Skip to content

No profile (default benchmark)

Rules and Groups employed by this XCCDF Profile

  • SRG-APP-000001

    <GroupDescription></GroupDescription>
    Group
  • The web server must limit the number of allowed simultaneous session requests.

    &lt;VulnDiscussion&gt;Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiti...
    Rule Medium Severity
  • SRG-APP-000001

    <GroupDescription></GroupDescription>
    Group
  • The web server must perform server-side session management.

    &lt;VulnDiscussion&gt;Session management is the practice of protecting the bulk of the user authorization and identity information. Storing of this...
    Rule Medium Severity
  • SRG-APP-000014

    <GroupDescription></GroupDescription>
    Group
  • The web server must use encryption strength in accordance with the categorization of data hosted by the web server when remote connections are provided.

    &lt;VulnDiscussion&gt;The web server has several remote communications channels. Examples are user requests via http/https, communication to a back...
    Rule Medium Severity
  • SRG-APP-000015

    <GroupDescription></GroupDescription>
    Group
  • The web server must use cryptography to protect the integrity of remote sessions.

    &lt;VulnDiscussion&gt;Data exchanged between the user and the web server can range from static display data to credentials used to log into the hos...
    Rule Medium Severity
  • SRG-APP-000016

    <GroupDescription></GroupDescription>
    Group
  • The web server must generate information to be used by external applications or entities to monitor and control remote access.

    &lt;VulnDiscussion&gt;Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Rem...
    Rule Medium Severity
  • SRG-APP-000033

    <GroupDescription></GroupDescription>
    Group
  • The web server must enforce approved authorizations for logical access to hosted applications and resources in accordance with applicable access control policies.

    &lt;VulnDiscussion&gt;To control access to sensitive information and hosted applications by entities that have been issued certificates by DoD-appr...
    Rule Medium Severity
  • SRG-APP-000089

    <GroupDescription></GroupDescription>
    Group
  • The web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events.

    &lt;VulnDiscussion&gt;Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.)...
    Rule Medium Severity
  • SRG-APP-000092

    <GroupDescription></GroupDescription>
    Group
  • The web server must initiate session logging upon start up.

    &lt;VulnDiscussion&gt;An attacker can compromise a web server during the startup process. If logging is not initiated until all the web server proc...
    Rule Medium Severity
  • SRG-APP-000095

    <GroupDescription></GroupDescription>
    Group
  • The web server must produce log records containing sufficient information to establish what type of events occurred.

    &lt;VulnDiscussion&gt;Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a corr...
    Rule Medium Severity
  • SRG-APP-000096

    <GroupDescription></GroupDescription>
    Group
  • The web server must produce log records containing sufficient information to establish when (date and time) events occurred.

    &lt;VulnDiscussion&gt;Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a corr...
    Rule Medium Severity
  • SRG-APP-000097

    <GroupDescription></GroupDescription>
    Group
  • The web server must produce log records containing sufficient information to establish where within the web server the events occurred.

    &lt;VulnDiscussion&gt;Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a corr...
    Rule Medium Severity
  • SRG-APP-000098

    <GroupDescription></GroupDescription>
    Group
  • The web server must produce log records containing sufficient information to establish the source of events.

    &lt;VulnDiscussion&gt;Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a corr...
    Rule Medium Severity
  • SRG-APP-000098

    <GroupDescription></GroupDescription>
    Group
  • A web server, behind a load balancer or proxy server, must produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.

    &lt;VulnDiscussion&gt;Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a corr...
    Rule Medium Severity
  • SRG-APP-000099

    <GroupDescription></GroupDescription>
    Group
  • The web server must produce log records that contain sufficient information to establish the outcome (success or failure) of events.

    &lt;VulnDiscussion&gt;Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a corr...
    Rule Medium Severity
  • SRG-APP-000100

    <GroupDescription></GroupDescription>
    Group
  • The web server must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.

    &lt;VulnDiscussion&gt;Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a corr...
    Rule Medium Severity
  • SRG-APP-000108

    <GroupDescription></GroupDescription>
    Group
  • The web server must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure.

    &lt;VulnDiscussion&gt;Reviewing log data allows an investigator to recreate the path of an attacker and to capture forensic data for later use. Log...
    Rule Medium Severity
  • SRG-APP-000116

    <GroupDescription></GroupDescription>
    Group
  • The web server must use the internal system clock to generate time stamps for log records.

    &lt;VulnDiscussion&gt;Without an internal clock used as the reference for the time stored on each event to provide a trusted common reference for t...
    Rule Medium Severity
  • SRG-APP-000118

    <GroupDescription></GroupDescription>
    Group
  • Web server log files must only be accessible by privileged users.

    &lt;VulnDiscussion&gt;Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysi...
    Rule Medium Severity
  • SRG-APP-000119

    <GroupDescription></GroupDescription>
    Group
  • The log information from the web server must be protected from unauthorized modification.

    &lt;VulnDiscussion&gt;Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that i...
    Rule Medium Severity
  • SRG-APP-000120

    <GroupDescription></GroupDescription>
    Group
  • The log information from the web server must be protected from unauthorized deletion.

    &lt;VulnDiscussion&gt;Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that i...
    Rule Medium Severity
  • SRG-APP-000125

    <GroupDescription></GroupDescription>
    Group
  • The log data and records from the web server must be backed up onto a different system or media.

    &lt;VulnDiscussion&gt;Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up log records to an unrelated...
    Rule Medium Severity
  • SRG-APP-000131

    <GroupDescription></GroupDescription>
    Group
  • All web server files must be verified for their integrity (e.g., checksums and hashes) before becoming part of the production web server.

    &lt;VulnDiscussion&gt;Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer o...
    Rule Medium Severity
  • SRG-APP-000131

    <GroupDescription></GroupDescription>
    Group
  • Expansion modules must be fully reviewed, tested, and signed before they can exist on a production web server.

    &lt;VulnDiscussion&gt;In the case of a production web server, areas for content development and testing will not exist, as this type of content is ...
    Rule Medium Severity
  • SRG-APP-000141

    <GroupDescription></GroupDescription>
    Group
  • The web server must not perform user management for hosted applications.

    &lt;VulnDiscussion&gt;User management and authentication can be an essential part of any application hosted by the web server. Along with authentic...
    Rule Medium Severity
  • SRG-APP-000141

    <GroupDescription></GroupDescription>
    Group
  • The web server must only contain services and functions necessary for operation.

    &lt;VulnDiscussion&gt;A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to r...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules