{
"stig": {
"date": "2013-01-08",
"description": "The Application Server Security Requirements Guide (SRG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.",
"findings": {
"V-35070": {
"checkid": "C-43459r2_chk",
"checktext": "Review AS product documentation and configuration to determine if the number of concurrent sessions can be limited to an organization defined number of sessions. \n\nIf a feature to limit the number of concurrent sessions on a per hosted application basis is not configured, this is a finding.",
"description": "Application management includes the ability to control the number of sessions that utilize an application. Limiting the number of allowed sessions is helpful in limiting risks related to Denial of Service attacks.\n\nApplication servers host and expose business logic and application processes. The application server must possess the capability to limit the maximum number of concurrent sessions in a manner that affects the entire application server or on an individual application basis.\n\nThe maximum session number values must be configurable so as to meet future DoD requirements that define the maximum number of concurrent sessions.",
"fixid": "F-39623r2_fix",
"fixtext": "Configure the AS to limit the number of concurrent sessions per application or per server.",
"iacontrols": null,
"id": "V-35070",
"ruleID": "SV-46335r1_rule",
"severity": "medium",
"title": "The application server must define the maximum number of concurrent sessions for an application account globally, by account type, by account, or a combination thereof.",
"version": "SRG-APP-000001-AS-000001"
},
"V-35073": {
"checkid": "C-43460r2_chk",
"checktext": "Review system documentation to determine if the AS maintains the binding of digital signatures to software objects when those objects are stored after installation. If these bindings are not maintained, this is a finding.\n",
"description": "Digital signatures enable the system to verify the integrity of the signed object and authenticate the object's signatory. Failure to maintain the binding of digital signatures on software components and applications in storage makes it more likely that an adversary could modify or replace those objects. Conversely, the bindings enable the operating system to verify the software's integrity and source with a high degree of assurance whenever necessary.\n\n",
"fixid": "F-39625r3_fix",
"fixtext": "Configure the AS to maintain the binding of digital signatures to software objects when those objects are stored after installation.",
"iacontrols": null,
"id": "V-35073",
"ruleID": "SV-46341r1_rule",
"severity": "medium",
"title": "The application server must maintain and support the use of digital signatures on software components and applications in storage.",
"version": "SRG-APP-000006-AS-000002"
},
"V-35079": {
"checkid": "C-43466r2_chk",
"checktext": "Review system documentation to determine if the AS binds digital signatures to designated parts of messages when those messages are processed. If these bindings are not maintained, this is a finding.\n",
"description": "If the application server does not maintain the data security attributes while it processes the data, there is a risk of data compromise. \n\nEncryption, particularly digital signatures, is utilized to assure the validity of data. Digital signatures must be bound to AS processes or applications that utilize the AS when required as per data owner or classification level. Encryption is also resource intensive and sometimes only a particular sub-component may require encryption. Therefore the AS must also be capable of digitally signing the designated parts of components. For example, that would mean signing a portion of a web services message rather than the entire message.\n",
"fixid": "F-39630r3_fix",
"fixtext": "Configure the AS to bind digital signatures to designated parts of messages in process.",
"iacontrols": null,
"id": "V-35079",
"ruleID": "SV-46366r1_rule",
"severity": "medium",
"title": "The application server must bind digital signatures to software components and applications in process.",
"version": "SRG-APP-000007-AS-000003"
},
"V-35080": {
"checkid": "C-43467r3_chk",
"checktext": "Review system documentation to determine if the AS binds a digital signature to software and/or messages when they are transmitted. If these actions are not performed, this is a finding.\n",
"description": "Digital signatures enable the system to verify the integrity of the signed object and authenticate the object's signatory. Failure to maintain the binding of digital signatures on software components and applications when they are transmitted across the network makes it more likely that an adversary could modify or replace those objects when the software is executed. The bindings enable the operating system to verify the software's integrity and source just before the execution process. In order for the signature to be present at execution, it must be bound before or during transmission.\n\nIf the application server does not maintain the data security attributes when it transmits the data, there is a risk of data compromise.\n",
"fixid": "F-39631r4_fix",
"fixtext": "Configure the AS to digitally sign software and/or messages before or during transmission.",
"iacontrols": null,
"id": "V-35080",
"ruleID": "SV-46367r1_rule",
"severity": "medium",
"title": "The application server must support and maintain the binding of digital signatures on information in transmission.",
"version": "SRG-APP-000008-AS-000005"
},
"V-35081": {
"checkid": "C-43468r2_chk",
"checktext": "Review AS configuration to ensure that only the administrator can change security attributes. If any other accounts can modify security attributes, this is a finding.\n",
"description": "Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. \n\nSecurity attributes are typically associated with internal data structures and configuration (e.g., application deployment, logging, monitoring) within the application server and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the organizational information security policy.\n\nIf unauthorized entities were able to change security attributes, the integrity and/or confidentiality of the AS could be compromised.\n",
"fixid": "F-39632r3_fix",
"fixtext": "Configure the AS to only allow the administrator to change security attributes. ",
"iacontrols": null,
"id": "V-35081",
"ruleID": "SV-46368r1_rule",
"severity": "high",
"title": "The application server must specify administrative users and grant them the sole right to change application security attributes pertaining to application server configuration.\n",
"version": "SRG-APP-000010-AS-000006"
},
"V-35082": {
"checkid": "C-43469r2_chk",
"checktext": "Review system documentation to determine if the AS maintains the binding of digital credentials to information with sufficient assurance that the information--credential association can be used as the basis for automated policy actions. If these bindings are not maintained, this is a finding.\n",
"description": "Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. \n\nThese attributes are typically associated with internal data structures (e.g., records, buffers, files) within the information system and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. \n\nExamples of application security attributes are classified, FOUO, sensitive, etc. \n\nWithout the assurance of credential association with the application files or data, policy decisions based on that association become faulty and potentially allow for authorization decisions that are applied incorrectly.\n",
"fixid": "F-39633r3_fix",
"fixtext": "Configure the AS to maintain the binding of digital credentials to information with sufficient assurance that the information--credential association can be used as the basis for automated policy actions. ",
"iacontrols": null,
"id": "V-35082",
"ruleID": "SV-46369r1_rule",
"severity": "medium",
"title": "The application server must maintain the binding of security attributes to information with sufficient assurance that the information/attribute association can be used as the basis for automated policy actions.\n",
"version": "SRG-APP-000011-AS-000007"
},
"V-35088": {
"checkid": "C-43475r2_chk",
"checktext": "Review AS documentation to determine if the AS only allows authorized administrators to associate PKI credentials with information. If the AS allows individuals other than authorized users to associate PKI credentials with information, this is a finding.\n",
"description": "Throughout the course of normal usage, authorized users of application servers will have the need to associate security attributes in the form of PKI credentials with information. The AS utilizes a role based authentication model when managing AS resources and limits access according to user role. \nThe AS must ensure that only the users who are authorized to associate security attributes with information are allowed to do so.\n",
"fixid": "F-39639r2_fix",
"fixtext": "Configure AS accounts so only authorized users can associate PKI credentials with information.",
"iacontrols": null,
"id": "V-35088",
"ruleID": "SV-46375r1_rule",
"severity": "medium",
"title": "The application server must allow authorized users to associate PKI credentials with information.",
"version": "SRG-APP-000012-AS-000008"
},
"V-35089": {
"checkid": "C-43476r2_chk",
"checktext": "Check the AS configuration to ensure all management interfaces utilize cryptographic encryption. If the AS is not configured to encrypt remote access management sessions, this is a finding.\n",
"description": "Remote management access is accomplished by leveraging common communication protocols and establishing a remote connection to the AS via a network for the purposes of managing the AS. If cryptography is not used, then the session data traversing the remote connection could be intercepted and compromised. \n\nTypes of management interfaces utilized by an AS include web based HTTPS interfaces as well as command line based management interfaces. All AS management interfaces must utilize cryptographic encryption.\n",
"fixid": "F-39640r2_fix",
"fixtext": "Configure the AS to use cryptographic encryption to protect the confidentiality of remote access management sessions. ",
"iacontrols": null,
"id": "V-35089",
"ruleID": "SV-46376r1_rule",
"severity": "medium",
"title": "The application server must utilize cryptography to protect the confidentiality of remote access management sessions.",
"version": "SRG-APP-000014-AS-000009"
},
"V-35090": {
"checkid": "C-43477r3_chk",
"checktext": "Review the AS documentation and configuration to ensure the AS is configured to use cryptography to protect the integrity of remote access sessions. If the AS is not configured to use cryptography to protect the integrity of remote access sessions, this is a finding.\n",
"description": "Encryption is critical for protection of remote access sessions. If encryption is not being used for integrity, malicious users may gain the ability to modify the AS configuration. The use of cryptography for ensuring integrity of remote access sessions mitigates that risk.\n\nApplication servers utilize a web management interface and scripted commands when allowing remote access. Web access requires the use of SSL 3.0 or TLS 1.0 and scripted access requires using ssh or some other form of approved cryptography. Application servers must have a capability to enable a secure remote admin capability.",
"fixid": "F-39641r3_fix",
"fixtext": "Configure the AS to utilize encryption during remote access sessions.",
"iacontrols": null,
"id": "V-35090",
"ruleID": "SV-46377r1_rule",
"severity": "medium",
"title": "The application server must use cryptography to protect the integrity of the remote access session.",
"version": "SRG-APP-000015-AS-000010"
},
"V-35091": {
"checkid": "C-43478r2_chk",
"checktext": "Review the AS configuration to determine that the system is employing automated mechanisms to facilitate the monitoring and control of web based or command line based remote access administrative connections. If the system is not employing automated monitoring and control mechanisms, this is a finding.\n",
"description": "Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. \n\nApplication servers provide remote management access and need to provide the ability to facilitate the monitoring and control of remote user sessions. This includes the capability to directly trigger actions based on user activity, or pass information to a separate application or entity that can then perform automated tasks based on the information. \n\nExamples of automated mechanisms include, but are not limited to, automated monitoring of log activity associated with remote access or process monitoring tools. \n\n\nThe AS must employ mechanisms that allow for monitoring and control of web based and command line based administrative remote sessions.",
"fixid": "F-39642r2_fix",
"fixtext": "Configure the AS to facilitate monitoring and control of web based or command line based administrative connections. ",
"iacontrols": null,
"id": "V-35091",
"ruleID": "SV-46378r1_rule",
"severity": "medium",
"title": "The application server must employ automated mechanisms to facilitate the monitoring and control of remote access methods.",
"version": "SRG-APP-000016-AS-000011"
},
"V-35092": {
"checkid": "C-43479r2_chk",
"checktext": "Review product documentation and system configuration to ensure the AS provides the capability to control all servers in a cluster from a centralized management system. If the AS is not configured to meet this requirement, it is a finding.\n\nFix Text: Configure the AS to manage all servers in the cluster from a centralized management system. ",
"description": "Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection to the AS. \n\nApplication server clusters are multiple application servers hosting the same application or applications. Clusters are utilized to provide application load balancing and/or redundancy.\n\nWithout centralized control of clustered application servers, management of multiple application servers configured in a cluster is difficult at best. It is critical that application servers provide the capability to manage all application servers contained within a cluster from the centralized designated management system.",
"fixid": "F-39643r2_fix",
"fixtext": "Configure the AS to manage all servers in the cluster from a centralized management system. ",
"iacontrols": null,
"id": "V-35092",
"ruleID": "SV-46379r1_rule",
"severity": "medium",
"title": "The application server must route all remote management access through a centrally managed access control point.\n",
"version": "SRG-APP-000017-AS-000012"
},
"V-35094": {
"checkid": "C-43482r3_chk",
"checktext": "Review the AS product documentation and server configuration to ensure only organization defined network protocols are enabled. \n\nExplicitly identified components deemed necessary to support operation requirements are allowed. \n\nIf networking protocols that have not been approved by the organization are enabled or cannot be disabled without negatively impacting AS operation, this is a finding.",
"description": "Some networking protocols may not meet organizational security requirements to protect data and components. \n\nApplication servers natively host a number of various features such as management interfaces, httpd servers and message queues. These features all run on TCP/IP ports. This creates the potential that the vendor may choose to utilize port numbers or network services that have been deemed unusable by the organization. The application server must have the capability to both reconfigure and disable the assigned ports without adversely impacting application server operation capabilities. For a list of approved ports and protocols, reference the DoD ports and protocols web site at https://powhatan.iiie.disa.mil/ports/cal.html",
"fixid": "F-39646r2_fix",
"fixtext": "Configure the AS to disable use of organization defined networking protocols deemed to be non-secure except for explicitly identified protocols in support of operational requirements.",
"iacontrols": null,
"id": "V-35094",
"ruleID": "SV-46381r1_rule",
"severity": "medium",
"title": "The application server must support the capability to disable network protocols deemed by the organization to be nonsecure except for explicitly identified components in support of specific operational requirements.",
"version": "SRG-APP-000020-AS-000014"
},
"V-35096": {
"checkid": "C-43484r2_chk",
"checktext": "Review AS configuration to verify the AS is configured to display a customizable notification message or banner that meets this requirement. If the AS is not configured to meet this requirement, this is a finding.",
"description": "Application servers are required to display an approved system use notification message or banner before granting access to the system, providing privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance that states that: \n\n(i) users are accessing a U.S. Government information system; \n(ii) system usage may be monitored, recorded, and subject to audit; \n(iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and \n(iv) the use of the system indicates consent to monitoring and recording.\n\nSystem use notification messages can be implemented in the form of warning banners displayed when individuals log in to the information system. \n\nSystem use notification is intended only for information system access including an interactive login interface with a human user, and is not required when an interactive interface does not exist. \n\nUse this banner for desktops, laptops, and other devices accommodating banners of 1300 characters. The banner shall be implemented as a click-through banner at logon (to the extent permitted by the operating system), meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating \"OK\".\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\n\nFor Blackberries and other PDAs/PEDs with severe character limitations use the following:\n\n\"I've read & consent to terms in IS user agreem't.\"",
"fixid": "F-39648r2_fix",
"fixtext": "Configure the AS management interface so it displays the approved message banner prior to allowing access. ",
"iacontrols": null,
"id": "V-35096",
"ruleID": "SV-46383r1_rule",
"severity": "low",
"title": "The application server management interface must display an approved system use notification message or banner before granting access to the system.",
"version": "SRG-APP-000068-AS-000035"
},
"V-35098": {
"checkid": "C-43486r2_chk",
"checktext": "Review AS product documentation and configuration to determine that the logon banner can be displayed until the user takes action to acknowledge the agreement. \n\nIf the banner screen allows continuation on to the logon screen without user interaction, this is a finding.\n",
"description": "To establish acceptance of system usage policy, a click-through banner at application server logon is required. The banner shall prevent further activity on the application server unless and until the user executes a positive action to manifest agreement by clicking on a box indicating \"OK\". The text of this banner should be customizable in the event of future user agreement changes.\n",
"fixid": "F-39650r2_fix",
"fixtext": "Configure the AS to retain the logon banner on the screen until the user takes explicit actions to logon to the server.",
"iacontrols": null,
"id": "V-35098",
"ruleID": "SV-46385r1_rule",
"severity": "low",
"title": "The application server management interface must retain the system use notification message or banner on the screen until users take explicit actions to logon for further access.\n",
"version": "SRG-APP-000069-AS-000036"
},
"V-35099": {
"checkid": "C-43487r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Decisions regarding the utilization of mobile code within organizational information systems need to include evaluations which help determine the potential for the code to cause damage to the system if used maliciously. \n\nMobile code technologies include, for example, Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. \nThe requirement is NA.\n The AS may host applications that utilize or offer mobile code but it does not enforce mobile code policies.",
"fixid": "F-39651r1_fix",
"fixtext": "The application must prevent the execution of prohibited mobile code.",
"iacontrols": null,
"id": "V-35099",
"ruleID": "SV-46386r1_rule",
"severity": "medium",
"title": "The application must prevent the execution of prohibited mobile code.",
"version": "SRG-APP-000298-AS-NA"
},
"V-35101": {
"checkid": "C-43490r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Including or excluding access to the granularity of a single user means providing the capability to either allow or deny access to application objects on a per single user basis. The requirement is NA. \n\nThe AS utilizes RBAC and does not allow individual users to specify or control sharing of AS objects.",
"fixid": "F-39654r1_fix",
"fixtext": "The requirement is NA. No fix is required.",
"iacontrols": null,
"id": "V-35101",
"ruleID": "SV-46388r1_rule",
"severity": "medium",
"title": "The application server must enforce an access control policy that includes or excludes access to application objects to the granularity of a single user.",
"version": "SRG-APP-000297-AS-NA"
},
"V-35102": {
"checkid": "C-43489r2_chk",
"checktext": "Review AS product documentation and server configuration to determine if an approved system use notification can be displayed at logon and/or unlock. If there is no banner, or if the banner's wording does not match the approved wording, this is a finding.\n",
"description": "Application servers must display an approved system use notification message or banner before granting access to the system. \n\nSystem use notification messages are implemented in the form of warning banners displayed when individuals log in to the information system. System use notification is intended only for information system access including an interactive login interface with a human user and is not intended to require notification when an interactive interface does not exist. \n\nApplication servers provide a user management interface usually in the form of a web page or command shell. This is used to manage application server configuration and configure application deployment options among other things.",
"fixid": "F-39653r4_fix",
"fixtext": "Configure the AS to display an approved system use notification message or banner before granting access to the system, unless the banner text was already displayed to the administrator via the operating system logon on the server on which the application resides.",
"iacontrols": null,
"id": "V-35102",
"ruleID": "SV-46389r1_rule",
"severity": "low",
"title": "The application server must display an approved system use notification message or banner before granting access to the system.\n",
"version": "SRG-APP-000070-AS-000037"
},
"V-35103": {
"checkid": "C-43491r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Discretionary Access Control (DAC) is based on the premise that individual users are \"owners\" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment.\n\nDAC allows the owner to determine who will have access to objects they control. An example of DAC includes user controlled file permissions. DAC models have the potential for the access controls to propagate without limit resulting in unauthorized access to said objects.\n\nWhen applications provide a discretionary access control mechanism, the application must be able to limit the propagation of those access rights. \n\nThe requirement is NA. The AS utilizes RBAC and does not allow individual users to specify or control sharing of AS objects.",
"fixid": "F-39655r1_fix",
"fixtext": "The requirement is NA. No fix is required.",
"iacontrols": null,
"id": "V-35103",
"ruleID": "SV-46390r1_rule",
"severity": "medium",
"title": "Applications utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights.",
"version": "SRG-APP-000296-AS-NA"
},
"V-35104": {
"checkid": "C-43493r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Decisions regarding the development of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies include but are not limited to: Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. \n\nMobile code is obtained from remote systems, transferred over a network, downloaded and executed on a local system without explicit installation or execution by the recipient. \n\nDoDI 8552.01 policy pertains to the use of mobile code technologies within DoD information systems. \n\n\nThis requirement addresses issues related to the development of mobile code. Application servers host mobile code but are not used for developing it. This requirement is NA.",
"fixid": "F-39657r1_fix",
"fixtext": "The requirement is NA. No fix is required.",
"iacontrols": null,
"id": "V-35104",
"ruleID": "SV-46391r1_rule",
"severity": "medium",
"title": "Mobile code applications must be developed in accordance with DoD-defined mobile code requirements.",
"version": "SRG-APP-000295-AS-NA"
},
"V-35105": {
"checkid": "C-43492r2_chk",
"checktext": "Verify the AS sends alerts to the administrator or organization's central audit management system when the audit log size reaches an organization-defined percentage of overall capacity. If the AS is configured to use a SAN, obtain SAN configuration information that shows this requirement is being met. Review auditing configurations. If designated alerts are not sent, this is a finding.\n",
"description": "Application servers need to be cognizant of potential audit log storage capacity issues. AS auditing capability is critical for accurate forensic analysis. Alerting administrators when audit log size thresholds are exceeded helps ensure the administrators can respond to heavy activity in a timely manner. Failure to alert increases the probability that an adversary's actions will go undetected. \nThe AS or the configured Network Attached Storage Device (SAN) must alert administrators when audit log usage reaches a defined percentage of overall capacity.",
"fixid": "F-39656r2_fix",
"fixtext": "Configure the AS or the SAN audit feature to alert the administrator or organization's central audit management system when the audit log size reaches an organization-defined critical percentage of overall capacity.",
"iacontrols": null,
"id": "V-35105",
"ruleID": "SV-46392r1_rule",
"severity": "low",
"title": "The application server must configure auditing to reduce the likelihood of storage capacity being exceeded.",
"version": "SRG-APP-000071-AS-000038"
},
"V-35107": {
"checkid": "C-43495r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Application security functional testing involves testing the application for conformance to the application's security function specifications, as well as for conformance to the underlying security model. The need to verify security functionality applies to all security functions. The conformance criteria state the conditions necessary for the application to exhibit the desired security behavior or satisfy a security property, for example, successful login triggers an audit entry. \n\nOrganizations may define conditions requiring verification and the frequency in which such testing occurs. Security function testing usually occurs during the development phase and can, in some instances, occur in the production phase if the developer provides the security conformance criteria or if the conformance criteria can be established. There are application testing frameworks available that can perform functional testing on production systems; however, they are limited in their applicability and are language- or product-centric. \n\nThis requirement relates to functional testing of security specifications conducted during development. This is not done on a production application server.",
"fixid": "F-39659r1_fix",
"fixtext": "The requirement is NA. No fix is required.",
"iacontrols": null,
"id": "V-35107",
"ruleID": "SV-46394r1_rule",
"severity": "medium",
"title": "The application must either implement compensating security controls or the organization explicitly accepts the risk of not performing the verification as required.",
"version": "SRG-APP-000289-AS-NA"
},
"V-35108": {
"checkid": "C-43496r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Intrusion monitoring applications are, by their nature, designed to monitor and record network and system traffic and activity. They can accumulate a significant amount of sensitive data, examples of which could include user account information and application data not related to the intrusion monitoring application itself. \n\nIntrusion monitoring tools also obtain information that is critical to conducting forensic analysis on attacks occurring within the network. This data may be sensitive in nature. Information obtained by intrusion monitoring applications in the course of evaluating network and system security needs to be protected. \n\nThe AS is not an information system monitoring tool. This requirement is NA.",
"fixid": "F-39660r1_fix",
"fixtext": "The requirement is NA. No fix is required.",
"iacontrols": null,
"id": "V-35108",
"ruleID": "SV-46395r1_rule",
"severity": "medium",
"title": "The application must protect information obtained from intrusion monitoring tools from unauthorized access, modification, and deletion.",
"version": "SRG-APP-000288-AS-NA"
},
"V-35109": {
"checkid": "C-43497r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "System availability is a key tenet of system security. Organizations need to have the flexibility to be able to define the automated actions taken in response to an identified incident. This includes being able to define a least disruptive action that the application takes to terminate suspicious events. A least disruptive action may include initiating a request for human response rather than blocking traffic or disrupting system operation. \n\nThis requirement applies to intrusion detection and system monitoring applications, not an AS.",
"fixid": "F-39661r1_fix",
"fixtext": "The requirement is NA. No fix is required.",
"iacontrols": null,
"id": "V-35109",
"ruleID": "SV-46396r1_rule",
"severity": "medium",
"title": "The application server must take an organization defined list of least-disruptive actions to terminate suspicious events.",
"version": "SRG-APP-000287-AS-NA"
},
"V-35112": {
"checkid": "C-43500r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Incident response applications are, by their nature, designed to monitor, detect, and alarm on defined events occurring on the system or on the network. A large part of their functionality is accurate and timely notification of events. Notifications can be made more efficient by the creation of notification groups containing members who would be responding to a particular alarm or event. This requirement is NA. \n\nThe AS is not an incident response tool.",
"fixid": "F-39664r1_fix",
"fixtext": "The requirement is NA. No fix is required.",
"iacontrols": null,
"id": "V-35112",
"ruleID": "SV-46399r1_rule",
"severity": "medium",
"title": "Applications providing notifications regarding suspicious events must include the capability to notify an organization defined list of response personnel who are identified by name and/or role.",
"version": "SRG-APP-000286-AS-NA"
},
"V-35114": {
"checkid": "C-43504r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Any application providing intrusion detection and prevention capabilities must be architected and implemented so as to prevent non-privileged users from circumventing such protections. This can be accomplished through the use of user roles, proper systems permissions, auditing, logging, etc. This requirement is NA. \n\nThe AS is not an incident response tool.",
"fixid": "F-39667r1_fix",
"fixtext": "The requirement is NA. No fix is required.",
"iacontrols": null,
"id": "V-35114",
"ruleID": "SV-46401r1_rule",
"severity": "medium",
"title": "Applications providing intrusion and prevention capabilities must prevent non-privileged users from circumventing those capabilities.",
"version": "SRG-APP-000285-AS-NA"
},
"V-35116": {
"checkid": "C-43503r2_chk",
"checktext": "Review policy and the AS or SAN configuration or log data to verify online log capacity meets organization requirements for continuous days of operation. If the AS is not configured to meet organization defined requirements, this is a finding.\n",
"description": "The proper management of audit records and logs not only dictates proper archiving processes and procedures be established, it also requires allocating enough storage space to maintain audit logs online for a defined period of time. \n\nIf adequate online audit storage capacity is not maintained, intrusion monitoring, security investigations, and forensic analysis can be negatively affected. \n\nIt is important to keep a defined amount of logs online and readily available for investigative purposes. The logs may be stored on the AS or in some instances, Storage Area Networks (SAN) may be employed to meet this requirement. Regardless of method being used, audit record storage capacity must be sufficient to provide the defined number of days of continuous online operation.",
"fixid": "F-39668r2_fix",
"fixtext": "Allocate enough audit log storage capacity to meet the organizations online audit log storage requirement for continuous days of operation. ",
"iacontrols": null,
"id": "V-35116",
"ruleID": "SV-46403r1_rule",
"severity": "medium",
"title": "The application server must allocate online audit record storage capacity for an organization defined number of continuous days of operation.",
"version": "SRG-APP-000072-AS-000039"
},
"V-35117": {
"checkid": "C-43505r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "When an intrusion detection security event occurs it is imperative the application that has detected the event immediately notify the appropriate support personnel so they can respond accordingly. \n\nLack of this capability increases the risk that attacks will go unnoticed or responses will be delayed. This requirement is NA. \nApplication servers do not provide anti-virus or firewall protection.",
"fixid": "F-39669r1_fix",
"fixtext": "The requirement is NA. No fix is required.",
"iacontrols": null,
"id": "V-35117",
"ruleID": "SV-46404r1_rule",
"severity": "medium",
"title": "Applications that detect and alarm on security events such as intrusion detection, firewalls, anti-virus, or malware must provide near real-time alert notification.",
"version": "SRG-APP-000284-AS-NA"
},
"V-35118": {
"checkid": "C-43506r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Unusual/unauthorized activities or conditions include internal traffic indicating the presence of malicious code within an information system or propagating among system components, the unauthorized export of information, and signaling to an external information system. \n\nEvidence of malicious code is used to identify potentially compromised information systems or information system components. \n\nExamples of applications that provide monitoring capability for unusual/unauthorized activities include, but are not limited to, intrusion detection, anti-virus and malware. \n\nApplication servers do not provide Antivirus or firewall protection. That is not their functionality.",
"fixid": "F-39670r1_fix",
"fixtext": "The requirement is NA. No fix is required.",
"iacontrols": null,
"id": "V-35118",
"ruleID": "SV-46405r1_rule",
"severity": "medium",
"title": "Applications providing malware and/or firewall protection must monitor inbound and outbound communications for unauthorized activities or conditions.",
"version": "SRG-APP-000283-AS-NA"
},
"V-35120": {
"checkid": "C-43509r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "There is a recognized need to balance encrypting traffic versus the need to have insight into the traffic from a monitoring perspective. \n\nFor some organizations, the need to ensure the confidentiality of traffic is paramount; for others, the mission-assurance concerns are greater. \n\nThe AS is not an information system monitoring tool. This requirement does not apply.",
"fixid": "F-39673r1_fix",
"fixtext": "The requirement is NA. No fix is required.",
"iacontrols": null,
"id": "V-35120",
"ruleID": "SV-46407r1_rule",
"severity": "medium",
"title": "For those instances where the organization requires encrypted traffic to be visible to information system monitoring tools, the application transmitting the encrypted traffic must make provisions to allow that traffic to be visible to specific system monitoring tool.",
"version": "SRG-APP-000282-AS-NA"
},
"V-35121": {
"checkid": "C-43508r1_chk",
"checktext": "Review AS product documentation and configuration to determine if users are informed of the date and time of the last logon. If users are not informed of this information, this is a finding.",
"description": "Users need to be aware of activity that occurs regarding their application server account. Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. \n\nThis requirement is intended to cover traditional interactive logons to information systems. Services-oriented applications with no user interface are excluded.",
"fixid": "F-39672r1_fix",
"fixtext": "Configure the AS to display, upon logon, the date and time of the last logon.",
"iacontrols": null,
"id": "V-35121",
"ruleID": "SV-46408r1_rule",
"severity": "low",
"title": "The application server management interface, upon successful logon, must display to the user the date and time of the last logon (access).",
"version": "SRG-APP-000075-AS-000040"
},
"V-35123": {
"checkid": "C-43511r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "When utilizing intrusion detection software, monitoring components are usually dispersed throughout the network, such as when utilizing HIDS and multiple NIDS sensors. In order to leverage the capabilities of intrusion detection systems to get a complete overall view of network and host activity, these separate components must be able to report and react to activity they detect. \n\nNon-standard or custom communication protocols do not provide the reliability and veracity required of an enterprise class intrusion detection system. An example of a custom protocol includes, but is not limited to, vendor-specific communication protocols that have not undergone IETF RFC evaluation and/or are not in common use throughout the Internet as a whole. \n\nApplication servers do not provide IDS capability. Does not apply.",
"fixid": "F-39675r1_fix",
"fixtext": "The requirement is NA. No fix is required.",
"iacontrols": null,
"id": "V-35123",
"ruleID": "SV-46410r1_rule",
"severity": "medium",
"title": "Intrusion detection software must be able to interconnect using standard protocols to create a system-wide intrusion detection system.",
"version": "SRG-APP-000281-AS-NA"
},
"V-35125": {
"checkid": "C-43514r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "In order to minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. Malicious code includes viruses, worms, Trojan horses, and Spyware. Applications providing this capability must have an ability to address the issue of false alerts. False alerts can overwhelm reporting and administrative interfaces, making it difficult to identify the true threat. A filtering capability that serves to identify and remove false positives is often employed to address this issue. The requirement is NA. The AS does not provide malicious code protection.",
"fixid": "F-39678r1_fix",
"fixtext": "The requirement is NA. No fix is required.",
"iacontrols": null,
"id": "V-35125",
"ruleID": "SV-46412r1_rule",
"severity": "medium",
"title": "Applications providing malicious code protection must support organizational requirements to address the receipt of false positives during malicious code detection, eradication efforts, and the resulting potential impact on the availability of the information system.",
"version": "SRG-APP-000280-AS-NA"
},
"V-35127": {
"checkid": "C-43515r1_chk",
"checktext": "Review system documentation to determine if the AS verifies the digital signatures attached to messages when those messages are processed. If these verifications are not performed, this is a finding.\n",
"description": "If the application does not maintain the data security attributes while it processes the data, there is a risk of data compromise. \n\nEncryption is utilized to assist in the maintenance of data security attributes. Encryption is also resource intensive and sometimes only a particular sub-component of a web services message or application may require encryption. The AS must be capable of verifying the digital signatures attached to any and all parts of messages and applications.",
"fixid": "F-39679r2_fix",
"fixtext": "Configure the AS to verify digital signatures attached to messages and applications. ",
"iacontrols": null,
"id": "V-35127",
"ruleID": "SV-46414r1_rule",
"severity": "medium",
"title": "The application server must verify digital signatures on software components and applications in process.",
"version": "SRG-APP-000007-AS-000004"
},
"V-35128": {
"checkid": "C-43516r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Malicious code protection mechanisms include, but are not limited to, anti-virus and malware detection software. In order to minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. \n\nApplications providing this capability must be able to perform actions in response to detected malware. Responses include, but are not limited to, quarantine, deletion, and alerting.\n\nMalicious code includes viruses, worms, Trojan horses, and Spyware. The requirement is NA. The AS does not provide malicious code protection.",
"fixid": "F-39680r1_fix",
"fixtext": "The requirement is NA. No fix is required.",
"iacontrols": null,
"id": "V-35128",
"ruleID": "SV-46415r1_rule",
"severity": "medium",
"title": "Applications providing malicious code protection must support organizational requirements to be configured to perform organization defined action(s) in response to malicious code detection.",
"version": "SRG-APP-000279-AS-NA"
},
"V-35129": {
"checkid": "C-43517r1_chk",
"checktext": "Review the AS product documentation to determine if the AS audits remote administrative sessions. If the AS does not audit remote sessions for the admin user, then this is a finding.\n",
"description": "Auditing must be utilized in order to track system activity, assist in diagnosing system issues and provide evidence needed for forensic investigations post security incident. \n\nRemote access by administrators requires that the admin activity be audited. \n\nApplication servers provide a web and command line based remote management capability for managing the application server. Application servers must ensure that all actions related to administrative functionality such as application server configuration are logged.",
"fixid": "F-39681r1_fix",
"fixtext": "Configure the AS to log an audit event for each instance when the administrator accesses the system remotely. \n",
"iacontrols": null,
"id": "V-35129",
"ruleID": "SV-46416r1_rule",
"severity": "medium",
"title": "The application server must ensure remote sessions for accessing security functions and security-relevant information are audited.",
"version": "SRG-APP-000019-AS-000013"
},
"V-35131": {
"checkid": "C-43519r1_chk",
"checktext": "Review AS product documentation and configuration to determine if the administrators are informed of the number of unsuccessful login attempts since the last successful login \n\nIf the administrators are not informed of this information, this is a finding.\n",
"description": "AS administrators need to be aware of activity that occurs regarding their account. Providing AS administrators with information regarding the number of unsuccessful login attempts made to their account allows them to determine if any unauthorized activity has occurred and gives them an opportunity to notify or coordinate with the appropriate security personnel and ensure other systems have not been affected. If administrators are not aware of potential attacks against a system, they cannot perform due diligence to ensure access is not granted to unauthorized users.",
"fixid": "F-39683r1_fix",
"fixtext": "Configure the AS to display the number of unsuccessful login attempts since the last successful login. ",
"iacontrols": null,
"id": "V-35131",
"ruleID": "SV-46418r1_rule",
"severity": "low",
"title": "In order to inform administrators of failed login attempts made to the administrators account, the application server management interface, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access.",
"version": "SRG-APP-000076-AS-000041"
},
"V-35132": {
"checkid": "C-43520r1_chk",
"checktext": "Review AS product documentation and server configuration to determine if users are informed of the number of successful login attempts that have occurred during a defined period of time. If the users are not informed of this information this is a finding.",
"description": "Users need to be aware of activity that occurs regarding their application account. Providing users with information regarding the number of successful attempts made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. \n\nThis requirement is intended to cover traditional logons to information systems where a user interface is involved.\n",
"fixid": "F-39684r1_fix",
"fixtext": "Configure the AS to display the number of successful login attempts that have occurred within a defined period of time. ",
"iacontrols": null,
"id": "V-35132",
"ruleID": "SV-46419r1_rule",
"severity": "low",
"title": "The application server must notify the user of the number of successful logins/accesses occurring during an organization defined time period.\n",
"version": "SRG-APP-000077-AS-000042"
},
"V-35133": {
"checkid": "C-43521r1_chk",
"checktext": "Review AS product documentation and server configuration to determine if users are informed of the number of unsuccessful login attempts that have occurred during a defined period of time. If the users are not informed of this information this is a finding.",
"description": "Users need to be aware of activity that occurs regarding their application account. Providing users with information regarding the number of unsuccessful attempts made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.\n\nThis requirement is intended to cover traditional logons to information systems where a user interface is involved.\n",
"fixid": "F-39685r1_fix",
"fixtext": "Configure the AS to display the number of unsuccessful login attempts that have occurred within a defined period of time. ",
"iacontrols": null,
"id": "V-35133",
"ruleID": "SV-46420r1_rule",
"severity": "low",
"title": "The application server must notify the user of the number of unsuccessful login/access attempts occurring during an organization defined time period.\n",
"version": "SRG-APP-000078-AS-000043"
},
"V-35134": {
"checkid": "C-43522r4_chk",
"checktext": "Review AS product documentation and server configuration to determine if the AS notifies users of security-related changes to the users' accounts occurring during the organization defined time period. If the users are not informed of this information during the organization-defined time period, this is a finding.",
"description": "DoD may define certain security events as events requiring user notification. An organization may define an event such as a password change to a user's account occurring outside of normal business hours as a security related event requiring that the application user be notified. In those instances, where organizations define such events, the application server must notify the affected user or users.\n",
"fixid": "F-39686r3_fix",
"fixtext": "Configure the AS to notify users of security-related events associated with their accounts that occur within the defined time period. ",
"iacontrols": null,
"id": "V-35134",
"ruleID": "SV-46421r1_rule",
"severity": "low",
"title": "The application server must notify users of organization defined security-related changes to the users account occurring during the organization defined time period.",
"version": "SRG-APP-000079-AS-000044"
},
"V-35135": {
"checkid": "C-43523r1_chk",
"checktext": "Review AS product documentation and server configuration to determine if the system can protect against an individual falsely denying having performed a particular action. Perform functionality testing and examine log data to ensure administrative actions such as application deployment and configuration changes are attributable to individuals. If the system cannot perform this function this is a finding.\n",
"description": "Non-repudiation of actions taken is required in order to maintain application integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. \n\nNon-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document. \n\nTypical application server actions requiring non-repudiation will be related to application deployment among developer/users and administrative actions taken by admin personnel.\n",
"fixid": "F-39687r1_fix",
"fixtext": "Configure the AS to protect against an individual falsely denying having performed a particular action. \n",
"iacontrols": null,
"id": "V-35135",
"ruleID": "SV-46422r1_rule",
"severity": "medium",
"title": "The application server must protect against an individual falsely denying having performed a particular action.\n",
"version": "SRG-APP-000080-AS-000045"
},
"V-35136": {
"checkid": "C-43524r1_chk",
"checktext": "Review product documentation and the AS deployment configuration to determine if the AS identifies the individuals responsible for application deployment. If the AS does not meet this requirement, this is a finding.\n",
"description": "Non-repudiation supports audit requirements to provide the appropriate organizational officials the means to identify who produced specific information in the event of an information transfer. \n\nThe nature and strength of the binding between the information producer and the information are determined and approved by the appropriate organizational officials based on the security categorization of the information and relevant risk factors.\n\nApplication servers contain and host deployed Java-based applications. To maintain non-repudiation, the application server must associate deployed application files with the personnel responsible for deploying the applications.\n",
"fixid": "F-39688r1_fix",
"fixtext": "Configure the AS to identify the individuals responsible for application deployment. ",
"iacontrols": null,
"id": "V-35136",
"ruleID": "SV-46423r1_rule",
"severity": "medium",
"title": "The application server must associate the identity of the information producer with the information.\n",
"version": "SRG-APP-000081-AS-000046"
},
"V-35138": {
"checkid": "C-43525r1_chk",
"checktext": "Review product documentation and the AS deployment configuration to determine if the AS authenticates the digital certificates used to sign the application deployment files. If the AS does not meet this requirement, this is a finding.\n",
"description": " Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document.\n\nThis non-repudiation control enhancement is intended to mitigate the risk that information gets modified between production and review. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. \n\nApplication servers must be able to authenticate digitally signed application deployment files.",
"fixid": "F-39689r1_fix",
"fixtext": "Configure the AS to authenticate digitally signed application deployment files. \n",
"iacontrols": null,
"id": "V-35138",
"ruleID": "SV-46425r1_rule",
"severity": "medium",
"title": "The application server must validate the binding of the information producers identity to the information.\n",
"version": "SRG-APP-000082-AS-000047"
},
"V-35139": {
"checkid": "C-43526r1_chk",
