    <GroupDescription></GroupDescription>
    Group
  • Oracle WebLogic must be managed through a centralized enterprise tool.

    &lt;VulnDiscussion&gt;The application server can host multiple applications which require different functions to operate successfully but many of t...
    Rule Medium Severity
  • SRG-APP-000516-AS-000237

    <GroupDescription></GroupDescription>
    Group
  • Oracle WebLogic must be integrated with a tool to implement multi-factor user authentication.

    &lt;VulnDiscussion&gt;Multifactor authentication is defined as: using two or more factors to achieve authentication. Factors include: (i) someth...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules