II - Mission Support Public
Rules and Groups employed by this XCCDF Profile
-
SRG-APP-000001
Group -
The web server must limit the number of allowed simultaneous session requests.
Web server management includes the ability to control the number of users and user sessions that utilize a web server. Limiting the number of allowed users and sessions per user is helpful in limit...Rule Medium Severity -
SRG-APP-000001
Group -
The web server must perform server-side session management.
Session management is the practice of protecting the bulk of the user authorization and identity information. Storing of this data can occur on the client system or on the server. When the sessio...Rule Medium Severity -
SRG-APP-000014
Group -
The web server must use encryption strength in accordance with the categorization of data hosted by the web server when remote connections are provided.
The web server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or communication to authenticate users. The encryption use...Rule Medium Severity -
SRG-APP-000015
Group -
The web server must use cryptography to protect the integrity of remote sessions.
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed ...Rule Medium Severity -
SRG-APP-000016
Group -
The web server must generate information to be used by external applications or entities to monitor and control remote access.
Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform manag...Rule Medium Severity -
SRG-APP-000033
Group -
The web server must enforce approved authorizations for logical access to hosted applications and resources in accordance with applicable access control policies.
To control access to sensitive information and hosted applications by entities that have been issued certificates by DoD-approved PKIs, the web server must be properly configured to incorporate a m...Rule Medium Severity -
SRG-APP-000089
Group -
The web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events.
Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionali...Rule Medium Severity -
SRG-APP-000092
Group -
The web server must initiate session logging upon start up.
An attacker can compromise a web server during the startup process. If logging is not initiated until all the web server processes are started, key information may be missed and not available durin...Rule Medium Severity -
SRG-APP-000095
Group -
The web server must produce log records containing sufficient information to establish what type of events occurred.
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. For web servers, events...Rule Medium Severity -
SRG-APP-000096
Group -
The web server must produce log records containing sufficient information to establish when (date and time) events occurred.
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correc...Rule Medium Severity -
SRG-APP-000097
Group -
The web server must produce log records containing sufficient information to establish where within the web server the events occurred.
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correc...Rule Medium Severity -
SRG-APP-000098
Group -
The web server must produce log records containing sufficient information to establish the source of events.
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correc...Rule Medium Severity -
SRG-APP-000098
Group -
A web server, behind a load balancer or proxy server, must produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correc...Rule Medium Severity -
SRG-APP-000099
Group -
The web server must produce log records that contain sufficient information to establish the outcome (success or failure) of events.
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the succes...Rule Medium Severity -
SRG-APP-000100
Group -
The web server must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.
Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Determining user account...Rule Medium Severity -
SRG-APP-000108
Group -
The web server must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure.
Reviewing log data allows an investigator to recreate the path of an attacker and to capture forensic data for later use. Log data is also essential to system administrators in their daily administ...Rule Medium Severity -
SRG-APP-000116
Group -
The web server must use the internal system clock to generate time stamps for log records.
Without an internal clock used as the reference for the time stored on each event to provide a trusted common reference for the time, forensic analysis would be impeded. Determining the correct tim...Rule Medium Severity -
SRG-APP-000118
Group -
Web server log files must only be accessible by privileged users.
Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activ...Rule Medium Severity -
SRG-APP-000119
Group -
The log information from the web server must be protected from unauthorized modification.
Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risk...Rule Medium Severity -
SRG-APP-000120
Group -
The log information from the web server must be protected from unauthorized deletion.
Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security risk...Rule Medium Severity -
SRG-APP-000125
Group -
The log data and records from the web server must be backed up onto a different system or media.
Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up log records to an unrelated system or onto separate media than the system the web server is actuall...Rule Medium Severity -
SRG-APP-000131
Group -
All web server files must be verified for their integrity (e.g., checksums and hashes) before becoming part of the production web server.
Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer of the file is essential for file validation and nonrepudiation of the in...Rule Medium Severity -
SRG-APP-000131
Group -
Expansion modules must be fully reviewed, tested, and signed before they can exist on a production web server.
In the case of a production web server, areas for content development and testing will not exist, as this type of content is only permissible on a development website. The process of developing on ...Rule Medium Severity -
SRG-APP-000141
Group -
The web server must not perform user management for hosted applications.
User management and authentication can be an essential part of any application hosted by the web server. Along with authenticating users, the user management function must perform several other tas...Rule Medium Severity -
SRG-APP-000141
Group -
The web server must only contain services and functions necessary for operation.
A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capabil...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.