"checktext": "Review the AS audit feature configuration to determine if the AS can compile audit records from multiple components within the server into a system-wide (logical or physical) audit trail that is time-correlated to within an organization defined level of tolerance. If the AS does not meet this requirement, or cannot be configured to utilize an external tool that provides this capability, this is a finding.\n",
"description": "Audit generation and audit records can be generated from various components within the application server. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (e.g., auditable events, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked).\n\nThe events occurring must be time-correlated in order to conduct accurate forensic analysis. In addition, the correlation must meet a certain tolerance criteria. For instance, DoD may define that the time stamps of different audited events must not differ by any amount greater than ten seconds. It is also acceptable for the AS to utilize an external auditing tool that provides this capability.\n",
"fixid": "F-39690r1_fix",
"fixtext": "Configure the AS to compile audit records from multiple components within the server into a system-wide (logical or physical) audit trail that is time correlated or configure the AS to utilize an external auditing tool designed to meet this requirement.",
"iacontrols": null,
"id": "V-35139",
"ruleID": "SV-46426r1_rule",
"severity": "low",
"title": "The application server must compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within an organization defined level of tolerance.\n",
"version": "SRG-APP-000086-AS-000048"
},
"V-35140": {
"checkid": "C-43527r1_chk",
"checktext": "Review the AS configuration to determine if the AS produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format. If the AS does not produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format, this is a finding.\n",
"description": "Audit records can be generated from various components within the application server. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events). Application server audit events may include, but are not limited to HTTP, Database, and XML parsing activity.\n\nThe application server must be capable of producing audit records in a standardized format which includes all application server functionality.\n",
"fixid": "F-39691r1_fix",
"fixtext": "Configure the AS to produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format. ",
"iacontrols": null,
"id": "V-35140",
"ruleID": "SV-46427r1_rule",
"severity": "low",
"title": "The application server must produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.\n",
"version": "SRG-APP-000088-AS-000049"
},
"V-35141": {
"checkid": "C-43528r1_chk",
"checktext": "Review AS product documentation and server configuration to determine if the system generates audit records for definable events (e.g., INFO, DEBUG, FATAL, ALL). Perform functionality testing and examine log data to ensure defined events are logged. If the system cannot perform this function, this is a finding.\n",
"description": " Audit records can be generated from various components within the application server (e.g. , httpd, beans, etc.). From an application perspective, certain specific application functionalities may be audited as well.\n\nThe list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (e.g., auditable events, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked).\n\nApplication servers must be able to set the log level which controls what type of information and the degree to which the application server logs data.\n",
"fixid": "F-39692r1_fix",
"fixtext": "Configure the AS to audit at the defined event level. ",
"iacontrols": null,
"id": "V-35141",
"ruleID": "SV-46428r1_rule",
"severity": "low",
"title": "The application server must provide audit record generation capability for defined auditable events.\n",
"version": "SRG-APP-000089-AS-000050"
},
"V-35142": {
"checkid": "C-43529r1_chk",
"checktext": "Review AS product documentation and configuration to determine if the system is configured to assign personnel to a role responsible for selecting auditable events. If the system is not configured to perform this function this is a finding.\n",
"description": "Audit records can be generated from various components within the application server, (e.g. , httpd, beans, etc.) From an application perspective, certain specific application functionalities may be audited, as well.\n\nThe list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (e.g., auditable events, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked).\n\n\nApplication servers utilize role-based access controls in order to specify the individuals who are allowed to configure application component auditable events. The AS must be configured to select which personnel are assigned the role of selecting which auditable events are to be audited.\n",
"fixid": "F-39693r1_fix",
"fixtext": "Configure the AS by assigning organizational personnel to the role which selects and controls auditable events on the AS.",
"iacontrols": null,
"id": "V-35142",
"ruleID": "SV-46429r1_rule",
"severity": "low",
"title": "The application server must provide a user role which designates which organizational personnel select auditable events.\n",
"version": "SRG-APP-000090-AS-000051"
},
"V-35143": {
"checkid": "C-43530r1_chk",
"checktext": "Review product documentation and the system configuration to determine if the DoD-required auditable events are recorded. Required events include system startup and shutdown, successful and unsuccessful application deployment attempts, program execution, and integrity validation failures. Verify a reasonable subset of these events is captured in practice by examining the audit logs. If the audit logs do not include DoD-required auditable events, this is a finding.\n",
"description": "Audit records can be generated from various components within the application server. The list of audited events is the set of events for which audits are to be generated. \n\nThis set of events is typically a subset of the list of all events for which the system is capable of generating audit records (e.g., auditable events, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked).\n\nThe DoD-required auditable events are events that assist in intrusion detection and forensic analysis. Failure to capture them increases the likelihood that an adversary can breach the system without detection.",
"fixid": "F-39694r1_fix",
"fixtext": "Configure the AS to generate audit records for the DoD-required auditable events.",
"iacontrols": null,
"id": "V-35143",
"ruleID": "SV-46430r1_rule",
"severity": "low",
"title": "The application server must generate audit records for the DoD-selected list of auditable events.\n",
"version": "SRG-APP-000091-AS-000052"
},
"V-35148": {
"checkid": "C-43534r1_chk",
"checktext": "Review the AS product documentation and server configuration to determine if the AS initiates session auditing on AS startup. If the AS is not configured to meet this requirement, this is a finding.\n",
"description": "Session auditing activities are developed, integrated, and used in consultation with legal counsel in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.\n\nIf auditing is started only after the AS is running (e.g., manually enabled by an administrator), any sessions established between server start and that point, including early administrative sessions, are not recorded. Initiating session auditing as part of AS startup closes this gap.\n",
"fixid": "F-39698r1_fix",
"fixtext": "Configure the AS to initiate session auditing on AS startup. ",
"iacontrols": null,
"id": "V-35148",
"ruleID": "SV-46435r1_rule",
"severity": "low",
"title": "The application server must initiate session auditing upon start up.\n",
"version": "SRG-APP-000092-AS-000053"
},
"V-35150": {
"checkid": "C-43536r1_chk",
"checktext": "Review the AS configuration to determine if the AS captures/records and logs all content related to an administrator session. Have an administrator log into the server and make several security relevant configuration changes and verify these were recorded in the audit log. If any of the security relevant changes do not appear in the log, this is a finding.\n",
"description": "User sessions for an application server are in the context of server management only. The application server must be capable of enabling a setting for troubleshooting or debugging purposes which will log all administrative user session information related to server management.\n",
"fixid": "F-39700r1_fix",
"fixtext": "Configure the AS to capture/record and log all content related to an administrator session.",
"iacontrols": null,
"id": "V-35150",
"ruleID": "SV-46437r1_rule",
"severity": "low",
"title": "The application server must capture, record, and log all content related to an administrative user session.\n",
"version": "SRG-APP-000093-AS-000054"
},
"V-35157": {
"checkid": "C-43541r3_chk",
"checktext": "Review the AS configuration to determine if the AS is configured to capture/record and log all content related to an administrator session. Have an administrator log into the server and make several security relevant configuration changes and verify these changes were recorded in an audit log that can be remotely viewed. If these requirements are not met, this is a finding.\n",
"description": "User sessions for an application server are in the context of server management only. The application server must be configured to log all administrative session data to a remote location for viewing.\n",
"fixid": "F-39707r2_fix",
"fixtext": "Configure the AS to capture/record and log all content related to an administrator session and enable secured remote viewing of log data. ",
"iacontrols": null,
"id": "V-35157",
"ruleID": "SV-46444r1_rule",
"severity": "low",
"title": "The application server must be configured to remotely view all content related to an established administrative user session in real time.\n",
"version": "SRG-APP-000094-AS-000055"
},
"V-35159": {
"checkid": "C-43542r1_chk",
"checktext": "Review the AS audit log configuration to determine if the AS produces audit records for the HTTPD web server functionality. Check to ensure logs contain severity levels for corresponding recorded events. \n\nIf the HTTPD component of the AS does not log or does not have an event severity level, this is a finding.",
"description": "Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nApplication servers must log all relevant log data that pertains to app server functionality. Examples of relevant data include, but are not limited to Java Virtual Machine (JVM) activity, HTTPD/Web server activity and app server-related system process activity.\n",
"fixid": "F-39708r1_fix",
"fixtext": "Configure the AS audit logs to include all HTTPD related events and severity levels in audit records.",
"iacontrols": null,
"id": "V-35159",
"ruleID": "SV-46446r1_rule",
"severity": "low",
"title": "The application server must produce application server process events and severity levels to establish what type of HTTPD related events and severity levels occurred.\n",
"version": "SRG-APP-000095-AS-000056"
},
"V-35161": {
"checkid": "C-43544r1_chk",
"checktext": "Review the AS audit log configuration to determine if the AS produces audit records for the Java Virtual Machine server functionality. Check to ensure logs contain severity levels for corresponding recorded events.\n\nIf the JVM component of the AS does not log or the recorded events do not have a severity level, this is a finding.",
"description": "Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nApplication servers must log all relevant log data that pertains to app server functionality. Examples of relevant data include, but are not limited to, Java Virtual Machine (JVM) activity, HTTPD activity and app server-related system process activity.\n",
"fixid": "F-39711r1_fix",
"fixtext": "Configure the AS audit logs to include all JVM related events and severity levels in audit records.",
"iacontrols": null,
"id": "V-35161",
"ruleID": "SV-46448r1_rule",
"severity": "low",
"title": "The application server must produce audit records containing sufficient information to establish what type of JVM related events and severity levels occurred.\n",
"version": "SRG-APP-000095-AS-000057"
},
"V-35163": {
"checkid": "C-43546r1_chk",
"checktext": "Review the AS audit log configuration to determine if the AS produces audit records for the AS core server functionality. Check to ensure logs contain severity levels for corresponding recorded events.\n\nIf the AS core server processes do not log or the recorded events do not have a severity level, this is a finding.",
"description": "Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nApplication servers must log all relevant log data that pertains to app server functionality. Examples of relevant data include, but are not limited to, Java Virtual Machine (JVM) activity, HTTPD activity and app server-related system process activity.\n",
"fixid": "F-39714r1_fix",
"fixtext": "Configure the AS audit logs to include all app server process events and severity levels in audit records. ",
"iacontrols": null,
"id": "V-35163",
"ruleID": "SV-46450r1_rule",
"severity": "low",
"title": "The application server must produce process events and severity levels to establish what type of AS process events and severity levels occurred.\n",
"version": "SRG-APP-000095-AS-000058"
},
"V-35165": {
"checkid": "C-43547r1_chk",
"checktext": "Review the audit logs on the AS to determine if the date and time are included in the log event data. If the date and time are not included, this is a finding.\n",
"description": "Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. \n\nIn addition to logging event information, application servers must also log the corresponding dates and times of these events. Examples of event data include, but are not limited to, Java Virtual Machine (JVM) activity, HTTPD activity and app server related system process activity.\n",
"fixid": "F-39715r1_fix",
"fixtext": "Configure the AS auditing system to log date and time with the event. ",
"iacontrols": null,
"id": "V-35165",
"ruleID": "SV-46452r1_rule",
"severity": "low",
"title": "The application server must produce audit records containing sufficient information to establish when (date and time) the events occurred.\n",
"version": "SRG-APP-000096-AS-000059"
},
"V-35167": {
"checkid": "C-43549r1_chk",
"checktext": "Review the audit logs on the AS to determine if the logs contain information that establishes where within the application server sub components an event occurred. If the AS does not log audit data according to server functionality, this is a finding.",
"description": "Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. \n\nWithout sufficient information establishing where the audit events occurred, investigation into the cause of events is severely hindered. \n\nIn addition to logging relevant data, application servers must also log information to indicate the location of these events. Examples of relevant data include, but are not limited to, Java Virtual Machine (JVM) activity, HTTPD activity and app server-related system process activity.",
"fixid": "F-39717r1_fix",
"fixtext": "Configure the AS auditing system to log event location data.",
"iacontrols": null,
"id": "V-35167",
"ruleID": "SV-46454r1_rule",
"severity": "low",
"title": "The application server must produce audit records containing sufficient information to establish where the events occurred.\n",
"version": "SRG-APP-000097-AS-000060"
},
"V-35170": {
"checkid": "C-43552r1_chk",
"checktext": "Review AS documentation and the audit logs on the AS to determine if the logs contain information that establishes the sources of event data. If the AS is not configured to meet this requirement, this is a finding.\n",
"description": " Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application specific events, success/fail indications, filenames involved, access control or flow control rules invoked. \n\nWithout information establishing the source of activity, the value of audit records from a forensics perspective is questionable. \n\nExamples of activity sources include, but are not limited to, application process sources such as one process affecting another process, user related activity, and activity resulting from remote network system access (IP addresses).\n",
"fixid": "F-39720r1_fix",
"fixtext": "Configure the AS auditing system to log event source data. ",
"iacontrols": null,
"id": "V-35170",
"ruleID": "SV-46457r1_rule",
"severity": "low",
"title": "The application server must produce audit records containing sufficient information to establish the sources of the events.\n",
"version": "SRG-APP-000098-AS-000061"
},
"V-35176": {
"checkid": "C-43557r1_chk",
"checktext": "Review AS documentation and the audit logs on the AS to determine if the logs contain information that establishes the success or failure of event data. If the AS is not configured to meet this requirement, this is a finding.\n",
"description": "Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application specific events, success/fail indications, filenames involved, access control or flow control rules invoked. \n\nSuccess and failure indicators ascertain the outcome of a particular app server event or function. As such, they also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response.\n",
"fixid": "F-39725r1_fix",
"fixtext": "Configure the AS auditing system to log event success and failure. ",
"iacontrols": null,
"id": "V-35176",
"ruleID": "SV-46463r1_rule",
"severity": "low",
"title": "The application server must produce audit records that contain sufficient information to establish the outcome (success or failure) of application server and application events.",
"version": "SRG-APP-000099-AS-000062"
},
"V-35182": {
"checkid": "C-43562r1_chk",
"checktext": "Review AS documentation and the audit logs on the AS to determine if the logs contain information that establishes the identity of the user or process associated with audit event data. If the AS does not produce logs that establish the identity of the user or process associated with audit event data, this is a finding.\n",
"description": "Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. \n\nApplication servers have differing levels of logging capabilities which can be specified by setting a verbosity level. The application server must, at a minimum, be capable of establishing the identity of any user or process that is associated with any particular event.\n",
"fixid": "F-39730r1_fix",
"fixtext": "Configure the AS auditing system to log the identity of the user or process related to audit events. ",
"iacontrols": null,
"id": "V-35182",
"ruleID": "SV-46469r1_rule",
"severity": "medium",
"title": "The application server must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event.\n",
"version": "SRG-APP-000100-AS-000063"
},
"V-35183": {
"checkid": "C-43563r1_chk",
"checktext": "Verify the audit logs can be directly written to a separate system or transferred from the AS to a storage location other than the AS itself. The system administrator of the device may demonstrate this capability using an audit management application, system configuration, or other means. If audit logs cannot be transferred on request or on a periodic schedule, this is a finding.\n",
"description": "Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application specific events, success/fail indications, filenames involved, access control or flow control rules invoked. \n\nCentralized management of audit records and logs provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. Writing records to a separate system also limits what an attacker who compromises the AS can alter or delete. Application servers and their related components are required to be capable of writing logs to centralized audit log servers; the transfer should use a protected channel so that records cannot be modified or disclosed in transit.",
"fixid": "F-39731r1_fix",
"fixtext": "Configure the AS to transfer the audit logs to remote log or management servers. \n",
"iacontrols": null,
"id": "V-35183",
"ruleID": "SV-46470r1_rule",
"severity": "medium",
"title": "The application server must provide the ability to write specified audit record content to an audit log server.\n",
"version": "SRG-APP-000102-AS-000064"
},
"V-35184": {
"checkid": "C-43564r1_chk",
"checktext": "Review the configuration settings to determine if the AS audit system provides a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity. The requirement may be met either natively by the AS or by a dedicated audit tool the AS is configured to use. If designated alerts are not sent and the AS is not configured to use a dedicated audit tool that meets this requirement, this is a finding.",
"description": " It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Notification of the storage condition will allow administrators to take actions so that logs are not lost. This requirement can be met by configuring the AS to utilize a dedicated audit tool that meets this requirement.",
"fixid": "F-39732r1_fix",
"fixtext": "Configure the AS to provide a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity. ",
"iacontrols": null,
"id": "V-35184",
"ruleID": "SV-46471r1_rule",
"severity": "low",
"title": "The application server must provide a warning when allocated audit record storage volume reaches an organization defined percentage of maximum audit record storage capacity.\n",
"version": "SRG-APP-000103-AS-000065"
},
"V-35185": {
"checkid": "C-43565r1_chk",
"checktext": "Review the configuration settings to determine if the AS audit system provides a real-time alert when organization defined audit failure events occur. Review AS documentation. If designated alerts are not sent, this is a finding.\n",
"description": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Notification of the failure event will allow administrators to take actions so that logs are not lost.\n",
"fixid": "F-39733r1_fix",
"fixtext": "Configure the AS to provide a real-time alert when organization-defined audit failure events occur. ",
"iacontrols": null,
"id": "V-35185",
"ruleID": "SV-46472r1_rule",
"severity": "low",
"title": "The application server must provide a real-time alert when organization defined audit failure events occur.\n",
"version": "SRG-APP-000104-AS-000066"
},
"V-35186": {
"checkid": "C-43566r1_chk",
"checktext": "Review AS audit configuration and organization policy. If policy requires individual notification, verify the AS sends alerts to designated individual organizational officials in the event of an audit processing failure. If policy requires individual notifications and the AS is not configured to meet this requirement, this is a finding.\n",
"description": "Audit processing failures include, but are not limited to, failures in the application server log capturing mechanisms or audit storage capacity being reached or exceeded. In some instances, it is preferred to send alarms to individuals rather than to an entire group. Application servers must be able to trigger an alarm and send that alert to designated individuals in the event there is an AS audit processing failure.\n",
"fixid": "F-39734r1_fix",
"fixtext": "Configure the AS audit feature to alert designated organizational officials in the event of an audit processing failure. ",
"iacontrols": null,
"id": "V-35186",
"ruleID": "SV-46473r1_rule",
"severity": "low",
"title": "The application server must alert designated individual organizational officials in the event of an audit processing failure.\n",
"version": "SRG-APP-000108-AS-000067"
},
"V-35188": {
"checkid": "C-43567r1_chk",
"checktext": "Review the organization policy and AS configuration settings to determine if the AS is configured to notify a group of administrative personnel when the audit subsystem fails to operate. If policy requires group notification and the AS is not configured to meet this requirement, this is a finding.\n",
"description": "Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. To ensure flexibility and ease of use, application servers must be capable of notifying a group of administrative personnel upon detection of an application audit log processing failure.\n",
"fixid": "F-39735r1_fix",
"fixtext": "Configure the AS to notify a group of administrative staff when the auditing subsystem fails. ",
"iacontrols": null,
"id": "V-35188",
"ruleID": "SV-46475r1_rule",
"severity": "low",
"title": "The application server must notify administrative personnel as a group in the event of audit processing failure.\n",
"version": "SRG-APP-000109-AS-000069"
},
"V-35190": {
"checkid": "C-43568r3_chk",
"checktext": "Review the AS configuration settings to determine if the AS is configured to log the administrative personnel who are notified when the audit subsystem fails to operate. Review failure logs to ensure the nature of the failure is also logged. If the AS does not execute this requirement, this is a finding.\n",
"description": "It is critical that, when a system is at risk of failing to process audit logs, it detects and takes action to mitigate the failure. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. \n\nFor forensic, non-repudiation and troubleshooting purposes, the AS must be configured to log both who was notified of the audit log processing failure and the nature of the failure.",
"fixid": "F-39736r2_fix",
"fixtext": "Configure the AS to log the administrative staff who are notified and the nature of the failure when the auditing subsystem fails.",
"iacontrols": null,
"id": "V-35190",
"ruleID": "SV-46477r1_rule",
"severity": "low",
"title": "The application server must be configured to log the audit subsystem failure notification information that is sent out (e.g., the recipients of the message and the nature of the failure).",
"version": "SRG-APP-000109-AS-000068"
},
"V-35191": {
"checkid": "C-43569r5_chk",
"checktext": "Review the system's accreditation documentation to determine system MAC and Confidentiality requirements. Review AS configuration settings to determine if the AS is configured to fail over operation to another system when the audit subsystem fails to operate. If the system MAC level specifies redundancy and the AS is not configured to fail over to another system when an audit subsystem failure occurs, this is a finding.\nIf the system MAC level does not require redundancy, this requirement is NA.",
"description": "It is critical that, when a system is at risk of failing to process audit logs as required, it detects and takes action to mitigate the failure. \nApplication servers must be capable of failing over to another system upon detection of an application audit log processing failure. This will allow continual operation of the application while minimizing the loss of audit subsystem capability and audit logs. This requirement is dependent upon system MAC and confidentiality. If the system MAC and confidentiality levels do not specify redundancy requirements, this requirement is NA.",
"fixid": "F-39737r4_fix",
"fixtext": "Configure the AS to fail over to another system when the auditing subsystem fails. ",
"iacontrols": null,
"id": "V-35191",
"ruleID": "SV-46478r1_rule",
"severity": "low",
"title": "The application server must be configured to fail over to another system in the event of audit subsystem failure.\n",
"version": "SRG-APP-000109-AS-000070"
},
"V-35192": {
"checkid": "C-43570r1_chk",
"checktext": "Review the AS configuration settings to determine if the AS audit system is configured to integrate audit review, analysis, and reporting processes. If the AS is not configured to natively meet the requirement, review AS documentation and request the system administrator demonstrate the capability on the AS to transfer audit logs to a central audit system. If the AS is not configured to meet this requirement, this is a finding.\n",
"description": "Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a sufficient manner. \n\nAudit review, analysis, and reporting are all activities related to the evaluation of system activity through the inspection and analysis of system log data. \n\nIn order to determine what is happening within the application server or to resolve and trace an attack, it is imperative to be able to correlate the log data from multiple AS elements so as to acquire a clear understanding as to what happened or is happening. Collecting log data and presenting that data in a single, consolidated view achieves this objective. The AS must integrate audit review, analysis and reporting of audit data or it must be configurable to utilize a centralized solution designed to meet this requirement.",
"fixid": "F-39738r1_fix",
"fixtext": "Configure the AS to integrate audit review, analysis and reporting processes or configure the AS to provide audit log information to a centralized audit management system that meets the requirement. ",
"iacontrols": null,
"id": "V-35192",
"ruleID": "SV-46479r1_rule",
"severity": "low",
"title": "The application server must integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.",
"version": "SRG-APP-000110-AS-000071"
},
"V-35193": {
"checkid": "C-43571r1_chk",
"checktext": "Review AS product documentation and server configuration to determine if the AS can centralize log storage from the multiple AS components. If the AS is not configured to meet this requirement, this is a finding.\n",
"description": "Segregation of logging data to multiple disparate computer systems is counter-productive and makes log analysis, log event alarming and correlation difficult to implement and manage, particularly when the application server has multiple logging components that write logs to different log files and locations. This problem is compounded when there is a clustered application server environment. \n\nApplication servers must provide the capability to centralize the storage of app server logs.",
"fixid": "F-39740r1_fix",
"fixtext": "Configure the AS to centrally store application server logs.",
"iacontrols": null,
"id": "V-35193",
"ruleID": "SV-46480r1_rule",
"severity": "low",
"title": "Application Servers must centralize the review and analysis of audit records from multiple components within the system.\n",
"version": "SRG-APP-000111-AS-000072"
},
"V-35195": {
"checkid": "C-43572r1_chk",
"checktext": "Review the AS product documentation and management interface to determine if the AS provides an audit reduction capability. If the AS does not provide audit reduction, this is a finding.\n",
"description": "Audit reduction is used to reduce the volume of audit records in order to facilitate manual review. Before a security review, the AS administrator may utilize the audit reduction capability to remove the audit records known to have little security significance. \n\nThis is generally accomplished by filtering records generated by specified classes of events, such as records generated by nightly backups. Audit reduction does not alter the original audit records. \n\nAn audit reduction capability provides support for near real-time audit review and analysis requirements and after-the-fact investigations of security incidents.",
"fixid": "F-39741r1_fix",
"fixtext": "Configure the AS to provide and utilize audit reduction.",
"iacontrols": null,
"id": "V-35195",
"ruleID": "SV-46482r1_rule",
"severity": "medium",
"title": "The application server must provide an audit reduction capability.",
"version": "SRG-APP-000113-AS-000073"
},
"V-35196": {
"checkid": "C-43573r1_chk",
"checktext": "Review the configuration settings to determine if the AS audit records can be used by a report generation capability. Review AS documentation and audit records. If the AS audit records cannot be used by a report generation capability, this is a finding.\n",
"description": " In support of audit review, analysis, and reporting requirements, audit reduction is a technique used to reduce the volume of audit records in order to facilitate a manual review. \n\nIn order to identify and report on what (repetitive) data has been removed via the use of audit reduction, the application server must provide a capability to generate reports containing what values were removed by the audit reduction. \n\nAudit reduction does not alter original audit records. An audit reduction capability provides support for near real-time audit review and analysis based on policy based requirements and after-the-fact investigations of security incidents.\n",
"fixid": "F-39743r1_fix",
"fixtext": "Configure the AS audit records to be used by a report generation capability.",
"iacontrols": null,
"id": "V-35196",
"ruleID": "SV-46483r1_rule",
"severity": "medium",
"title": "The application server must provide a report generation capability for audit reduction data.\n",
"version": "SRG-APP-000114-AS-000074"
},
"V-35199": {
"checkid": "C-43574r1_chk",
"checktext": "Review the AS product documentation and management interface to determine if the AS provides the ability to filter out audit events based upon event criteria. If the AS does not provide the ability to filter out audit events based upon event criteria, this is a finding.\n",
"description": "Audit reduction is used to reduce the volume of audit records in order to facilitate manual review. Before a security review information systems and/or applications with an audit reduction capability may remove many audit records known to have little security significance. \n\nThis is generally accomplished by removing records generated by specified classes of events, such as records generated by nightly backups or other events deemed inconsequential to the investigation. Audit reduction does not alter or delete original audit records. \n\nWhen conducting a security review, time is often of the essence. A manual audit reduction capability is too time consuming. The AS must provide an automated audit reduction capability that automatically filters out events based upon a selection of available event types.",
"fixid": "F-39744r1_fix",
"fixtext": "Configure the AS to filter out events based upon selectable event criteria. \n",
"iacontrols": null,
"id": "V-35199",
"ruleID": "SV-46486r1_rule",
"severity": "medium",
"title": "The application server must automatically process audit records for events of interest based upon selectable, event criteria.",
"version": "SRG-APP-000115-AS-000075"
},
"V-35203": {
"checkid": "C-43575r1_chk",
"checktext": "Review the AS configuration files to determine if the internal system clock is used for timestamps. If this is not feasible, an alternative workaround is to take an action that generates an entry in the audit log and then immediately query the operating system for the current time. A reasonable match between the two times will suffice as evidence that the system is using the internal clock for timestamps; when comparing, account for any difference in time zone representation (e.g., UTC versus local time) between the audit log and the operating system. If the AS does not use the internal system clock to generate timestamps, this is a finding.\n",
"description": "Without the use of an approved and synchronized time source, configured on the systems, events cannot be accurately correlated and analyzed to determine what is transpiring within the AS. \n\nIf an event has been triggered on the network, and the AS is not configured with the correct time, the event may be seen as insignificant, when in reality the events are related and may have a larger impact across the network. Synchronization of system clocks is needed in order to correctly correlate the timing of events that occur across multiple systems. Determining the correct time a particular event occurred on a system, via timestamps, is critical when conducting forensic analysis and investigating system events. \nApplication servers must utilize the internal system clock when generating time stamps and audit records.",
"fixid": "F-39749r1_fix",
"fixtext": "Configure the AS to use internal system clocks to generate timestamps for audit records.",
"iacontrols": null,
"id": "V-35203",
"ruleID": "SV-46490r1_rule",
"severity": "low",
"title": "The application server must use internal system clocks to generate time stamps for audit records.",
"version": "SRG-APP-000116-AS-000076"
},
"V-35204": {
"checkid": "C-43576r1_chk",
"checktext": "Review AS documentation and confirm that the AS defers to the operating system for accurate timekeeping. If the AS provides its own timekeeping service, this is a finding.\n",
"description": "Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events. \n\nSynchronization of system clocks is needed in order to correctly correlate the timing of events that occur across multiple systems. To meet that requirement the organization will define an authoritative time source and frequency to which each system will synchronize its internal clock. \n\nApplication servers must defer accurate timekeeping services to the operating system upon which the AS is installed.\n",
"fixid": "F-39750r2_fix",
"fixtext": "Configure the AS to utilize the timekeeping services of the host OS. \n",
"iacontrols": null,
"id": "V-35204",
"ruleID": "SV-46491r1_rule",
"severity": "low",
"title": "The application server must synchronize with internal information system clocks which, in turn, are synchronized on an organization defined frequency with an organization defined authoritative time source.\n",
"version": "SRG-APP-000117-AS-000077"
},
"V-35205": {
"checkid": "C-43577r1_chk",
"checktext": "Review the configuration settings to determine if the AS audit features protect audit information from unauthorized access. Review file system settings to verify the AS sets secure file permissions on audit log files. If the AS does not protect audit information from unauthorized read access, this is a finding.\n",
"description": "If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to audit records provides information an attacker could potentially use to his or her advantage.\n\nApplication servers contain admin interfaces that allow reading and manipulation of audit records. Therefore, these interfaces should not allow for the unfettered access to those records. Application servers also write audit data to log files which are stored on the OS, so appropriate file permissions must also be used to restrict access.\n\nAudit information includes all information (e.g., audit records, audit settings, transaction logs, and audit reports) needed to successfully audit information system activity. Application servers must protect audit information from unauthorized read access.",
"fixid": "F-39751r1_fix",
"fixtext": "Configure the AS to protect audit information from unauthorized read access.",
"iacontrols": null,
"id": "V-35205",
"ruleID": "SV-46492r1_rule",
"severity": "low",
"title": "The application server must protect audit information from any type of unauthorized read access.\n",
"version": "SRG-APP-000118-AS-000078"
},
"V-35212": {
"checkid": "C-43584r1_chk",
"checktext": "Review the configuration settings to determine if the AS audit features protect audit information from unauthorized deletion. Review file system settings to verify the AS sets secure file permissions on audit log files so as to prevent unauthorized deletion. If the AS does not protect audit information from unauthorized deletion, this is a finding.\n",
"description": "If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. \n\nApplication servers contain admin interfaces that allow reading and manipulation of audit records. Therefore, these interfaces should not allow for unfettered access to those records. Application servers also write audit data to log files which are stored on the OS, so appropriate file permissions must also be used to restrict access.\n\nAudit information includes all information (e.g., audit records, audit settings, transaction logs and audit reports) needed to successfully audit information system activity. Application servers must protect audit information from unauthorized deletion.",
"fixid": "F-39758r1_fix",
"fixtext": "Configure the AS to protect audit information from unauthorized deletion.",
"iacontrols": null,
"id": "V-35212",
"ruleID": "SV-46499r1_rule",
"severity": "low",
"title": "The application server must protect audit information from unauthorized deletion.",
"version": "SRG-APP-000120-AS-000080"
},
"V-35213": {
"checkid": "C-43585r1_chk",
"checktext": "Review the AS documentation and server configuration to determine if the AS protects audit tools from unauthorized access. Request a system administrator attempt to access audit tools while logged into the server in a role that does not have the requisite privileges. If the AS does not protect audit tools from unauthorized access, this is a finding.",
"description": "Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. \n\nDepending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. \n\nIt is, therefore, imperative that access to audit tools be controlled and protected from unauthorized access. \n\nApplication servers provide a web and/or a command line based management functionality for managing the application server audit capabilities. In addition, subsets of audit tool components may be stored on the file system as jar or xml configuration files. The application server must ensure that in addition to protecting any web based audit tools, any file system based tools are protected as well.\n",
"fixid": "F-39759r1_fix",
"fixtext": "Configure the AS or OS to protect audit tools from unauthorized access. \n",
"iacontrols": null,
"id": "V-35213",
"ruleID": "SV-46500r1_rule",
"severity": "medium",
"title": "The application server must protect audit tools from unauthorized access.",
"version": "SRG-APP-000121-AS-000081"
},
"V-35214": {
"checkid": "C-43586r1_chk",
"checktext": "Review the AS documentation and server configuration to determine if the AS protects audit tools from unauthorized modification. Request a system administrator attempt to modify audit tools while logged into the server in a role that does not have the requisite privileges. Locate binary copies of audit tool executables that are located on the file system and attempt to modify using unprivileged credentials. If the AS does not protect audit tools from unauthorized modification, this is a finding.\n",
"description": "Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. \n\nDepending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. \n\nIt is, therefore, imperative that access to audit tools be controlled and protected from unauthorized modification. If an attacker were to modify audit tools, he could also manipulate logs to hide evidence of malicious activity. \n\nApplication servers provide a web and/or a command line based management functionality for managing the application server audit capabilities. In addition, subsets of audit tool components may be stored on the file system as jar or xml configuration files. The application server must ensure that in addition to protecting any web based audit tools, any file system based tools are protected as well.",
"fixid": "F-39760r1_fix",
"fixtext": "Configure the AS or the OS to protect audit tools from unauthorized modification. ",
"iacontrols": null,
"id": "V-35214",
"ruleID": "SV-46501r1_rule",
"severity": "medium",
"title": "The application server must protect audit tools from unauthorized modification.",
"version": "SRG-APP-000122-AS-000082"
},
"V-35215": {
"checkid": "C-43587r1_chk",
"checktext": "Review the AS documentation and server configuration to determine if the AS protects audit tools from unauthorized deletion. Locate binary copies of audit tool executables that are located on the file system and attempt to delete using unprivileged credentials. If the AS does not protect audit tools from unauthorized deletion, this is a finding.\n",
"description": "Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. \n\nDepending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. \n\nIt is, therefore, imperative that access to audit tools be controlled and protected from unauthorized deletion. If an attacker were to delete audit tools, the AS Admins would have no way of managing or viewing the logs. \n\nApplication servers provide a web and/or a command line based management functionality for managing the application server audit capabilities. In addition, subsets of audit tool components may be stored on the file system as jar, class or xml configuration files. The application server must ensure that in addition to protecting any web based audit tools, any file system based tools are protected from unauthorized deletion as well.\n",
"fixid": "F-39761r1_fix",
"fixtext": "Configure the AS or the OS to protect audit tools from unauthorized deletion. \n",
"iacontrols": null,
"id": "V-35215",
"ruleID": "SV-46502r1_rule",
"severity": "medium",
"title": "The application server must protect audit tools from unauthorized deletion.\n",
"version": "SRG-APP-000123-AS-000083"
},
"V-35216": {
"checkid": "C-43588r1_chk",
"checktext": "Review the AS configuration to determine if the AS backs up audit records on an organization defined frequency onto a different system or media than the system being audited. If the AS does not back up audit records on an organization-defined frequency onto a different system or media than the system being audited, this is a finding.",
"description": "Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system the application server is actually running on helps to assure that in the event of a catastrophic system failure, the audit records will be retained.\n",
"fixid": "F-39762r1_fix",
"fixtext": "Configure the AS to back up audit records on an organization defined frequency onto a different system or media than the system being audited. ",
"iacontrols": null,
"id": "V-35216",
"ruleID": "SV-46503r1_rule",
"severity": "medium",
"title": "The application server must back up audit data and records on an organization defined frequency onto a different system or media than the system the application server itself is running on.",
"version": "SRG-APP-000125-AS-000084"
},
"V-35217": {
"checkid": "C-43589r1_chk",
"checktext": "Review the AS documentation and configuration to determine if the AS can protect audit log data using cryptographic means. If the AS is not configured to encrypt and sign audit logs, this is a finding.\n",
"description": "Protection of audit records and audit data is of critical importance. Encrypting audit records provides a level of protection that does not rely on host-based protections that can be accidentally misconfigured such as file system permissions. Cryptographic mechanisms are the industry established standard used to protect the integrity of audit data. An example of a cryptographic mechanism is the computation and application of a cryptographic-signed hash using asymmetric cryptography.\n",
"fixid": "F-39763r1_fix",
"fixtext": "Configure the AS to encrypt and sign audit logs. ",
"iacontrols": null,
"id": "V-35217",
"ruleID": "SV-46504r1_rule",
"severity": "medium",
"title": "The application server must protect audit data records and integrity by using cryptographic mechanisms.\n",
"version": "SRG-APP-000126-AS-000085"
},
"V-35218": {
"checkid": "C-43590r1_chk",
"checktext": "Review the AS documentation and configuration to determine if the AS protects the audit records resulting from non-local accesses to privileged accounts and the execution of privileged functions. If the AS does not meet this requirement, this is a finding.",
"description": "Protection of audit records and audit data is of critical importance. Care must be taken to ensure privileged users cannot circumvent audit protections put in place. \n\nAuditing might not be reliable when performed by an information system to which the user being audited has privileged access. \n\nThe privileged user could inhibit auditing or directly modify audit records. To prevent this from occurring, privileged access shall be further defined between audit-related privileges and other privileges, thus limiting the users with audit-related privileges. \n\nThe application server must ensure that its administrative log files are secured when they are created, copied, or overwritten.\n",
"fixid": "F-39764r1_fix",
"fixtext": "Configure the AS or OS to protect the audit records resulting from non-local accesses to privileged accounts and the execution of privileged functions. ",
"iacontrols": null,
"id": "V-35218",
"ruleID": "SV-46505r1_rule",
"severity": "medium",
"title": "The application server must protect the audit records generated as a result of remote accesses to privileged accounts and the execution of privileged functions.\n",
"version": "SRG-APP-000127-AS-000086"
},
"V-35219": {
"checkid": "C-43591r1_chk",
"checktext": "Review the AS documentation and configuration to determine if the AS provides unique account roles specifically for the purposes of segmenting the responsibilities for managing the server and the applications installed on the AS. Log in to the server using an AS role with limited permissions (e.g., Auditor, Monitor, Deployer, Operator, etc.) and verify the account is not able to perform configuration changes that are not related to that role. If the AS does not enforce these access restrictions, this is a finding.",
"description": "When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. \n\nAccordingly, only qualified and authorized individuals should be allowed to obtain access to application server components for the purposes of initiating changes, including upgrades and application modifications. \nThe application server must provide a control mechanism to restrict access to configuration capability. The controls can be specific to the application server, delegated to operating system controls, or a combination of both.\n\n",
"fixid": "F-39765r1_fix",
"fixtext": "Configure the AS to utilize specific roles that restrict access related to AS configuration changes. ",
"iacontrols": null,
"id": "V-35219",
"ruleID": "SV-46506r1_rule",
"severity": "high",
"title": "The application server must enforce logical access restrictions associated with changes to application configuration.\n",
"version": "SRG-APP-000128-AS-000087"
},
"V-35220": {
"checkid": "C-43592r2_chk",
"checktext": "Review the AS documentation and configuration to determine if the system employs mechanisms to enforce restrictions on automated code deployment on production application servers. If the AS does not provide these access controls, this is a finding.\n",
"description": "When dealing with access restrictions pertaining to change control, it should be noted that any changes to the software, and/or application server configuration can potentially have significant effects on the overall security of the system. \n\nAccess restrictions for changes also include application software libraries. \n\nIf the application server provides automatic code deployment capability (where updates to applications hosted on the app server are automatically performed, usually by the developer's IDE tool), it must also provide a capability to restrict the use of automatic application deployment. Automatic code deployments are allowable in a development environment, but not in production.\n",
"fixid": "F-39766r1_fix",
"fixtext": "Configure the AS to block automatic code deployments. ",
"iacontrols": null,
"id": "V-35220",
"ruleID": "SV-46507r1_rule",
"severity": "medium",
"title": "The application server must employ automated mechanisms for enforcing access restrictions.\n",
"version": "SRG-APP-000129-AS-000088"
},
"V-35221": {
"checkid": "C-43593r1_chk",
"checktext": "Check the AS documentation and logs to determine if the auditing subsystem starts automatically when the AS processes are started. If the AS is not configured to automatically start auditing processes, this is a finding.\n",
"description": "If the auditing subsystem is not automatically started when the application server is started, security-related events could go unnoticed.\nThe AS auditing subsystem must automatically start when the AS processes are started.\n",
"fixid": "F-39767r1_fix",
"fixtext": "Configure the AS to automatically start auditing processes when the AS is started. \n",
"iacontrols": null,
