The designer and IAO will ensure application resources are protected with permission sets which allow only an application administrator to modify application resource configuration files.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-16803 | APP3450 | SV-17803r1_rule | ECCD-1 | Medium |
| Description |
|---|
| If application resources are not protected with permission sets that allow only an application administrator to modify application resource configuration files, unauthorized users can modify configuration files allowing these users to capture data within the application, or turn off encryption, or change any configurable option in the application. |
| STIG | Date |
|---|---|
| Application Security and Development Checklist | 2014-12-22 |
Details
| Check Text ( C-17801r1_chk ) |
|---|
| Ask the application representative to demonstrate the application resources have appropriate access permissions. 1) If the application representative cannot demonstrate all application resources have appropriate access permissions, it is a finding. Review the locations of all configuration files used by the application. Ask the application representative to demonstrate configuration files used by the application are restricted to authorized users. 2) If access permissions to configuration files are not restricted to application administrators, it is a finding. |
| Fix Text (F-17084r1_fix) |
|---|
| Correct access permissions restricting the modification of application resources. |