"id": "V-35221",
"ruleID": "SV-46508r1_rule",
"severity": "medium",
"title": "The application server must automatically record an event in the device audit log each time the server is started.\n",
"version": "SRG-APP-000130-AS-000089"
},
"V-35222": {
"checkid": "C-43594r1_chk",
"checktext": "Review the AS logs. Attempt to perform an action that is restricted by the AS, such as logging in, uploading an application, or making changes to the AS configuration. Verify the AS automatically makes an entry in the AS logs that documents the nature of the restricted activity. If the AS is not configured to meet this requirement, this is a finding.\n",
"description": "Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. \n\nWhen attempts are made to log in or make changes to the application server configuration or to the applications that reside on the application server, the application server must automatically log these actions for troubleshooting and forensic purposes.\n",
"fixid": "F-39768r2_fix",
"fixtext": "Configure the AS to automatically log all restricted activity. ",
"iacontrols": null,
"id": "V-35222",
"ruleID": "SV-46509r1_rule",
"severity": "medium",
"title": "The application server must employ automated mechanisms for the auditing of enforcement actions.",
"version": "SRG-APP-000130-AS-000090"
},
"V-35223": {
"checkid": "C-43595r1_chk",
"checktext": "Check the AS documentation and configuration to determine if the AS validates digitally signed web service messages. If the AS does not meet this requirement, this is a finding.\n",
"description": "Organizations may require that critical software be signed with a certificate recognized and approved by the organization. This includes messages that are transferred or read by the AS as part of a web services or SOA-oriented application. \n\nWS-Security is an extension to the SOAP protocol which provides an integrity and confidentiality enhancement that is not native to the SOAP protocol. WS-Security provides the AS with the capability to sign, validate, and encrypt messages. The AS must validate the digital signature of signed web service messages.\n\n",
"fixid": "F-39769r1_fix",
"fixtext": "Configure the AS features to validate the digital signature bound to web service messages. ",
"iacontrols": null,
"id": "V-35223",
"ruleID": "SV-46510r1_rule",
"severity": "medium",
"title": "The application server must validate the digital signature of signed web service messages.\n",
"version": "SRG-APP-000131-AS-000091"
},
"V-35224": {
"checkid": "C-43596r1_chk",
"checktext": "Check the AS documentation and configuration to determine if the AS provides role based access that limits the capability to change shared software libraries. Validate file permission settings to ensure library files are secured in relation to OS access. If the AS does not meet this requirement, this is a finding.",
"description": "Application servers have the ability to specify that the hosted applications utilize shared libraries. The application server must have a capability to divide roles based upon duties wherein one project user (such as a developer) cannot modify the shared library code of another project user. The application server must also be able to specify that non-privileged users cannot modify any shared library code at all.\n",
"fixid": "F-39770r1_fix",
"fixtext": "Configure the AS according to corresponding user roles and secure file system permissions. \n",
"iacontrols": null,
"id": "V-35224",
"ruleID": "SV-46511r1_rule",
"severity": "medium",
"title": "The application server must limit privileges to change the software resident within software libraries (including privileged programs).",
"version": "SRG-APP-000133-AS-000092"
},
"V-35225": {
"checkid": "C-43597r1_chk",
"checktext": "Check the AS documentation and configuration to determine if the AS provides an automated rollback capability. The rollback capability can be manually invoked or scripted. If the AS is not configured to meet this requirement, this is a finding.\n",
"description": "Any changes to the components of the AS can potentially have significant effects on the overall security of the system. \n\nIn order to ensure a prompt response to failed application installations and AS upgrades, the AS must provide an automated rollback capability that allows the system to be restored to a previous known good configuration state prior to the application installation or AS upgrade.",
"fixid": "F-39771r1_fix",
"fixtext": "Configure the AS to roll back failed application installations and AS upgrades. ",
"iacontrols": null,
"id": "V-35225",
"ruleID": "SV-46512r1_rule",
"severity": "medium",
"title": "The application server must automatically implement safeguards and countermeasures if security functions (or mechanisms) are changed inappropriately.",
"version": "SRG-APP-000134-AS-000093"
},
"V-35226": {
"checkid": "C-43598r2_chk",
"checktext": "Review organization policy, AS product documentation and configuration to determine if the system can enforce the organization's requirements for remote connections. \n\nIf the system is not configured to enforce these requirements, or the remote connection settings are not in accordance with the requirements, this is a finding.\n",
"description": "Application servers provide remote access capability and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy requirements. Examples of policy requirements include, but are not limited to, authorizing remote access to the information system, limiting access based on authentication credentials, and monitoring for unauthorized access.\n",
"fixid": "F-39772r1_fix",
"fixtext": "Configure the AS to enforce remote connection settings. ",
"iacontrols": null,
"id": "V-35226",
"ruleID": "SV-46513r1_rule",
"severity": "high",
"title": "The application server must enforce requirements for remote connections to the information system.\n",
"version": "SRG-APP-000140-AS-000094"
},
"V-35234": {
"checkid": "C-43604r1_chk",
"checktext": "Review the AS documentation and configuration to determine if the AS can disable unauthorized features and capabilities. If the AS is not configured to meet this requirement, this is a finding.",
"description": "Application servers provide a myriad of differing processes, features and functionalities. Some of these processes may be deemed to be unnecessary or too insecure to run on a production DoD system. Application servers must provide the capability to disable or deactivate functionality and services that are deemed to be non-essential to the server mission or can adversely impact server performance, for example, disabling dynamic JSP reloading on production application servers as a best practice.\n",
"fixid": "F-39781r1_fix",
"fixtext": "Configure the AS to use only authorized features and capabilities. ",
"iacontrols": null,
"id": "V-35234",
"ruleID": "SV-46521r1_rule",
"severity": "medium",
"title": "The application server must adhere to the principles of least functionality by providing only essential capabilities.\n",
"version": "SRG-APP-000141-AS-000095"
},
"V-35236": {
"checkid": "C-43605r1_chk",
"checktext": "Review the AS documentation and configuration to determine if the AS has unauthorized ports disabled. If the AS is not configured to meet this requirement, this is a finding.\n\n",
"description": "Application servers provide numerous processes, features and functionalities that utilize TCP/IP ports. Some of these processes may be deemed to be unnecessary or too insecure to run on a production system. The AS must provide the capability to disable or deactivate network related services that are deemed to be non-essential to the server mission, for example, disabling a protocol or feature that opens a listening port that is prohibited by DoD ports and protocols. For a list of approved ports and protocols reference the DoD ports and protocols web site at https://powhatan.iiie.disa.mil/ports/cal.html",
"fixid": "F-39783r1_fix",
"fixtext": "Configure the AS to use only authorized ports, protocols, and services. ",
"iacontrols": null,
"id": "V-35236",
"ruleID": "SV-46523r1_rule",
"severity": "medium",
"title": "The application server must prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.",
"version": "SRG-APP-000142-AS-000096"
},
"V-35238": {
"checkid": "C-43606r1_chk",
"checktext": "Review the AS documentation and configuration to determine if the AS can disable automatic execution of deployed applications. Ensure this capability extends to a restart of the AS. If the AS is not configured to meet this requirement, this is a finding.\n\n",
"description": "The application server must provide a capability to halt or otherwise disable the automatic execution of deployed applications until such time as the application is considered part of the established application server baseline. Deployment to the application server should not provide a means for automatic application start-up should the application server itself encounter a restart condition.",
"fixid": "F-39784r1_fix",
"fixtext": "Configure the AS to force newly uploaded applications to be approved prior to execution. ",
"iacontrols": null,
"id": "V-35238",
"ruleID": "SV-46525r1_rule",
"severity": "low",
"title": "The application server must utilize automated mechanisms to prevent program execution on the information system.\n",
"version": "SRG-APP-000143-AS-000097"
},
"V-35241": {
"checkid": "C-43608r1_chk",
"checktext": "Review the AS documentation and configuration to determine if the AS provides transaction recovery capabilities. If the AS is not configured to meet this requirement, this is a finding.\n",
"description": "Transaction rollback and transaction journaling are examples of mechanisms supporting transaction recovery. Use of transactions prevents databases from being left in inconsistent states due to incomplete updates and ensures message delivery, which is a data integrity issue.\n\nThe application server must provide a transaction recovery capability for hosted applications.\n",
"fixid": "F-39786r1_fix",
"fixtext": "Configure the AS to recover transactions.",
"iacontrols": null,
"id": "V-35241",
"ruleID": "SV-46528r1_rule",
"severity": "low",
"title": "The application server must implement transaction recovery for transaction-based processes.",
"version": "SRG-APP-000144-AS-000098"
},
"V-35254": {
"checkid": "C-43609r1_chk",
"checktext": "Review the AS configuration and organizational policy to determine backup strategy. Backups must be consistent with recovery time and recovery point objectives. If application level data are not backed up on an automated basis, this is a finding.\n",
"description": "Information system backup is a critical step in maintaining data assurance and availability. \n\nApplication-level information includes all data relevant to the successful recovery of the application domain. \nBackups shall be consistent with organizational recovery time and recovery point objectives. \n\nThe application server must provide the capability to back up the application domains and application-related configuration information.",
"fixid": "F-39787r1_fix",
"fixtext": "Implement automated application-level backup strategy. \n",
"iacontrols": null,
"id": "V-35254",
"ruleID": "SV-46541r1_rule",
"severity": "medium",
"title": "The application server must conduct automated backups of application-level information contained in the application server.",
"version": "SRG-APP-000146-AS-000099"
},
"V-35257": {
"checkid": "C-43625r1_chk",
"checktext": "Review the AS configuration and organizational policy to determine backup strategy. Backups must be consistent with recovery time and recovery point objectives. If application server configuration data are not backed up on an automated basis, this is a finding.",
"description": "Information system backup is a critical step in maintaining data assurance and availability. \n\nApplication server configuration information includes all data relevant to the successful recovery of the application server itself. \nBackups shall be consistent with organizational recovery time and recovery point objectives. \n\nThe application server must be configured to automatically invoke backups of the application server configuration information.\n",
"fixid": "F-39803r1_fix",
"fixtext": "Implement automated system level backup strategy and include AS configuration data. ",
"iacontrols": null,
"id": "V-35257",
"ruleID": "SV-46544r1_rule",
"severity": "medium",
"title": "The application server must back up application server configuration data on an automated basis.",
"version": "SRG-APP-000146-AS-000100"
},
"V-35299": {
"checkid": "C-43668r1_chk",
"checktext": "Review AS documentation and configuration settings to determine if the AS requires the use of individual accounts to identify and authenticate AS users and user processes. If the AS does not meet this requirement, this is a finding.\n",
"description": "To assure accountability and prevent unauthorized access, AS users must be uniquely identified and authenticated. \n\n\nThe application server must uniquely identify and authenticate application server users or processes acting on behalf of users. This is typically accomplished via the use of a user store which is either local (OS based) or centralized (LDAP) in nature.\n",
"fixid": "F-39845r1_fix",
"fixtext": "Create and configure the appropriate accounts and align them in their respective roles as identified in the product documentation.",
"iacontrols": null,
"id": "V-35299",
"ruleID": "SV-46586r1_rule",
"severity": "high",
"title": "The application server must uniquely identify and authenticate users (or processes acting on behalf of users).\n",
"version": "SRG-APP-000148-AS-000101"
},
"V-35300": {
"checkid": "C-43669r1_chk",
"checktext": "Review the AS configuration to ensure the system is authenticating via multifactor authentication. If all aspects of AS management interfaces are not authenticating users via multifactor authentication methods, this is a finding. If the AS is not configured for multifactor authentication for network access, this is a finding.\n",
"description": "Multifactor authentication is defined as: using two or more factors to achieve authentication. \n\nFactors include: \n(i) something a user knows (e.g., password/PIN); \n(ii) something a user has (e.g., cryptographic identification device, token); or \n(iii) something a user is (e.g., biometric). A CAC meets this definition.\n\n\nA privileged account is defined as an information system account with authorizations of a privileged user.\n\nNetwork access is defined as access to a DoD information system by a user (or process acting on behalf of a user) communicating via a network connection. \n\n\nWhen accessing the AS via a network connection, administrative access to the application server must be CAC-enabled.\n",
"fixid": "F-39846r1_fix",
"fixtext": "Configure the AS to authenticate users via multifactor authentication for network access.",
"iacontrols": null,
"id": "V-35300",
"ruleID": "SV-46587r1_rule",
"severity": "medium",
"title": "The application server must use multifactor authentication for network access to privileged accounts.",
"version": "SRG-APP-000149-AS-000102"
},
"V-35301": {
"checkid": "C-43670r1_chk",
"checktext": "Review the AS documentation and configuration to determine if the AS is configured to require multifactor authentication. If the AS is not configured for multifactor authentication for local access, this is a finding. \n\nIf the AS is not capable of using CAC based authentication for local access to privileged accounts, this is a finding.",
"description": "Multifactor authentication is defined as: using two or more factors to achieve authentication. \n\nFactors include: \n(i) something a user knows (e.g., password/PIN); \n(ii) something a user has (e.g., cryptographic identification device, token); or \n(iii) something a user is (e.g., biometric). \n\n\nA privileged account is defined as an information system account with authorizations of a privileged user.\n\n\n\nLocal Access is defined as access to a DoD information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network. \n\n\nWhen accessing the AS via a local connection, also known as a console connection, administrative access to the application server must be CAC-enabled.",
"fixid": "F-39847r1_fix",
"fixtext": "Configure the application server to use CAC based authentication mechanisms for local access to privileged accounts.",
"iacontrols": null,
"id": "V-35301",
"ruleID": "SV-46588r1_rule",
"severity": "medium",
"title": "The application server must use CAC based authentication mechanisms for local access to privileged accounts.",
"version": "SRG-APP-000151-AS-000103"
},
"V-35302": {
"checkid": "C-43671r1_chk",
"checktext": "Review the AS documentation and configuration to determine if the AS individually authenticates users prior to authenticating via a role or group. Review AS logs to verify user accesses requiring authentication can be traced back to an individual account. If the AS does not authenticate users on an individual basis, this is a finding.\n",
"description": "To assure individual accountability and prevent unauthorized access, AS users (and any processes acting on behalf of AS users) must be individually identified and authenticated. \n\nA group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. \n\nApplication servers must ensure that individual users are authenticated prior to authenticating via role or group authentication. This is to ensure that there is non-repudiation for actions taken.",
"fixid": "F-39848r1_fix",
"fixtext": "Configure the AS to authenticate users individually prior to allowing any group based authentication. ",
"iacontrols": null,
"id": "V-35302",
"ruleID": "SV-46589r1_rule",
"severity": "high",
"title": "The application server must authenticate users individually prior to using a group authenticator.",
"version": "SRG-APP-000153-AS-000104"
},
"V-35303": {
"checkid": "C-43672r1_chk",
"checktext": "Review AS documentation and configuration to ensure the AS is configured to utilize a CAC when authenticating administrative users. If the AS is not configured to meet this requirement, this is a finding.\n",
"description": "An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. \n\n\nTechniques used to address this include protocols that use nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS-Security), time-synchronous or challenge-response one-time authenticators, and CACs. \n\nApplication servers typically provide management access via a web server-based interface or via command line scripted access. As such, the application server must take the necessary steps to ensure the authentication mechanisms built into the application server do not allow for replay based attacks that could compromise privileged accounts. CAC authentication meets these requirements when the card's private key is used in a challenge-response protocol such as TLS client certificate authentication (a CAC used only to unlock a static password does not provide replay resistance).\n",
"fixid": "F-39849r1_fix",
"fixtext": "Configure the AS to utilize CAC based authentication for network access to privileged accounts. ",
"iacontrols": null,
"id": "V-35303",
"ruleID": "SV-46590r1_rule",
"severity": "high",
"title": "The application server must use CAC based authentication mechanisms for network access to privileged accounts.\n",
"version": "SRG-APP-000156-AS-000105"
},
"V-35304": {
"checkid": "C-43673r1_chk",
"checktext": "Review AS documentation to ensure the AS provides extensions to the SOAP protocol that provide secure authentication. Review policy and data owner protection requirements in order to identify sensitive data. If secure authentication protocols are not utilized to protect data identified by data owner as requiring protection, this is a finding.\n",
"description": "Application servers may provide a web services capability that could be leveraged to allow remote access to sensitive application data. A web service, which is a repeatable process used to make data available to remote clients, should not be confused with a web server. \n\nMany web services utilize SOAP which in turn utilizes XML and HTTP as a transport. Natively, SOAP does not provide security protections. As such, the application server must provide security extensions to enhance SOAP capabilities so as to ensure that secure authentication mechanisms are employed to protect sensitive data. The WS-Security suite is a widely used and acceptable SOAP security extension.",
"fixid": "F-39850r1_fix",
"fixtext": "Configure the AS to utilize secure authentication when SOAP web services are used to access sensitive data. \n",
"iacontrols": null,
"id": "V-35304",
"ruleID": "SV-46591r1_rule",
"severity": "high",
"title": "The application server must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data.",
"version": "SRG-APP-000156-AS-000106"
},
"V-35305": {
"checkid": "C-43674r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. \n\n\nRationale for non-applicability: All accounts on the AS are used for management of the application server or the applications themselves. The AS is only accessed by authorized administrators serving in roles used to manage specific functionality of the server. This requirement is NA. Non-privileged accounts will not be present.\n",
"fixid": "F-39851r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35305",
"ruleID": "SV-46592r1_rule",
"severity": "medium",
"title": "Applications using multifactor authentication when accessing non-privileged accounts via the network must utilize replay resistant authentication.",
"version": "SRG-APP-000157-AS-NA"
},
"V-35306": {
"checkid": "C-43675r1_chk",
"checktext": "Review AS documentation, application data protection requirements and configuration to ensure the AS provides an SSL mutual authentication capability. If data protection requirements require mutual authentication and the AS is not configured to meet this requirement, this is a finding.\n",
"description": "Device authentication requires unique identification and authentication that may be defined by type, by specific device, or by a combination of type and device.\n\nDevice authentication is accomplished via the use of certificates and protocols such as SSL mutual authentication. \n\nDevice authentication is performed when the AS is providing web services capabilities and data protection requirements mandate the need to establish the identity of the connecting device otherwise known as the consumer.\n",
"fixid": "F-39852r1_fix",
"fixtext": "Configure the AS to perform mutual authentication of web service consumers as required by application design.",
"iacontrols": null,
"id": "V-35306",
"ruleID": "SV-46593r1_rule",
"severity": "high",
"title": "The application server must mutually authenticate web services-based devices when establishing a connection.\n",
"version": "SRG-APP-000158-AS-000108"
},
"V-35307": {
"checkid": "C-43676r1_chk",
"checktext": "Review AS documentation and configuration to determine if the AS utilizes cryptographic methods for mutually authenticating remote devices. If the AS does not utilize cryptographic methods, this is a finding.\n",
"description": "Device authentication requires unique identification and authentication that may be defined by type, by specific device, or by a combination of type and device, as deemed appropriate by the organization. \n\nThe required strength of the device authentication mechanism is determined by the security categorization of the information system. \n\nRemote network connection is any connection with a device communicating through an external network (e.g., the Internet). \n\nBidirectional authentication provides a means for both connecting parties to mutually authenticate one another, and cryptographic authentication provides a secure means of authenticating without the use of clear text passwords. The lack of a cryptographic method that can be employed when mutually authenticating introduces an integrity and confidentiality risk to the system.\n",
"fixid": "F-39853r1_fix",
"fixtext": "Configure the AS to use cryptographic methods, such as TLS (SSL) mutual authentication with client certificates, when mutually authenticating remote devices.",
"iacontrols": null,
"id": "V-35307",
"ruleID": "SV-46594r1_rule",
"severity": "medium",
"title": "Applications managing devices must authenticate devices before establishing remote network connections using bidirectional authentication between devices that are cryptographic.",
"version": "SRG-APP-000159-AS-000109"
},
"V-35308": {
"checkid": "C-43677r1_chk",
"checktext": "Review AS product documentation and configuration to determine if the AS automatically authenticates the remote user, device or application. Verify the AS creates a security token and incorporates services such as LDAP, Kerberos or AD to dynamically manage identifiers, attributes, and associated access restrictions. If the AS does not meet this requirement, this is a finding.\n",
"description": "Dynamically managing identifiers typically involves authenticating the remote user or device and then creating and assigning a security token that is used as the identifier. \n\nAttribute management involves utilizing services such as LDAP, Kerberos and AD to determine the role and access restrictions associated with the identity. Authorization is granting or denying access to the requested resource based on identity and the associated role. \n\n\nThe AS must be able to dynamically manage the identifiers, attributes, and access authorizations of users, devices and applications that attempt to utilize or otherwise access the application services provided by the AS.\n",
"fixid": "F-39854r2_fix",
"fixtext": "Configure the AS to dynamically manage identifiers, attributes, and associated access authorizations. ",
"iacontrols": null,
"id": "V-35308",
"ruleID": "SV-46595r1_rule",
"severity": "medium",
"title": "The application server must dynamically manage identifiers, attributes, and associated access authorizations.\n",
"version": "SRG-APP-000162-AS-000110"
},
"V-35309": {
"checkid": "C-43678r1_chk",
"checktext": "Review the AS configuration to ensure the AS disables device accounts after an organization defined time period of inactivity. If the AS is not configured to disable inactive device accounts, or is not configured to utilize a centralized device account store that meets this requirement, this is a finding.\n",
"description": "A device account represents a remote system or device rather than a user. \nInactive device accounts pose a risk to the AS system and the applications residing on the AS. Accounts used for device access must be disabled if they are not being used. \n\n\nDisabling access to inactive devices greatly reduces the risk that the system will be misused, hijacked, or will have data compromised. It is acceptable for the AS to be configured to utilize a centralized device account store such as LDAP or AD that provides this ability.\n",
"fixid": "F-39855r1_fix",
"fixtext": "Configure the AS to disable inactive device accounts per the organization's specified period of inactivity. ",
"iacontrols": null,
"id": "V-35309",
"ruleID": "SV-46596r1_rule",
"severity": "medium",
"title": "The application server must disable device accounts after an organization defined time period of inactivity.\n",
"version": "SRG-APP-000163-AS-000111"
},
"V-35310": {
"checkid": "C-43679r1_chk",
"checktext": "Review AS documentation and configuration to determine if the AS enforces a minimum password length. If the AS is not configured to enforce the organization defined minimum password length, or is not configured to utilize a centralized user store that meets this requirement, this is a finding.",
"description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nPassword length is one of several factors that helps to determine strength and how long it takes to crack a password. The shorter the password is, the lower the number of possible combinations that need to be tested before the password is compromised. \n\nApplication servers provide either a local user store or they integrate with enterprise user stores like LDAP. When the AS provides the user store and enforces authentication, the AS must enforce minimum password length.\n",
"fixid": "F-39856r1_fix",
"fixtext": "Configure the AS to enforce the minimum password length when creating or changing a password. ",
"iacontrols": null,
"id": "V-35310",
"ruleID": "SV-46597r1_rule",
"severity": "medium",
"title": "The application server must enforce minimum password length.",
"version": "SRG-APP-000164-AS-000112"
},
"V-35311": {
"checkid": "C-43681r2_chk",
"checktext": "Review AS documentation and configuration to determine if the AS prohibits password reuse for the defined number of password changes. If the AS is not configured to prohibit password reuse for the defined number of password changes, or is not configured to utilize a centralized user store that meets this requirement, this is a finding.\n",
"description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nTo meet password policy requirements, passwords need to be changed at specific policy-based intervals. However, if the application server allows the user to reuse their password when that password has exceeded its defined lifetime, the end result is a de facto reuse of an existing password. \n\nApp servers have the capability to utilize LDAP, certificates (tokens), or user IDs and passwords in order to authenticate. When the AS utilizes user IDs and passwords, the AS must prohibit the reuse of the user's password for the organization defined number of password changes.\n",
"fixid": "F-39857r1_fix",
"fixtext": "Configure the AS to prohibit password reuse for the organization defined number of generations.",
"iacontrols": null,
"id": "V-35311",
"ruleID": "SV-46598r1_rule",
"severity": "medium",
"title": "The application server must prohibit password reuse for the organization defined number of generations.\n",
"version": "SRG-APP-000165-AS-000113"
},
"V-35312": {
"checkid": "C-43682r1_chk",
"checktext": "Review AS documentation and configuration to determine if the AS enforces the requirement that users utilize a configurable number of upper case characters when creating or changing their passwords. If the AS is not configured to meet this requirement, this is a finding.\n",
"description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nUse of a complex password helps to increase the time and resources required to compromise the password. \n\nApplication servers provide either a local user store or they integrate with enterprise user stores like LDAP. When the AS provides the user store and enforces authentication, the AS must enforce the organization's password complexity requirements, which includes the requirement to use a specific number of upper case characters.\n",
"fixid": "F-39858r1_fix",
"fixtext": "Configure the AS to require users to utilize a specific number of upper case characters when creating or changing their passwords. \n",
"iacontrols": null,
"id": "V-35312",
"ruleID": "SV-46599r1_rule",
"severity": "medium",
"title": "The application server must enforce password complexity by the number of upper case characters used.\n",
"version": "SRG-APP-000166-AS-000114"
},
"V-35313": {
"checkid": "C-43683r1_chk",
"checktext": "Review AS documentation and configuration to determine if the AS enforces the requirement that users utilize a configurable number of lower case characters when creating or changing their passwords. If the AS is not configured to meet this requirement, this is a finding.\n",
"description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nUse of a complex password helps to increase the time and resources required to compromise the password. \n\nApplication servers provide either a local user store or they integrate with enterprise user stores like LDAP. When the AS provides the user store and enforces authentication, the AS must enforce the organization's password complexity requirements, which includes the requirement to use a specific number of lower case characters.\n",
"fixid": "F-39859r1_fix",
"fixtext": "Configure the AS to require users to utilize a specific number of lower case characters when creating or changing their passwords. ",
"iacontrols": null,
"id": "V-35313",
"ruleID": "SV-46600r1_rule",
"severity": "medium",
"title": "The application server must enforce password complexity by the number of lower case characters used.\n",
"version": "SRG-APP-000167-AS-000115"
},
"V-35314": {
"checkid": "C-43684r1_chk",
"checktext": "Review AS documentation and configuration to determine if the AS enforces the requirement that users utilize a configurable number of numeric characters when creating or changing their password. If the AS is not configured to meet this requirement, this is a finding.\n",
"description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nUse of a complex password helps to increase the time and resources required to compromise the password. \n\nApplication servers provide either a local user store or they integrate with enterprise user stores like LDAP. When the AS provides the user store and enforces authentication, the AS must enforce the organization's password complexity requirements, which include the requirement to use a specific number of numeric characters when passwords are created or changed.",
"fixid": "F-39860r1_fix",
"fixtext": "Configure the AS to require users to utilize a specific number of numeric characters when creating or changing their passwords. ",
"iacontrols": null,
"id": "V-35314",
"ruleID": "SV-46601r1_rule",
"severity": "medium",
"title": "The application server must enforce password complexity by the number of numeric characters used.\n",
"version": "SRG-APP-000168-AS-000116"
},
"V-35315": {
"checkid": "C-43685r1_chk",
"checktext": "Review AS documentation and server configuration to determine if the AS enforces the requirement that users utilize a configurable number of special characters when creating or changing their password. If the AS is not configured to meet this requirement, this is a finding.\n",
"description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nUse of a complex password helps to increase the time and resources required to compromise the password. \n\nApplication servers provide either a local user store or they integrate with enterprise user stores like LDAP. When the AS provides the user store and enforces authentication, the AS must enforce the organization's password complexity requirements, which include the requirement to use a specific number of special characters.\n",
"fixid": "F-39861r1_fix",
"fixtext": "Configure the AS to require users to utilize a specific number of special characters when creating or changing their password.",
"iacontrols": null,
"id": "V-35315",
"ruleID": "SV-46602r1_rule",
"severity": "medium",
"title": "The application server must enforce password complexity by the number of special characters used.\n",
"version": "SRG-APP-000169-AS-000117"
},
"V-35316": {
"checkid": "C-43686r1_chk",
"checktext": "Review AS documentation and configuration to determine if the AS enforces a minimum number of characters that must differ from the previous password when a password is changed. If the AS is not configured to meet this requirement, this is a finding.\n",
"description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nUse of a complex password helps to increase the time and resources required to compromise the password. \n\nApplication servers provide either a local user store or they integrate with enterprise user stores like LDAP. When the AS provides the user store and enforces authentication, the AS must enforce the organization's password complexity requirements, which includes the requirement to enforce the number of characters that get changed when passwords are changed.\n",
"fixid": "F-39862r1_fix",
"fixtext": "Configure the AS to enforce the number of characters that get changed when passwords are changed.",
"iacontrols": null,
"id": "V-35316",
"ruleID": "SV-46603r1_rule",
"severity": "medium",
"title": "The application server must enforce the number of characters that get changed when passwords are changed.\n",
"version": "SRG-APP-000170-AS-000118"
},
"V-35317": {
"checkid": "C-43687r1_chk",
"checktext": "Review AS documentation and configuration to determine if the AS enforces the requirement to encrypt passwords when they are stored. If the AS is not configured to meet this requirement, this is a finding.\n",
"description": "Applications must protect passwords cryptographically when storing them. Passwords need to be protected at all times. If passwords are stored in clear text, they can be plainly read and easily compromised. \n\nFor passwords the AS only needs to verify (user store credentials), a one-way salted hash using an approved algorithm is the appropriate protection; reversible encryption is only needed for credentials the AS must present to another system (e.g., datasource or LDAP bind passwords), and the key protecting those must itself be restricted to authorized users. \n\nApplication servers provide either a local user store or they integrate with enterprise user stores like LDAP. When the AS is responsible for creating or storing passwords, the AS must enforce the use of encryption or hashing when those passwords are stored.",
"fixid": "F-39863r1_fix",
"fixtext": "Configure the AS to encrypt passwords for storage. ",
"iacontrols": null,
"id": "V-35317",
"ruleID": "SV-46604r1_rule",
"severity": "high",
"title": "The application server must encrypt stored passwords.",
"version": "SRG-APP-000171-AS-000119"
},
"V-35318": {
"checkid": "C-43688r1_chk",
"checktext": "Review AS documentation and configuration to determine if the AS enforces the requirement to encrypt passwords when they are transmitted. If the AS is not configured to meet this requirement, this is a finding.\n",
"description": "Passwords need to be protected at all times and encryption is the standard method for protecting passwords during transmission. \n\nApp servers have the capability to utilize either certificates (tokens) or user IDs and passwords in order to authenticate. When the AS transmits or receives passwords, the passwords must be encrypted.\n\n",
"fixid": "F-39864r1_fix",
"fixtext": "Configure the AS to encrypt passwords for transmission. ",
"iacontrols": null,
"id": "V-35318",
"ruleID": "SV-46605r1_rule",
"severity": "high",
"title": "The application server must encrypt passwords during transmission.",
"version": "SRG-APP-000172-AS-000120"
},
"V-35319": {
"checkid": "C-43689r1_chk",
"checktext": "Review AS documentation and configuration to determine if the AS enforces the requirement to encrypt LDAP traffic. If the AS is not configured to meet this requirement, this is a finding.",
"description": "Passwords need to be protected at all times and encryption is the standard method for protecting passwords during transmission. \n\nApp servers have the capability to utilize LDAP directories for authentication. If LDAP connections are not protected during transmission, sensitive authentication credentials (including the AS's own directory bind credentials) can be stolen. When the AS utilizes LDAP, the LDAP traffic must be encrypted, e.g., via LDAPS or LDAP with StartTLS, with the directory server's certificate validated by the AS.\n",
"fixid": "F-39865r1_fix",
"fixtext": "Configure the AS to encrypt LDAP traffic. \n",
"iacontrols": null,
"id": "V-35319",
"ruleID": "SV-46606r1_rule",
"severity": "high",
"title": "The application server must utilize encryption when using LDAP for authentication.",
"version": "SRG-APP-000172-AS-000121"
},
"V-35320": {
"checkid": "C-43691r1_chk",
"checktext": "Review AS documentation and configuration to determine if the AS enforces the minimum lifetime restrictions on password changes. If the AS is not configured to meet this requirement, this is a finding.\n",
"description": "Password minimum lifetime is defined as: the minimum period of time (typically in days) a user's password must be in effect before the user can change it. \n\nApp servers have the capability to utilize LDAP, certificates (tokens), or user IDs and passwords in order to authenticate. When the AS utilizes user IDs and passwords, the AS must enforce the organization defined minimum lifetime restrictions for password changes.",
"fixid": "F-39866r1_fix",
"fixtext": "Configure the AS minimum lifetime restriction value for passwords. ",
"iacontrols": null,
"id": "V-35320",
"ruleID": "SV-46607r1_rule",
"severity": "medium",
"title": "The application server must enforce password minimum lifetime restrictions.",
"version": "SRG-APP-000173-AS-000122"
},
"V-35321": {
"checkid": "C-43692r1_chk",
"checktext": "Review AS documentation and configuration to determine if the AS enforces the maximum lifetime restrictions on password changes. If the AS is not configured to meet this requirement, this is a finding.\n",
"description": "Password maximum lifetime is defined as: the maximum period of time (typically in days) a user's password may be in effect before the user is forced to change it. \n\nApp servers have the capability to utilize LDAP, certificates (tokens), or user IDs and passwords in order to authenticate. When the AS utilizes user IDs and passwords, the AS must enforce the organization defined maximum lifetime restrictions for password changes.\n",
"fixid": "F-39868r1_fix",
"fixtext": "Configure the AS maximum lifetime restriction value for passwords. \n",
"iacontrols": null,
"id": "V-35321",
"ruleID": "SV-46608r1_rule",
"severity": "medium",
"title": "The application server must enforce password maximum lifetime restrictions.",
"version": "SRG-APP-000174-AS-000123"
},
"V-35322": {
"checkid": "C-43693r1_chk",
"checktext": "Review the AS documentation and configuration to determine if the AS provides PKI functionality that validates certificates by constructing a certification path with status information to an accepted trust anchor. If the AS does not perform this requirement, this is a finding.\n",
"description": "A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. \n\nWhen there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. \n\nPath validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. \n\nStatus information for certification paths includes certificate revocation lists (CRLs) or Online Certificate Status Protocol (OCSP) responses; a path whose revocation status cannot be determined should not be treated as valid.\n",
"fixid": "F-39869r1_fix",
"fixtext": "Configure the AS to validate certificates using a trusted certificate path with status information to an accepted trust anchor. ",
"iacontrols": null,
"id": "V-35322",
"ruleID": "SV-46609r1_rule",
"severity": "medium",
"title": "The application server, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor",
"version": "SRG-APP-000175-AS-000124"
},
"V-35324": {
"checkid": "C-43694r1_chk",
"checktext": "Review AS configuration and documentation to ensure the Java keystores are protected so as to enforce only authorized access to private keys. Approved protection mechanisms are OS file permissions, passwords, and encryption based mechanisms that encrypt key values contained within the file. Where the keystore password is held in an AS configuration file, that file must itself be restricted to authorized users. If the AS is not configured to enforce authorized access to private keys, this is a finding.",
"description": "The cornerstone of the PKI is the private key used to encrypt or digitally sign information. \n\nIf the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and can pretend to be the authorized user. \n\nBoth the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys. Java based application servers utilize the Java keystore which provides storage for cryptographic keys and certificates. The keystore is usually maintained in a file stored on the file system.\n",
"fixid": "F-39870r1_fix",
"fixtext": "Configure the keystore to protect keystore information from unauthorized access. ",
"iacontrols": null,
"id": "V-35324",
"ruleID": "SV-46611r1_rule",
"severity": "high",
"title": "The application server, when using PKI-based authentication, must restrict keystore access to authorized users.",
"version": "SRG-APP-000176-AS-000125"
},
"V-35325": {
"checkid": "C-43695r1_chk",
"checktext": "Review AS documentation and configuration to ensure the AS provides a PKI integration capability that meets DoD PKI infrastructure requirements and that the identity authenticated via certificate (e.g., the subject or subject alternative name) is mapped to a specific user account, as the requirement title states. If the AS is not configured to meet this requirement, this is a finding.",
"description": "The cornerstone of the PKI is the private key used to encrypt or digitally sign information. The key by itself is a cryptographic value that does not contain specific user information. \n\nApplication servers must provide the capability to utilize and meet requirements of the DoD Enterprise PKI infrastructure for application authentication.",
"fixid": "F-39872r1_fix",
"fixtext": "Configure the AS to utilize the DoD Enterprise PKI infrastructure. \n",
"iacontrols": null,
"id": "V-35325",
"ruleID": "SV-46612r1_rule",
"severity": "medium",
"title": "The application server must ensure that PKI-based authentication maps the authenticated identity to the user account.",
"version": "SRG-APP-000177-AS-000126"
},
"V-35328": {
"checkid": "C-43696r2_chk",
"checktext": "Review AS documentation and configuration to determine if any interfaces which are provided for authentication purposes display the user's password when it is typed into the data entry field. If authentication information is not obfuscated when entered, this is a finding.\n",
"description": "To prevent the compromise of authentication information during the authentication process, the application server authentication screens must obfuscate input so an unauthorized user can not view a password, PIN or any other authenticator value as it is being typed.\n\n\nThis can occur when a user is authenticating to the AS through the web management interface. The AS must obfuscate all passwords, PIN's or other authenticator information when typed. User ID is not required to be obfuscated.\n",
"fixid": "F-39874r1_fix",
"fixtext": "Configure the AS to not display passwords or PIN's when they are typed.",
"iacontrols": null,
"id": "V-35328",
"ruleID": "SV-46615r1_rule",
"severity": "high",
"title": "The application server must obscure display of authentication information during the authentication process.\n",
"version": "SRG-APP-000178-AS-000127"
},
"V-35329": {
"checkid": "C-43697r1_chk",
"checktext": "Review AS documentation and configuration to determine if the encryption modules utilized for authentication are FIPS 140-2 compliant. Reference the following NIST site to identify validated encryption modules: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm\n\nIf the encryption modules used for authentication are not FIPS 140-2 validated, this is a finding.",
"description": "Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity and DoD data may be compromised due to weak algorithms. \n\nFIPS 140-2 is the current standard for validating cryptographic modules and NSA Type-X (where X=1, 2, 3, 4) products are NSA certified hardware-based encryption modules. \n\nApplication servers must provide FIPS-compliant encryption modules when authenticating users and processes.\n",
"fixid": "F-39875r1_fix",
"fixtext": "Configure the AS to utilize FIPS 140-2 approved encryption modules when authenticating users and processes. ",
"iacontrols": null,
"id": "V-35329",
"ruleID": "SV-46616r1_rule",
"severity": "medium",
"title": "The Application Server must utilize FIPS 140-2 approved encryption modules when authenticating users and processes.\n",
"version": "SRG-APP-000179-AS-000129"
},
"V-35330": {
"checkid": "C-43698r2_chk",
"checktext": "Review AS documentation and configuration to determine if the encryption modules utilized for storage of data are FIPS 140-2 compliant. Reference the following NIST site to identify validated encryption modules: \n\nhttp://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm\n\nIf the encryption modules used for storage of data are not FIPS 140-2 validated, this is a finding.",
"description": "Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity and DoD data may be compromised due to weak algorithms. \n\nFIPS 140-2 is the current standard for validating cryptographic modules and NSA Type-X (where X=1, 2, 3, 4) products are NSA certified hardware based encryption modules. \n\nApplication servers must provide FIPS compliant encryption modules when storing encrypted data and configuration settings.\n",
"fixid": "F-39876r1_fix",
"fixtext": "Configure the AS to utilize FIPS 140-2 approved encryption modules when the AS is storing data.",
"iacontrols": null,
"id": "V-35330",
"ruleID": "SV-46617r1_rule",
"severity": "medium",
"title": "The Application Server must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.\n",
"version": "SRG-APP-000179-AS-000128"
},
"V-35331": {
"checkid": "C-43699r1_chk",
"checktext": "Review the AS configuration to determine if the system is configured to utilize cryptographic encryption like TLS for non-local maintenance connections. If the AS does not utilize cryptographic encryption, this is a finding.\n",
"description": "Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. \n\nApplication servers provide an HTTP-oriented remote management capability that is used for managing the application server as well as uploading and deleting applications that are hosted on the app server. Application servers need to ensure the communication channels used to remotely access the system utilize cryptographic mechanisms such as TLS.\n",
"fixid": "F-39877r1_fix",
"fixtext": "Configure the AS to use cryptographic encryption to protect non-local maintenance session integrity and confidentiality.",
"iacontrols": null,
"id": "V-35331",
"ruleID": "SV-46618r1_rule",
"severity": "medium",
"title": "The application server must employ cryptographic encryption to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.\n",
"version": "SRG-APP-000184-AS-000130"
},
"V-35332": {
"checkid": "C-43700r1_chk",
"checktext": "Review the AS configuration to ensure the system is authenticating through the Enterprise Authentication Mechanism that employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions. If the AS is not authenticating through the Enterprise Authentication Mechanism, this is a finding.\n",
"description": "Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. \n\nApplication servers will typically utilize an HTTP interface for providing both local and remote maintenance and diagnostic sessions. In these instances, an acceptable strong identification and authentication technique consists of utilizing two-factor authentication via secured HTTPS connections. If the application server also provides maintenance and diagnostic access via a fat client or other client-based connection, then that client must also utilize two-factor authentication and use FIPS-approved encryption modules for establishing transport connections.\n",
"fixid": "F-39878r1_fix",
"fixtext": "Configure the AS to authenticate through the Enterprise Authentication Mechanism.",
"iacontrols": null,
"id": "V-35332",
"ruleID": "SV-46619r1_rule",
"severity": "medium",
"title": "The application server must employ strong identification and authentication techniques when establishing non-local maintenance and diagnostic sessions\n",
"version": "SRG-APP-000185-AS-000131"
},
"V-35333": {
"checkid": "C-43701r1_chk",
"checktext": "Review the AS configuration to determine if the system is configured to terminate all sessions and network connections when non-local maintenance is completed. If the AS is not set to terminate these sessions, this is a finding.\n",
"description": "Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. \n\nApplication servers will typically utilize an HTTP interface for providing both local and remote maintenance and diagnostic sessions. The application server needs to ensure all sessions and network connections are terminated when non-local maintenance is completed.",
"fixid": "F-39879r1_fix",
"fixtext": "Configure the AS to terminate all sessions and network connections when non-local maintenance is completed.",
"iacontrols": null,
"id": "V-35333",
"ruleID": "SV-46620r1_rule",
"severity": "medium",
"title": "The application server must terminate all sessions and network connections when non-local maintenance is completed.\n",
"version": "SRG-APP-000186-AS-000132"
},
"V-35334": {
"checkid": "C-43702r1_chk",
"checktext": "Review the AS configuration and organizational requirements to ensure cryptographic mechanisms are used to protect information in storage. If information in storage is not protected to the level the organization requires, this is a finding.\n",
"description": "When data is written to digital media such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and data compromise. \n\nFewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact if accessed by other than authorized personnel. In these situations, it is assumed the physical access controls where the media resides provide adequate protection. \n\nAs part of a defense-in-depth strategy, data owners and DoD consider routinely encrypting information at rest on selected secondary storage devices. The employment of cryptography is at the discretion of the information owner/steward. The selection of the cryptographic mechanisms used is based upon maintaining the confidentiality and integrity of the information. \n\nThe strength of mechanisms is commensurate with the classification and sensitivity of the information. \n\nThe application server must directly provide, or provide access to, cryptographic libraries and functionality that allow applications to encrypt data when it is stored.\n",
"fixid": "F-39880r1_fix",
"fixtext": "Configure the AS to utilize cryptographic mechanisms to protect information in storage to the level specified by the organization. ",
"iacontrols": null,
"id": "V-35334",
"ruleID": "SV-46621r1_rule",
"severity": "medium",
"title": "The application server must employ cryptographic mechanisms to protect information in storage.\n",
"version": "SRG-APP-000188-AS-000133"
},
"V-35335": {
"checkid": "C-43703r1_chk",
"checktext": "Review the AS configuration to verify the system terminates network connections after an organization defined time period of inactivity. If communications are not terminated after an organization-defined time period of inactivity, this is a finding.",
"description": "If communications sessions remain open for extended periods of time even when unused, there is the potential for an adversary to hijack the session and use it to gain access to the device or networks to which it is attached. Terminating sessions after a certain period of inactivity is a method for mitigating the risk of this vulnerability.\n\nThe application server must provide a mechanism for timing out or otherwise terminating inactive web sessions.\n",
"fixid": "F-39881r1_fix",
"fixtext": "Configure the AS to terminate network connections after the organization defined time period of inactivity.",
"iacontrols": null,
"id": "V-35335",
"ruleID": "SV-46622r1_rule",
"severity": "low",
"title": "The application server must terminate the network connection associated with a communications session at the end of the session or after a DoD-defined time period of inactivity.\n",
"version": "SRG-APP-000190-AS-000134"
},
"V-35336": {
"checkid": "C-43704r2_chk",
"checktext": "Review the AS configuration to determine if the AS establishes a trusted path for an administrator to enter authentication credentials (password or CAC PIN). If the AS does not provide a trusted path, this is a finding.\n",
"description": " Without a trusted communication path, the AS is vulnerable to a man-in-the-middle attack.\n\nApplication server user interfaces are used for management of the application server so the communications path between client and server must be trusted or management of the server may be compromised.\n",
"fixid": "F-39882r1_fix",
"fixtext": "Configure the AS to establish a trusted communications path between all AS managers/administrators and the systems authentication mechanism. ",
"iacontrols": null,
"id": "V-35336",
"ruleID": "SV-46623r1_rule",
"severity": "medium",
"title": "The application server must establish a trusted communications path between the user and organization defined security functions within the information system.\n",
"version": "SRG-APP-000191-AS-000135"
},
"V-35337": {
"checkid": "C-43705r1_chk",
"checktext": "Review AS configuration, and the NIST FIPS certificate to validate the AS uses NIST-approved or NSA-approved key management technology and processes when producing, controlling or distributing symmetric and asymmetric keys. If the AS does not use this NIST-approved or NSA-approved key management technology and processes, this is a finding.",
"description": "A symmetric encryption key must be protected during transmission. The public portion of an asymmetric key pair can be freely distributed without fear of compromise and the private portion of the key must be protected. The AS will provide software libraries that applications can programmatically utilize so as to encrypt and decrypt information. These AS libraries must use NIST-approved or NSA-approved key management technology and processes when producing, controlling, or distributing asymmetric and asymmetric keys.\n",
"fixid": "F-39883r1_fix",
"fixtext": "Configure the AS to utilize NIST-approved or NSA-approved key management technology when the AS produces, controls, and distributes symmetric and asymmetric cryptographic keys. ",
"iacontrols": null,
"id": "V-35337",
"ruleID": "SV-46624r1_rule",
"severity": "medium",
"title": "Application servers must use NIST-approved or NSA-approved key management technology and processes.\n",
"version": "SRG-APP-000193-AS-000136"
},
"V-35338": {
"checkid": "C-43706r3_chk",
"checktext": "Review the AS configuration to determine if the AS utilizes approved PKI Class 3 or Class 4 certificates. If the AS is not configured to use approved DoD or CNS certificates, this is a finding.\n",
"description": "Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Utilizing unapproved certificates not issued or approved by DoD or CNS creates an integrity risk. The AS must utilize approved DoD or CNS Class 3 or Class 4 certificates for software signing and business to business transactions.\n",
"fixid": "F-39884r2_fix",
"fixtext": "Configure the AS to use DoD or CNS approved Class 3 or Class 4 PKI certificates. ",
"iacontrols": null,
"id": "V-35338",
"ruleID": "SV-46625r1_rule",
"severity": "high",
"title": "The application server must use DoD or CNS approved PKI Class 3 or Class 4 certificates.",
"version": "SRG-APP-000195-AS-000137"
},
"V-35341": {
"checkid": "C-43709r1_chk",
"checktext": "Review policy documents to identify classified data that is compartmentalized and requires cryptographic protection. Review system configuration to identify the encryption modules utilized to protect the compartmentalized data. If the encryption modules used to protect the compartmentalized data are not NSA approved, this is a finding.",
"description": "Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. \n\nUse of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. Encryption modules/algorithms are the mathematical procedures used for encrypting data.\n\n\n\nNSA has developed Type 1 algorithms for protecting classified information. The Committee on National Security Systems (CNSS) National Information Assurance Glossary (CNSS Instruction No. 4009) defines Type 1 products as:\n\n\"Cryptographic equipment, assembly or component classified or certified by NSA for encrypting and decrypting classified and sensitive national security information when appropriately keyed. Developed using established NSA business processes and containing NSA-approved algorithms are used to protect systems requiring the most stringent protection mechanisms.\"\n\nAlthough persons may have a security clearance, they may not have a \"need to know\" and are required to be separated from the information in question. The application server must employ NSA-approved cryptography to protect classified information from those individuals who have no \"need to know\" or when encryption of compartmentalized data is required by data classification.",
"fixid": "F-39887r2_fix",
"fixtext": "Configure the application server to utilize NSA-approved cryptography when protecting classified compartmentalized data.",
"iacontrols": null,
"id": "V-35341",
"ruleID": "SV-46628r1_rule",
"severity": "medium",
"title": "The application server must utilize NSA-approved cryptography when protecting classified compartmentalized data.\n",
"version": "SRG-APP-000196-AS-000138"
},
"V-35342": {
"checkid": "C-43710r1_chk",
"checktext": "Review the AS configuration to determine if the AS utilizes FIPS-validated encryption modules when implementing cryptographic protection. If the AS does not meet this requirement, this is a finding.\n",
"description": "Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. \n\nUse of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. \n\nApplication servers must utilize FIPS-approved encryption modules when protecting unclassified sensitive data.\n",
"fixid": "F-39888r1_fix",
"fixtext": "Configure the AS to use FIPS-approved encryption modules. ",
"iacontrols": null,
"id": "V-35342",
"ruleID": "SV-46629r1_rule",
"severity": "medium",
"title": "The application server must employ FIPS-validated cryptography to protect unclassified information.",
"version": "SRG-APP-000197-AS-000139"
},
"V-35343": {
"checkid": "C-43711r1_chk",
"checktext": "Review system documentation to identify that NSA has approved the cryptography used to protect classified data and applications resident on the device. If NSA has not approved the cryptography for classified data and applications, this is a finding.\n",
"description": "Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or un-tested encryption algorithms undermines the purposes of utilizing encryption to protect data. \n\nNSA has developed Type 1 algorithms for protecting classified information. The Committee on National Security Systems (CNSS) National Information Assurance Glossary (CNSS Instruction No. 4009) defines Type 1 products as:\n\n\"Cryptographic equipment, assembly or component classified or certified by NSA for encrypting and decrypting classified and sensitive national security information when appropriately keyed. Developed using established NSA business processes and containing NSA-approved algorithms \nare used to protect systems requiring the most stringent protection mechanisms.\" \n\nNSA-approved cryptography is required to be used for classified information system processing. \n\nThe application server must utilize NSA-approved encryption modules when protecting classified data. This means using AES and other approved encryption modules.\n",
"fixid": "F-39889r1_fix",
"fixtext": "Utilize NSA-approved cryptography to protect classified information. \n",
"iacontrols": null,
"id": "V-35343",
"ruleID": "SV-46630r1_rule",
"severity": "high",
"title": "The application server must employ NSA-approved cryptography to protect classified information.",
"version": "SRG-APP-000198-AS-000140"
},
"V-35344": {
"checkid": "C-43712r1_chk",
"checktext": "Review policy documents to identify data that is compartmentalized and requires cryptographic protection. Review system configuration to identify the encryption modules utilized to protect the compartmentalized data. If the encryption modules used to protect the compartmentalized data are not FIPS validated, this is a finding.",
"description": "Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or un-tested encryption algorithms undermines the purposes of utilizing encryption to protect data. FIPS 140-2 Security Requirements for Cryptographic Modules can be found at the following web site: http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf. \n\nAlthough persons may have a security clearance, they may not have a \"need to know\" and are required to be separated from the information in question. The application server must employ FIPS-validated cryptography to protect unclassified information from those individuals who have no \"need to know\" or when encryption of compartmentalized data is required by the data owner.",
"fixid": "F-39890r1_fix",
"fixtext": "Configure the AS to utilize FIPS validated cryptography when protecting unclassified, compartmentalized data. ",
"iacontrols": null,
"id": "V-35344",
"ruleID": "SV-46631r1_rule",
"severity": "medium",
"title": "The application server must utilize FIPS validated cryptography when protecting unclassified compartmentalized data.",
"version": "SRG-APP-000199-AS-000141"
},
"V-35347": {
"checkid": "C-43714r1_chk",
"checktext": "Review the AS configuration to ensure the system is configured to protect the integrity and availability of publicly available information and applications. If the system is configured otherwise, this is a finding.",
"description": "The purpose of this control is to ensure organizations explicitly address the protection needs for public information and applications with such protection likely being implemented as part of other security controls. \n\nApplication servers must protect the integrity of publicly available information.",
"fixid": "F-39892r1_fix",
"fixtext": "Configure the AS to protect the integrity and availability of publicly available information and applications. ",
"iacontrols": null,
"id": "V-35347",
"ruleID": "SV-46634r1_rule",
"severity": "medium",
"title": "The application server must protect the integrity and availability of publicly available information and applications.\n",
"version": "SRG-APP-000201-AS-000142"
},
"V-35361": {
"checkid": "C-43726r1_chk",
"checktext": "Review AS documentation to validate the AS binds policy sets with information exchanged between information systems. If the AS does not bind policy sets with information exchanged between information systems, this is a finding.",
"description": "When data is exchanged between information systems, the security attributes associated with said data needs to be maintained. \n\nApplication servers provide a capability to exchange data between multiple web service hops. In application server terms, this is referred to as message layer security. While transport layer security ensures data security between two points, message layer security is built into the message itself and provides security across multiple hops. \n\nPolicy sets are used to specify how the message is to be protected (e.g., encrypt the entire message, portions of the message, or just sign the message). The application server must bind policy sets to messages when message layer security is employed.\n",
"fixid": "F-39908r1_fix",
"fixtext": "Configure the AS to bind policy sets that are used to protect messages. ",
"iacontrols": null,
"id": "V-35361",
"ruleID": "SV-46648r1_rule",
"severity": "medium",
"title": "The application server must associate security attributes with information exchanged between information systems.",
"version": "SRG-APP-000203-AS-000143"
},
"V-35368": {
"checkid": "C-43730r1_chk",
"checktext": "Review AS documentation to validate the AS is capable of cryptographically signing the messages that are exchanged between other AS systems. If the AS is not configured to meet this requirement, this is a finding.\n",
"description": "Application servers provide a capability to exchange data between multiple web service hops. In application server terms, this is referred to as message layer security. While transport layer security ensures data security between two points, message layer security is built into the message itself and provides security across multiple hops. \n\nWhen data is exchanged between information systems, the integrity of said data needs to be validated. \n\nApplication servers must be able to validate the integrity of data messages. This is accomplished via the use of cryptographic means such as utilizing cryptographic signatures and data signing.\n",
"fixid": "F-39912r1_fix",
"fixtext": "Configure the AS to cryptographically sign messages when specified by application design or policy. ",
"iacontrols": null,
"id": "V-35368",
"ruleID": "SV-46655r1_rule",
"severity": "medium",
"title": "The application server must validate the integrity of security attributes exchanged between systems.\n",
"version": "SRG-APP-000204-AS-000144"
},
"V-35371": {
"checkid": "C-43734r1_chk",
"checktext": "Review the AS configuration to determine if hosted applets are digitally signed as per mobile code policy. If the AS is not configured to digitally sign hosted mobile code applets, this is a finding.",
"description": "Mobile code technologies include: Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on organizational servers and mobile code downloaded and executed on individual workstations. \n\nDoDI 8552.01 policy pertains to the use of mobile code technologies within DoD information systems. \n\nApplication servers must meet policy requirements regarding the deployment and/or use of mobile code. This includes digitally signing applets in order to provide a means for the client to establish application authenticity.\n",
"fixid": "F-39917r1_fix",
"fixtext": "Configure the AS to digitally sign hosted mobile code applets as per DoD policy",
"iacontrols": null,
"id": "V-35371",
"ruleID": "SV-46658r1_rule",
"severity": "medium",
"title": "The application server, when hosting mobile applet code must be configured to host only digitally signed mobile code.",
"version": "SRG-APP-000208-AS-000145"
},
"V-35376": {
"checkid": "C-43739r1_chk",
"checktext": "Review the AS documentation and configuration to verify that the AS separates admin functionality from hosted application functionality. If the AS does not separate AS admin functionality from hosted application functionality, this is a finding.\n",
"description": "Application server management functionality includes functions necessary to administer the application server, and requires privileged access via one of the accounts assigned to a management role. \n\nThe separation of AS administration functionality from hosted application functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of the operating system, network addresses, network ports, or combinations of these methods, as appropriate.",
"fixid": "F-39923r1_fix",
"fixtext": "Configure the AS so that admin management functionality and hosted applications are separated. ",
"iacontrols": null,
"id": "V-35376",
"ruleID": "SV-46663r1_rule",
"severity": "medium",
"title": "The application server must separate hosted application functionality from AS management functionality.\n",
"version": "SRG-APP-000211-AS-000146"
},
"V-35381": {
"checkid": "C-43742r1_chk",
"checktext": "Review the AS configuration and documentation to ensure the AS provides mutual authentication capabilities. If the AS does not provide the ability for applications to utilize mutual authentication, this is a finding.\n",
"description": "This control focuses on communications protection at the session, versus packet level. \n\nAt the application layer, session IDs are tokens generated by web applications to uniquely identify an application user's session. Web applications utilize session tokens or session IDs in order to establish application user identity. Proper use of session IDs addresses man-in-the-middle attacks, including session hijacking or insertion of false information into a session. \n\nApplication servers must provide the capability to perform mutual authentication. Mutual authentication is when both the client and the server authenticate each other.\n",
"fixid": "F-39927r1_fix",
"fixtext": "Configure the AS to mutually authenticate during the entire session as required by application design and policy.",
"iacontrols": null,
"id": "V-35381",
"ruleID": "SV-46668r1_rule",
"severity": "medium",
"title": "The application server must ensure authentication of both client and server during the entire session.",
"version": "SRG-APP-000219-AS-000147"
},
"V-35415": {
"checkid": "C-43761r1_chk",
"checktext": "Review the AS configuration and organizational policy to determine if the system is configured to terminate administrator sessions upon administrator logout or any other organization or policy defined session termination events such as idle time limit exceeded. If the configuration is not set to terminate administrator sessions per defined events, this is a finding.\n",
"description": "If communications sessions remain open for extended periods of time even when unused, there is the potential for an adversary to hijack the session and use it to gain access to the device or networks to which it is attached. Terminating sessions after a logout event or after a certain period of inactivity is a method for mitigating the risk of this vulnerability. When a user management session becomes idle, or when a user logs out of the management interface, the AS must terminate the session.",
"fixid": "F-39959r1_fix",
"fixtext": "Configure the AS to terminate administrative sessions upon logout or any other organization or policy defined session termination events. ",
"iacontrols": null,
"id": "V-35415",
"ruleID": "SV-46702r1_rule",
"severity": "medium",
"title": "The application server must terminate user sessions upon user logout or any other organization- or policy-defined session termination events such as idle time limit exceeded.",
"version": "SRG-APP-000220-AS-000148"
},
"V-35419": {
"checkid": "C-43769r1_chk",
"checktext": "Manually terminating an AS management session allows users to immediately depart the physical vicinity of the system they are logged into without the risk of subsequent system users or unauthorized parties reactivating or continuing their session. User's who log into the application server management interface must have the ability to manually terminate their session.",
"description": " Manually terminating an AS management session allows users to immediately depart the physical vicinity of the system they are logged into without the risk of subsequent system users or unauthorized parties reactivating or continuing their session. User's who log into the application server management interface must have the ability to manually terminate their session.\n",
"fixid": "F-39962r1_fix",
"fixtext": "Configure the AS to provide a logout functionality to allow the user to manually terminate the session. ",
"iacontrols": null,
"id": "V-35419",
"ruleID": "SV-46706r1_rule",
"severity": "medium",
"title": "The application server management interface must provide a logout functionality to allow the user to manually terminate the session.",
"version": "SRG-APP-000221-AS-000149"
},
"V-35420": {
"checkid": "C-43771r1_chk",
"checktext": "Review the AS configuration to determine if the AS generates a unique session identifier for each session. Request an administrator log into the server and view the logs to verify a unique session identifier was assigned to the session. If the AS does not generate a unique session identifier for each session, this is a finding.",
"description": " Unique session IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of session identifiers. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions. \n\nApplication servers must generate a unique session identifier for each application session so as to prevent session hijacking.\n",
"fixid": "F-39964r1_fix",
"fixtext": "Configure the AS to generate a unique session identifier for each session. ",
"iacontrols": null,
"id": "V-35420",
"ruleID": "SV-46707r1_rule",
"severity": "low",
"title": "The application server must generate a unique session identifier for each session.",
"version": "SRG-APP-000222-AS-000150"
},
"V-35421": {
"checkid": "C-43772r1_chk",
"checktext": "Review the AS configuration to determine if the AS recognizes only system-generated session identifiers. If the AS does not recognize only system-generated session identifiers, this is a finding.",
"description": "This requirement focuses on communications protection at the application session, versus network packet level. The intent of this control is to establish grounds for confidence at each end of a communications session in the ongoing identity of the other party and in the validity of the information being transmitted. \n\nUnique session IDs are the opposite of sequentially generated session IDs which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of said identifiers. \n\nUnique session IDs address man-in-the-middle attacks including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions.\n",
"fixid": "F-39965r1_fix",
"fixtext": "Design the AS to recognize only system-generated session identifiers. ",
"iacontrols": null,
"id": "V-35421",
"ruleID": "SV-46708r1_rule",
"severity": "low",
"title": "The application server must recognize only system-generated session identifiers.",
"version": "SRG-APP-000223-AS-000151"
},
"V-35422": {
"checkid": "C-43773r1_chk",
"checktext": "Review the AS configuration, AS documentation, and organizational policy to determine if the AS generates unique session identifiers according to organization-defined randomness requirements. Determine how the AS generates the session identifier. Request an administrator log into the server and view the logs to verify a unique session identifier was assigned to the session. If the AS does not generate unique session identifiers with organization-defined randomness requirements, this is a finding.\n",
"description": "This requirement focuses on communications protection at the application session, versus network packet level. The intent of this control is to establish grounds for confidence, at each end of a communications session, in the ongoing identity of the other party and in the validity of the information being transmitted. \n\nUnique session IDs are the opposite of sequentially generated session IDs which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of said identifiers. \n\nUnique session IDs address man-in-the-middle attacks including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions.\n\nOrganizations can define the randomness of unique session identifiers when deemed necessary (e.g., sessions in service-oriented architectures providing web-based services).\n\n\n",
"fixid": "F-39966r1_fix",
"fixtext": "Configure the AS to generate unique session identifiers according to the organization-defined randomness requirements.",
"iacontrols": null,
"id": "V-35422",
"ruleID": "SV-46709r1_rule",
"severity": "low",
"title": "The application server must generate unique session identifiers with organization defined randomness requirements.\n",
"version": "SRG-APP-000224-AS-000152"
},
"V-35423": {
"checkid": "C-43774r1_chk",
"checktext": "Review the AS configuration and documentation to ensure the system is configured to perform complete application deployments. If the AS is not configured to ensure complete application deployments or provides no rollback functionality, this is a finding.\n",
"description": " Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. \n\nWhen an application is deployed to the application server, if the deployment process does not complete properly and without errors, there is the potential that some application files may not be deployed or may be corrupted and an application error may occur during runtime. \n\nThe AS must be able to perform complete application deployments. A partial deployment can leave the server in an inconsistent state. Application servers may provide a transaction rollback function to address this issue.\n",
"fixid": "F-39967r1_fix",
"fixtext": "Configure the AS to detect errors that occur during application deployment and to prevent deployment if errors are encountered. ",
"iacontrols": null,
"id": "V-35423",
"ruleID": "SV-46710r1_rule",
"severity": "medium",
"title": "The application server must be configured to perform complete application deployments.",
"version": "SRG-APP-000225-AS-000153"
},
"V-35424": {
"checkid": "C-43775r1_chk",
"checktext": "Review the AS configuration and documentation to ensure the application server is configured to provide clustering functionality. If the AS is not configured to provide clustering or some form of fail-over functionality, this is a finding.\n",
"description": "Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. When application failure is encountered, preserving application state facilitates application restart and return to the operational mode of the organization with less disruption of mission/business processes.\n\nClustering of multiple application servers is a common approach to providing fail safe application availability. To assure application availability, the AS must provide clustering or some form of fail-over functionality.",
"fixid": "F-39968r1_fix",
"fixtext": "Configure the AS to provide application failover or participate in an application cluster which provides failover. ",
"iacontrols": null,
"id": "V-35424",
"ruleID": "SV-46711r1_rule",
"severity": "medium",
"title": "The application server must provide a clustering capability.",
"version": "SRG-APP-000225-AS-000154"
},
"V-35425": {
"checkid": "C-43776r1_chk",
"checktext": "Review the AS configuration to verify that the AS protects application files that are consolidated in preparation for deployment. Protection functionality is usually in the form of OS-related file permission protections. When deploying application files, the AS needs to leverage transmission protection mechanisms, such as TLS, SSL or VPN. If the AS is not configured to protect application files, this is a finding.\n",
"description": "Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPSEC tunnel. \n\nIf the AS does not protect the application files that are created before and during the application deployment process, there is a risk that the application could be compromised prior to deployment.\n",
"fixid": "F-39969r1_fix",
"fixtext": "Configure the AS to protect the confidentiality of application files prior to deployment and utilize data encryption such as TLS, SSL VPN, or IPSEC tunnel when deploying the application. \n",
"iacontrols": null,
"id": "V-35425",
"ruleID": "SV-46712r1_rule",
"severity": "medium",
"title": "The application server must protect the confidentiality of applications and leverage transmission protection mechanisms such as TLS and SSL VPN when deploying applications.",
"version": "SRG-APP-000230-AS-000155"
},
"V-35426": {
"checkid": "C-43777r1_chk",
"checktext": "Review the AS configuration to ensure the system is protecting the confidentiality and integrity of AS log data. If the AS is configured to use an external log collection tool, review tool documentation and configuration to verify the tool meets the requirement. \n\nIf the AS is not configured to protect its log data, or does not utilize an external log collection solution that provides this capability, this is a finding.\n",
"description": "This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive) within an organizational information system. \n\nApplication servers generate information throughout the course of their use, most notably, log data.\n\nApplication servers must provide the capability to protect log data so as to ensure confidentiality and integrity. Configuring the AS to utilize an external log management system that provides this capability is also acceptable practice.\n",
"fixid": "F-39970r2_fix",
"fixtext": "Configure the AS to employ cryptographic mechanisms to ensure confidentiality and integrity of application server data. \n",
"iacontrols": null,
"id": "V-35426",
"ruleID": "SV-46713r1_rule",
"severity": "medium",
"title": "The application server must employ cryptographic mechanisms to ensure confidentiality and integrity of application server log data.",
"version": "SRG-APP-000231-AS-000156"
},
"V-35427": {
"checkid": "C-43778r1_chk",
"checktext": "Review organization policy and documentation to identify the data identified by data owner as requiring cryptographic protection. Review the AS configuration to ensure the system is protecting the confidentiality and integrity of data at rest as required by data owner. If the AS is not configured to protect the identified data, this is a finding.\n",
"description": "Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive) within an organizational information system. Alternative physical protection measures include, protected distribution systems.\n\nIn order to prevent unauthorized disclosure or modification of the information, application servers must protect data at rest by using cryptographic mechanisms.",
"fixid": "F-39971r1_fix",
"fixtext": "Configure the AS to employ cryptographic mechanisms to ensure confidentiality and integrity of application server data at rest. \n",
"iacontrols": null,
"id": "V-35427",
"ruleID": "SV-46714r1_rule",
"severity": "medium",
"title": "The application server must employ cryptographic mechanisms to protect data at rest.",
"version": "SRG-APP-000232-AS-000157"
},
"V-35428": {
"checkid": "C-43779r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Developers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles. \n\n\nSeparation and isolation is met through application virtualization. Isolated applications contain their own security functionality within the application layer. CCI-001087 requires application isolation and virtualization within the application server itself. This requirement will apply to the applications residing on top of the AS, but not the AS itself.\n",
"fixid": "F-39972r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-35428",
"ruleID": "SV-46715r1_rule",
"severity": "medium",
"title": "The application server must isolate security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains) controlling access to, and protecting the integrity of software.",
"version": "SRG-APP-000233-AS-NA"
},
"V-35429": {
"checkid": "C-43780r1_chk",
"checktext": "Review AS product documentation and server configuration to determine if the AS automatically terminates emergency accounts. If the AS does not automatically terminate emergency accounts after the DoD defined time period, this is a finding.\n",
"description": " Emergency application accounts are typically created due to an unforeseen operational event or could ostensibly be used in the event of a vendor support visit where a support representative requires a temporary unique account in order to perform diagnostic testing or conduct some other support related activity. When these types of accounts are created, there is a risk that the temporary account may remain in place and active after the support representative has left. \n\nIn the event emergency application accounts are required, the application must ensure that accounts that are designated as temporary in nature shall automatically terminate these accounts after an organization defined time period. Such a process and capability greatly reduces the risk that accounts will be misused, hijacked, or application data compromised. \n\nTo address the multitude of policy based access requirements, many application developers choose to integrate their applications with enterprise level authentication/access mechanisms that meet or exceed access control policy requirements. Such an integration allows the application developer to off-load those access control functions and focus on core application features and functionality. \n\nExamples of enterprise level authentication/access mechanisms include but are not limited to Active Directory and LDAP.\n\nThe application must provide or utilize a mechanism to automatically terminate accounts that have been designated as temporary or emergency accounts after an organization defined time period. \n\nApplication servers provide either a local user store or they integrate with enterprise user stores like LDAP or Active Directory. When the AS is the authoritative user store, the application server must be able to automatically terminate accounts designated as being used for emergency purposes after the DoD defined time period.",
"fixid": "F-39973r1_fix",
"fixtext": "Configure the AS to automatically terminate emergency accounts.",
"iacontrols": null,
"id": "V-35429",
"ruleID": "SV-46716r1_rule",
"severity": "medium",
"title": "The application server must automatically terminate emergency accounts after a DoD-defined time period.",
"version": "SRG-APP-000234-AS-000159"
},
"V-35430": {
"checkid": "C-43781r1_chk",
"checktext": "Review the AS documentation to determine if the AS provides a virtualized environment for each application instance. If this capability is not performed by the AS, this is a finding.\n",
"description": " Isolating applications is accomplished by means of an isolation boundary (implemented via partitions and domains) that controls access to, and protects the integrity of, the software that performs security functions. The AS must maintain a separate execution domain (e.g., address space) for each executing process.\n",
"fixid": "F-39974r1_fix",
"fixtext": "Configure the AS so that each application runs in its own virtualized environment.",
"iacontrols": null,
"id": "V-35430",
"ruleID": "SV-46717r1_rule",
"severity": "medium",
"title": "The application server must implement an application isolation boundary.",
"version": "SRG-APP-000236-AS-000160"
},
"V-35431": {
"checkid": "C-43782r1_chk",
"checktext": "Review the AS documentation to determine if the AS provides automated mechanisms for alerting personnel of inappropriate or unusual activities with security implications. If this capability is not built directly into the application server, or the application server does not integrate with existing security infrastructure that provides this capability, this is a finding.\n",
"description": "Manual notification procedures do not offer the reliability and speed of an automated notification solution. Application servers must utilize automated mechanisms to alert security personnel of inappropriate or unusual activities that have security implications. If this capability is not built directly into the application server, the application server must be able to integrate with existing security infrastructure that provides this capability.",
"fixid": "F-39975r1_fix",
"fixtext": "Configure the AS to automatically alert security personnel when unusual or security-related events occur. ",
"iacontrols": null,
"id": "V-35431",
"ruleID": "SV-46718r1_rule",
"severity": "medium",
"title": "The application server must provide automated mechanisms that can be used to alert security personnel of inappropriate or unusual activities with security implications.",
"version": "SRG-APP-000237-AS-000161"
},
"V-35432": {
"checkid": "C-43783r1_chk",
"checktext": "Review the AS configuration to ensure the system is protecting the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission. If the AS is not configured in this fashion, this is a finding.\n",
"description": " Information can be subjected to unauthorized changes (e.g., malicious and/or unintentional modification) at information aggregation or protocol transformation points. It is therefore imperative the application take steps to validate and assure the integrity of data while at these stages of processing. \n\nThe application server must ensure the integrity of data that is pending transfer for deployment is maintained. If the application were to simply transmit aggregated, packaged or transformed data without ensuring the data was not manipulated during these processes, then the integrity of the data and the application itself may be called into question.\n",
"fixid": "F-39976r1_fix",
"fixtext": "Configure the AS to protect the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission. \n",
"iacontrols": null,
"id": "V-35432",
"ruleID": "SV-46719r1_rule",
"severity": "low",
"title": "The application server must protect the integrity of applications during the processes of data aggregation, packaging, and transformation in preparation for deployment.\n",
"version": "SRG-APP-000239-AS-000162"
},
"V-35434": {
"checkid": "C-43788r1_chk",
"checktext": "Review AS documentation and configuration to determine if the AS can be configured to limit the number of concurrent connections. If the AS cannot be configured to limit the number of concurrent HTTP connections, this is a finding.",
"description": "Employing increased capacity and bandwidth combined with service redundancy can reduce the susceptibility to some DoS attacks. When utilizing an application server in a high risk environment (such as a DMZ), the amount of access to the system from various sources usually increases as does the system's risk of becoming more susceptible to DoS attacks. \n\nThe application server must be able to be configured to withstand or minimize the risk of DoS attacks. This can be partially achieved if the AS provides configuration options that limit the number of allowed concurrent HTTP connections.\n",
"fixid": "F-39978r2_fix",
"fixtext": "Configure the AS to limit the number of concurrent HTTP sessions.",
"iacontrols": null,
"id": "V-35434",
"ruleID": "SV-46721r1_rule",
"severity": "medium",
"title": "The application server must protect against or limit the effects of HTTP types of Denial of Service (DoS) attacks.",
"version": "SRG-APP-000245-AS-000163"
},
"V-35435": {
"checkid": "C-43789r1_chk",
"checktext": "Review AS documentation to determine if the AS can assign a priority level or otherwise allocate application resource requests. This is sometimes referred to as workload management. If the AS cannot meet this requirement, this is a finding.\n",
"description": "Priority protection helps the application server prevent a lower-priority application process from delaying or interfering with any higher-priority application processes. If the application server is not capable of managing application resource requests, the AS could become overwhelmed by a high volume of low priority resource requests which can cause an availability issue.\n\nThis requirement only applies to Mission Assurance Category 1 systems and does not apply to information systems with a Mission Assurance Category of 2 or 3.",
"fixid": "F-39979r1_fix",
"fixtext": "Configure the AS to prioritize application resource requirements. ",
"iacontrols": null,
"id": "V-35435",
"ruleID": "SV-46722r1_rule",
"severity": "medium",
"title": "The application server must limit the use of resources by priority and not impede the host from servicing processes designated as a higher-priority.\n",
"version": "SRG-APP-000248-AS-000164"
},
"V-35436": {
"checkid": "C-43790r1_chk",
"checktext": "Review the AS configuration to determine if the system checks the validity of information inputs. If this function cannot be performed, this is a finding.",
"description": " Invalid user input occurs when a user inserts data or characters into an applications data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior potentially leading to an application or information system compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. \n\nApplication servers must ensure their management interfaces perform data input validation checks. Input validation consists of evaluating user input and ensuring that only allowed characters are utilized. An example is ensuring that the interfaces are not susceptible to SQL injection attacks.\n",
"fixid": "F-39980r1_fix",
"fixtext": "Configure the AS to check the validity of information inputs. ",
"iacontrols": null,
"id": "V-35436",
"ruleID": "SV-46723r1_rule",
"severity": "medium",
"title": "The application server must check the validity of data inputs.",
"version": "SRG-APP-000251-AS-000165"
},
"V-35437": {
"checkid": "C-43791r1_chk",
"checktext": "Review AS documentation and configuration to determine if the AS fails securely in the event of an operational failure. If the AS cannot be configured to fail securely, this is a finding.\n",
"description": "Fail secure is a condition achieved by the application server in order to ensure that in the event of an operational failure, the system does not enter into an unsecure state where intended security properties no longer hold. \n\nAn example of secure failure is when an application server is configured for secure LDAP (LDAPS) authentication. If the AS fails to make a successful LDAPS connection it does not try to use unencrypted LDAP instead.\n",
"fixid": "F-39981r1_fix",
"fixtext": "Configure the AS to fail securely in the event of operational failure. \n",
"iacontrols": null,
"id": "V-35437",
"ruleID": "SV-46724r1_rule",
"severity": "medium",
"title": "The application server must fail securely in the event of an operational failure.",
"version": "SRG-APP-000254-AS-000166"
},
"V-35438": {
"checkid": "C-43792r1_chk",
"checktext": "Review AS configuration, and encryption certificates to validate that the server supports AES encryption for data in transit. Confirm that at least AES 128 bit encryption is used. If the AS does not provide AES encryption for sensitive data in transit, this is a finding",
"description": "Preventing the disclosure of transmitted information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPSEC tunnel. \n\nIf data in transit is unencrypted, it is vulnerable to disclosure. If approved cryptographic algorithms are not used, encryption strength cannot be assured. \n\nThe application server must utilize approved encryption when transmitting sensitive data.\n\n",
"fixid": "F-39982r1_fix",
"fixtext": "Configure the AS to use AES 128 or AES 256 encryption for data in transit. ",
"iacontrols": null,
"id": "V-35438",
"ruleID": "SV-46725r1_rule",
"severity": "medium",
"title": "The application server must employ approved cryptographic mechanisms when transmitting sensitive data.\n",
"version": "SRG-APP-000264-AS-000167"
},
"V-35439": {
"checkid": "C-43793r1_chk",
"checktext": "Review the AS configuration to determine if the system identifies potentially security-relevant error conditions on the server. If this function is not performed, this is a finding.",
"description": "The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the application server is able to identify and handle error conditions is guided by organizational policy and operational requirements. Adequate logging levels and system performance capabilities need to be balanced with data protection requirements. \n\nApplication servers must have the capability to log at various levels which can provide log entries for potential security related error events.\n\nAn example is the capability for the application server to assign a criticality level to a failed login attempt error message, a security-related error message being of a higher criticality.\n",
"fixid": "F-39983r1_fix",
"fixtext": "Configure the AS to identify potentially security-relevant error conditions on the server. \n",
"iacontrols": null,
"id": "V-35439",
"ruleID": "SV-46726r1_rule",
"severity": "low",
"title": "The application server must identify potentially security-relevant error conditions.",
"version": "SRG-APP-000265-AS-000168"
},
"V-35440": {
"checkid": "C-43794r1_chk",
"checktext": "Review system documentation and logs to determine if the AS writes sensitive information such as passwords or private keys into the logs. If the AS writes sensitive or potentially harmful information into the logs, this is a finding.",
"description": "Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and content of error messages needs to be carefully considered by the organization and development team. \n\nThe application server must not log sensitive information such as passwords, private keys, or other sensitive data. This requirement pertains to logs that are generated by the application server and application server processes, not the applications that may reside on the application server. Those errors are out of the scope of these requirements.\n",
"fixid": "F-39984r1_fix",
"fixtext": "Configure the AS to not write sensitive information into the logs.",
"iacontrols": null,
"id": "V-35440",
"ruleID": "SV-46727r1_rule",
"severity": "medium",
"title": "The application server must only generate error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages.\n",
"version": "SRG-APP-000266-AS-000169"
},
"V-35441": {
"checkid": "C-43795r1_chk",
"checktext": "Review the AS configuration and documentation to determine if the AS will restrict access to error messages so only the authorized users may view or otherwise access them. If the AS cannot be configured to restrict access to error messages to only authorized users, this is a finding.\n",
"description": "If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. \n\nApplication servers must protect the error messages that are created by the application server. All AS users' accounts are used for the management of the server and the applications residing on the AS. All accounts are assigned to a certain role with corresponding access rights. The AS must restrict access to error messages so only authorized personnel may view them. Error messages are usually written to logs contained on the file system. The application server will usually create new log files as needed and must take steps to ensure that the proper file permissions are utilized when the log files are created.\n",
"fixid": "F-39985r1_fix",
"fixtext": "Configure the AS to restrict access to error messages so only the authorized users may view or otherwise access them.",
"iacontrols": null,
"id": "V-35441",
"ruleID": "SV-46728r1_rule",
"severity": "medium",
"title": "The application server must restrict error messages so only authorized personnel may view them.",
"version": "SRG-APP-000267-AS-000170"
},
"V-35442": {
"checkid": "C-43796r1_chk",
"checktext": "Review the AS configuration to ensure the system can enforce the requirement that if a server component failure is detected, the AS must activate an alarm and/or automatically shut down the affected application instance. If this function cannot be performed, this is a finding.\n",
"description": "Predictable failure prevention requires organizational planning to address application server failure issues. If components key to maintaining application server security fail to function, the system could continue operating in an insecure state. \n\nAn application server instance represents a singular application running on the AS.\n\nIt is critical that a balance is achieved so the requirement can be met while not simultaneously causing a denial of service to other coexisting application instances that are not affected by the failure.\n\nThe application server must alarm for such conditions and/or automatically shut down the application instance.\n",
"fixid": "F-39986r1_fix",
"fixtext": "Configure the AS to activate an alarm or shutdown the affected application instance if a server component failure is detected. ",
"iacontrols": null,
"id": "V-35442",
"ruleID": "SV-46729r1_rule",
"severity": "low",
"title": "The application server must activate an alarm or automatically shut down the application server instance if an application component failure is detected.",
"version": "SRG-APP-000268-AS-000171"
},
"V-35443": {
"checkid": "C-43797r1_chk",
"checktext": "Verify the presence of an automated patch management tool. If there is no patch management system or if is not functioning as expected, this is a finding.\n",
"description": "The organization (including any contractor to the organization) shall promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling shall also be addressed expeditiously. Left un-patched, software may be vulnerable to a variety of exploits that could disclose sensitive information or lead to subsequent security breaches. An automated patch management tool can mitigate this risk.\n",
"fixid": "F-39987r1_fix",
"fixtext": "Incorporate the AS into the automated patch management process. ",
"iacontrols": null,
"id": "V-35443",
"ruleID": "SV-46730r1_rule",
"severity": "medium",
"title": "The application server must directly employ or allow the utilization of automated patch management tools to facilitate flaw remediation.",
"version": "SRG-APP-000271-AS-000172"
},
"V-35444": {
"checkid": "C-43798r1_chk",
"checktext": "Review the AS configuration to ensure the AS can be configured to notify response personnel identified by name and/or role when it detects changes to the security configuration or security-related operational errors. If the AS does not notify in these cases, this is a finding.\n",
"description": " Incident response applications are, by their nature, designed to monitor, detect, and alarm on defined events occurring on the system or on the network. A large part of their functionality is the accurate and timely notification of events. \n\nApplication servers can act as a resource for incident responders by providing information and notifications needed for support personnel to respond to application server incidents. Notifications can be made more efficient by the utilization of groups containing the members who would be responding to a particular alarm or event.\n\n\n",
"fixid": "F-39988r1_fix",
"fixtext": "Configure the AS to notify a list of response personnel when the AS detects changes to the security configuration or security-related operational errors. \n",
"iacontrols": null,
"id": "V-35444",
"ruleID": "SV-46731r1_rule",
"severity": "medium",
"title": "The application server must provide system notifications to a list of response personnel who are identified by name and/or role.",
"version": "SRG-APP-000286-AS-000173"
},
"V-35445": {
"checkid": "C-43799r1_chk",
"checktext": "Review the AS configuration to determine if the AS uses cryptographic mechanisms to protect the integrity of audit tools. If the AS does not use cryptographic mechanisms to protect the integrity of audit tools, this is a finding.\n",
"description": "Protecting the integrity of the tools used for auditing purposes is a critical step to ensuring the integrity of audit data. Audit data includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. \n\nIt is not uncommon for attackers to replace the audit tools or inject code into the existing tools with the purpose of providing the capability to hide or erase system activity from the audit logs. \n\nTo address this risk, audit tools must be cryptographically signed in order to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files, where the hash itself is protected (signed or stored separately from the tools) so that an attacker who alters a tool cannot simply recompute the hash to match.\n\nApplication server audit tools must use cryptographic mechanisms to protect the integrity of the tools or allow cryptographic protection mechanisms to be applied to their tools.",
"fixid": "F-39989r1_fix",
"fixtext": "Configure the AS to use cryptographic mechanisms to protect the integrity of audit tools. ",
"iacontrols": null,
"id": "V-35445",
"ruleID": "SV-46732r1_rule",
"severity": "medium",
"title": "The application server must use cryptographic mechanisms to protect the integrity of the application server audit tools.",
"version": "SRG-APP-000290-AS-000174"
},
"V-35446": {
"checkid": "C-43800r1_chk",
"checktext": "Review AS product documentation and server configuration to determine if the AS can be configured to notify staff when accounts are created. If the AS is not configured to meet this requirement, this is a finding.",
"description": "Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. \n\nApplication servers provide either a local user store or they integrate with enterprise user stores like LDAP or Active Directory. When the AS is the authoritative user store, the application server must be able to notify designated individuals when new accounts are created.\n",
"fixid": "F-39990r1_fix",
"fixtext": "Configure the AS to automatically notify appropriate personnel when accounts are created. ",
"iacontrols": null,
"id": "V-35446",
"ruleID": "SV-46733r1_rule",
"severity": "medium",
"title": "The application server must notify administrators when accounts are created.",
"version": "SRG-APP-000291-AS-000175"
},
"V-35447": {
"checkid": "C-43801r1_chk",
"checktext": "Review AS product documentation and server configuration to determine if the AS is configured to notify staff when accounts are modified. If the AS is not configured to meet this requirement, this is a finding.",
"description": "Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify or copy an existing account. \n\nApplication servers provide either a local user store or they integrate with enterprise user stores like LDAP or Active Directory. When the AS is the authoritative user store, the application server must be able to notify designated individuals when existing accounts are modified.",
"fixid": "F-39991r1_fix",
"fixtext": "Configure the AS to automatically notify appropriate personnel when accounts are modified. \n",
"iacontrols": null,
"id": "V-35447",
"ruleID": "SV-46734r1_rule",
"severity": "medium",
"title": "The application server must notify appropriate individuals when accounts are modified.",
"version": "SRG-APP-000292-AS-000176"
},
"V-35448": {
"checkid": "C-43802r1_chk",
"checktext": "Review AS product documentation and server configuration to determine if the AS is configured to notify staff when accounts are disabled. If the AS is not configured to meet this requirement, this is a finding.",
"description": "When application accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves. \n\nApplication servers provide either a local user store or they can integrate with enterprise user stores like LDAP. As such, the authentication method employed by the application server must be able to notify designated individuals when accounts are disabled.",
"fixid": "F-39992r1_fix",
"fixtext": "Configure the AS to automatically notify appropriate personnel when accounts are disabled. \n",
"iacontrols": null,
"id": "V-35448",
"ruleID": "SV-46735r1_rule",
"severity": "medium",
"title": "The application server must notify appropriate individuals when account disabling actions are taken.",
"version": "SRG-APP-000293-AS-000177"
},
"V-35449": {
"checkid": "C-43803r1_chk",
"checktext": "Review AS product documentation and server configuration to determine if the AS is configured to notify staff when accounts are terminated. If the AS is not configured to meet this requirement, this is a finding.",
"description": "When application accounts are terminated, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves. \n\nApplication servers provide either a local user store or they can integrate with enterprise user stores like LDAP. As such, the application server must be able to notify designated individuals when accounts are terminated.\n",
"fixid": "F-39993r1_fix",
"fixtext": "Configure the AS to automatically notify appropriate personnel when accounts are terminated. \n",
"iacontrols": null,
"id": "V-35449",
"ruleID": "SV-46736r1_rule",
"severity": "medium",
"title": "The application server must notify appropriate individuals when accounts are terminated.",
"version": "SRG-APP-000294-AS-000178"
},
"V-35450": {
"checkid": "C-43804r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. \n\nThe session lock is implemented at the point where session activity can be determined. This is typically at the operating system level, but may be at the application level. \n\nWhen the application design specifies that the application, rather than the operating system, will determine when to lock the session, the application session lock event must include an obfuscation of the display screen so as to prevent other users from reading what was previously displayed. \n\nAn example of obfuscation is a screensaver creating a viewable pattern that overwrites the entire screen rendering the screen contents unreadable. \n\nThis requirement relates to screen locks. The Application Server user interface is web-based and will utilize the OS controls to detect periods of inactivity that require the session lock to be activated. This requirement is better met by OS controls.\n",
"fixid": "F-39994r1_fix",
"fixtext": "This requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35450",
"ruleID": "SV-46737r1_rule",
"severity": "medium",
"title": "The application server management interface must ensure that the screen display is obfuscated when an application session lock event occurs.",
"version": "SRG-APP-000002-AS-NA"
},
"V-35451": {
"checkid": "C-43805r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to vacating the vicinity, applications need to be able to identify when a user's application session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled. This is typically at the operating system level and results in a system lock, but may be at the application level where the application interface window is secured instead. The organization defines the period of inactivity that shall pass before a session lock is initiated so this must be configurable. \n\nThis requirement relates to screen locks. The application server user interface is web-based and will utilize the OS controls to detect periods of inactivity that require the session lock to be activated. This requirement is better met by OS controls.",
"fixid": "F-39995r1_fix",
"fixtext": "This requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35451",
"ruleID": "SV-46738r1_rule",
"severity": "medium",
"title": "The application server must initiate a session lock after an organization defined time period of system or application inactivity has transpired.",
"version": "SRG-APP-000003-AS-NA"
},
"V-35452": {
"checkid": "C-43806r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. \n\nThe session lock is implemented at the point where session activity can be determined. This is typically at the operating system level, but may be at the application level. Rather than be forced to wait for a period of time to pass before the user session can be locked, applications need to provide users with the ability to manually invoke a session lock so users may secure their application should the need arise for them to temporarily vacate the immediate physical vicinity. \n\nThis requirement relates to screen locks. The application server user interface is web-based and will utilize the OS controls to detect periods of inactivity that require the session lock to be activated. This requirement is better met by OS controls.\n",
"fixid": "F-39996r1_fix",
"fixtext": "This requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35452",
"ruleID": "SV-46739r1_rule",
"severity": "medium",
"title": "The application server management interface must ensure that users can directly initiate session lock mechanisms which prevent further access to the system.",
"version": "SRG-APP-000004-AS-NA"
},
"V-35453": {
"checkid": "C-43807r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. \n\nThe session lock is implemented at the point where session activity can be determined. This is typically determined and performed at the operating system level, but in some instances it may be at the application level. \n\nRegardless of where the session lock is determined and implemented, once invoked the session lock shall remain in place until the user re-authenticates. No other system or application activity aside from re-authentication shall unlock the system. \n\nThis requirement relates to screen locks. The application server user interface is web-based and will utilize the OS controls to detect periods of inactivity that require the session lock to be activated. This requirement is better met by OS controls.",
"fixid": "F-40332r1_fix",
"fixtext": "This requirement is NA. No fix is required.",
"iacontrols": null,
"id": "V-35453",
"ruleID": "SV-46740r1_rule",
"severity": "medium",
"title": "The application server must have the ability to retain a session lock remaining in effect until the user re-authenticates using established identification and authentication procedures.\n",
"version": "SRG-APP-000005-AS-NA"
},
"V-35477": {
"checkid": "C-43830r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. \n\nThese attributes are typically associated with internal data structures (e.g., data records, buffers, files) within the application and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. \n\nOrganizations define the security attributes of their data (e.g., classified, FOUO).\n\nWhen application data is created and/or combined, data security attributes defined by organizational policy must be dynamically created and/or updated to reflect the potential change in data sensitivity and characteristics.\n\nIf the application does not dynamically reconfigure the data security attributes as data is created and combined, there is the possibility that classified data may become commingled with unclassified data, resulting in a data compromise. \n\nThis is an application layer requirement. The AS does not create or combine application information.",
"fixid": "F-40018r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35477",
"ruleID": "SV-46764r1_rule",
"severity": "medium",
"title": "The application server must dynamically reconfigure security attributes in accordance with an identified security policy as information is created and combined.",
"version": "SRG-APP-000009-AS-NA"
},
"V-35478": {
"checkid": "C-43831r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. \n\nThese attributes are typically associated with internal data structures (e.g., records, buffers, files, registry keys) within the information system and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. \n\nExamples of application security attributes are classified, FOUO, sensitive, etc. \n\nSecurity attributes need to be displayed in human readable form in order to determine how the data should be disseminated, handled and what distribution instructions apply to the data. When applications generate or output data, the associated security attributes need to be displayed.\n\nObjects output from the information system include pages, screens, or equivalent. \n\nOutput devices include printers and video displays on computer terminals, monitors, screens on notebook/laptop computers and personal digital assistants. \n\nThe AS is not responsible for outputting data for purposes of dissemination or distribution. This is a hosted application layer requirement.\n",
"fixid": "F-40019r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-35478",
"ruleID": "SV-46765r1_rule",
"severity": "medium",
"title": "The application server must display security attributes in human-readable form on each object output from the system to system output devices to identify an organization-identified set of special dissemination, handling, or distribution instructions\n",
"version": "SRG-APP-000013-AS-NA"
},
"V-35479": {
"checkid": "C-43832r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Organizations need to monitor for unauthorized remote access connections to information systems in order to determine if break-in attempts or other unauthorized activity is occurring. There are already other SRG requirements for applications to generate audit connection logs to record connection activity. It is for the organization to determine which of those audited connections is unauthorized. \n\nThis task is usually handled by the IDS, log alarming, or some other security mechanism specifically designed to automate and address this requirement. \n\nThis requirement is NA for applications not designed to monitor for unauthorized remote connections to information systems. Applications designed to meet this requirement must be able to do so on an organization defined frequency.\n\nThe AS is not designed to monitor unauthorized remote connections to information systems.\n",
"fixid": "F-40020r1_fix",
"fixtext": "This requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35479",
"ruleID": "SV-46766r1_rule",
"severity": "medium",
"title": "The application server must monitor for unauthorized remote connections to the information system on an organization defined frequency.\n",
"version": "SRG-APP-000018-AS-NA"
},
"V-35480": {
"checkid": "C-43833r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices). \n\nIn order to detect unauthorized mobile device connections, organizations must first identify and document what mobile devices are authorized. \n\nMonitoring for unauthorized connections is usually handled by configuration management software, log alarming, IDS, or some other security mechanism specifically designed to automate and address this requirement. \n\nApplication servers do not manage mobile devices. They could host the applications that perform mobile management tasks, but do not have mobile management capabilities.\n",
"fixid": "F-40021r1_fix",
"fixtext": "This requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35480",
"ruleID": "SV-46767r1_rule",
"severity": "medium",
"title": "The application server must monitor for unauthorized connections of mobile devices to organizational information systems.",
"version": "SRG-APP-000021-AS-NA"
},
"V-35481": {
"checkid": "C-43834r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices). \n\nThis requirement is designed to address vulnerabilities arising when mobile devices such as USB memory sticks or other mobile storage devices are automatically mounted and applications are automatically invoked without user knowledge or acceptance.\n\nApplication servers do not manage mobile devices and do not allow mobile devices to connect to them as part of their operability requirements. They could host the applications that perform mobile management tasks, but do not have mobile management capabilities.\n",
"fixid": "F-40022r1_fix",
"fixtext": "This requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35481",
"ruleID": "SV-46768r1_rule",
"severity": "medium",
"title": "Applications must not enable information system functionality providing the capability for automatic execution of code on mobile devices without user direction.",
"version": "SRG-APP-000022-AS-NA"
},
"V-35482": {
"checkid": "C-43835r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "User-based collaboration and information sharing applications present challenges regarding classification and dissemination of information generated and shared among the application users. These types of applications are intended to share information created and stored within the application; however, not all users have a need to view all data created or stored within the collaboration tool. \n\nThis control primarily applies to the discretionary sharing of information resources by data owners. This type of service is unrelated to AS functionality as the AS is a Role Based Access Control (RBAC) model.\n",
"fixid": "F-40023r1_fix",
"fixtext": "This requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35482",
"ruleID": "SV-46769r1_rule",
"severity": "medium",
"title": "The application server must employ automated mechanisms enabling authorized users to make information sharing decisions based on access authorizations of sharing partners and access restrictions on information to be shared.",
"version": "SRG-APP-000032-AS-NA"
},
"V-35483": {
"checkid": "C-43836r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Dual authorization requires two distinct approving authorities to approve the use of an application command prior to it being invoked. This capability is typically reserved for specific application functionality where the application owner, data owner or organization requires an additional assurance that certain application commands are only invoked under the utmost authority. When a policy is defined stating that certain commands contained within an application require dual authorization before they may be invoked, or when an organization defines a set of application-related privileged commands requiring dual authorization, the application must support those requirements. \n\nThe IA posture of the AS does not warrant dual authorization.",
"fixid": "F-40024r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35483",
"ruleID": "SV-46770r1_rule",
"severity": "medium",
"title": "The application server must enforce dual authorization, based on organizational policies and procedures for organization defined privileged commands.",
"version": "SRG-APP-000034-AS-NA"
},
"V-35484": {
"checkid": "C-43837r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) are employed by organizations to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains). \n\nDAC is a type of access control methodology serving as a means of restricting access to objects and data based on the identity of subjects and/or groups to which they belong. It is discretionary in the sense that application users with the appropriate permissions to access an application resource or data have the discretion to pass that permission on to another user either directly or indirectly.\n\nThe AS utilizes RBAC and does not allow individual users to specify or control sharing of AS objects.\n",
"fixid": "F-40025r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35484",
"ruleID": "SV-46771r1_rule",
"severity": "medium",
"title": "The application must enforce Discretionary Access Control (DAC) policy allowing users to specify and control sharing by named individuals, groups of individuals, or by both, limiting propagation of access rights, and including or excluding access to the g\n",
"version": "SRG-APP-000036-AS-NA"
},
"V-35498": {
"checkid": "C-43838r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information), without explicit regard to subsequent accesses to that information. \n\nApplication-specific examples of flow control enforcement can be found in information protection software (e.g., guards, proxies, gateways, and cross domain solutions (CDS)) employing rule sets or establishing configuration settings restricting information system services or providing message-filtering capability based on content (e.g., using key word searches or document characteristics). \n\nThis is an information flow requirement. Information flow control applies to applications like a CDS. An AS is not a CDS.\n",
"fixid": "F-40039r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-35498",
"ruleID": "SV-46785r1_rule",
"severity": "medium",
"title": "Applications providing information flow control must enforce approved authorizations for controlling the flow of information within the system in accordance with applicable policy.",
"version": "SRG-APP-000038-AS-NA"
},
"V-35499": {
"checkid": "C-43839r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. \n\nFrom an application perspective, flow control is established once application data flow modeling has been completed. Data flow modeling can be described as:\n\nthe process of identifying, modeling and documenting how data moves around an information system. Data flow modeling examines processes (activities that transform data from one form to another), data stores (the holding areas for data), external entities (what sends data into a system or receives data from a system), and data flows (routes by which data can flow). \n\nOnce the application data flows have been identified, corresponding flow controls can be applied at the appropriate points.\n\nApplication specific examples of flow control enforcement can be found in information protection software (e.g., guards, proxies, gateways and cross domain solutions) employing rule sets or establishing configuration settings restricting information system services or providing message-filtering capability based on content (e.g., using key word searches or document characteristics). \n\nThis is an information flow requirement. Information flow control applies to applications like a CDS. An AS is not a cross domain solution.",
"fixid": "F-40040r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35499",
"ruleID": "SV-46786r1_rule",
"severity": "medium",
"title": "The application must enforce approved authorizations for controlling the flow of information between interconnected systems.",
"version": "SRG-APP-000039-AS-NA"
},
"V-35500": {
"checkid": "C-43841r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": " Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information), without explicit regard to subsequent accesses to that information. \n\nApplication-specific examples of flow control enforcement can be found in information protection software (e.g., guards, proxies, gateways, and cross domain solutions (CDS)) employing rule sets or establishing configuration settings restricting information system services or providing message-filtering capability based on content (e.g., using key word searches or document characteristics). \n\nInformation flow control only applies to a CDS. An AS is not a CDS, guard, or proxy.",
"fixid": "F-40042r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35500",
"ruleID": "SV-46787r1_rule",
"severity": "medium",
"title": "The application server must use explicit security attributes on information, source, and destination objects as a basis for flow control decisions.",
"version": "SRG-APP-000040-AS-NA"
},
"V-35501": {
"checkid": "C-43842r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": " Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information), without explicit regard to subsequent access to that information. \n\nApplication-specific examples of flow control enforcement can be found in information protection software (e.g., guards, proxies, gateways and cross domain solutions (CDS)) employing rule sets or establishing configuration settings restricting information system services or providing message-filtering capability based on content (e.g., using key word searches or document characteristics). \n\nA crucial part of any flow control solution is the ability to create policy filters. Policy filters serve to enact and enforce the organizational policy as it pertains to controlling data flow. \n\nOrganization defined security policy filters include, for example, file type checking filters, structured data filters, unstructured data filters, metadata content filters, and hidden content filters. \n\nInformation flow control only applies to a CDS. An AS is not a CDS.",
"fixid": "F-40043r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-35501",
"ruleID": "SV-46788r1_rule",
"severity": "medium",
"title": "Applications providing information flow control must provide the capability for privileged administrators to enable/disable security policy filters.",
"version": "SRG-APP-000041-AS-NA"
},
"V-35502": {
"checkid": "C-43843r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Application specific examples of flow control enforcement can be found in information protection software (e.g., guards, proxies, gateways and cross domain solutions (CDS)) employing rule sets or establishing configuration settings restricting information system services or providing message filtering capability based on content (e.g., using key word searches or document characteristics). \n\nA crucial part of any flow control solution is the ability to create policy filters. Policy filters serve to enact and enforce the organizational policy as it pertains to controlling data flow. Organization defined security policy filters include, for example, file type checking filters, structured data filters, unstructured data filters, metadata content filters, and hidden content filters. \n\nInformation flow control only applies to a CDS. An AS is not a CDS.\n",
"fixid": "F-40044r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35502",
"ruleID": "SV-46789r1_rule",
"severity": "medium",
"title": "Application servers providing information flow controls must provide the capability for privileged administrators to configure security policy filters to support different organizational security policies.",
"version": "SRG-APP-000042-AS-NA"
},
"V-35503": {
"checkid": "C-43844r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information), without explicit regard to subsequent access to that information. \n\nFlow control is based on the characteristics of the information and/or the information path. Applications providing flow control must identify data type, specification, and usage when transferring information between different security domains so policy restrictions may be applied.\n\nA security domain is defined as a domain implementing a security policy and is administered by a single authority.\n\nData type, specification, and usage include using file naming to reflect the type of data being transferred and limiting data transfer based on file type. \n\nInformation flow control only applies to a CDS. An AS is not a CDS.\n",
"fixid": "F-40045r1_fix",
"fixtext": "This requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35503",
"ruleID": "SV-46790r1_rule",
"severity": "medium",
"title": "The application server must identify data type, specification, and usage when transferring information between different security domains.",
"version": "SRG-APP-000043-AS-NA"
},
"V-35529": {
"checkid": "C-43869r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Specific examples of flow control enforcement can be found in boundary protection devices (e.g., proxies, gateways, guards, encrypted tunnels, firewalls, and routers) employing rule sets or establishing configuration settings restricting information system services, or providing a packet-filtering capability based on header information or message-filtering capability based on content (e.g., using key word searches or document characteristics). \n\nPolicy rules for cross domain transfers include limitations on embedding components/information types within other components/information types, prohibiting more than two levels of embedding, and prohibiting the transfer of archived information types. \n\nInformation flow control only applies to a CDS. An AS is not a CDS.\n",
"fixid": "F-40070r1_fix",
"fixtext": "This requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35529",
"ruleID": "SV-46816r1_rule",
"severity": "medium",
"title": "The application server, when transferring information between different security domains, must decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms.\n\n",
"version": "SRG-APP-000044-AS-NA"
},
"V-35532": {
"checkid": "C-43871r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. \n\nSpecific examples of flow control enforcement can be found in boundary protection devices (e.g., proxies, gateways, guards, encrypted tunnels, firewalls, and routers) employing rule sets or establishing configuration settings restricting information system services, providing a packet-filtering capability based on header information, or providing a message-filtering capability based on content (e.g., using key word searches or document characteristics). \n\nExamples of constraints include ensuring: (i) character data fields only contain printable ASCII; (ii) character data fields only contain alpha-numeric characters; (iii) character data fields do not contain special characters; (iv) maximum field sizes and file lengths are enforced based upon organization defined security policy. \n\nThis is an information flow requirement. Information flow control applies to applications like a CDS. An AS is not a cross domain solution.\n",
"fixid": "F-40073r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35532",
"ruleID": "SV-46819r1_rule",
"severity": "medium",
"title": "Applications, when transferring information between different security domains, must implement or incorporate policy filters that constrain data object and structure attributes according to organizational security policy requirements.\n",
"version": "SRG-APP-000045-AS-NA"
},
"V-35533": {
"checkid": "C-43873r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. \n\nSpecific examples of flow control enforcement can be found in boundary protection devices (e.g., proxies, application layer gateways, cross domain guards, content filters) employing rule sets or establishing configuration settings restricting information system services, providing a packet-filtering capability based on header information, or providing a message-filtering capability based on content (e.g., using key word searches or document characteristics). \n\nActions to support this requirement include, but are not limited to: checking all transferred information for malware, implementing dirty word list searches on transferred information, and applying the same protection measures to metadata (e.g., security attributes) that is applied to the information payload. \n\nThis is an information flow requirement. Information flow control applies to applications like a CDS. An AS is not a cross domain solution.\n",
"fixid": "F-40074r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35533",
"ruleID": "SV-46820r1_rule",
"severity": "medium",
"title": "The application server must detect unsanctioned information being transmitted across security domains.",
"version": "SRG-APP-000046-AS-NA"
},
"V-35534": {
"checkid": "C-43874r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "The application enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy. \n\nInformation flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. \n\nSpecific examples of flow control enforcement can be found in boundary protection devices (e.g., proxies, gateways, guards, encrypted tunnels, firewalls, and routers) employing rule sets or establishing configuration settings restricting information system services, providing a packet-filtering capability based on header information, or providing a message-filtering capability based on content (e.g., using key word searches or document characteristics). \n\nActions to support this requirement include, but are not limited to: checking all transferred information for malware, implementing dirty word list searches on transferred information, and applying the same protection measures to metadata (e.g., security attributes) that is applied to the information payload. \n\nThis is an information flow requirement. Information flow control applies to applications like a CDS. An AS is not a cross domain solution.\n",
"fixid": "F-40075r1_fix",
"fixtext": "The requirement is NA. No fix is required.",
"iacontrols": null,
"id": "V-35534",
"ruleID": "SV-46821r1_rule",
"severity": "medium",
"title": "Applications must prohibit the transfer of unsanctioned information in accordance with security policy.",
"version": "SRG-APP-000047-AS-NA"
},
"V-35535": {
"checkid": "C-43876r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": " Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information), without explicit regard to subsequent access to that information. \n\nTransferring information between interconnected information systems of differing security policies introduces risk that such transfers violate one or more policies. While security policy violations may not be absolutely prohibited, policy guidance from information owners/stewards is implemented at the policy enforcement point between the interconnected systems. Specific architectural solutions are mandated, when required, to reduce the potential for undiscovered vulnerabilities. \n\nArchitectural solutions include: (i) prohibiting information transfers between interconnected systems (i.e., implementing access only, one way transfer mechanisms); (ii) employing hardware mechanisms to enforce unitary information flow directions; and (iii) implementing fully tested, re-grading mechanisms to reassign security attributes and associated security labels. \n\nThis is an information flow requirement. Information flow control applies to applications like a CDS. An AS is not a CDS.",
"fixid": "F-40077r1_fix",
"fixtext": "This requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35535",
"ruleID": "SV-46822r1_rule",
"severity": "medium",
"title": "The application server must enforce security policies regarding information on interconnected systems.",
"version": "SRG-APP-000048-AS-NA"
},
"V-35537": {
"checkid": "C-43877r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. \n\nSpecific examples of flow control enforcement can be found in boundary protection devices (e.g., proxies, gateways, guards, encrypted tunnels, firewalls, and routers) employing rule sets or establishing configuration settings restricting information system services, providing a packet-filtering capability based on header information, or providing a message-filtering capability based on content (e.g., using key word searches or document characteristics). \n\nAttribution (i.e., the ability to attribute actions to certain individuals) is a critical component of a security concept of operations. The ability to identify source and destination points for information flowing in an information system allows forensic reconstruction of events when required, and increases policy compliance by attributing policy violations to specific organizations/individuals. \n\nThis is an information flow requirement. Information flow control applies to applications like a CDS. An AS is not a cross domain solution.\n",
"fixid": "F-40078r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35537",
"ruleID": "SV-46824r1_rule",
"severity": "medium",
"title": "The application server must uniquely identify source domains for information transfer.",
"version": "SRG-APP-000049-AS-NA"
},
"V-35539": {
"checkid": "C-43879r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy. \n\nInformation flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. \n\nSpecific examples of flow control enforcement can be found in boundary protection devices (e.g., proxies, gateways, guards, encrypted tunnels, firewalls, and routers) employing rule sets or establishing configuration settings restricting information system services, providing a packet-filtering capability based on header information, or providing a message-filtering capability based on content (e.g., using key word searches or document characteristics). \n\nAttribution (i.e., the ability to attribute actions to certain individuals) is a critical component of a security concept of operations. The ability to identify source and destination points for information flowing in an information system allows forensic reconstruction of events when required, and increases policy compliance by attributing policy violations to specific organizations/individuals. \n\nThis is an information flow requirement. Information flow control applies to applications like a CDS. An AS is not a cross domain solution.\n",
"fixid": "F-40079r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35539",
"ruleID": "SV-46826r1_rule",
"severity": "medium",
"title": "The application server must uniquely authenticate source domains for information transfer.",
"version": "SRG-APP-000050-AS-NA"
},
"V-35540": {
"checkid": "C-43880r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. \n\nSpecific examples of flow control enforcement can be found in boundary protection devices (e.g., proxies, gateways, guards, encrypted tunnels, firewalls, and routers) employing rule sets or establishing configuration settings restricting information system services, providing a packet-filtering capability based on header information, or providing a message-filtering capability based on content (e.g., using key word searches or document characteristics). \n\nThis is an information flow requirement. Information flow control applies to applications like a CDS. An AS is not a cross domain solution.\n",
"fixid": "F-40081r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-35540",
"ruleID": "SV-46827r1_rule",
"severity": "medium",
"title": "The application server must uniquely identify destination domains for information transfer.",
"version": "SRG-APP-000051-AS-NA"
},
"V-35542": {
"checkid": "C-43882r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "The application server enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy. Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information), without explicit regard to subsequent access to that information. \n\nAttribution is a critical component of a security concept of operations. The ability to identify source and destination points for information flowing in an information system allows forensic reconstruction of events when required, and increases policy compliance by attributing policy violations to specific organizations/individuals. Binding security attributes to information allows policy enforcement mechanisms to act on that information and enforce policy.\n\nThis is an information flow requirement. Information flow control applies to applications like a CDS. An AS is not a CDS.\n",
"fixid": "F-40083r1_fix",
"fixtext": "This requirement is NA. No fix is required.",
"iacontrols": null,
"id": "V-35542",
"ruleID": "SV-46829r1_rule",
"severity": "medium",
"title": "The application server must bind security attributes to information to facilitate information flow policy enforcement.\n",
"version": "SRG-APP-000052-AS-NA"
},
"V-35544": {
"checkid": "C-43884r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": " Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information), without explicit regard to subsequent accesses to that information. \n\nAttribution (i.e., the ability to attribute actions to certain individuals) is a critical component of a security concept of operations. The ability to identify source and destination points for information flowing in an information system allows forensic reconstruction of events when required, and increases policy compliance by attributing policy violations to specific organizations/individuals. \n\nIn order to identify problems that may occur when binding security attributes to information, tracking and/or auditing of these binding events must take place. \n\nThis is an information flow requirement. Information flow control applies to applications like a CDS. An AS is not a CDS.\n",
"fixid": "F-40085r1_fix",
"fixtext": "This requirement is NA for the AS SRG.\n",
"iacontrols": null,
"id": "V-35544",
"ruleID": "SV-46831r1_rule",
"severity": "medium",
"title": "The application server must track problems associated with the binding of security attributes to data.",
"version": "SRG-APP-000053-AS-NA"
},
"V-35546": {
"checkid": "C-43886r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information), without explicit regard to subsequent accesses to that information. \n\nInformation flow enforcement mechanisms compare security attributes on all information (data content and data structure), and source and destination objects, and respond appropriately (e.g., block, quarantine, alert administrator) when the mechanisms encounter information flows not explicitly allowed by the information flow policy. Information flow enforcement using explicit security attributes can be used, for example, to control the release of certain types of information. \n\nApp servers are not information flow devices. Information flow control only applies to a CDS. An AS is not a CDS.",
"fixid": "F-40087r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35546",
"ruleID": "SV-46833r1_rule",
"severity": "medium",
"title": "The application server must enforce information flow control using protected processing domains (e.g., domain type enforcement) as a basis for flow control decisions.",
"version": "SRG-APP-000054-AS-NA"
},
"V-35549": {
"checkid": "C-43889r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information), without explicit regard to subsequent access to that information. \n\nInformation flow control applies to a CDS. An AS is not a CDS, guard, or proxy.\n",
"fixid": "F-40090r1_fix",
"fixtext": "The requirement is NA. No fix is required.",
"iacontrols": null,
"id": "V-35549",
"ruleID": "SV-46836r1_rule",
"severity": "medium",
"title": "The application server must enforce information flow using dynamic control, based on policy that allows or disallows information flow based on changing conditions or operational considerations.",
"version": "SRG-APP-000055-AS-NA"
},
"V-35552": {
"checkid": "C-43891r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information), without explicit regard to subsequent access to that information. \n\nThe AS itself does not originate or inspect application data content; it provides the capability for hosted applications to transmit encrypted data. Ensuring that encrypted data is decrypted and subjected to content checking before use is therefore a hosted application (or CDS) requirement, not an AS requirement.\n",
"fixid": "F-40092r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35552",
"ruleID": "SV-46839r1_rule",
"severity": "medium",
"title": "Application servers must prevent encrypted data from bypassing content-checking mechanisms.",
"version": "SRG-APP-000056-AS-NA"
},
"V-35554": {
"checkid": "C-43894r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information), without explicit regard to subsequent access to that information. \n\nInformation flow enforcement mechanisms compare security attributes on all information (data content and data structure) and source and destination objects, and respond appropriately (e.g., block, quarantine, alert administrator) when the mechanisms encounter information flows not explicitly allowed by the information flow policy. \n\nEmbedding of data within other data is often used for the surreptitious transfer of data. For example, embedding data within an image file (e.g., .jpg) is referred to as steganography and is used to circumvent protections in place to protect information.\n\nThe AS does not manage application data content. The AS provides an application hosting capability and this requirement would apply to hosted applications but not the AS.\n",
"fixid": "F-40095r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35554",
"ruleID": "SV-46841r1_rule",
"severity": "medium",
"title": "Application servers must enforce organization defined limitations on the embedding of data types within other data types.",
"version": "SRG-APP-000057-AS-NA"
},
"V-35556": {
"checkid": "C-43896r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information), without explicit regard to subsequent access to that information. \n\nInformation flow enforcement mechanisms compare security attributes on all information (data content and data structure) and source and destination objects, and respond appropriately (e.g., block, quarantine, alert administrator) when the mechanisms encounter information flows not explicitly allowed by the information flow policy. \n\nMetadata is defined as data providing information about one or more other pieces of data, such as purpose of the data, author/creator of the data, network location of where data was created, and application-specific data information. \n\nInformation flow control only applies to a CDS. An AS is not a CDS.",
"fixid": "F-40097r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35556",
"ruleID": "SV-46843r1_rule",
"severity": "medium",
"title": "Application servers must enforce information flow control on metadata.\n",
"version": "SRG-APP-000058-AS-NA"
},
"V-35559": {
"checkid": "C-43898r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information), without explicit regard to subsequent access to that information. \n\nInformation flow enforcement mechanisms compare security attributes on all information (data content and data structure) and source and destination objects, and respond appropriately (e.g., block, quarantine, alert administrator) when the mechanisms encounter information not explicitly allowed by the information flow policy. \n\nSecurity policy filters are defined by the organization and include dirty word filters, file type checking filters, structured data filters, unstructured data filters, metadata content filters, and hidden content filters. \n\nInformation flow control only applies to a CDS. An AS is not a CDS.\n",
"fixid": "F-40099r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35559",
"ruleID": "SV-46846r1_rule",
"severity": "medium",
"title": "The application server must use security policy filters as a basis for making information flow control decisions.\n\n",
"version": "SRG-APP-000059-AS-NA"
},
"V-35562": {
"checkid": "C-43901r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. \n\nSpecific examples of flow control enforcement can be found in boundary protection devices (e.g., proxies, application gateways, guards, cross domain systems) employing rule sets or establishing configuration settings restricting information system services, providing a packet-filtering capability based on header information, or providing a message-filtering capability based on content (e.g., using key word searches or document characteristics). \n\nThe ability to identify source and destination points for information flowing in an information system allows forensic reconstruction of events when required, and increases policy compliance by attributing policy violations to specific organizations/individuals. \n\nThis is an information flow requirement. Information flow control applies to applications like a CDS. An AS is not a cross domain solution.\n",
"fixid": "F-40103r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35562",
"ruleID": "SV-46849r1_rule",
"severity": "medium",
"title": "The application server must uniquely authenticate destination domains when transferring information.\n",
"version": "SRG-APP-000060-AS-NA"
},
"V-35564": {
"checkid": "C-43904r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "There are security-related issues arising from software brought into the information system specifically for diagnostic and repair actions. (e.g., a software packet sniffer installed on a system in order to troubleshoot system traffic, or a vendor installing or running a diagnostic application in order to troubleshoot an issue with a vendor supported system).\n\nThis requirement ensures the media containing the application is scanned for malicious code prior to use. \n\nApp servers do not scan for malicious code. This requirement does not apply.\n",
"fixid": "F-40105r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35564",
"ruleID": "SV-46851r1_rule",
"severity": "medium",
"title": "Applications scanning for malicious code must scan all media used for system maintenance prior to use.\n",
"version": "SRG-APP-000073-AS-NA"
},
"V-35567": {
"checkid": "C-43906r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document. Non-repudiation services can be used to determine if information originated from an individual, or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request) or received specific information. Non-repudiation services are obtained by employing various techniques or mechanisms (e.g., digital signatures, digital message receipts).\n\nWhen it comes to data review and data release, there must be a correlation between the data that is reviewed and the person who performs the review. \n\nThe application server itself is not designed to produce or release information and therefore does not employ notions of chain of custody. This requirement relates to applications that are designed to output data.\n",
"fixid": "F-40107r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35567",
"ruleID": "SV-46854r1_rule",
"severity": "medium",
"title": "The application server must maintain reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.",
"version": "SRG-APP-000083-AS-NA"
},
"V-35569": {
"checkid": "C-43909r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "This non-repudiation control enhancement is intended to mitigate the risk that information could be modified between review and transfer/release particularly when transfer is occurring between security domains. \n\nIn those instances where the application is transferring data intended for release across security domains, the application must validate the binding of the reviewer's identity to the information at the transfer/release point prior to transfer/release from one security domain to another security domain. \n\nThe application server itself is not designed to produce or release information and therefore does not employ notions of chain of custody. This requirement relates to applications that are designed to output data.\n",
"fixid": "F-40110r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-35569",
"ruleID": "SV-46856r1_rule",
"severity": "medium",
"title": "The application server must validate the binding of the reviewer's identity to the information at the transfer/release point prior to transfer/release from one security domain to another security domain.",
"version": "SRG-APP-000084-AS-NA"
},
"V-35571": {
"checkid": "C-43911r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nIn some instances, DoD may require customized application-related events to be logged. The application server must have the capability to include organization defined detailed information in the audit records for audit events. \nAn example of detailed information that DoD may require in audit records is full-text recording of privileged commands or the individual identities of group account users. \n\nThe AS hosts multiple applications with varying features and capabilities while providing a limited set of management functions. This requirement is better met by applying it to the application residing on top of the AS rather than the AS itself.\n",
"fixid": "F-40112r1_fix",
"fixtext": "This requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-35571",
"ruleID": "SV-46858r1_rule",
"severity": "medium",
"title": "The application server must include organization defined additional, detailed information in the audit records for audit events identified by type, location, or subject.",
"version": "SRG-APP-000101-AS-NA"
},
"V-35572": {
"checkid": "C-43912r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "It is critical that, when a system is at risk of failing to process audit logs as required, actions are automatically taken to mitigate the failure. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. \n\nAS functionality is designed for application hosting and does not include threshold management of auditing-related traffic. This requirement is better met by a network traffic QoS solution that can meter and assign priorities to specific types of traffic.\n",
"fixid": "F-40113r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35572",
"ruleID": "SV-46859r1_rule",
"severity": "medium",
"title": "The application must enforce configurable traffic volume thresholds representing auditing capacity for network traffic.\n",
"version": "SRG-APP-000105-AS-NA"
},
"V-35575": {
"checkid": "C-43915r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "It is critical that, when a system is at risk of failing to process audit logs as required, actions are automatically taken to mitigate the failure or risk of failure. \n\nRejecting or delaying network traffic is not a role that the application server plays. AS functionality is designed for application hosting and does not include threshold management of audit traffic. This requirement is better met by a network traffic QoS solution that can meter and assign priorities to specific types of traffic.",
"fixid": "F-40116r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35575",
"ruleID": "SV-46862r1_rule",
"severity": "medium",
"title": "The application server must reject or delay, as defined by the organization, network traffic generated above configurable traffic volume thresholds.",
"version": "SRG-APP-000106-AS-NA"
},
"V-35576": {
"checkid": "C-43917r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "It is critical that, when a system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. If the system were to continue processing without auditing enabled, actions can be taken on the system that cannot be tracked and recorded for later forensic analysis. \n\nDue to the critical services of the AS, the server should never be automatically shut down, as that could cause an application DoS. The alternative audit capability contemplated by this requirement is better provided by AS failover or system monitoring capabilities.\n",
"fixid": "F-40118r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35576",
"ruleID": "SV-46863r1_rule",
"severity": "medium",
"title": "The application server must invoke a system shutdown in the event of an audit failure, unless an alternative audit capability exists.",
"version": "SRG-APP-000107-AS-NA"
},
"V-35577": {
"checkid": "C-43918r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Applications are typically designed to incorporate their audit logs into the auditing sub-system hosted by the operating system. However, in some instances application developers may decide to forego the audit capabilities offered by the operating system and maintain application audit logs separately. \n\nThe protection of audit records from unauthorized or accidental deletion or modification requires that information systems be able to produce audit records on hardware-enforced write-once media. \n\nApplications that do not write audit records to a resource (e.g., underlying OS or separate system) that is capable of producing audit records on hardware-enforced, write-once media must provide the capability to do so. This requirement is related to backup of records and not real-time creation of audit records.\n\nExamples of such hardware devices include, but are not limited to CD-R and DVD-R. \n\nThis requirement is not applicable to an AS. It is applicable to a central audit management system.",
"fixid": "F-40333r1_fix",
"fixtext": "The requirement is NA. No fix is required.",
"iacontrols": null,
"id": "V-35577",
"ruleID": "SV-46864r1_rule",
"severity": "medium",
"title": "The application server must have the capability to produce audit records on hardware-enforced, write-once media.\n",
"version": "SRG-APP-000124-AS-NA"
},
"V-35578": {
"checkid": "C-43920r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Regarding access restrictions for changes made to organization defined information system components and system level information, any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. \n\nAccordingly, only qualified and authorized individuals are allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. \n\nA two-person rule requires two separate individuals to acknowledge and approve those changes. A two-person rule for changes to critical application components helps to reduce risks pertaining to availability and integrity.\n\nThe IA posture of the AS does not warrant application of the two-person rule.\n",
"fixid": "F-40119r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-35578",
"ruleID": "SV-46865r1_rule",
"severity": "medium",
"title": "The application server must support the enforcement of a two-person rule for changes to organization defined application components and system-level information.\n",
"version": "SRG-APP-000132-AS-NA"
},
"V-35580": {
"checkid": "C-43922r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. \n\nRather than visiting each and every system when making application configuration changes, organizations will employ automated tools that can make changes across all systems. \n\nThe AS is not a configuration management application. This requirement does not apply.\n",
"fixid": "F-40121r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35580",
"ruleID": "SV-46867r1_rule",
"severity": "medium",
"title": "Configuration management applications must employ automated mechanisms to centrally manage configuration settings.",
"version": "SRG-APP-000135-AS-NA"
},
"V-35582": {
"checkid": "C-43924r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. \n\nRather than visiting each and every system when making application configuration changes, organizations will employ automated tools that can make changes across all systems. \n\n\"Centrally apply\" means to apply settings from a centralized location. To support this requirement, configuration management applications will employ automated mechanisms to centrally apply configuration settings, and applications in general will ensure they do not hinder the use of such tools. \n\nThe AS is not a configuration management application. This requirement does not apply.\n",
"fixid": "F-40123r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35582",
"ruleID": "SV-46869r1_rule",
"severity": "medium",
"title": "Configuration management applications must employ automated mechanisms to centrally apply configuration settings.",
"version": "SRG-APP-000136-AS-NA"
},
"V-35584": {
"checkid": "C-43926r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. \n\nRather than visiting each and every system when making configuration changes, organizations will employ automated tools that can make changes across all systems. This greatly increases efficiency and manageability of systems and applications in a large scale environment. \n\n\"Centrally verify\" means to verify settings have taken effect from a centralized location. \n\nThe AS is not a configuration management application. This requirement does not apply.\n",
"fixid": "F-40125r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35584",
"ruleID": "SV-46871r1_rule",
"severity": "medium",
"title": "Configuration management applications must employ automated mechanisms to centrally verify configuration settings.",
"version": "SRG-APP-000137-AS-NA"
},
"V-35586": {
"checkid": "C-43928r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": " Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. \n\nResponses to unauthorized changes to configuration settings can include alerting designated organizational personnel, restoring mandatory/organization defined configuration settings, or in the extreme case, halting affected information system processing. \n\n\"Centrally respond\" means to respond to unauthorized changes to settings that have taken effect from a centralized location. \n\nThe AS is not a configuration management application. This requirement does not apply.\n",
"fixid": "F-40127r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35586",
"ruleID": "SV-46873r1_rule",
"severity": "medium",
"title": "Configuration management applications must employ automated mechanisms to centrally respond to unauthorized changes to configuration settings.",
"version": "SRG-APP-000138-AS-NA"
},
"V-35588": {
"checkid": "C-43930r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. \n\nIncident Response teams require input from authoritative sources in order to investigate events that have occurred. Configuration management solutions are a logical source for providing information regarding system configuration changes. \n\nThe AS is not a configuration management application. This requirement does not apply.\n",
"fixid": "F-40129r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35588",
"ruleID": "SV-46875r1_rule",
"severity": "medium",
"title": "Configuration management solutions must track unauthorized, security-relevant configuration changes.\n",
"version": "SRG-APP-000139-AS-NA"
},
"V-35590": {
"checkid": "C-43932r1_chk",
"checktext": "This requirement is NA for the AS SRG",
"description": " Information system backup is a critical step in maintaining data assurance and availability. \n\nUser-level information is data generated by information system and/or application users. In order to assure availability of this data in the event of a system failure, DoD organizations are required to ensure user-generated data is backed up at a defined frequency. This includes data stored on file systems, within databases, or within any other storage media.\n\nApplications performing backups must be capable of backing up user-level information per the DoD defined frequency. \n\nThe AS is not a backup or disaster recovery application. This requirement does not apply.\n",
"fixid": "F-40131r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-35590",
"ruleID": "SV-46877r1_rule",
"severity": "medium",
"title": "Backup/Disaster Recovery-oriented applications must be capable of backing up user-level information per a defined frequency.",
"version": "SRG-APP-000145-AS-NA"
},
"V-35593": {
"checkid": "C-43934r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Information system backup is a critical step in maintaining data assurance and availability. \n\nInformation system and security related documentation contains information pertaining to system configuration and security settings. \n\nBackups shall be consistent with organizational recovery time and recovery point objectives. \n\nThe AS does not manage documentation and is not a backup or disaster recovery device. The requirement is NA.\n",
"fixid": "F-40133r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35593",
"ruleID": "SV-46880r1_rule",
"severity": "medium",
"title": "The application must support and must not impede organizational requirements to conduct backups of information system documentation, including security-related documentation, per organization defined frequency.",
"version": "SRG-APP-000147-AS-NA"
},
"V-35595": {
"checkid": "C-43937r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Multifactor authentication is defined as using two or more factors to achieve authentication. \n\nRationale for non-applicability: All accounts on the AS are privileged in some manner. The AS is only accessed by authorized administrators with full control over all functionality and by other authorized administrators serving in roles used to manage specific functionality of the server. Non-privileged accounts will not be present.\n",
"fixid": "F-40136r1_fix",
"fixtext": "This requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35595",
"ruleID": "SV-46882r1_rule",
"severity": "medium",
"title": "The application server must use multifactor authentication for network access to non-privileged accounts.\n",
"version": "SRG-APP-000150-AS-NA"
},
"V-35596": {
"checkid": "C-43938r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Multifactor authentication is defined as using two or more factors to achieve authentication. \n\nRationale for non-applicability: All accounts on the AS are privileged in some manner. The AS is only accessed by authorized administrators serving in roles used to manage specific functionality of the server. Non-privileged accounts will not be present.\n",
"fixid": "F-40137r1_fix",
"fixtext": "This requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35596",
"ruleID": "SV-46883r1_rule",
"severity": "medium",
"title": "The application server must use multifactor authentication for local access to non-privileged accounts.\n",
"version": "SRG-APP-000152-AS-NA"
},
"V-35598": {
"checkid": "C-43941r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Out Of Band 2 Factor Authentication (OOB2FA) is defined as when one of the authentication factors is provided by a device that is separate from the system that is used to gain access. \n\nFor example, a mobile device such as a smart phone is registered within the application to an application user. Upon a successful authentication, the system sends instructions to the registered mobile device in the form of on-screen prompts instructing the user on how to complete the login process.\n\nOOB2FA employs separate communication channels where at least one is independently maintained and trusted to authenticate an end user. \n\nThe AS does not provide or utilize OOB2FA. This requirement is NA.\n",
"fixid": "F-40139r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35598",
"ruleID": "SV-46885r1_rule",
"severity": "medium",
"title": "Applications using multifactor authentication when accessing privileged accounts via the network must provide one of the factors by a device that is separate from the information system gaining access.",
"version": "SRG-APP-000154-AS-NA"
},
"V-35599": {
"checkid": "C-43942r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Out Of Band 2 Factor Authentication is defined as when one of the authentication factors is provided by a device that is separate from the system that is used to gain access. \n\nFor example, a mobile device such as a smart phone is registered within the application to an application user. Upon a successful authentication, the system sends instructions to the registered mobile device in the form of on-screen prompts instructing the user on how to complete the login process.\n\nOOB2FA employs separate communication channels where at least one is independently maintained and trusted to authenticate an end user. \n\nThe AS does not provide or utilize OOB2FA. This requirement is NA.\n",
"fixid": "F-40140r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35599",
"ruleID": "SV-46886r1_rule",
"severity": "medium",
"title": "Applications using multifactor authentication when accessing non-privileged accounts via the network must provide one of the factors by a device separate from the information system gaining access.\n",
"version": "SRG-APP-000155-AS-NA"
},
"V-35600": {
"checkid": "C-43943r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Device authentication requires unique identification and authentication that may be defined by type, by specific device, or by a combination of type and device, as deemed appropriate by the organization. \n\nThe required strength of the device authentication mechanism is determined by the security categorization of the information system. \n\nBidirectional authentication provides a means for both connecting parties to mutually authenticate one another and cryptographic authentication provides a secure means of authenticating without the use of clear text passwords. \n\nThis requirement is intended to address devices that manage or allow wireless devices to connect to the network. This does not apply to an AS.",
"fixid": "F-40141r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-35600",
"ruleID": "SV-46887r1_rule",
"severity": "medium",
"title": "Applications managing network connections for devices must authenticate devices before establishing wireless network connections by using bidirectional authentication that is cryptographically based.",
"version": "SRG-APP-000160-AS-NA"
},
"V-35601": {
"checkid": "C-43944r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Device authentication is a solution enabling an organization to manage both users and devices. \n\nThe application typically uses either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for identification or an organizational authentication solution (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and/or wide area networks. \n\nBidirectional authentication provides a means for both connecting parties to mutually authenticate one another, and cryptographic authentication provides a secure means of authenticating without the use of clear text passwords. \n\nThis requirement is intended to address devices that manage or allow wireless devices to connect to the network. This does not apply to an AS.\n",
"fixid": "F-40142r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-35601",
"ruleID": "SV-46888r1_rule",
"severity": "medium",
"title": "Applications managing network connectivity must have the capability to authenticate devices before establishing network connections by using bidirectional authentication that is cryptographically based.\n",
"version": "SRG-APP-000161-AS-NA"
},
"V-35602": {
"checkid": "C-43945r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Non-organizational users include all information system users other than organizational users, which include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). \n\nThe application server is not designed to be accessed by non-organizational users. This requirement will apply to applications hosted on the AS but not the AS itself.\n",
"fixid": "F-40143r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35602",
"ruleID": "SV-46889r1_rule",
"severity": "medium",
"title": "The application server must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).",
"version": "SRG-APP-000180-AS-NA"
},
"V-35603": {
"checkid": "C-43946r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "When responding to a security incident, a capability must exist allowing authorized personnel to disable a particular system if the system exhibits a security violation and the organization determines an action is warranted. \n\nOrganizations shall define a list of security violations that warrant an immediate disabling of a system. \n\nApplication servers are not designed to address incident response scenarios. This requirement does not apply.",
"fixid": "F-40144r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-35603",
"ruleID": "SV-46890r1_rule",
"severity": "medium",
"title": "Applications that are designed and intended to address incident response scenarios must provide a configurable capability to automatically disable an information system if any of the organization defined security violations are detected.\n",
"version": "SRG-APP-000181-AS-NA"
},
"V-35604": {
"checkid": "C-43947r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Incident tracking is a method of monitoring networks and systems for activity indicative of viral infection or system attack. \n\nMonitoring for this type of activity provides the organization with the capability to proactively detect and respond to attacks. Automated mechanisms for tracking security incidents and collecting/analyzing incident information include the Einstein network monitoring device and monitoring online Computer Incident Response Centers (CIRCs) and other electronic databases of incidents. \n\nApplication servers are not designed to address incident response scenarios. This requirement does not apply.\n",
"fixid": "F-40145r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35604",
"ruleID": "SV-46891r1_rule",
"severity": "medium",
"title": "Applications related to incident tracking must support organizational requirements to employ automated mechanisms to assist in the tracking of security incidents.",
"version": "SRG-APP-000182-AS-NA"
},
"V-35605": {
"checkid": "C-43948r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network.\nExamples of types of applications used for non-local maintenance and diagnostic activities are provided below. Use as an example does not imply compliance with policy requirements or approval for use. Examples include but are not limited to:\n\n- Terminal Services\n- Remote Desktop\n- Dameware\n- VNC (all variants)\n\nApplication servers are not tools used to conduct non-local maintenance sessions.\n\n",
"fixid": "F-40146r1_fix",
"fixtext": "The requirement is NA. No fix is required.",
"iacontrols": null,
"id": "V-35605",
"ruleID": "SV-46892r1_rule",
"severity": "medium",
"title": "Applications used for non-local maintenance sessions must protect those sessions through the use of a strong authenticator tightly bound to the user.",
"version": "SRG-APP-000183-AS-NA"
},
"V-35606": {
"checkid": "C-43949r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "When data is written to portable digital media such as thumb drives, floppy diskettes, compact disks, magnetic tape, etc., there is risk of data loss. \n\nWhen the organization has determined that the risk warrants it, data written to portable digital media must be encrypted. \n\nApplication servers are not designed to write data to portable digital media. Where AS data is written to such media by other tooling (e.g., a backup application), this requirement applies to that tooling rather than to the AS.\n",
"fixid": "F-40147r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35606",
"ruleID": "SV-46893r1_rule",
"severity": "medium",
"title": "Applications employed to write data to portable digital media must use cryptographic mechanisms to protect and restrict access to information on portable digital media.",
"version": "SRG-APP-000187-AS-NA"
},
"V-35607": {
"checkid": "C-43950r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Scanning software is purpose-built to check for vulnerabilities in the information system and hosted applications and is also used to enumerate platforms, software flaws, and improper configurations. \n\nScanning software includes the capability to scan for specific functions, applications, ports, protocols, and services that should not be accessible to users or devices and for improperly configured or incorrectly operating information flow mechanisms. \n\nThis is a vulnerability scanner requirement. Application servers do not detect the presence of unauthorized software.\n",
"fixid": "F-40148r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35607",
"ruleID": "SV-46894r1_rule",
"severity": "medium",
"title": "Application software used to detect the presence of unauthorized software must employ automated detection mechanisms and notify designated organizational officials in accordance with the organization defined frequency.\n",
"version": "SRG-APP-000189-AS-NA"
},
"V-35608": {
"checkid": "C-43951r1_chk",
"checktext": "The requirement is NA for the AS SRG.\n",
"description": "Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. \n\nIn addition to being required for the effective operation of a cryptographic mechanism, effective cryptographic key management provides protections to maintain the availability of the information in the event of the loss of cryptographic keys by users.\n\nThis requirement applies solely to symmetric cryptographic keys. An AS will more often than not utilize asymmetric cryptographic keys; however, it is possible that an AS might occasionally use a symmetric key. While this requirement could potentially apply, it was decided to utilize CCI-001140 instead, as that requirement addresses both symmetric and asymmetric cryptographic keys; any symmetric keys the AS does use are therefore covered under CCI-001140.\n",
"fixid": "F-40149r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35608",
"ruleID": "SV-46895r1_rule",
"severity": "medium",
"title": "Applications involved in the production, control, and distribution of symmetric cryptographic keys must use NIST-approved or NSA-approved key management technology and processes.",
"version": "SRG-APP-000192-AS-NA"
},
"V-35609": {
"checkid": "C-43952r1_chk",
"checktext": "The requirement is NA for the AS SRG.\n",
"description": "Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. \n\n\nThis requirement only addresses Class 3 certificates. CCI-001143 addresses both Class 3 and Class 4 certificate usage. Class 4 certificates are used for \"business to business\" certificates, which includes web service oriented applications. This requirement is NA; CCI-001143 will be used instead, as it covers both classes of certificates and better addresses AS functionality and capability.\n",
"fixid": "F-40150r2_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35609",
"ruleID": "SV-46896r1_rule",
"severity": "medium",
"title": "Applications involved in the production, control, and distribution of asymmetric cryptographic keys must use approved PKI Class 3 certificates or prepositioned keying material.",
"version": "SRG-APP-000194-AS-NA"
},
"V-35610": {
"checkid": "C-43953r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "The need to verify security functionality applies to all security functions. \n\nFor those security functions not able to execute automated self-tests the organization either implements compensating security controls or explicitly accepts the risk of not performing the verification as required. Information system transitional states include startup, restart, shutdown, and abort. \n\n\nThis requirement is NA. It relates to functional testing of security specifications conducted during application development as an overall development process. This activity is not conducted on any production system, including application servers.\n",
"fixid": "F-40151r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-35610",
"ruleID": "SV-46897r1_rule",
"severity": "medium",
"title": "Applications must respond to security function anomalies in accordance with organization defined responses and alternative action(s).",
"version": "SRG-APP-000200-AS-NA"
},
"V-35611": {
"checkid": "C-43954r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Collaborative computing devices include networked white boards, cameras, and microphones. Collaborative software examples include instant messaging or chat clients. \n\nThis requirement is NA. Application servers are not collaborative computing devices.",
"fixid": "F-40152r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35611",
"ruleID": "SV-46898r1_rule",
"severity": "medium",
"title": "Software and/or firmware used for collaborative computing devices must prohibit remote activation, excluding the organization defined exceptions where remote activation is to be allowed.\n",
"version": "SRG-APP-000202-AS-NA"
},
"V-35612": {
"checkid": "C-43955r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "For user certificates, each organization attains certificates from an approved, shared service provider, as required by OMB policy. \n\nFor federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice. \n\nThis control focuses on certificates with a visibility external to the information system and does not include certificates related to internal system operations, for example, application-specific time services. \n\nThis is a PKI server requirement. Application servers do not act as a Certification Authority and do not issue, control, or distribute public key certificates. Usage of the certificates the AS itself presents is addressed under CCI-001143.\n",
"fixid": "F-40153r1_fix",
"fixtext": "The requirement is NA. No fix is required.",
"iacontrols": null,
"id": "V-35612",
"ruleID": "SV-46899r1_rule",
"severity": "medium",
"title": "Applications must support organizational requirements to issue public key certificates under an appropriate certificate policy or obtain public key certificates under an appropriate certificate policy from an approved service provider.",
"version": "SRG-APP-000205-AS-NA"
},
"V-35613": {
"checkid": "C-43956r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. \n\nMobile code technologies include Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on organizational servers and mobile code downloaded and executed on individual workstations. \n\nPolicy and procedures related to mobile code address preventing the development, acquisition, or introduction of unacceptable mobile code within the information system. \n\nThis requirement is NA. Application servers are not designed to address malware issues.\n",
"fixid": "F-40154r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35613",
"ruleID": "SV-46900r1_rule",
"severity": "medium",
"title": "Applications designed to address malware issues and/or enforce policy pertaining to organizational use of mobile code must implement detection and inspection mechanisms to identify unauthorized mobile code.",
"version": "SRG-APP-000206-AS-NA"
},
"V-35614": {
"checkid": "C-43957r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. \n\nMobile code technologies include: Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on organizational servers and mobile code downloaded and executed on individual workstations. \n\nPolicy and procedures related to mobile code address preventing the development, acquisition, or introduction of unacceptable mobile code within the information system. \n\nThis requirement relates to client systems and AV or malware scanners, not application servers.",
"fixid": "F-40155r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35614",
"ruleID": "SV-46901r1_rule",
"severity": "medium",
"title": "Applications designed to address malware issues and/or enforce policy pertaining to organizational use of mobile code must take corrective actions, when unauthorized mobile code is identified.",
"version": "SRG-APP-000207-AS-NA"
},
"V-35615": {
"checkid": "C-43958r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. \n\nMobile code technologies include Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on organizational servers and mobile code downloaded and executed on individual workstations. \n\nThis requirement relates to client systems and not application servers. The AS does not enforce policy regarding mobile code.",
"fixid": "F-40156r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35615",
"ruleID": "SV-46902r1_rule",
"severity": "medium",
"title": "Applications designed to enforce policy pertaining to organizational use of mobile code must prevent the download and execution of prohibited mobile code.",
"version": "SRG-APP-000209-AS-NA"
},
"V-35616": {
"checkid": "C-43959r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. \n\nMobile code technologies include: Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on organizational servers and mobile code downloaded and executed on individual workstations. \n\nThis requirement relates to client systems and not application servers. The AS does not enforce policy regarding mobile code.\n",
"fixid": "F-40157r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35616",
"ruleID": "SV-46903r1_rule",
"severity": "medium",
"title": "Applications designed to enforce policy pertaining to the use of mobile code must prevent the automatic execution of mobile code in organization defined software applications and require organization defined actions prior to executing the code.\n",
"version": "SRG-APP-000210-AS-NA"
},
"V-35617": {
"checkid": "C-43960r1_chk",
"checktext": "The requirement is NA for the AS SRG.\n",
"description": "This control enables remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. \n\nA Domain Name System (DNS) server is an example of an information system providing name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts. DNS resource records are examples of authoritative data. \n\nInformation systems using technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data. The DNS security controls are consistent with, and referenced from, OMB Memorandum 08-23. \n\nThe AS does not perform DNS functions.",
"fixid": "F-40158r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35617",
"ruleID": "SV-46904r1_rule",
"severity": "medium",
"title": "The application must provide additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries.\n",
"version": "SRG-APP-000213-AS-NA"
},
"V-35618": {
"checkid": "C-43961r1_chk",
"checktext": "The requirement is NA for the AS SRG.",
"description": "This control enables remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service.\n\nA Domain Name System (DNS) server is an example of an information system providing name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts. DNS resource records are examples of authoritative data. \n\nInformation systems using technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data. The DNS security controls are consistent with, and referenced from, OMB Memorandum 08-23. \n\nThe AS does not perform DNS functions.",
"fixid": "F-40159r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35618",
"ruleID": "SV-46905r1_rule",
"severity": "medium",
"title": "Applications, when operating as part of a distributed, hierarchical namespace, must provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among p",
"version": "SRG-APP-000214-AS-NA"
},
"V-35627": {
"checkid": "C-43970r1_chk",
"checktext": "The requirement is NA for the AS SRG.\n",
"description": "A recursive resolving or caching Domain Name System (DNS) server is an example of an information system providing name/address resolution service for local clients. \n\nAuthoritative DNS servers are examples of authoritative sources. Information systems using technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data. \n\nThe AS doesn't perform DNS functions.",
"fixid": "F-40167r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-35627",
"ruleID": "SV-46914r1_rule",
"severity": "medium",
"title": "The application must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.",
"version": "SRG-APP-000215-AS-NA"
},
"V-35628": {
"checkid": "C-43971r1_chk",
"checktext": "The requirement is NA for the AS SRG.\n",
"description": "A recursive resolving or caching Domain Name System (DNS) server is an example of an information system providing name/address resolution service for local clients. \n\nAuthoritative DNS servers are examples of authoritative sources. Information systems using technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data. \n\nThe AS doesn't perform DNS functions.\n",
"fixid": "F-40168r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-35628",
"ruleID": "SV-46915r1_rule",
"severity": "medium",
"title": "The application must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.\n",
"version": "SRG-APP-000216-AS-NA"
},
"V-35630": {
"checkid": "C-43973r1_chk",
"checktext": "The requirement is NA for the AS SRG.\n",
"description": "A recursive resolving or caching Domain Name System (DNS) server is an example of an information system providing name/address resolution service for local clients. \n\nAuthoritative DNS servers are examples of authoritative sources owning DNS data. Information systems using technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data. \n",
"fixid": "F-40170r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35630",
"ruleID": "SV-46917r1_rule",
"severity": "medium",
"title": "The application must perform data origin authentication and data integrity verification on all resolution responses received whether or not local client systems explicitly request this service",
"version": "SRG-APP-000217-AS-NA"
},
"V-35632": {
"checkid": "C-43975r1_chk",
"checktext": "The requirement is NA for the AS SRG.",
"description": "A Domain Name System (DNS) server is an example of an information system providing name/address resolution service. To eliminate single points of failure and to enhance redundancy, there are typically at least two authoritative DNS servers, one configured as primary and the other as secondary. \n\nAdditionally, the two servers are commonly located in two different network subnets and geographically separated (i.e., not located in the same physical facility). With regard to role separation, DNS servers with an internal role only process name/address resolution requests from within the organization (i.e., internal clients). \n\nDNS servers with an external role only process name/address resolution information requests from clients external to the organization (i.e., on the external networks including the Internet). The set of clients that can access an authoritative DNS server in a particular role is specified by the organization (e.g., by address ranges, explicit lists). \n\nThe AS does not perform DNS functions.",
"fixid": "F-40172r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35632",
"ruleID": "SV-46919r1_rule",
"severity": "medium",
"title": "Applications that collectively provide name/address resolution service for an organization must implement internal/external role separation.",
"version": "SRG-APP-000218-AS-NA"
},
"V-35633": {
"checkid": "C-43976r1_chk",
"checktext": "The requirement is NA for the AS SRG.\n",
"description": "Failure in a known state can address safety or security in accordance with the mission/business needs of the organization. Failure in a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. \n\nPreserving information system state information helps to facilitate system restart and return to the operational mode of the organization with less disruption of mission/business processes. \n\nThis is an application layer requirement best met by the application that resides on top of the AS. This is not an AS configurable parameter.",
"fixid": "F-40174r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35633",
"ruleID": "SV-46920r1_rule",
"severity": "medium",
"title": "Applications must preserve any organization defined system state information in the event of a system failure.",
"version": "SRG-APP-000226-AS-NA"
},
"V-35634": {
"checkid": "C-43977r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Applications designed to manage the connection of mobile devices to information systems must be able to enforce organizational connectivity requirements or work in conjunction with enterprise tools designed to enforce policy requirements. \n\nMobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices).\n\nOrganizational connectivity requirements may include usage restrictions and implementation guidance related to mobile devices. \n\nScanning devices for malicious code may be required prior to connecting, as well as updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared).\n\nApplication Servers do not manage mobile devices. They could host the applications that perform mobile management tasks, but do not have mobile management capabilities.\n",
"fixid": "F-40176r1_fix",
"fixtext": "This requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-35634",
"ruleID": "SV-46921r1_rule",
"severity": "medium",
"title": "The application server must enforce requirements regarding the connection of mobile devices to organizational information systems.",
"version": "SRG-APP-000227-AS-NA"
},
"V-35636": {
"checkid": "C-43979r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Maintaining system and network integrity requires that all systems on the network are identified and accounted for. Without an accurate accounting of systems utilizing the network, the opportunity exists for the introduction of rogue systems. The significance of this type of security compromise increases exponentially over time and could become a persistent threat. Therefore, organizations must employ automated mechanisms to detect the addition of unauthorized devices. \n\nThis is a configuration management application requirement that does not apply to application servers.",
"fixid": "F-40178r1_fix",
"fixtext": "The requirement is NA. No fix is required",
"iacontrols": null,
"id": "V-35636",
"ruleID": "SV-46923r1_rule",
"severity": "medium",
"title": "The application server must disable network access by unauthorized components/devices or notify designated organizational officials.",
"version": "SRG-APP-000228-AS-NA"
},
"V-35639": {
"checkid": "C-43981r1_chk",
"checktext": "The requirement is NA for the AS SRG.",
"description": "A Honey Pot is an organization-designated information system and/or application that includes components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks. \n\nThe AS is not a Honey Pot and does not trap, detect, or deflect attempts to attack the system.",
"fixid": "F-40181r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35639",
"ruleID": "SV-46926r1_rule",
"severity": "medium",
"title": "Only a Honey Pot information system and/or application must include components that proactively seek to identify web-based malicious code. Honey Pot systems must not be shared or used for any purpose other than described.",
"version": "SRG-APP-000229-AS-NA"
},
"V-35641": {
"checkid": "C-43983r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Application functionality is typically broken down into modules that perform various tasks or roles. Examples of non-privileged application functionality include, but are not limited to, application modules written for displaying data or printing reports. \n\nThis is an information flow requirement. Information flow control applies to applications like a CDS. An AS is not a CDS.",
"fixid": "F-40183r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35641",
"ruleID": "SV-46928r1_rule",
"severity": "medium",
"title": "The application server must isolate security functions enforcing access and information flow control from both non-security functions and from other security functions.\n",
"version": "SRG-APP-000235-AS-NA"
},
"V-35643": {
"checkid": "C-43985r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "The AS must isolate security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains) controlling access to, and protecting the integrity of, the hardware, software, and firmware that perform those security functions. The information system maintains a separate execution domain (e.g., address space) for each executing process. \n\n\nSeparation and isolation is met through application virtualization. This requirement will apply to applications residing on top of the AS, but not to the AS itself. Requirement is NA.",
"fixid": "F-40185r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35643",
"ruleID": "SV-46930r1_rule",
"severity": "medium",
"title": "The application server must implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.",
"version": "SRG-APP-000238-AS-NA"
},
"V-35645": {
"checkid": "C-43987r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Organizations may require applications or application components to be non-modifiable or to be stored and executed on non-writable storage. Use of non-modifiable storage ensures the integrity of the software program from the point of creation of the read-only image and eliminates the possibility of malicious code insertion. Application servers are installed and are modifiable. This requirement does not apply.",
"fixid": "F-40187r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35645",
"ruleID": "SV-46932r1_rule",
"severity": "medium",
"title": "Applications required to be non-modifiable must support organizational requirements to provide components that contain no writable storage capability. These components must be persistent across restart and/or power on/off.",
"version": "SRG-APP-000240-AS-NA"
},
"V-35647": {
"checkid": "C-43989r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Organizations may require the information system to load the operating environment from hardware-enforced, read-only media. The term operating environment is defined as the code upon which applications are hosted, for example, a monitor, executive, operating system, or application running directly on the hardware platform. \n\nHardware-enforced, read-only media include CD-R/DVD-R disk drives. Use of non-modifiable storage ensures the integrity of the software program from the point of creation of the read-only image. This requirement is NA. Application servers are installed and do not load and execute from CD-ROM.",
"fixid": "F-40189r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35647",
"ruleID": "SV-46934r1_rule",
"severity": "medium",
"title": "Applications must, for organization defined information system components, load and execute the operating environment from hardware-enforced, read-only media.",
"version": "SRG-APP-000241-AS-NA"
},
"V-35649": {
"checkid": "C-43991r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Use of non-modifiable storage ensures the integrity of the software program from the point of creation of the read-only image. Organizations may require the information system to load specified applications from hardware-enforced, read-only media. Hardware-enforced, read-only media include CD-R/DVD-R disk drives. This requirement is NA. Application servers are installed; they do not load and execute from CD-ROM.",
"fixid": "F-40191r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35649",
"ruleID": "SV-46936r1_rule",
"severity": "medium",
"title": "Applications must support organization defined requirements to load and execute from hardware-enforced, read-only media.",
"version": "SRG-APP-000242-AS-NA"
},
"V-35652": {
"checkid": "C-43994r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after the resource has been released back to the information system. Shared resources include memory, input/output queues, and network interface cards. \nMulti-level security is out of the scope of this SRG. The requirement is NA.",
"fixid": "F-40194r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-35652",
"ruleID": "SV-46939r1_rule",
"severity": "medium",
"title": "The application server must not share resources used to interface with systems operating at different security levels.",
"version": "SRG-APP-000244-AS-NA"
},
"V-35654": {
"checkid": "C-43996r1_chk",
"checktext": "The requirement is NA for the AS SRG.\n",
"description": "When it comes to DoS attacks, most of the attention is paid to ensuring that systems and applications are not victims of these attacks. \n\nWhile it is true that those accountable for systems want to ensure they are not affected by a DoS attack, they also need to ensure their systems and applications are not used to launch such an attack against others. To that extent, a variety of technologies exist to limit, or in some cases, eliminate the effects of DoS attacks. \n\nFor example, boundary protection devices can filter certain types of packets to protect devices from being directly affected by DoS attacks. Limiting system resources that are allocated to any user to a bare minimum may also reduce the ability of users to launch some DoS attacks. \n\nApplications and application developers must take the steps needed to ensure that users cannot use these applications to launch DoS attacks against other systems and networks. An example would be designing applications to include mechanisms that throttle network traffic so that users are not able to generate unlimited network traffic via the application. \n\nThe methods employed to counter this risk will be dependent upon the potential application layer methods that can be used to exploit it. \n\nThis is an application layer requirement. The AS itself is not designed to throttle traffic or to be placed at a boundary. This role is better met with an XML firewall.",
"fixid": "F-40196r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35654",
"ruleID": "SV-46941r1_rule",
"severity": "medium",
"title": "The application server must restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.",
"version": "SRG-APP-000246-AS-NA"
},
"V-35657": {
"checkid": "C-43999r1_chk",
"checktext": "The requirement is NA for the AS SRG.",
"description": "In the case of application DoS attacks, care must be taken when designing the application so as to ensure that the application makes the best use of system resources. SQL queries have the potential to consume large amounts of CPU cycles if they are not tuned for optimal performance. Web services containing complex calculations requiring large amounts of time to complete can bog down if too many requests for the service are encountered within a short period of time. \n\nThe methods employed to meet this requirement will vary depending upon the technology the application utilizes. However, a variety of technologies exist to limit, or in some cases, eliminate the effects of application related DoS attacks. Employing increased capacity and bandwidth combined with specialized application layer protection devices and service redundancy may reduce the susceptibility to some DoS attacks. \n\nThis is an application layer requirement. The AS itself is not designed to throttle traffic or be placed at a boundary. This role is better met with an XML firewall.\n",
"fixid": "F-40199r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35657",
"ruleID": "SV-46944r1_rule",
"severity": "medium",
"title": "The application server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.\n",
"version": "SRG-APP-000247-AS-NA"
},
"V-35659": {
"checkid": "C-44001r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "In regards to boundary controls such as routers and firewalls, examples of restricting and prohibiting communications include restricting external web traffic only to organizational web servers within managed interfaces and prohibiting external traffic that appears to be spoofing an internal address as the source. The requirement is NA. App servers are not firewalls.",
"fixid": "F-40201r1_fix",
"fixtext": "The requirement is NA. No fix is required.",
"iacontrols": null,
"id": "V-35659",
"ruleID": "SV-46946r1_rule",
"severity": "medium",
"title": "Applications functioning in the capacity of a firewall must check incoming communications to ensure the communications are coming from an authorized source and are routed to an authorized destination.",
"version": "SRG-APP-000249-AS-NA"
},
"V-35661": {
"checkid": "C-44003r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "A host-based boundary protection mechanism is a host-based firewall. Host-based boundary protection mechanisms are employed on mobile devices, such as notebook/laptop computers, and other types of mobile devices where such boundary protection mechanisms are available. The requirement is NA. App servers are not firewalls.\n",
"fixid": "F-40203r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35661",
"ruleID": "SV-46948r1_rule",
"severity": "medium",
"title": "The application must be capable of implementing host-based boundary protection mechanisms for servers, workstations, and mobile devices.",
"version": "SRG-APP-000250-AS-NA"
},
"V-35662": {
"checkid": "C-44004r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "This control enhancement is intended to protect the network addresses of information system components that are part of the managed interface from discovery through common tools and techniques used to identify devices on a network. The requirement is NA. This is a firewall requirement that does not apply to an AS.\n",
"fixid": "F-40204r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35662",
"ruleID": "SV-46949r1_rule",
"severity": "medium",
"title": "Boundary protection applications must prevent discovery of specific system components (or devices) composing a managed interface.",
"version": "SRG-APP-000252-AS-NA"
},
"V-35663": {
"checkid": "C-44005r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Automated mechanisms used to enforce protocol formats include deep packet inspection firewalls and XML gateways. These devices verify adherence to the protocol specification (e.g., IEEE) at the application layer and serve to identify significant vulnerabilities that cannot be detected by devices operating at the network or transport layer. It is impractical to expect protocol format inspection to be conducted manually. This requirement is NA. This task is for an XML gateway or application firewall; application servers are not expected to provide this level of functionality.",
"fixid": "F-40205r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-35663",
"ruleID": "SV-46950r1_rule",
"severity": "medium",
"title": "The application server must employ automated mechanisms to enforce strict adherence to protocol format.",
"version": "SRG-APP-000253-AS-NA"
},
"V-35664": {
"checkid": "C-44006r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Access into an organization's internal network and to key internal boundaries must be tightly controlled and managed. Applications monitoring and/or controlling communications at the external boundary of the system and at key internal boundaries must be capable of preventing public access into the organization's internal networks except as appropriately mediated by managed interfaces. The requirement is NA. App servers are not designed to be firewalls.",
"fixid": "F-40206r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-35664",
"ruleID": "SV-46951r1_rule",
"severity": "medium",
"title": "Boundary protection applications must be capable of preventing public access into the organization's internal networks except as appropriately mediated by managed interfaces.",
"version": "SRG-APP-000255-AS-NA"
},
"V-35667": {
"checkid": "C-44008r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "A firewall default deny all is a firewall configuration setting that will force the administrator to explicitly allow network or application traffic rather than allowing all traffic by default. The purpose is to prevent unmanaged access into the internal network or in the case of an application firewall, to application content, features, or functionality. The requirement is NA. App servers are not designed to be firewalls.",
"fixid": "F-40208r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35667",
"ruleID": "SV-46954r1_rule",
"severity": "medium",
"title": "Any software application designed to function as a firewall must be capable of employing a default deny all configuration.",
"version": "SRG-APP-000256-AS-NA"
},
"V-35669": {
"checkid": "C-44011r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "This control enhancement is implemented within the remote device (e.g., notebook/laptop computer) via configuration settings that are not configurable by the user of that device. An example of a non-remote communications path from a remote device is a virtual private network. When a non-remote connection is established using a virtual private network, the configuration settings prevent split-tunneling. Split-tunneling might otherwise be used by remote users to communicate with the information system as an extension of that system and to communicate with local resources such as a printer or file server. Since the remote device, when connected by a non-remote connection, becomes an extension of the information system, allowing dual communications paths such as split-tunneling would be, in effect, allowing unauthorized external connections into the system. Requirement is NA. This is a split tunneling requirement that doesn't apply to application servers.",
"fixid": "F-40211r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35669",
"ruleID": "SV-46956r1_rule",
"severity": "medium",
"title": "Applications providing remote connectivity must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communications path with resources in external networks.",
"version": "SRG-APP-000257-AS-NA"
},
"V-35671": {
"checkid": "C-44013r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "External networks are networks outside the control of the organization. Proxy servers support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators (URLs), domain names, and Internet Protocol (IP) addresses. Proxy servers are also configurable with organization defined lists of authorized and unauthorized websites. The requirement is NA. App servers are not proxies.",
"fixid": "F-40213r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-35671",
"ruleID": "SV-46958r1_rule",
"severity": "medium",
"title": "Proxy applications must support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators (URLs), domain names, and Internet Protocol (IP) addresses.",
"version": "SRG-APP-000258-AS-NA"
},
"V-35674": {
"checkid": "C-44016r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Detecting internal actions that may pose a security threat to external information systems is sometimes termed extrusion detection. Extrusion detection at the information system boundary includes the analysis of network traffic (incoming as well as outgoing) looking for indications of an internal threat to the security of external systems. The requirement is NA. App servers are not extrusion detection devices.",
"fixid": "F-40216r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35674",
"ruleID": "SV-46961r1_rule",
"severity": "medium",
"title": "Applications performing extrusion detection must be capable of denying network traffic and auditing internal users (or malicious code) posing a threat to external information systems.",
"version": "SRG-APP-000259-AS-NA"
},
"V-35676": {
"checkid": "C-44018r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Senders of spam messages are continually modifying their tactics and source email addresses in order to elude protection mechanisms. To stay up to date with the changing threat and to identify spam messages, it is critical that spam protection mechanisms are kept current. This requirement is NA. \n\nApplication servers do not provide spam management capabilities.",
"fixid": "F-40218r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35676",
"ruleID": "SV-46963r1_rule",
"severity": "medium",
"title": "Applications that serve to protect organizations and individuals from spam messages must incorporate update mechanisms updating protection mechanisms and signature definitions when new application releases are available, in accordance with organizational",
"version": "SRG-APP-000260-AS-NA"
},
"V-35678": {
"checkid": "C-44020r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Originators of spam emails are constantly changing their source email addresses in order to defeat spam countermeasures; therefore, spam software must be constantly updated to address the changing threat. A manual update procedure is labor-intensive and does not scale well in an enterprise environment, which necessitates an automatic update capability. \n\nApplication servers do not provide spam management capabilities.",
"fixid": "F-40220r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35678",
"ruleID": "SV-46965r1_rule",
"severity": "medium",
"title": "Applications that are utilized to address the issue of spam and provide protection from spam must automatically update any and all spam protection measures including signature definitions.",
"version": "SRG-APP-000261-AS-NA"
},
"V-35679": {
"checkid": "C-44021r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Organizations are required to employ integrity verification applications on information systems to look for evidence of information tampering, errors, and omissions. The organization is also required to employ good software engineering practices with regard to commercial off-the-shelf integrity mechanisms (e.g., parity checks, cyclical redundancy checks, and cryptographic hashes) and use tools to automatically monitor the integrity of the information system and the applications it hosts. \n\nApplication servers are not used for integrity checking. This requirement is more in line with a tool like Tripwire.",
"fixid": "F-40221r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35679",
"ruleID": "SV-46966r1_rule",
"severity": "medium",
"title": "Applications utilized for integrity verification must detect unauthorized changes to software and information.",
"version": "SRG-APP-000262-AS-NA"
},
"V-35680": {
"checkid": "C-44022r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "For those security functions that are not able to execute automated self-tests, the organization either implements compensating security controls or explicitly accepts the risk of not performing the verification as required. Information system transitional states include startup, restart, shutdown, and abort. ",
"fixid": "F-40222r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-35680",
"ruleID": "SV-46967r1_rule",
"severity": "medium",
"title": "The application server must provide automated support for the management of distributed security testing.",
"version": "SRG-APP-000263-AS-NA"
},
"V-35681": {
"checkid": "C-44023r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Security faults with software applications and operating systems are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. \nThe requirement is NA. The AS does not provide a patch management capability.",
"fixid": "F-40223r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35681",
"ruleID": "SV-46968r1_rule",
"severity": "medium",
"title": "Applications providing patch management capabilities must support the organizational requirements to install software updates automatically.",
"version": "SRG-APP-000269-AS-NA"
},
"V-35682": {
"checkid": "C-44024r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Organizations are required to identify information systems containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws) and report this information to designated organizational officials with information security responsibilities (e.g., senior information security officers, information system security managers, information systems security officers). To support this requirement, an automated process or mechanism is required. \n\nThis role is usually assigned to patch management software that is deployed in order to track the number of systems installed in the network, as well as the types of software installed on these systems, the corresponding versions, and the related flaws that require patching. The requirement is NA. The AS does not provide a patch management capability.",
"fixid": "F-40224r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35682",
"ruleID": "SV-46969r1_rule",
"severity": "medium",
"title": "Applications serving to determine the state of information system components with regard to flaw remediation (patching) must use automated mechanisms to make that determination. The automation schedule must be determined on an organization defined basis.\n",
"version": "SRG-APP-000270-AS-NA"
},
"V-35683": {
"checkid": "C-44025r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Anti-virus and malicious software detection applications utilize signature definitions in order to identify viruses and other malicious software. These signature definitions need to be constantly updated in order to identify the new threats that are discovered every day. All anti-virus and malware software shall come with an update mechanism that automatically updates these signatures. The organization (including any contractor to the organization) is required to promptly install security-relevant malicious code protection software updates (e.g., anti-virus signature updates and hot fixes). Malicious code includes viruses, worms, Trojan horses, and Spyware. The requirement is NA. The AS does not provide malicious code protection.",
"fixid": "F-40225r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35683",
"ruleID": "SV-46970r1_rule",
"severity": "medium",
"title": "The application must automatically update malicious code protection mechanisms, including signature definitions. Examples include anti-virus signatures and malware data files employed to identify and/or block malicious software from executing.",
"version": "SRG-APP-000272-AS-NA"
},
"V-35684": {
"checkid": "C-44026r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Malicious code protection software must be protected so as to prevent a non-privileged user or malicious piece of software from disabling the protection mechanism. A common tactic of malware is to identify the type of malicious code protection software running on the system and deactivate it. Malicious code includes viruses, worms, Trojan horses, and Spyware. \n\nExamples include the capability for non-administrative users to turn off or otherwise disable anti-virus. The requirement is NA. The AS does not provide malicious code protection.",
"fixid": "F-40226r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35684",
"ruleID": "SV-46971r1_rule",
"severity": "medium",
"title": "The application must prevent non-privileged users from circumventing malicious code protection capabilities.",
"version": "SRG-APP-000273-AS-NA"
},
"V-35685": {
"checkid": "C-44027r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Malicious code protection software must be protected to prevent a non-privileged user or malicious piece of software from manipulating the protection update mechanism. \n\nMalicious code includes viruses, worms, Trojan horses, and Spyware. The requirement is NA. The AS does not provide malicious code protection.",
"fixid": "F-40227r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35685",
"ruleID": "SV-46972r1_rule",
"severity": "medium",
"title": "Malicious code protection applications must update malicious code protection mechanisms only when directed by a privileged user.",
"version": "SRG-APP-000274-AS-NA"
},
"V-35686": {
"checkid": "C-44028r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "The need to verify security functionality applies to all security functions. \n\nFor those security functions not able to execute automated self-tests, the organization either implements compensating security controls or explicitly accepts the risk of not performing the verification as required. Information system transitional states include startup, restart, shutdown, and abort. This requirement relates to functional testing of security specifications conducted during the vendor's development of the application server itself. There is no way to test for this on a deployed system. The requirement is NA.",
"fixid": "F-40228r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35686",
"ruleID": "SV-46973r1_rule",
"severity": "medium",
"title": "The application server must provide notification of failed automated security tests.",
"version": "SRG-APP-000275-AS-NA"
},
"V-35687": {
"checkid": "C-44029r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Malicious code protection mechanisms include, but are not limited to, anti-virus and malware detection software. In order to minimize potential negative impact to the organization caused by malicious code, it is imperative that malicious code is identified and eradicated. \n\nMalicious code includes viruses, worms, Trojan horses, and Spyware. The requirement is NA. The AS does not provide malicious code protection.\n",
"fixid": "F-40229r1_fix",
"fixtext": "The requirement is NA. No fix is required. ",
"iacontrols": null,
"id": "V-35687",
"ruleID": "SV-46974r1_rule",
"severity": "medium",
"title": "Applications providing malicious code protection must support organizational requirements to update malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with organizational configuration.",
"version": "SRG-APP-000276-AS-NA"
},
"V-35689": {
"checkid": "C-44031r1_chk",
"checktext": "This requirement is NA for the AS SRG.\n",
"description": "Malicious code protection mechanisms include, but are not limited to, anti-virus and malware detection software. In order to minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. \n\nMalicious code includes viruses, worms, Trojan horses, and Spyware. It is not enough to simply have the software installed. This software must periodically scan the system to search for malware on an organization defined frequency. The requirement is NA. The AS does not provide malicious code protection.",
"fixid": "F-40231r1_fix",
"fixtext": "The requirement is NA. No fix is required. \n",
"iacontrols": null,
"id": "V-35689",
"ruleID": "SV-46976r1_rule",
"severity": "medium",
"title": "Applications scanning for malicious code must support organizational requirements to configure malicious code protection mechanisms to perform periodic scans of the information system on an organization defined frequency.",
"version": "SRG-APP-000277-AS-NA"
},
"V-35716": {
"checkid": "C-44059r1_chk",
"checktext": "Review the AS product documentation and configuration to determine if the AS is configured to provide automated support for account management functions. If the AS is not configured to meet this requirement, this is a finding.\n",
"description": "This requirement addresses the user management capability of the application server software; it does not address applications that reside on top of the application server. The automated mechanisms may reside within the application server itself, or the application server developer/vendor may choose to utilize capabilities offered by the operating system or other user management infrastructure in order to provide automated user account management.\n\nExamples of automation include but are not limited to:\n- taking automated action on multiple user accounts designated as inactive, suspended, or terminated.\n- disabling accounts located in non-centralized account stores such as multiple servers.\n- scheduling automated jobs that perform various application server user management activities.\n\nIf the application server does not provide automated mechanisms for user account management, the potential exists for the mismanagement of accounts. This includes failure to disable all of the accounts associated with a particular user or process.\n\nThe application server must provide the ability to automate user account management tasks across multiple servers, such as when there are clusters of application servers, or the application server must fully integrate with enterprise-level user account management tools that provide this capability, such as Lightweight Directory Access Protocol (LDAP) services.\n",
"fixid": "F-40259r1_fix",
"fixtext": "Configure the AS to automate user account management. ",
"iacontrols": null,
"id": "V-35716",
"ruleID": "SV-47003r1_rule",
"severity": "medium",
"title": "The application server must provide automated mechanisms for user account management.",
"version": "SRG-APP-000023-AS-000015"
},
"V-35721": {
"checkid": "C-44064r1_chk",
"checktext": "Review the AS configuration to determine if the AS is configured to automatically terminate temporary or emergency accounts. If the AS is not configured to meet this requirement, this is a finding.",
"description": "Temporary application server user accounts could be used, for example, in the event of a vendor support visit where a support representative requires a temporary unique account in order to perform diagnostic testing or conduct some other support-related activity. When these types of accounts are created, there is a risk that the temporary account may remain in place and active after the support representative has left. \n\nTo address this risk in the event temporary or emergency accounts are required, the application server user management capability must be able to identify application server user accounts which are temporary in nature and provide a mechanism to automatically terminate these types of accounts. \n\nAn AS could possibly provide the capability to utilize either a local or centralized user registry. A centralized, enterprise user registry such as Active Directory (AD) or LDAP is more likely to already contain provisions for automated account management, whereas a localized user registry will rely upon either the underlying OS or built-in application server user management capabilities.",
"fixid": "F-40264r1_fix",
"fixtext": "Configure the AS to automatically terminate temporary or emergency accounts.",
"iacontrols": null,
"id": "V-35721",
"ruleID": "SV-47008r1_rule",
"severity": "medium",
"title": "The application server must provide a mechanism to automatically terminate accounts designated as being temporary or emergency after an organization defined time period.",
"version": "SRG-APP-000024-AS-000016"
},
"V-35724": {
"checkid": "C-44067r3_chk",
"checktext": "Review the AS configuration to determine if the AS is configured to automatically disable inactive accounts after 35 days of inactivity. If the AS is not configured to meet this requirement, or if the AS does not utilize a centralized user management solution (AD, LDAP, etc.) which is configured to meet this requirement, this is a finding.\n",
"description": "Inactive user accounts pose a risk to systems and applications. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. \n\nApplication servers need to track periods of user inactivity and disable application server user accounts after an organization defined period of inactivity. Such a process greatly reduces the risk that accounts will be misused, hijacked, or data compromised. \n\nAn AS could possibly provide the capability to utilize either a local or centralized user registry. A centralized, enterprise user registry such as AD or LDAP is more likely to already contain provisions for automated account management, whereas a localized user registry will rely upon either the underlying OS or built-in application server user management capabilities.",
"fixid": "F-40267r1_fix",
"fixtext": "Configure the AS to automatically disable accounts after the organization defined period of account inactivity has expired. ",
"iacontrols": null,
"id": "V-35724",
"ruleID": "SV-47011r1_rule",
"severity": "medium",
"title": "The application server must automatically disable accounts after an organization defined period of account inactivity.",
"version": "SRG-APP-000025-AS-000017"
},
"V-35727": {
"checkid": "C-44070r1_chk",
"checktext": "Review the AS product documentation and configuration to determine if the AS automatically logs account creation. If the AS is not configured to perform this requirement itself or if it does not utilize an enterprise user registry that performs this requirement, this is a finding.\n",
"description": "Application servers require user accounts for server management purposes, and if the creation of new accounts is not logged, there is limited or no capability to track or alarm on account creation. This could result in the circumvention of the normal account creation process and introduce a persistent threat. Therefore, an audit trail that documents the creation of application user accounts must exist.\n\nAn AS could possibly provide the capability to utilize either a local or centralized user registry. A centralized, enterprise user registry such as AD or LDAP is more likely to already contain provisions for automated account management, whereas a localized user registry will rely upon either the underlying OS or built-in application server user management capabilities. Either way, application servers must create a log entry when accounts are created.\n",
"fixid": "F-40270r1_fix",
"fixtext": "Configure the AS to automatically log account creation. If the AS utilizes an enterprise user registry, configure the registry to automatically log account creation. \n",
"iacontrols": null,
"id": "V-35727",
"ruleID": "SV-47014r1_rule",
"severity": "medium",
"title": "The application server must automatically audit account creation.\n",
"version": "SRG-APP-000026-AS-000018"
},
"V-35733": {
"checkid": "C-44076r1_chk",
"checktext": "Review the AS product documentation and configuration to determine if the AS automatically logs account modification. If the AS is not configured to perform this requirement itself or if it does not utilize an enterprise user registry that performs this requirement, this is a finding.\n",
"description": "Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify an existing account. \n\nApplication servers have the capability to contain user information in a local user store or they can leverage a centralized authentication mechanism like LDAP. Either way, the mechanism used by the app server must automatically log when user accounts are modified.\n",
"fixid": "F-40276r1_fix",
"fixtext": "Configure the AS to automatically log account modification. If the AS utilizes an enterprise user registry, configure the registry to automatically log account modification.",
"iacontrols": null,
"id": "V-35733",
"ruleID": "SV-47020r1_rule",
"severity": "medium",
"title": "The application server must automatically audit account modification.",
"version": "SRG-APP-000027-AS-000019"
},
"V-35734": {
"checkid": "C-44077r1_chk",
"checktext": "Review the AS product documentation and configuration to determine if the AS automatically logs when accounts are disabled and notifies appropriate individuals. If the AS is not configured to perform this requirement itself or if it does not utilize an enterprise user registry that performs this requirement, this is a finding.",
"description": "When application accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves. \n\nIn order to detect and respond to events affecting user accessibility and application processing, applications must audit account disabling actions and, as required, notify the appropriate individuals, so they can investigate the event. \n\nSuch a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. \n\nApplication servers have the capability to contain user information in a local user store or they can leverage a centralized authentication mechanism like LDAP. Either way, the mechanism used by the app server must automatically log when user accounts are disabled.",
"fixid": "F-40277r1_fix",
"fixtext": "Configure the AS to automatically log and notify when accounts are disabled. If the AS utilizes an enterprise user registry, configure the registry to automatically log and notify appropriate individuals when accounts are disabled. \n",
"iacontrols": null,
"id": "V-35734",
"ruleID": "SV-47021r1_rule",
"severity": "medium",
"title": "The application server must automatically audit account disabling actions and notify appropriate individuals.",
"version": "SRG-APP-000028-AS-000020"
},
"V-35735": {
"checkid": "C-44078r1_chk",
"checktext": "Review AS product documentation and server configuration to determine if the AS automatically logs and notifies appropriate individuals when accounts are terminated. If the AS does not automatically log and notify when accounts are terminated, this is a finding.\n",
"description": "When application accounts are terminated, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves. \n\nIn order to detect and respond to events affecting user accessibility and application processing, applications must audit account terminating actions and notify the appropriate individuals, so they can investigate the event. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. \n\nApplication servers have the capability to contain user information in a local user store or they can leverage a centralized authentication mechanism like LDAP. Either way, the mechanism employed by the app server must be able to automatically log when user accounts are terminated. The notification requirement particularly applies when the app server is using a local store as there are no other management tools being utilized.",
"fixid": "F-40278r1_fix",
"fixtext": "Configure the AS to automatically log and notify appropriate individuals when accounts are terminated. ",
"iacontrols": null,
"id": "V-35735",
"ruleID": "SV-47022r1_rule",
"severity": "low",
"title": "The application server must automatically audit account termination and notify appropriate individuals.",
"version": "SRG-APP-000029-AS-000021"
},
"V-35736": {
"checkid": "C-44079r1_chk",
"checktext": "Review the AS product documentation and configuration to determine if the AS is configured to log account usage and provide that log data in a standardized log format. If the AS is not configured to provide account usage logs in a standardized format for external tool consumption, this is a finding.",
"description": "Atypical account usage is behavior that is not part of normal usage cycles, for example, user account activity occurring after hours or on weekends. \n\nSuch a process greatly reduces the risk that compromised user accounts will continue to be used by unauthorized persons and provides logging that can be used for forensic purposes. \n\nApplication servers do not natively monitor for atypical account usage so they must be able to log account usage and provide that data to enterprise tools that are designed to monitor for atypical account behavior.",
"fixid": "F-40279r1_fix",
"fixtext": "Configure the AS to log account usage and, if necessary, to forward log data to systems that will evaluate log data for atypical usage. \n",
"iacontrols": null,
"id": "V-35736",
"ruleID": "SV-47023r1_rule",
"severity": "medium",
"title": "The application server must automatically monitor for atypical usage of accounts.",
"version": "SRG-APP-000030-AS-000022"
},
"V-35737": {
"checkid": "C-44080r1_chk",
"checktext": "Review AS documentation and configuration to ensure the AS dynamically manages user privileges and associated access authorizations. If the AS is not configured to meet this requirement, this is a finding.\n",
"description": "Web services are web applications providing a method of communication between two or more different electronic devices. They are normally used by applications to provide each other with data. \n\nThe World Wide Web Consortium (W3C) defines a web service as:\n\"a software system designed to support interoperable machine-to-machine interaction over a network. It has an interface described in a machine processable format (specifically, Web Services Description Language or WSDL). Other systems interact with the web service in a manner prescribed by its description using Simple Object Access Protocol (SOAP) messages typically conveyed using HTTP with an XML serialization in conjunction with other web-related standards\".\n\nWeb services provide different challenges in managing access than what is presented by typical user-based applications. In contrast to conventional access control approaches which employ static information system accounts and predefined sets of user privileges, many service-oriented architecture implementations rely on run time access control decisions facilitated by dynamic privilege management. While user identities remain relatively constant over time, user privileges may change more frequently based on the ongoing mission/business requirements and operational needs of the organization. \n\nService Oriented Architecture (SOA)-based applications need to take this possibility into account and leverage dynamic access control methodologies, and application servers need to provide the underlying architecture to SOA-based applications.\n",
"fixid": "F-40280r1_fix",
"fixtext": "Configure the AS to dynamically manage user privileges and associated access authorizations. \n",
"iacontrols": null,
"id": "V-35737",
"ruleID": "SV-47024r1_rule",
"severity": "medium",
"title": "Service Oriented Architecture (SOA) components of the application server must dynamically manage user privileges and associated access authorizations.",
"version": "SRG-APP-000031-AS-000023"
},
"V-35738": {
"checkid": "C-44081r1_chk",
"checktext": "Review AS product documentation and configuration to determine if the system enforces authorization requirements for logical access to the system in accordance with applicable policy. If the AS is not configured to utilize access controls, this is a finding.\n",
"description": "Strong access controls are critical to securing the AS. Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) must be employed by the AS to control access between users (or processes acting on behalf of users) and objects (e.g., applications, files, records, processes, application domains) in the AS.\n\nWithout stringent logical access and authorization controls, an adversary may have the ability, with very little effort, to compromise the AS and associated supporting infrastructure.",
"fixid": "F-40281r1_fix",
"fixtext": "Configure the AS to enforce approved authorizations for logical access to the system in accordance with applicable policy. ",
"iacontrols": null,
"id": "V-35738",
"ruleID": "SV-47025r1_rule",
"severity": "high",
"title": "The application server must enforce approved authorizations for logical access.",
"version": "SRG-APP-000033-AS-000024"
},
"V-35739": {
"checkid": "C-44082r1_chk",
"checktext": "Review AS product documentation and configuration to determine if role-based access controls exist. Create AS user accounts in each role and test AS functionality to verify that controls are actually enforced. If the access controls are not enforced in accordance with the organization's policy, this is a finding.\n",
"description": "Non-discretionary access controls are controls determined by policy makers, are managed centrally or by a central authority, and may not be changed at the discretion of ordinary application server users. Data protection requirements may result in a non-discretionary access control policy being specified as part of the application design. \n\nNon-discretionary access controls are employed at the application server level in order to restrict and control access to application server data and to restrict management capabilities to specific users. \n\nThe policy rule set will specify that each application server user account be assigned attributes, including information such as position or role within the application server. (e.g., admin, operator, deployer).\n\nIt is not sufficient for these roles to simply exist within the application server - they must also be enforced.",
"fixid": "F-40282r1_fix",
"fixtext": "Configure the AS according to role-based access controls and corresponding membership requirements.",
"iacontrols": null,
"id": "V-35739",
"ruleID": "SV-47026r1_rule",
"severity": "medium",
"title": "The Application Server must enforce non-discretionary access control policies over users and resources.",
"version": "SRG-APP-000035-AS-000025"
},
"V-35740": {
"checkid": "C-44083r1_chk",
"checktext": "Review product documentation and system configuration to determine if there are appropriate controls to protect encryption keys. This includes checking product documentation for encryption key ring file locations and checking file system permissions to ensure encryption keys cannot be modified by unauthorized persons, roles or processes.",
"description": "Security-relevant information is any information within the information system that can potentially impact the operation of security functions in a manner possibly resulting in failure to enforce the system security policy or maintain isolation of code and data. \n\nCryptographic key management information, key configuration files for security-oriented application server services, and access control lists are examples of security-relevant information. \n\nSecure, non-operable system states are states in which the information system is not performing mission/business-related processing (e.g., the system is off-line for maintenance, troubleshooting, boot-up, shutdown). \n\nAccess to these types of data is to be prevented unless the application server system is in a maintenance mode or has otherwise been brought off-line. The goal is to minimize the potential that a security configuration or data may be dynamically and perhaps, surreptitiously overwritten or changed (without going through a formal system change process that can document the changes).",
"fixid": "F-40283r1_fix",
"fixtext": "Configure the AS to protect encryption key material. \n",
"iacontrols": null,
"id": "V-35740",
"ruleID": "SV-47027r1_rule",
"severity": "medium",
"title": "The Application Server must prevent access to organization defined security-relevant information except during secure, non-operable system states.",
"version": "SRG-APP-000037-AS-000026"
},
"V-35741": {
"checkid": "C-44084r1_chk",
"checktext": "Review the AS configuration to ensure the AS records a failure event in the server audit logs if an error is encountered during an application deployment or message transfer. If this function is not configured, this is a finding.\n",
"description": "When an application transfers data, there is the chance an error or problem with the data transfer may occur. Applications need to track failures and any problems encountered when performing data transfers so problems can be identified and remediated. \n\nSome potential issues with a failed or problematic data transfer include: leaving sensitive data in a processing queue indefinitely, partial or incomplete data transfers, and corrupted data transfers. Tracking problems with data transfers also serves to create a forensic record that can be retained to assist in investigations regarding the flow of application data. \n\nThe AS must provide a tracking capability that logs any issues or problems that are associated with message queue transfers or application deployments.",
"fixid": "F-40284r1_fix",
"fixtext": "Configure the AS to record an event in the server audit logs if any errors are encountered during information transfers. ",
"iacontrols": null,
"id": "V-35741",
"ruleID": "SV-47028r1_rule",
"severity": "medium",
"title": "The application server must track problems associated with information transfer.\n",
"version": "SRG-APP-000061-AS-000027"
},
"V-35742": {
"checkid": "C-44085r1_chk",
"checktext": "Review AS product documentation and configuration to ensure roles that divide administrative duties are established or can be created. If the AS is not configured to meet this requirement, this is a finding.\n",
"description": "Separation of duties is a prevalent Information Technology control that is implemented at different layers of the information system including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. \n\nSeparation of duties requires that the person accountable for approving an action is not the same person who is tasked with implementing or carrying out that action. \n\nAdditionally, the person or persons accountable for monitoring the activity must be separate as well. To meet this requirement, the AS must divide administrative functionality into roles according to AS duties. \n\nApplication server vendors may choose to name their respective server management roles differently; however, all roles should be divided according to application server management functionality. \n\nFor example: \n- AS administrator: has complete control of all aspects of AS configuration and management.\n- Configuration administrator: is responsible for the persistent configuration of the server but cannot perform runtime operations (e.g., can install applications but cannot start or stop the server).\n- Operator administrator: is responsible for the runtime operations management of starting and stopping the server but cannot install applications.\n- Monitor (internal auditor or reviewer): can view configuration and runtime settings but cannot change anything.",
"fixid": "F-40285r1_fix",
"fixtext": "Create and configure the appropriate accounts and align them in their respective roles as identified in the product documentation. \n",
"iacontrols": null,
"id": "V-35742",
"ruleID": "SV-47029r1_rule",
"severity": "medium",
"title": "The Application Server must implement separation of duties by requiring administrative duties to be divided into distinct roles",
"version": "SRG-APP-000062-AS-000028"
},
"V-35743": {
"checkid": "C-44086r1_chk",
"checktext": "Review AS documentation and configuration to verify the AS provides a separate administrator account (or role) that provides sole access to AS security-relevant functions and information. If the AS does not meet this requirement, this is a finding.\n",
"description": "In order to limit exposure, the AS must control access to security functions and security relevant information. To meet this requirement, the AS must provide a privileged account, or admin role that is separate from non-privileged accounts. Access to the security functions and security relevant information must then be limited to this admin account or role. \n\n\nNot providing separate privileged and un-privileged accounts will lead to a loss of accountability regarding administrative activity.\n",
"fixid": "F-40286r1_fix",
"fixtext": "Configure the AS to utilize a separate administrator account when accessing AS security functions and security relevant information. ",
"iacontrols": null,
"id": "V-35743",
"ruleID": "SV-47030r1_rule",
"severity": "medium",
"title": "The Application Server must provide a separate, distinct administrative account when accessing AS security functions or security relevant information.",
"version": "SRG-APP-000063-AS-000029"
},
"V-35744": {
"checkid": "C-44087r1_chk",
"checktext": "Review AS documentation and audit configuration to verify the AS logs privileged activity. If the AS is not configured to log privileged activity, this is a finding.",
"description": "In order to be able to provide a forensic history of activity, the application server must ensure users who are granted a privileged role or those who utilize a separate distinct account when accessing privileged functions or data have their actions logged. \n\nIf privileged activity is not logged, no forensic logs can be used to establish accountability for privileged actions that occur on the system.",
"fixid": "F-40287r1_fix",
"fixtext": "Configure the AS to log privileged activity.",
"iacontrols": null,
"id": "V-35744",
"ruleID": "SV-47031r1_rule",
"severity": "medium",
"title": "The Application Server must provide access logging that ensures users who are granted a privileged role (or roles) have their privileged activity logged.",
"version": "SRG-APP-000063-AS-000030"
},
"V-35745": {
"checkid": "C-44088r1_chk",
"checktext": "Review AS documentation and configuration settings to determine if the AS Java Security Manager feature can be utilized to isolate and restrict access to system resources. If the AS is not configured to meet this requirement, this is a finding.\n",
"description": "Applications must employ the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. \n\nEmploying virtualization techniques to allow greater privilege within a virtual machine, while restricting privilege to the underlying actual machine is an example of providing separate processing domains for finer-grained allocation of user privileges. \n\nVirtualization and application isolation is a core competency of a Java-oriented application server. The Java Security Manager is used to create security policy that affects access to system resources",
"fixid": "F-40288r1_fix",
"fixtext": "Configure the AS Security Manager to limit access to system resources. ",
"iacontrols": null,
"id": "V-35745",
"ruleID": "SV-47032r1_rule",
"severity": "medium",
"title": "The application server must be able to function within separate processing domains (virtualized systems).",
"version": "SRG-APP-000064-AS-000031"
},
"V-35766": {
"checkid": "C-44112r1_chk",
"checktext": "Review AS documentation and configuration to verify the AS limits the number of failed login attempts to a defined number within a defined time period (e.g., 5 failed attempts within 15 minutes).\n\nIf the AS is not configured to meet this requirement, this is a finding.",
"description": "Anytime an authentication method is exposed so as to allow for the login to an application, there is a risk that attempts will be made to obtain unauthorized access. \n\nBy limiting the number of failed login attempts that occur within a particular time period, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account once the number of failed attempts has been exceeded.",
"fixid": "F-40312r1_fix",
"fixtext": "Configure the AS to limit the number of failed login attempts within the defined time period.",
"iacontrols": null,
"id": "V-35766",
"ruleID": "SV-47053r1_rule",
"severity": "medium",
"title": "The application server must limit the number of failed login attempts to an organization defined number of consecutive invalid attempts that occur within an organization defined time period.",
"version": "SRG-APP-000065-AS-000032"
},
"V-35768": {
"checkid": "C-44114r2_chk",
"checktext": "Review AS configuration to ensure the organization defined time period (example 15 minutes) for invalid access attempts is enforced. Ensure all access methods (web or command line) are accounted for. If no time limit is set or if the time limit is set to a value different than the organizations policy, this is a finding.",
"description": "By limiting the number of failed login attempts, the risk of unauthorized system access via automated user password guessing, otherwise known as brute forcing, is reduced. Best practice requires a time period be applied in which the number of failed attempts are counted (Example: 5 failed attempts within 5 minutes). Limits are imposed by locking the account. \n\nApplication servers provide a management capability that allows a user to login via a web interface or a command shell. Application servers also utilize either a local user store or a centralized user store such as an LDAP server. As such, the authentication method employed by the application server must be able to limit the number of consecutive invalid access attempts within the specified time period regardless of access method or user store utilized.",
"fixid": "F-40314r3_fix",
"fixtext": "Configure the AS to enforce the organization defined time period. If the AS is configured to utilize centralized user authentication (LDAP, AD), ensure they are configured to enforce the defined time out period.",
"iacontrols": null,
"id": "V-35768",
"ruleID": "SV-47055r1_rule",
"severity": "medium",
"title": "The application server must enforce the organization defined time period during which the limit of consecutive invalid access attempts by a user is counted.",
"version": "SRG-APP-000066-AS-000033"
},
"V-35770": {
"checkid": "C-44115r1_chk",
"checktext": "Review AS documentation and configuration to verify the AS can be configured to lock accounts when the maximum number of failed login attempts has been exceeded. Also verify that the account remains locked for a configurable amount of time or until an administrator unlocks the account. If the AS is not configured to meet this requirement, this is a finding.",
"description": "Anytime an authentication method is exposed so as to allow for the utilization of an application interface, there is a risk that attempts will be made to obtain unauthorized access. \n\nBy locking the account when the pre-defined number of failed login attempts has been exceeded, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. \n\nSpecifying a time period in which the account is to remain locked serves to obstruct the operation of automated password guessing tools while allowing a valid user to reinitiate login attempts after the expiration of the time period without administrative assistance.",
"fixid": "F-40316r2_fix",
"fixtext": "Configure the AS to lock the account when the maximum number of failed login attempts is exceeded and configure the time period for which the account is to remain locked.",
"iacontrols": null,
"id": "V-35770",
"ruleID": "SV-47057r1_rule",
"severity": "medium",
"title": "The Application Server must automatically lock accounts when the maximum number of unsuccessful login attempts is exceeded for an organization defined time period or until the account is unlocked by an administrator.",
"version": "SRG-APP-000067-AS-000034"
},
"V-35772": {
"checkid": "C-44117r1_chk",
"checktext": "Review the configuration settings to determine if the AS audit features protect audit information from unauthorized modification. Review file system settings to verify the AS sets secure file permissions on audit log files so as to prevent unauthorized modification. If the AS does not protect audit information from unauthorized modification, this is a finding.",
"description": "If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to audit records provides information an attacker could potentially use to his or her advantage.\n\nApplication servers contain admin interfaces that allow reading and manipulation of audit records. Therefore, these interfaces should not allow for the unfettered access to those records. Application servers also write audit data to log files which are stored on the OS, so appropriate file permissions must also be used to restrict access.\n\nAudit information includes all information (e.g., audit records, audit settings, transaction logs and audit reports) needed to successfully audit information system activity. Application servers must protect audit information from unauthorized modification.",
"fixid": "F-40317r1_fix",
"fixtext": "Configure the AS to protect audit information from unauthorized modification.",
"iacontrols": null,
"id": "V-35772",
"ruleID": "SV-47059r1_rule",
"severity": "low",
"title": "The application server must protect audit information from unauthorized modification.",
"version": "SRG-APP-000119-AS-000079"
},
"V-35774": {
"checkid": "C-44119r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Application Server management functionality includes functions necessary to administer the application server, and requires privileged access via one of the accounts assigned to a management role. \n\nThe separation of AS administration functionality from hosted application functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of the operating system, network addresses, network ports, or combinations of these methods, as appropriate. \nThis requirement is NA. This requirement is geared towards network and firewall configurations, not application servers.",
"fixid": "F-40319r1_fix",
"fixtext": "The requirement is NA. No fix is required.",
"iacontrols": null,
"id": "V-35774",
"ruleID": "SV-47061r1_rule",
"severity": "medium",
"title": "The application server must prevent the presentation of information system management-related functionality at an interface utilized by general (i.e., non-privileged) users.",
"version": "SRG-APP-000212-AS-NA"
},
"V-35775": {
"checkid": "C-44120r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to the application server after the resource has been released back to the information system. Control of information in shared resources is also referred to as object reuse. This is a requirement is NA. The application server software is not transferring data, that action is executed within the application residing on the AS.",
"fixid": "F-40320r1_fix",
"fixtext": "The requirement is NA. No fix is required.",
"iacontrols": null,
"id": "V-35775",
"ruleID": "SV-47062r1_rule",
"severity": "medium",
"title": "The application must prevent unauthorized and unintended information transfer via shared system resources.",
"version": "SRG-APP-000243-AS-NA"
},
"V-35778": {
"checkid": "C-44123r1_chk",
"checktext": "This requirement is NA for the AS SRG.",
"description": "Malicious code protection mechanisms include, but are not limited to, anti-virus and malware detection software. In order to minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. \n\nMalicious code includes viruses, worms, Trojan horses, and Spyware. The requirement is NA. The AS does not provide malicious code protection.",
"fixid": "F-40323r1_fix",
"fixtext": "The requirement is NA. No fix is required.",
"iacontrols": null,
"id": "V-35778",
"ruleID": "SV-47065r1_rule",
"severity": "medium",
"title": "Applications providing malicious code protection must support organizational requirements to configure malicious code protection mechanisms to perform real-time scans of files from external sources as the files are downloaded, opened, or executed.",
"version": "SRG-APP-000278-AS-NA"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-35070": "true",
"V-35073": "true",
"V-35079": "true",
"V-35080": "true",
"V-35081": "true",
"V-35082": "true",
"V-35088": "true",
"V-35089": "true",
"V-35090": "true",
"V-35091": "true",
"V-35092": "true",
"V-35094": "true",
"V-35096": "true",
"V-35098": "true",
"V-35099": "true",
"V-35101": "true",
"V-35102": "true",
"V-35103": "true",
"V-35104": "true",
"V-35105": "true",
"V-35107": "true",
"V-35108": "true",
"V-35109": "true",
"V-35112": "true",
"V-35114": "true",
"V-35116": "true",
"V-35117": "true",
"V-35118": "true",
"V-35120": "true",
"V-35121": "true",
"V-35123": "true",
"V-35125": "true",
"V-35127": "true",
"V-35128": "true",
"V-35129": "true",
"V-35131": "true",
"V-35132": "true",
"V-35133": "true",
"V-35134": "true",
"V-35135": "true",
"V-35136": "true",
"V-35138": "true",
"V-35139": "true",
"V-35140": "true",
"V-35141": "true",
"V-35142": "true",
"V-35143": "true",
"V-35148": "true",
"V-35150": "true",
"V-35157": "true",
"V-35159": "true",
"V-35161": "true",
"V-35163": "true",
"V-35165": "true",
"V-35167": "true",
"V-35170": "true",
"V-35176": "true",
"V-35182": "true",
"V-35183": "true",
"V-35184": "true",
"V-35185": "true",
"V-35186": "true",
"V-35188": "true",
"V-35190": "true",
"V-35191": "true",
"V-35192": "true",
"V-35193": "true",
"V-35195": "true",
"V-35196": "true",
"V-35199": "true",
"V-35203": "true",
"V-35204": "true",
"V-35205": "true",
"V-35212": "true",
"V-35213": "true",
"V-35214": "true",
"V-35215": "true",
"V-35216": "true",
"V-35217": "true",
"V-35218": "true",
"V-35219": "true",
"V-35220": "true",
"V-35221": "true",
"V-35222": "true",
"V-35223": "true",
"V-35224": "true",
"V-35225": "true",
"V-35226": "true",
"V-35234": "true",
"V-35236": "true",
"V-35238": "true",
"V-35241": "true",
"V-35254": "true",
"V-35257": "true",
"V-35299": "true",
"V-35300": "true",
"V-35301": "true",
"V-35302": "true",
"V-35303": "true",
"V-35304": "true",
"V-35305": "true",
"V-35306": "true",
"V-35307": "true",
"V-35308": "true",
"V-35309": "true",
"V-35310": "true",
"V-35311": "true",
"V-35312": "true",
"V-35313": "true",
"V-35314": "true",
"V-35315": "true",
"V-35316": "true",
"V-35317": "true",
"V-35318": "true",
"V-35319": "true",
"V-35320": "true",
"V-35321": "true",
"V-35322": "true",
"V-35324": "true",
"V-35325": "true",
"V-35328": "true",
"V-35329": "true",
"V-35330": "true",
"V-35331": "true",
"V-35332": "true",
"V-35333": "true",
"V-35334": "true",
"V-35335": "true",
"V-35336": "true",
"V-35337": "true",
"V-35338": "true",
"V-35341": "true",
"V-35342": "true",
"V-35343": "true",
"V-35344": "true",
"V-35347": "true",
"V-35361": "true",
"V-35368": "true",
"V-35371": "true",
"V-35376": "true",
"V-35381": "true",
"V-35415": "true",
"V-35419": "true",
"V-35420": "true",
"V-35421": "true",
"V-35422": "true",
"V-35423": "true",
"V-35424": "true",
"V-35425": "true",
"V-35426": "true",
"V-35427": "true",
"V-35428": "true",
"V-35429": "true",
"V-35430": "true",
"V-35431": "true",
"V-35432": "true",
"V-35434": "true",
"V-35435": "true",
"V-35436": "true",
"V-35437": "true",
"V-35438": "true",
"V-35439": "true",
"V-35440": "true",
"V-35441": "true",
"V-35442": "true",
"V-35443": "true",
"V-35444": "true",
"V-35445": "true",
"V-35446": "true",
"V-35447": "true",
"V-35448": "true",
"V-35449": "true",
"V-35450": "true",
"V-35451": "true",
"V-35452": "true",
"V-35453": "true",
"V-35477": "true",
"V-35478": "true",
"V-35479": "true",
"V-35480": "true",
"V-35481": "true",
"V-35482": "true",
"V-35483": "true",
"V-35484": "true",
"V-35498": "true",
"V-35499": "true",
"V-35500": "true",
"V-35501": "true",
"V-35502": "true",
"V-35503": "true",
"V-35529": "true",
"V-35532": "true",
"V-35533": "true",
"V-35534": "true",
"V-35535": "true",
"V-35537": "true",
"V-35539": "true",
"V-35540": "true",
"V-35542": "true",
"V-35544": "true",
"V-35546": "true",
"V-35549": "true",
"V-35552": "true",
"V-35554": "true",
"V-35556": "true",
"V-35559": "true",
"V-35562": "true",
"V-35564": "true",
"V-35567": "true",
"V-35569": "true",
"V-35571": "true",
"V-35572": "true",
"V-35575": "true",
"V-35576": "true",
"V-35577": "true",
"V-35578": "true",
"V-35580": "true",
"V-35582": "true",
"V-35584": "true",
"V-35586": "true",
"V-35588": "true",
"V-35590": "true",
"V-35593": "true",
"V-35595": "true",
"V-35596": "true",
"V-35598": "true",
"V-35599": "true",
"V-35600": "true",
"V-35601": "true",
"V-35602": "true",
"V-35603": "true",
"V-35604": "true",
"V-35605": "true",
"V-35606": "true",
"V-35607": "true",
"V-35608": "true",
"V-35609": "true",
"V-35610": "true",
"V-35611": "true",
"V-35612": "true",
"V-35613": "true",
"V-35614": "true",
"V-35615": "true",
"V-35616": "true",
"V-35617": "true",
"V-35618": "true",
"V-35627": "true",
"V-35628": "true",
"V-35630": "true",
"V-35632": "true",
"V-35633": "true",
"V-35634": "true",
"V-35636": "true",
"V-35639": "true",
"V-35641": "true",
"V-35643": "true",
"V-35645": "true",
"V-35647": "true",
"V-35649": "true",
"V-35652": "true",
"V-35654": "true",
"V-35657": "true",
"V-35659": "true",
"V-35661": "true",
"V-35662": "true",
"V-35663": "true",
"V-35664": "true",
"V-35667": "true",
"V-35669": "true",
"V-35671": "true",
"V-35674": "true",
"V-35676": "true",
"V-35678": "true",
"V-35679": "true",
"V-35680": "true",
"V-35681": "true",
"V-35682": "true",
"V-35683": "true",
"V-35684": "true",
"V-35685": "true",
"V-35686": "true",
"V-35687": "true",
"V-35689": "true",
"V-35716": "true",
"V-35721": "true",
"V-35724": "true",
"V-35727": "true",
"V-35733": "true",
"V-35734": "true",
"V-35735": "true",
"V-35736": "true",
"V-35737": "true",
"V-35738": "true",
"V-35739": "true",
"V-35740": "true",
"V-35741": "true",
"V-35742": "true",
"V-35743": "true",
"V-35744": "true",
"V-35745": "true",
"V-35766": "true",
"V-35768": "true",
"V-35770": "true",
"V-35772": "true",
"V-35774": "true",
"V-35775": "true",
"V-35778": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critial Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-35070": "true",
"V-35073": "true",
"V-35079": "true",
"V-35080": "true",
"V-35081": "true",
"V-35082": "true",
"V-35088": "true",
"V-35089": "true",
"V-35090": "true",
"V-35091": "true",
"V-35092": "true",
"V-35094": "true",
"V-35096": "true",
"V-35098": "true",
"V-35099": "true",
"V-35101": "true",
"V-35102": "true",
"V-35103": "true",
"V-35104": "true",
"V-35105": "true",
"V-35107": "true",
"V-35108": "true",
"V-35109": "true",
"V-35112": "true",
"V-35114": "true",
"V-35116": "true",
"V-35117": "true",
"V-35118": "true",
"V-35120": "true",
"V-35121": "true",
"V-35123": "true",
"V-35125": "true",
"V-35127": "true",
"V-35128": "true",
"V-35129": "true",
"V-35131": "true",
"V-35132": "true",
"V-35133": "true",
"V-35134": "true",
"V-35135": "true",
"V-35136": "true",
"V-35138": "true",
"V-35139": "true",
"V-35140": "true",
"V-35141": "true",
"V-35142": "true",
"V-35143": "true",
"V-35148": "true",
"V-35150": "true",
"V-35157": "true",
"V-35159": "true",
"V-35161": "true",
"V-35163": "true",
"V-35165": "true",
"V-35167": "true",
"V-35170": "true",
"V-35176": "true",
"V-35182": "true",
"V-35183": "true",
"V-35184": "true",
"V-35185": "true",
"V-35186": "true",
"V-35188": "true",
"V-35190": "true",
"V-35191": "true",
"V-35192": "true",
"V-35193": "true",
"V-35195": "true",
"V-35196": "true",
"V-35199": "true",
"V-35203": "true",
"V-35204": "true",
"V-35205": "true",
"V-35212": "true",
"V-35213": "true",
"V-35214": "true",
"V-35215": "true",
"V-35216": "true",
"V-35217": "true",
"V-35218": "true",
"V-35219": "true",
"V-35220": "true",
"V-35221": "true",
"V-35222": "true",
"V-35223": "true",
"V-35224": "true",
"V-35225": "true",
"V-35226": "true",
"V-35234": "true",
"V-35236": "true",
"V-35238": "true",
"V-35241": "true",
"V-35254": "true",
"V-35257": "true",
"V-35299": "true",
"V-35300": "true",
"V-35301": "true",
"V-35302": "true",
"V-35303": "true",
"V-35304": "true",
"V-35305": "true",
"V-35306": "true",
"V-35307": "true",
"V-35308": "true",
"V-35309": "true",
"V-35310": "true",
"V-35311": "true",
"V-35312": "true",
"V-35313": "true",
"V-35314": "true",
"V-35315": "true",
"V-35316": "true",
"V-35317": "true",
"V-35318": "true",
"V-35319": "true",
"V-35320": "true",
"V-35321": "true",
"V-35322": "true",
"V-35324": "true",
"V-35325": "true",
"V-35328": "true",
"V-35329": "true",
"V-35330": "true",
"V-35331": "true",
"V-35332": "true",
"V-35333": "true",
"V-35334": "true",
"V-35335": "true",
"V-35336": "true",
"V-35337": "true",
"V-35338": "true",
"V-35341": "true",
"V-35342": "true",
"V-35343": "true",
"V-35344": "true",
"V-35347": "true",
"V-35361": "true",
"V-35368": "true",
"V-35371": "true",
"V-35376": "true",
"V-35381": "true",
"V-35415": "true",
"V-35419": "true",
"V-35420": "true",
"V-35421": "true",
"V-35422": "true",
"V-35423": "true",
"V-35424": "true",
"V-35425": "true",
"V-35426": "true",
"V-35427": "true",
"V-35428": "true",
"V-35429": "true",
"V-35430": "true",
"V-35431": "true",
"V-35432": "true",
"V-35434": "true",
"V-35435": "true",
"V-35436": "true",
"V-35437": "true",
"V-35438": "true",
"V-35439": "true",
"V-35440": "true",
"V-35441": "true",
"V-35442": "true",
"V-35443": "true",
"V-35444": "true",
"V-35445": "true",
"V-35446": "true",
"V-35447": "true",
"V-35448": "true",
"V-35449": "true",
"V-35450": "true",
"V-35451": "true",
"V-35452": "true",
"V-35453": "true",
"V-35477": "true",
"V-35478": "true",
"V-35479": "true",
"V-35480": "true",
"V-35481": "true",
"V-35482": "true",
"V-35483": "true",
"V-35484": "true",
"V-35498": "true",
"V-35499": "true",
"V-35500": "true",
"V-35501": "true",
"V-35502": "true",
"V-35503": "true",
"V-35529": "true",
"V-35532": "true",
"V-35533": "true",
"V-35534": "true",
"V-35535": "true",
"V-35537": "true",
"V-35539": "true",
"V-35540": "true",
"V-35542": "true",
"V-35544": "true",
"V-35546": "true",
"V-35549": "true",
"V-35552": "true",
"V-35554": "true",
"V-35556": "true",
"V-35559": "true",
"V-35562": "true",
"V-35564": "true",
"V-35567": "true",
"V-35569": "true",
"V-35571": "true",
"V-35572": "true",
"V-35575": "true",
"V-35576": "true",
"V-35577": "true",
"V-35578": "true",
"V-35580": "true",
"V-35582": "true",
"V-35584": "true",
"V-35586": "true",
"V-35588": "true",
"V-35590": "true",
"V-35593": "true",
"V-35595": "true",
"V-35596": "true",
"V-35598": "true",
"V-35599": "true",
"V-35600": "true",
"V-35601": "true",
"V-35602": "true",
"V-35603": "true",
"V-35604": "true",
"V-35605": "true",
"V-35606": "true",
"V-35607": "true",
"V-35608": "true",
"V-35609": "true",
"V-35610": "true",
"V-35611": "true",
"V-35612": "true",
"V-35613": "true",
"V-35614": "true",
"V-35615": "true",
"V-35616": "true",
"V-35617": "true",
"V-35618": "true",
"V-35627": "true",
"V-35628": "true",
"V-35630": "true",
"V-35632": "true",
"V-35633": "true",
"V-35634": "true",
"V-35636": "true",
"V-35639": "true",
"V-35641": "true",
"V-35643": "true",
"V-35645": "true",
"V-35647": "true",
"V-35649": "true",
"V-35652": "true",
"V-35654": "true",
"V-35657": "true",
"V-35659": "true",
"V-35661": "true",
"V-35662": "true",
"V-35663": "true",
"V-35664": "true",
"V-35667": "true",
"V-35669": "true",
"V-35671": "true",
"V-35674": "true",
"V-35676": "true",
"V-35678": "true",
"V-35679": "true",
"V-35680": "true",
"V-35681": "true",
"V-35682": "true",
"V-35683": "true",
"V-35684": "true",
"V-35685": "true",
"V-35686": "true",
"V-35687": "true",
"V-35689": "true",
"V-35716": "true",
"V-35721": "true",
"V-35724": "true",
"V-35727": "true",
"V-35733": "true",
"V-35734": "true",
"V-35735": "true",
"V-35736": "true",
"V-35737": "true",
"V-35738": "true",
"V-35739": "true",
"V-35740": "true",
"V-35741": "true",
"V-35742": "true",
"V-35743": "true",
"V-35744": "true",
"V-35745": "true",
"V-35766": "true",
"V-35768": "true",
"V-35770": "true",
"V-35772": "true",
"V-35774": "true",
"V-35775": "true",
"V-35778": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critial Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-35070": "true",
"V-35073": "true",
"V-35079": "true",
"V-35080": "true",
"V-35081": "true",
"V-35082": "true",
"V-35088": "true",
"V-35089": "true",
"V-35090": "true",
"V-35091": "true",
"V-35092": "true",
"V-35094": "true",
"V-35096": "true",
"V-35098": "true",
"V-35099": "true",
"V-35101": "true",
"V-35102": "true",
"V-35103": "true",
"V-35104": "true",
"V-35105": "true",
"V-35107": "true",
"V-35108": "true",
"V-35109": "true",
"V-35112": "true",
"V-35114": "true",
"V-35116": "true",
"V-35117": "true",
"V-35118": "true",
"V-35120": "true",
"V-35121": "true",
"V-35123": "true",
"V-35125": "true",
"V-35127": "true",
"V-35128": "true",
"V-35129": "true",
"V-35131": "true",
"V-35132": "true",
"V-35133": "true",
"V-35134": "true",
"V-35135": "true",
"V-35136": "true",
"V-35138": "true",
"V-35139": "true",
"V-35140": "true",
"V-35141": "true",
"V-35142": "true",
"V-35143": "true",
"V-35148": "true",
"V-35150": "true",
"V-35157": "true",
"V-35159": "true",
"V-35161": "true",
"V-35163": "true",
"V-35165": "true",
"V-35167": "true",
"V-35170": "true",
"V-35176": "true",
"V-35182": "true",
"V-35183": "true",
"V-35184": "true",
"V-35185": "true",
"V-35186": "true",
"V-35188": "true",
"V-35190": "true",
"V-35191": "true",
"V-35192": "true",
"V-35193": "true",
"V-35195": "true",
"V-35196": "true",
"V-35199": "true",
"V-35203": "true",
"V-35204": "true",
"V-35205": "true",
"V-35212": "true",
"V-35213": "true",
"V-35214": "true",
"V-35215": "true",
"V-35216": "true",
"V-35217": "true",
"V-35218": "true",
"V-35219": "true",
"V-35220": "true",
"V-35221": "true",
"V-35222": "true",
"V-35223": "true",
"V-35224": "true",
"V-35225": "true",
"V-35226": "true",
"V-35234": "true",
"V-35236": "true",
"V-35238": "true",
"V-35241": "true",
"V-35254": "true",
"V-35257": "true",
"V-35299": "true",
"V-35300": "true",
"V-35301": "true",
"V-35302": "true",
"V-35303": "true",
"V-35304": "true",
"V-35305": "true",
"V-35306": "true",
"V-35307": "true",
"V-35308": "true",
"V-35309": "true",
"V-35310": "true",
"V-35311": "true",
"V-35312": "true",
"V-35313": "true",
"V-35314": "true",
"V-35315": "true",
"V-35316": "true",
"V-35317": "true",
"V-35318": "true",
"V-35319": "true",
"V-35320": "true",
"V-35321": "true",
"V-35322": "true",
"V-35324": "true",
"V-35325": "true",
"V-35328": "true",
"V-35329": "true",
"V-35330": "true",
"V-35331": "true",
"V-35332": "true",
"V-35333": "true",
"V-35334": "true",
"V-35335": "true",
"V-35336": "true",
"V-35337": "true",
"V-35338": "true",
"V-35341": "true",
"V-35342": "true",
"V-35343": "true",
"V-35344": "true",
"V-35347": "true",
"V-35361": "true",
"V-35368": "true",
"V-35371": "true",
"V-35376": "true",
"V-35381": "true",
"V-35415": "true",
"V-35419": "true",
"V-35420": "true",
"V-35421": "true",
"V-35422": "true",
"V-35423": "true",
"V-35424": "true",
"V-35425": "true",
"V-35426": "true",
"V-35427": "true",
"V-35428": "true",
"V-35429": "true",
"V-35430": "true",
"V-35431": "true",
"V-35432": "true",
"V-35434": "true",
"V-35435": "true",
"V-35436": "true",
"V-35437": "true",
"V-35438": "true",
"V-35439": "true",
"V-35440": "true",
"V-35441": "true",
"V-35442": "true",
"V-35443": "true",
"V-35444": "true",
"V-35445": "true",
"V-35446": "true",
"V-35447": "true",
"V-35448": "true",
"V-35449": "true",
"V-35450": "true",
"V-35451": "true",
"V-35452": "true",
"V-35453": "true",
"V-35477": "true",
"V-35478": "true",
"V-35479": "true",
"V-35480": "true",
"V-35481": "true",
"V-35482": "true",
"V-35483": "true",
"V-35484": "true",
"V-35498": "true",
"V-35499": "true",
"V-35500": "true",
"V-35501": "true",
"V-35502": "true",
"V-35503": "true",
"V-35529": "true",
"V-35532": "true",
"V-35533": "true",
"V-35534": "true",
"V-35535": "true",
"V-35537": "true",
"V-35539": "true",
"V-35540": "true",
"V-35542": "true",
"V-35544": "true",
"V-35546": "true",
"V-35549": "true",
"V-35552": "true",
"V-35554": "true",
"V-35556": "true",
"V-35559": "true",
"V-35562": "true",
"V-35564": "true",
"V-35567": "true",
"V-35569": "true",
"V-35571": "true",
"V-35572": "true",
"V-35575": "true",
"V-35576": "true",
"V-35577": "true",
"V-35578": "true",
"V-35580": "true",
"V-35582": "true",
"V-35584": "true",
"V-35586": "true",
"V-35588": "true",
"V-35590": "true",
"V-35593": "true",
"V-35595": "true",
"V-35596": "true",
"V-35598": "true",
"V-35599": "true",
"V-35600": "true",
"V-35601": "true",
"V-35602": "true",
"V-35603": "true",
"V-35604": "true",
"V-35605": "true",
"V-35606": "true",
"V-35607": "true",
"V-35608": "true",
"V-35609": "true",
"V-35610": "true",
"V-35611": "true",
"V-35612": "true",
"V-35613": "true",
"V-35614": "true",
"V-35615": "true",
"V-35616": "true",
"V-35617": "true",
"V-35618": "true",
"V-35627": "true",
"V-35628": "true",
"V-35630": "true",
"V-35632": "true",
"V-35633": "true",
"V-35634": "true",
"V-35636": "true",
"V-35639": "true",
"V-35641": "true",
"V-35643": "true",
"V-35645": "true",
"V-35647": "true",
"V-35649": "true",
"V-35652": "true",
"V-35654": "true",
"V-35657": "true",
"V-35659": "true",
"V-35661": "true",
"V-35662": "true",
"V-35663": "true",
"V-35664": "true",
"V-35667": "true",
"V-35669": "true",
"V-35671": "true",
"V-35674": "true",
"V-35676": "true",
"V-35678": "true",
"V-35679": "true",
"V-35680": "true",
"V-35681": "true",
"V-35682": "true",
"V-35683": "true",
"V-35684": "true",
"V-35685": "true",
"V-35686": "true",
"V-35687": "true",
"V-35689": "true",
"V-35716": "true",
"V-35721": "true",
"V-35724": "true",
"V-35727": "true",
"V-35733": "true",
"V-35734": "true",
"V-35735": "true",
"V-35736": "true",
"V-35737": "true",
"V-35738": "true",
"V-35739": "true",
"V-35740": "true",
"V-35741": "true",
"V-35742": "true",
"V-35743": "true",
"V-35744": "true",
"V-35745": "true",
"V-35766": "true",
"V-35768": "true",
"V-35770": "true",
"V-35772": "true",
"V-35774": "true",
"V-35775": "true",
"V-35778": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-35070": "true",
"V-35073": "true",
"V-35079": "true",
"V-35080": "true",
"V-35081": "true",
"V-35082": "true",
"V-35088": "true",
"V-35089": "true",
"V-35090": "true",
"V-35091": "true",
"V-35092": "true",
"V-35094": "true",
"V-35096": "true",
"V-35098": "true",
"V-35099": "true",
"V-35101": "true",
"V-35102": "true",
"V-35103": "true",
"V-35104": "true",
"V-35105": "true",
"V-35107": "true",
"V-35108": "true",
"V-35109": "true",
"V-35112": "true",
"V-35114": "true",
"V-35116": "true",
"V-35117": "true",
"V-35118": "true",
"V-35120": "true",
"V-35121": "true",
"V-35123": "true",
"V-35125": "true",
"V-35127": "true",
"V-35128": "true",
"V-35129": "true",
"V-35131": "true",
"V-35132": "true",
"V-35133": "true",
"V-35134": "true",
"V-35135": "true",
"V-35136": "true",
"V-35138": "true",
"V-35139": "true",
"V-35140": "true",
"V-35141": "true",
"V-35142": "true",
"V-35143": "true",
"V-35148": "true",
"V-35150": "true",
"V-35157": "true",
"V-35159": "true",
"V-35161": "true",
"V-35163": "true",
"V-35165": "true",
"V-35167": "true",
"V-35170": "true",
"V-35176": "true",
"V-35182": "true",
"V-35183": "true",
"V-35184": "true",
"V-35185": "true",
"V-35186": "true",
"V-35188": "true",
"V-35190": "true",
"V-35191": "true",
"V-35192": "true",
"V-35193": "true",
"V-35195": "true",
"V-35196": "true",
"V-35199": "true",
"V-35203": "true",
"V-35204": "true",
"V-35205": "true",
"V-35212": "true",
"V-35213": "true",
"V-35214": "true",
"V-35215": "true",
"V-35216": "true",
"V-35217": "true",
"V-35218": "true",
"V-35219": "true",
"V-35220": "true",
"V-35221": "true",
"V-35222": "true",
"V-35223": "true",
"V-35224": "true",
"V-35225": "true",
"V-35226": "true",
"V-35234": "true",
"V-35236": "true",
"V-35238": "true",
"V-35241": "true",
"V-35254": "true",
"V-35257": "true",
"V-35299": "true",
"V-35300": "true",
"V-35301": "true",
"V-35302": "true",
"V-35303": "true",
"V-35304": "true",
"V-35305": "true",
"V-35306": "true",
"V-35307": "true",
"V-35308": "true",
"V-35309": "true",
"V-35310": "true",
"V-35311": "true",
"V-35312": "true",
"V-35313": "true",
"V-35314": "true",
"V-35315": "true",
"V-35316": "true",
"V-35317": "true",
"V-35318": "true",
"V-35319": "true",
"V-35320": "true",
"V-35321": "true",
"V-35322": "true",
"V-35324": "true",
"V-35325": "true",
"V-35328": "true",
"V-35329": "true",
"V-35330": "true",
"V-35331": "true",
"V-35332": "true",
"V-35333": "true",
"V-35334": "true",
"V-35335": "true",
"V-35336": "true",
"V-35337": "true",
"V-35338": "true",
"V-35341": "true",
"V-35342": "true",
"V-35343": "true",
"V-35344": "true",
"V-35347": "true",
"V-35361": "true",
"V-35368": "true",
"V-35371": "true",
"V-35376": "true",
"V-35381": "true",
"V-35415": "true",
"V-35419": "true",
"V-35420": "true",
"V-35421": "true",
"V-35422": "true",
"V-35423": "true",
"V-35424": "true",
"V-35425": "true",
"V-35426": "true",
"V-35427": "true",
"V-35428": "true",
"V-35429": "true",
"V-35430": "true",
"V-35431": "true",
"V-35432": "true",
"V-35434": "true",
"V-35435": "true",
"V-35436": "true",
"V-35437": "true",
"V-35438": "true",
"V-35439": "true",
"V-35440": "true",
"V-35441": "true",
"V-35442": "true",
"V-35443": "true",
"V-35444": "true",
"V-35445": "true",
"V-35446": "true",
"V-35447": "true",
"V-35448": "true",
"V-35449": "true",
"V-35450": "true",
"V-35451": "true",
"V-35452": "true",
"V-35453": "true",
"V-35477": "true",
"V-35478": "true",
"V-35479": "true",
"V-35480": "true",
"V-35481": "true",
"V-35482": "true",
"V-35483": "true",
"V-35484": "true",
"V-35498": "true",
"V-35499": "true",
"V-35500": "true",
"V-35501": "true",
"V-35502": "true",
"V-35503": "true",
"V-35529": "true",
"V-35532": "true",
"V-35533": "true",
"V-35534": "true",
"V-35535": "true",
"V-35537": "true",
"V-35539": "true",
"V-35540": "true",
"V-35542": "true",
"V-35544": "true",
"V-35546": "true",
"V-35549": "true",
"V-35552": "true",
"V-35554": "true",
"V-35556": "true",
"V-35559": "true",
"V-35562": "true",
"V-35564": "true",
"V-35567": "true",
"V-35569": "true",
"V-35571": "true",
"V-35572": "true",
"V-35575": "true",
"V-35576": "true",
"V-35577": "true",
"V-35578": "true",
"V-35580": "true",
"V-35582": "true",
"V-35584": "true",
"V-35586": "true",
"V-35588": "true",
"V-35590": "true",
"V-35593": "true",
"V-35595": "true",
"V-35596": "true",
"V-35598": "true",
"V-35599": "true",
"V-35600": "true",
"V-35601": "true",
"V-35602": "true",
"V-35603": "true",
"V-35604": "true",
"V-35605": "true",
"V-35606": "true",
"V-35607": "true",
"V-35608": "true",
"V-35609": "true",
"V-35610": "true",
"V-35611": "true",
"V-35612": "true",
"V-35613": "true",
"V-35614": "true",
"V-35615": "true",
"V-35616": "true",
"V-35617": "true",
"V-35618": "true",
"V-35627": "true",
"V-35628": "true",
"V-35630": "true",
"V-35632": "true",
"V-35633": "true",
"V-35634": "true",
"V-35636": "true",
"V-35639": "true",
"V-35641": "true",
"V-35643": "true",
"V-35645": "true",
"V-35647": "true",
"V-35649": "true",
"V-35652": "true",
"V-35654": "true",
"V-35657": "true",
"V-35659": "true",
"V-35661": "true",
"V-35662": "true",
"V-35663": "true",
"V-35664": "true",
"V-35667": "true",
"V-35669": "true",
"V-35671": "true",
"V-35674": "true",
"V-35676": "true",
"V-35678": "true",
"V-35679": "true",
"V-35680": "true",
"V-35681": "true",
"V-35682": "true",
"V-35683": "true",
"V-35684": "true",
"V-35685": "true",
"V-35686": "true",
"V-35687": "true",
"V-35689": "true",
"V-35716": "true",
"V-35721": "true",
"V-35724": "true",
"V-35727": "true",
"V-35733": "true",
"V-35734": "true",
"V-35735": "true",
"V-35736": "true",
"V-35737": "true",
"V-35738": "true",
"V-35739": "true",
"V-35740": "true",
"V-35741": "true",
"V-35742": "true",
"V-35743": "true",
"V-35744": "true",
"V-35745": "true",
"V-35766": "true",
"V-35768": "true",
"V-35770": "true",
"V-35772": "true",
"V-35774": "true",
"V-35775": "true",
"V-35778": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-35070": "true",
"V-35073": "true",
"V-35079": "true",
"V-35080": "true",
"V-35081": "true",
"V-35082": "true",
"V-35088": "true",
"V-35089": "true",
"V-35090": "true",
"V-35091": "true",
"V-35092": "true",
"V-35094": "true",
"V-35096": "true",
"V-35098": "true",
"V-35099": "true",
"V-35101": "true",
"V-35102": "true",
"V-35103": "true",
"V-35104": "true",
"V-35105": "true",
"V-35107": "true",
"V-35108": "true",
"V-35109": "true",
"V-35112": "true",
"V-35114": "true",
"V-35116": "true",
"V-35117": "true",
"V-35118": "true",
"V-35120": "true",
"V-35121": "true",
"V-35123": "true",
"V-35125": "true",
"V-35127": "true",
"V-35128": "true",
"V-35129": "true",
"V-35131": "true",
"V-35132": "true",
"V-35133": "true",
"V-35134": "true",
"V-35135": "true",
"V-35136": "true",
"V-35138": "true",
"V-35139": "true",
"V-35140": "true",
"V-35141": "true",
"V-35142": "true",
"V-35143": "true",
"V-35148": "true",
"V-35150": "true",
"V-35157": "true",
"V-35159": "true",
"V-35161": "true",
"V-35163": "true",
"V-35165": "true",
"V-35167": "true",
"V-35170": "true",
"V-35176": "true",
"V-35182": "true",
"V-35183": "true",
"V-35184": "true",
"V-35185": "true",
"V-35186": "true",
"V-35188": "true",
"V-35190": "true",
"V-35191": "true",
"V-35192": "true",
"V-35193": "true",
"V-35195": "true",
"V-35196": "true",
"V-35199": "true",
"V-35203": "true",
"V-35204": "true",
"V-35205": "true",
"V-35212": "true",
"V-35213": "true",
"V-35214": "true",
"V-35215": "true",
"V-35216": "true",
"V-35217": "true",
"V-35218": "true",
"V-35219": "true",
"V-35220": "true",
"V-35221": "true",
"V-35222": "true",
"V-35223": "true",
"V-35224": "true",
"V-35225": "true",
"V-35226": "true",
"V-35234": "true",
"V-35236": "true",
"V-35238": "true",
"V-35241": "true",
"V-35254": "true",
"V-35257": "true",
"V-35299": "true",
"V-35300": "true",
"V-35301": "true",
"V-35302": "true",
"V-35303": "true",
"V-35304": "true",
"V-35305": "true",
"V-35306": "true",
"V-35307": "true",
"V-35308": "true",
"V-35309": "true",
"V-35310": "true",
"V-35311": "true",
"V-35312": "true",
"V-35313": "true",
"V-35314": "true",
"V-35315": "true",
"V-35316": "true",
"V-35317": "true",
"V-35318": "true",
"V-35319": "true",
"V-35320": "true",
"V-35321": "true",
"V-35322": "true",
"V-35324": "true",
"V-35325": "true",
"V-35328": "true",
"V-35329": "true",
"V-35330": "true",
"V-35331": "true",
"V-35332": "true",
"V-35333": "true",
"V-35334": "true",
"V-35335": "true",
"V-35336": "true",
"V-35337": "true",
"V-35338": "true",
"V-35341": "true",
"V-35342": "true",
"V-35343": "true",
"V-35344": "true",
"V-35347": "true",
"V-35361": "true",
"V-35368": "true",
"V-35371": "true",
"V-35376": "true",
"V-35381": "true",
"V-35415": "true",
"V-35419": "true",
"V-35420": "true",
"V-35421": "true",
"V-35422": "true",
"V-35423": "true",
"V-35424": "true",
"V-35425": "true",
"V-35426": "true",
"V-35427": "true",
"V-35428": "true",
"V-35429": "true",
"V-35430": "true",
"V-35431": "true",
"V-35432": "true",
"V-35434": "true",
"V-35435": "true",
"V-35436": "true",
"V-35437": "true",
"V-35438": "true",
"V-35439": "true",
"V-35440": "true",
"V-35441": "true",
"V-35442": "true",
"V-35443": "true",
"V-35444": "true",
"V-35445": "true",
"V-35446": "true",
"V-35447": "true",
"V-35448": "true",
"V-35449": "true",
"V-35450": "true",
"V-35451": "true",
"V-35452": "true",
"V-35453": "true",
"V-35477": "true",
"V-35478": "true",
"V-35479": "true",
"V-35480": "true",
"V-35481": "true",
"V-35482": "true",
"V-35483": "true",
"V-35484": "true",
"V-35498": "true",
"V-35499": "true",
"V-35500": "true",
"V-35501": "true",
"V-35502": "true",
"V-35503": "true",
"V-35529": "true",
"V-35532": "true",
"V-35533": "true",
"V-35534": "true",
"V-35535": "true",
"V-35537": "true",
"V-35539": "true",
"V-35540": "true",
"V-35542": "true",
"V-35544": "true",
"V-35546": "true",
"V-35549": "true",
"V-35552": "true",
"V-35554": "true",
"V-35556": "true",
"V-35559": "true",
"V-35562": "true",
"V-35564": "true",
"V-35567": "true",
"V-35569": "true",
"V-35571": "true",
"V-35572": "true",
"V-35575": "true",
"V-35576": "true",
"V-35577": "true",
"V-35578": "true",
"V-35580": "true",
"V-35582": "true",
"V-35584": "true",
"V-35586": "true",
"V-35588": "true",
"V-35590": "true",
"V-35593": "true",
"V-35595": "true",
"V-35596": "true",
"V-35598": "true",
"V-35599": "true",
"V-35600": "true",
"V-35601": "true",
"V-35602": "true",
"V-35603": "true",
"V-35604": "true",
"V-35605": "true",
"V-35606": "true",
"V-35607": "true",
"V-35608": "true",
"V-35609": "true",
"V-35610": "true",
"V-35611": "true",
"V-35612": "true",
"V-35613": "true",
"V-35614": "true",
"V-35615": "true",
"V-35616": "true",
"V-35617": "true",
"V-35618": "true",
"V-35627": "true",
"V-35628": "true",
"V-35630": "true",
"V-35632": "true",
"V-35633": "true",
"V-35634": "true",
"V-35636": "true",
"V-35639": "true",
"V-35641": "true",
"V-35643": "true",
"V-35645": "true",
"V-35647": "true",
"V-35649": "true",
"V-35652": "true",
"V-35654": "true",
"V-35657": "true",
"V-35659": "true",
"V-35661": "true",
"V-35662": "true",
"V-35663": "true",
"V-35664": "true",
"V-35667": "true",
"V-35669": "true",
"V-35671": "true",
"V-35674": "true",
"V-35676": "true",
"V-35678": "true",
"V-35679": "true",
"V-35680": "true",
"V-35681": "true",
"V-35682": "true",
"V-35683": "true",
"V-35684": "true",
"V-35685": "true",
"V-35686": "true",
"V-35687": "true",
"V-35689": "true",
"V-35716": "true",
"V-35721": "true",
"V-35724": "true",
"V-35727": "true",
"V-35733": "true",
"V-35734": "true",
"V-35735": "true",
"V-35736": "true",
"V-35737": "true",
"V-35738": "true",
"V-35739": "true",
"V-35740": "true",
"V-35741": "true",
"V-35742": "true",
"V-35743": "true",
"V-35744": "true",
"V-35745": "true",
"V-35766": "true",
"V-35768": "true",
"V-35770": "true",
"V-35772": "true",
"V-35774": "true",
"V-35775": "true",
"V-35778": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-35070": "true",
"V-35073": "true",
"V-35079": "true",
"V-35080": "true",
"V-35081": "true",
"V-35082": "true",
"V-35088": "true",
"V-35089": "true",
"V-35090": "true",
"V-35091": "true",
"V-35092": "true",
"V-35094": "true",
"V-35096": "true",
"V-35098": "true",
"V-35099": "true",
"V-35101": "true",
"V-35102": "true",
"V-35103": "true",
"V-35104": "true",
"V-35105": "true",
"V-35107": "true",
"V-35108": "true",
"V-35109": "true",
"V-35112": "true",
"V-35114": "true",
"V-35116": "true",
"V-35117": "true",
"V-35118": "true",
"V-35120": "true",
"V-35121": "true",
"V-35123": "true",
"V-35125": "true",
"V-35127": "true",
"V-35128": "true",
"V-35129": "true",
"V-35131": "true",
"V-35132": "true",
"V-35133": "true",
"V-35134": "true",
"V-35135": "true",
"V-35136": "true",
"V-35138": "true",
"V-35139": "true",
"V-35140": "true",
"V-35141": "true",
"V-35142": "true",
"V-35143": "true",
"V-35148": "true",
"V-35150": "true",
"V-35157": "true",
"V-35159": "true",
"V-35161": "true",
"V-35163": "true",
"V-35165": "true",
"V-35167": "true",
"V-35170": "true",
"V-35176": "true",
"V-35182": "true",
"V-35183": "true",
"V-35184": "true",
"V-35185": "true",
"V-35186": "true",
"V-35188": "true",
"V-35190": "true",
"V-35191": "true",
"V-35192": "true",
"V-35193": "true",
"V-35195": "true",
"V-35196": "true",
"V-35199": "true",
"V-35203": "true",
"V-35204": "true",
"V-35205": "true",
"V-35212": "true",
"V-35213": "true",
"V-35214": "true",
"V-35215": "true",
"V-35216": "true",
"V-35217": "true",
"V-35218": "true",
"V-35219": "true",
"V-35220": "true",
"V-35221": "true",
"V-35222": "true",
"V-35223": "true",
"V-35224": "true",
"V-35225": "true",
"V-35226": "true",
"V-35234": "true",
"V-35236": "true",
"V-35238": "true",
"V-35241": "true",
"V-35254": "true",
"V-35257": "true",
"V-35299": "true",
"V-35300": "true",
"V-35301": "true",
"V-35302": "true",
"V-35303": "true",
"V-35304": "true",
"V-35305": "true",
"V-35306": "true",
"V-35307": "true",
"V-35308": "true",
"V-35309": "true",
"V-35310": "true",
"V-35311": "true",
"V-35312": "true",
"V-35313": "true",
"V-35314": "true",
"V-35315": "true",
"V-35316": "true",
"V-35317": "true",
"V-35318": "true",
"V-35319": "true",
"V-35320": "true",
"V-35321": "true",
"V-35322": "true",
"V-35324": "true",
"V-35325": "true",
"V-35328": "true",
"V-35329": "true",
"V-35330": "true",
"V-35331": "true",
"V-35332": "true",
"V-35333": "true",
"V-35334": "true",
"V-35335": "true",
"V-35336": "true",
"V-35337": "true",
"V-35338": "true",
"V-35341": "true",
"V-35342": "true",
"V-35343": "true",
"V-35344": "true",
"V-35347": "true",
"V-35361": "true",
"V-35368": "true",
"V-35371": "true",
"V-35376": "true",
"V-35381": "true",
"V-35415": "true",
"V-35419": "true",
"V-35420": "true",
"V-35421": "true",
"V-35422": "true",
"V-35423": "true",
"V-35424": "true",
"V-35425": "true",
"V-35426": "true",
"V-35427": "true",
"V-35428": "true",
"V-35429": "true",
"V-35430": "true",
"V-35431": "true",
"V-35432": "true",
"V-35434": "true",
"V-35435": "true",
"V-35436": "true",
"V-35437": "true",
"V-35438": "true",
"V-35439": "true",
"V-35440": "true",
"V-35441": "true",
"V-35442": "true",
"V-35443": "true",
"V-35444": "true",
"V-35445": "true",
"V-35446": "true",
"V-35447": "true",
"V-35448": "true",
"V-35449": "true",
"V-35450": "true",
"V-35451": "true",
"V-35452": "true",
"V-35453": "true",
"V-35477": "true",
"V-35478": "true",
"V-35479": "true",
"V-35480": "true",
"V-35481": "true",
"V-35482": "true",
"V-35483": "true",
"V-35484": "true",
"V-35498": "true",
"V-35499": "true",
"V-35500": "true",
"V-35501": "true",
"V-35502": "true",
"V-35503": "true",
"V-35529": "true",
"V-35532": "true",
"V-35533": "true",
"V-35534": "true",
"V-35535": "true",
"V-35537": "true",
"V-35539": "true",
"V-35540": "true",
"V-35542": "true",
"V-35544": "true",
"V-35546": "true",
"V-35549": "true",
"V-35552": "true",
"V-35554": "true",
"V-35556": "true",
"V-35559": "true",
"V-35562": "true",
"V-35564": "true",
"V-35567": "true",
"V-35569": "true",
"V-35571": "true",
"V-35572": "true",
"V-35575": "true",
"V-35576": "true",
"V-35577": "true",
"V-35578": "true",
"V-35580": "true",
"V-35582": "true",
"V-35584": "true",
"V-35586": "true",
"V-35588": "true",
"V-35590": "true",
"V-35593": "true",
"V-35595": "true",
"V-35596": "true",
"V-35598": "true",
"V-35599": "true",
"V-35600": "true",
"V-35601": "true",
"V-35602": "true",
"V-35603": "true",
"V-35604": "true",
"V-35605": "true",
"V-35606": "true",
"V-35607": "true",
"V-35608": "true",
"V-35609": "true",
"V-35610": "true",
"V-35611": "true",
"V-35612": "true",
"V-35613": "true",
"V-35614": "true",
"V-35615": "true",
"V-35616": "true",
"V-35617": "true",
"V-35618": "true",
"V-35627": "true",
"V-35628": "true",
"V-35630": "true",
"V-35632": "true",
"V-35633": "true",
"V-35634": "true",
"V-35636": "true",
"V-35639": "true",
"V-35641": "true",
"V-35643": "true",
"V-35645": "true",
"V-35647": "true",
"V-35649": "true",
"V-35652": "true",
"V-35654": "true",
"V-35657": "true",
"V-35659": "true",
"V-35661": "true",
"V-35662": "true",
"V-35663": "true",
"V-35664": "true",
"V-35667": "true",
"V-35669": "true",
"V-35671": "true",
"V-35674": "true",
"V-35676": "true",
"V-35678": "true",
"V-35679": "true",
"V-35680": "true",
"V-35681": "true",
"V-35682": "true",
"V-35683": "true",
"V-35684": "true",
"V-35685": "true",
"V-35686": "true",
"V-35687": "true",
"V-35689": "true",
"V-35716": "true",
"V-35721": "true",
"V-35724": "true",
"V-35727": "true",
"V-35733": "true",
"V-35734": "true",
"V-35735": "true",
"V-35736": "true",
"V-35737": "true",
"V-35738": "true",
"V-35739": "true",
"V-35740": "true",
"V-35741": "true",
"V-35742": "true",
"V-35743": "true",
"V-35744": "true",
"V-35745": "true",
"V-35766": "true",
"V-35768": "true",
"V-35770": "true",
"V-35772": "true",
"V-35774": "true",
"V-35775": "true",
"V-35778": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-35070": "true",
"V-35073": "true",
"V-35079": "true",
"V-35080": "true",
"V-35081": "true",
"V-35082": "true",
"V-35088": "true",
"V-35089": "true",
"V-35090": "true",
"V-35091": "true",
"V-35092": "true",
"V-35094": "true",
"V-35096": "true",
"V-35098": "true",
"V-35099": "true",
"V-35101": "true",
"V-35102": "true",
"V-35103": "true",
"V-35104": "true",
"V-35105": "true",
"V-35107": "true",
"V-35108": "true",
"V-35109": "true",
"V-35112": "true",
"V-35114": "true",
"V-35116": "true",
"V-35117": "true",
"V-35118": "true",
"V-35120": "true",
"V-35121": "true",
"V-35123": "true",
"V-35125": "true",
"V-35127": "true",
"V-35128": "true",
"V-35129": "true",
"V-35131": "true",
"V-35132": "true",
"V-35133": "true",
"V-35134": "true",
"V-35135": "true",
"V-35136": "true",
"V-35138": "true",
"V-35139": "true",
"V-35140": "true",
"V-35141": "true",
"V-35142": "true",
"V-35143": "true",
"V-35148": "true",
"V-35150": "true",
"V-35157": "true",
"V-35159": "true",
"V-35161": "true",
"V-35163": "true",
"V-35165": "true",
"V-35167": "true",
"V-35170": "true",
"V-35176": "true",
"V-35182": "true",
"V-35183": "true",
"V-35184": "true",
"V-35185": "true",
"V-35186": "true",
"V-35188": "true",
"V-35190": "true",
"V-35191": "true",
"V-35192": "true",
"V-35193": "true",
"V-35195": "true",
"V-35196": "true",
"V-35199": "true",
"V-35203": "true",
"V-35204": "true",
"V-35205": "true",
"V-35212": "true",
"V-35213": "true",
"V-35214": "true",
"V-35215": "true",
"V-35216": "true",
"V-35217": "true",
"V-35218": "true",
"V-35219": "true",
"V-35220": "true",
"V-35221": "true",
"V-35222": "true",
"V-35223": "true",
"V-35224": "true",
"V-35225": "true",
"V-35226": "true",
"V-35234": "true",
"V-35236": "true",
"V-35238": "true",
"V-35241": "true",
"V-35254": "true",
"V-35257": "true",
"V-35299": "true",
"V-35300": "true",
"V-35301": "true",
"V-35302": "true",
"V-35303": "true",
"V-35304": "true",
"V-35305": "true",
"V-35306": "true",
"V-35307": "true",
"V-35308": "true",
"V-35309": "true",
"V-35310": "true",
"V-35311": "true",
"V-35312": "true",
"V-35313": "true",
"V-35314": "true",
"V-35315": "true",
"V-35316": "true",
"V-35317": "true",
"V-35318": "true",
"V-35319": "true",
"V-35320": "true",
"V-35321": "true",
"V-35322": "true",
"V-35324": "true",
"V-35325": "true",
"V-35328": "true",
"V-35329": "true",
"V-35330": "true",
"V-35331": "true",
"V-35332": "true",
"V-35333": "true",
"V-35334": "true",
"V-35335": "true",
"V-35336": "true",
"V-35337": "true",
"V-35338": "true",
"V-35341": "true",
"V-35342": "true",
"V-35343": "true",
"V-35344": "true",
"V-35347": "true",
"V-35361": "true",
"V-35368": "true",
"V-35371": "true",
"V-35376": "true",
"V-35381": "true",
"V-35415": "true",
"V-35419": "true",
"V-35420": "true",
"V-35421": "true",
"V-35422": "true",
"V-35423": "true",
"V-35424": "true",
"V-35425": "true",
"V-35426": "true",
"V-35427": "true",
"V-35428": "true",
"V-35429": "true",
"V-35430": "true",
"V-35431": "true",
"V-35432": "true",
"V-35434": "true",
"V-35435": "true",
"V-35436": "true",
"V-35437": "true",
"V-35438": "true",
"V-35439": "true",
"V-35440": "true",
"V-35441": "true",
"V-35442": "true",
"V-35443": "true",
"V-35444": "true",
"V-35445": "true",
"V-35446": "true",
"V-35447": "true",
"V-35448": "true",
"V-35449": "true",
"V-35450": "true",
"V-35451": "true",
"V-35452": "true",
"V-35453": "true",
"V-35477": "true",
"V-35478": "true",
"V-35479": "true",
"V-35480": "true",
"V-35481": "true",
"V-35482": "true",
"V-35483": "true",
"V-35484": "true",
"V-35498": "true",
"V-35499": "true",
"V-35500": "true",
"V-35501": "true",
"V-35502": "true",
"V-35503": "true",
"V-35529": "true",
"V-35532": "true",
"V-35533": "true",
"V-35534": "true",
"V-35535": "true",
"V-35537": "true",
"V-35539": "true",
"V-35540": "true",
"V-35542": "true",
"V-35544": "true",
"V-35546": "true",
"V-35549": "true",
"V-35552": "true",
"V-35554": "true",
"V-35556": "true",
"V-35559": "true",
"V-35562": "true",
"V-35564": "true",
"V-35567": "true",
"V-35569": "true",
"V-35571": "true",
"V-35572": "true",
"V-35575": "true",
"V-35576": "true",
"V-35577": "true",
"V-35578": "true",
"V-35580": "true",
"V-35582": "true",
"V-35584": "true",
"V-35586": "true",
"V-35588": "true",
"V-35590": "true",
"V-35593": "true",
"V-35595": "true",
"V-35596": "true",
"V-35598": "true",
"V-35599": "true",
"V-35600": "true",
"V-35601": "true",
"V-35602": "true",
"V-35603": "true",
"V-35604": "true",
"V-35605": "true",
"V-35606": "true",
"V-35607": "true",
"V-35608": "true",
"V-35609": "true",
"V-35610": "true",
"V-35611": "true",
"V-35612": "true",
"V-35613": "true",
"V-35614": "true",
"V-35615": "true",
"V-35616": "true",
"V-35617": "true",
"V-35618": "true",
"V-35627": "true",
"V-35628": "true",
"V-35630": "true",
"V-35632": "true",
"V-35633": "true",
"V-35634": "true",
"V-35636": "true",
"V-35639": "true",
"V-35641": "true",
"V-35643": "true",
"V-35645": "true",
"V-35647": "true",
"V-35649": "true",
"V-35652": "true",
"V-35654": "true",
"V-35657": "true",
"V-35659": "true",
"V-35661": "true",
"V-35662": "true",
"V-35663": "true",
"V-35664": "true",
"V-35667": "true",
"V-35669": "true",
"V-35671": "true",
"V-35674": "true",
"V-35676": "true",
"V-35678": "true",
"V-35679": "true",
"V-35680": "true",
"V-35681": "true",
"V-35682": "true",
"V-35683": "true",
"V-35684": "true",
"V-35685": "true",
"V-35686": "true",
"V-35687": "true",
"V-35689": "true",
"V-35716": "true",
"V-35721": "true",
"V-35724": "true",
"V-35727": "true",
"V-35733": "true",
"V-35734": "true",
"V-35735": "true",
"V-35736": "true",
"V-35737": "true",
"V-35738": "true",
"V-35739": "true",
"V-35740": "true",
"V-35741": "true",
"V-35742": "true",
"V-35743": "true",
"V-35744": "true",
"V-35745": "true",
"V-35766": "true",
"V-35768": "true",
"V-35770": "true",
"V-35772": "true",
"V-35774": "true",
"V-35775": "true",
"V-35778": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-35070": "true",
"V-35073": "true",
"V-35079": "true",
"V-35080": "true",
"V-35081": "true",
"V-35082": "true",
"V-35088": "true",
"V-35089": "true",
"V-35090": "true",
"V-35091": "true",
"V-35092": "true",
"V-35094": "true",
"V-35096": "true",
"V-35098": "true",
"V-35099": "true",
"V-35101": "true",
"V-35102": "true",
"V-35103": "true",
"V-35104": "true",
"V-35105": "true",
"V-35107": "true",
"V-35108": "true",
"V-35109": "true",
"V-35112": "true",
"V-35114": "true",
"V-35116": "true",
"V-35117": "true",
"V-35118": "true",
"V-35120": "true",
"V-35121": "true",
"V-35123": "true",
"V-35125": "true",
"V-35127": "true",
"V-35128": "true",
"V-35129": "true",
"V-35131": "true",
"V-35132": "true",
"V-35133": "true",
"V-35134": "true",
"V-35135": "true",
"V-35136": "true",
"V-35138": "true",
"V-35139": "true",
"V-35140": "true",
"V-35141": "true",
"V-35142": "true",
"V-35143": "true",
"V-35148": "true",
"V-35150": "true",
"V-35157": "true",
"V-35159": "true",
"V-35161": "true",
"V-35163": "true",
"V-35165": "true",
"V-35167": "true",
"V-35170": "true",
"V-35176": "true",
"V-35182": "true",
"V-35183": "true",
"V-35184": "true",
"V-35185": "true",
"V-35186": "true",
"V-35188": "true",
"V-35190": "true",
"V-35191": "true",
"V-35192": "true",
"V-35193": "true",
"V-35195": "true",
"V-35196": "true",
"V-35199": "true",
"V-35203": "true",
"V-35204": "true",
"V-35205": "true",
"V-35212": "true",
"V-35213": "true",
"V-35214": "true",
"V-35215": "true",
"V-35216": "true",
"V-35217": "true",
"V-35218": "true",
"V-35219": "true",
"V-35220": "true",
"V-35221": "true",
"V-35222": "true",
"V-35223": "true",
"V-35224": "true",
"V-35225": "true",
"V-35226": "true",
"V-35234": "true",
"V-35236": "true",
"V-35238": "true",
"V-35241": "true",
"V-35254": "true",
"V-35257": "true",
"V-35299": "true",
"V-35300": "true",
"V-35301": "true",
"V-35302": "true",
"V-35303": "true",
"V-35304": "true",
"V-35305": "true",
"V-35306": "true",
"V-35307": "true",
"V-35308": "true",
"V-35309": "true",
"V-35310": "true",
"V-35311": "true",
"V-35312": "true",
"V-35313": "true",
"V-35314": "true",
"V-35315": "true",
"V-35316": "true",
"V-35317": "true",
"V-35318": "true",
"V-35319": "true",
"V-35320": "true",
"V-35321": "true",
"V-35322": "true",
"V-35324": "true",
"V-35325": "true",
"V-35328": "true",
"V-35329": "true",
"V-35330": "true",
"V-35331": "true",
"V-35332": "true",
"V-35333": "true",
"V-35334": "true",
"V-35335": "true",
"V-35336": "true",
"V-35337": "true",
"V-35338": "true",
"V-35341": "true",
"V-35342": "true",
"V-35343": "true",
"V-35344": "true",
"V-35347": "true",
"V-35361": "true",
"V-35368": "true",
"V-35371": "true",
"V-35376": "true",
"V-35381": "true",
"V-35415": "true",
"V-35419": "true",
"V-35420": "true",
"V-35421": "true",
"V-35422": "true",
"V-35423": "true",
"V-35424": "true",
"V-35425": "true",
"V-35426": "true",
"V-35427": "true",
"V-35428": "true",
"V-35429": "true",
"V-35430": "true",
"V-35431": "true",
"V-35432": "true",
"V-35434": "true",
"V-35435": "true",
"V-35436": "true",
"V-35437": "true",
"V-35438": "true",
"V-35439": "true",
"V-35440": "true",
"V-35441": "true",
"V-35442": "true",
"V-35443": "true",
"V-35444": "true",
"V-35445": "true",
"V-35446": "true",
"V-35447": "true",
"V-35448": "true",
"V-35449": "true",
"V-35450": "true",
"V-35451": "true",
"V-35452": "true",
"V-35453": "true",
"V-35477": "true",
"V-35478": "true",
"V-35479": "true",
"V-35480": "true",
"V-35481": "true",
"V-35482": "true",
"V-35483": "true",
"V-35484": "true",
"V-35498": "true",
"V-35499": "true",
"V-35500": "true",
"V-35501": "true",
"V-35502": "true",
"V-35503": "true",
"V-35529": "true",
"V-35532": "true",
"V-35533": "true",
"V-35534": "true",
"V-35535": "true",
"V-35537": "true",
"V-35539": "true",
"V-35540": "true",
"V-35542": "true",
"V-35544": "true",
"V-35546": "true",
"V-35549": "true",
"V-35552": "true",
"V-35554": "true",
"V-35556": "true",
"V-35559": "true",
"V-35562": "true",
"V-35564": "true",
"V-35567": "true",
"V-35569": "true",
"V-35571": "true",
"V-35572": "true",
"V-35575": "true",
"V-35576": "true",
"V-35577": "true",
"V-35578": "true",
"V-35580": "true",
"V-35582": "true",
"V-35584": "true",
"V-35586": "true",
"V-35588": "true",
"V-35590": "true",
"V-35593": "true",
"V-35595": "true",
"V-35596": "true",
"V-35598": "true",
"V-35599": "true",
"V-35600": "true",
"V-35601": "true",
"V-35602": "true",
"V-35603": "true",
"V-35604": "true",
"V-35605": "true",
"V-35606": "true",
"V-35607": "true",
"V-35608": "true",
"V-35609": "true",
"V-35610": "true",
"V-35611": "true",
"V-35612": "true",
"V-35613": "true",
"V-35614": "true",
"V-35615": "true",
"V-35616": "true",
"V-35617": "true",
"V-35618": "true",
"V-35627": "true",
"V-35628": "true",
"V-35630": "true",
"V-35632": "true",
"V-35633": "true",
"V-35634": "true",
"V-35636": "true",
"V-35639": "true",
"V-35641": "true",
"V-35643": "true",
"V-35645": "true",
"V-35647": "true",
"V-35649": "true",
"V-35652": "true",
"V-35654": "true",
"V-35657": "true",
"V-35659": "true",
"V-35661": "true",
"V-35662": "true",
"V-35663": "true",
"V-35664": "true",
"V-35667": "true",
"V-35669": "true",
"V-35671": "true",
"V-35674": "true",
"V-35676": "true",
"V-35678": "true",
"V-35679": "true",
"V-35680": "true",
"V-35681": "true",
"V-35682": "true",
"V-35683": "true",
"V-35684": "true",
"V-35685": "true",
"V-35686": "true",
"V-35687": "true",
"V-35689": "true",
"V-35716": "true",
"V-35721": "true",
"V-35724": "true",
"V-35727": "true",
"V-35733": "true",
"V-35734": "true",
"V-35735": "true",
"V-35736": "true",
"V-35737": "true",
"V-35738": "true",
"V-35739": "true",
"V-35740": "true",
"V-35741": "true",
"V-35742": "true",
"V-35743": "true",
"V-35744": "true",
"V-35745": "true",
"V-35766": "true",
"V-35768": "true",
"V-35770": "true",
"V-35772": "true",
"V-35774": "true",
"V-35775": "true",
"V-35778": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-35070": "true",
"V-35073": "true",
"V-35079": "true",
"V-35080": "true",
"V-35081": "true",
"V-35082": "true",
"V-35088": "true",
"V-35089": "true",
"V-35090": "true",
"V-35091": "true",
"V-35092": "true",
"V-35094": "true",
"V-35096": "true",
"V-35098": "true",
"V-35099": "true",
"V-35101": "true",
"V-35102": "true",
"V-35103": "true",
"V-35104": "true",
"V-35105": "true",
"V-35107": "true",
"V-35108": "true",
"V-35109": "true",
"V-35112": "true",
"V-35114": "true",
"V-35116": "true",
"V-35117": "true",
"V-35118": "true",
"V-35120": "true",
"V-35121": "true",
"V-35123": "true",
"V-35125": "true",
"V-35127": "true",
"V-35128": "true",
"V-35129": "true",
"V-35131": "true",
"V-35132": "true",
"V-35133": "true",
"V-35134": "true",
"V-35135": "true",
"V-35136": "true",
"V-35138": "true",
"V-35139": "true",
"V-35140": "true",
"V-35141": "true",
"V-35142": "true",
"V-35143": "true",
"V-35148": "true",
"V-35150": "true",
"V-35157": "true",
"V-35159": "true",
"V-35161": "true",
"V-35163": "true",
"V-35165": "true",
"V-35167": "true",
"V-35170": "true",
"V-35176": "true",
"V-35182": "true",
"V-35183": "true",
"V-35184": "true",
"V-35185": "true",
"V-35186": "true",
"V-35188": "true",
"V-35190": "true",
"V-35191": "true",
"V-35192": "true",
"V-35193": "true",
"V-35195": "true",
"V-35196": "true",
"V-35199": "true",
"V-35203": "true",
"V-35204": "true",
"V-35205": "true",
"V-35212": "true",
"V-35213": "true",
"V-35214": "true",
"V-35215": "true",
"V-35216": "true",
"V-35217": "true",
"V-35218": "true",
"V-35219": "true",
"V-35220": "true",
"V-35221": "true",
"V-35222": "true",
"V-35223": "true",
"V-35224": "true",
"V-35225": "true",
"V-35226": "true",
"V-35234": "true",
"V-35236": "true",
"V-35238": "true",
"V-35241": "true",
"V-35254": "true",
"V-35257": "true",
"V-35299": "true",
"V-35300": "true",
"V-35301": "true",
"V-35302": "true",
"V-35303": "true",
"V-35304": "true",
"V-35305": "true",
"V-35306": "true",
"V-35307": "true",
"V-35308": "true",
"V-35309": "true",
"V-35310": "true",
"V-35311": "true",
"V-35312": "true",
"V-35313": "true",
"V-35314": "true",
"V-35315": "true",
"V-35316": "true",
"V-35317": "true",
"V-35318": "true",
"V-35319": "true",
"V-35320": "true",
"V-35321": "true",
"V-35322": "true",
"V-35324": "true",
"V-35325": "true",
"V-35328": "true",
"V-35329": "true",
"V-35330": "true",
"V-35331": "true",
"V-35332": "true",
"V-35333": "true",
"V-35334": "true",
"V-35335": "true",
"V-35336": "true",
"V-35337": "true",
"V-35338": "true",
"V-35341": "true",
"V-35342": "true",
"V-35343": "true",
"V-35344": "true",
"V-35347": "true",
"V-35361": "true",
"V-35368": "true",
"V-35371": "true",
"V-35376": "true",
"V-35381": "true",
"V-35415": "true",
"V-35419": "true",
"V-35420": "true",
"V-35421": "true",
"V-35422": "true",
"V-35423": "true",
"V-35424": "true",
"V-35425": "true",
"V-35426": "true",
"V-35427": "true",
"V-35428": "true",
"V-35429": "true",
"V-35430": "true",
"V-35431": "true",
"V-35432": "true",
"V-35434": "true",
"V-35435": "true",
"V-35436": "true",
"V-35437": "true",
"V-35438": "true",
"V-35439": "true",
"V-35440": "true",
"V-35441": "true",
"V-35442": "true",
"V-35443": "true",
"V-35444": "true",
"V-35445": "true",
"V-35446": "true",
"V-35447": "true",
"V-35448": "true",
"V-35449": "true",
"V-35450": "true",
"V-35451": "true",
"V-35452": "true",
"V-35453": "true",
"V-35477": "true",
"V-35478": "true",
"V-35479": "true",
"V-35480": "true",
"V-35481": "true",
"V-35482": "true",
"V-35483": "true",
"V-35484": "true",
"V-35498": "true",
"V-35499": "true",
"V-35500": "true",
"V-35501": "true",
"V-35502": "true",
"V-35503": "true",
"V-35529": "true",
"V-35532": "true",
"V-35533": "true",
"V-35534": "true",
"V-35535": "true",
"V-35537": "true",
"V-35539": "true",
"V-35540": "true",
"V-35542": "true",
"V-35544": "true",
"V-35546": "true",
"V-35549": "true",
"V-35552": "true",
"V-35554": "true",
"V-35556": "true",
"V-35559": "true",
"V-35562": "true",
"V-35564": "true",
"V-35567": "true",
"V-35569": "true",
"V-35571": "true",
"V-35572": "true",
"V-35575": "true",
"V-35576": "true",
"V-35577": "true",
"V-35578": "true",
"V-35580": "true",
"V-35582": "true",
"V-35584": "true",
"V-35586": "true",
"V-35588": "true",
"V-35590": "true",
"V-35593": "true",
"V-35595": "true",
"V-35596": "true",
"V-35598": "true",
"V-35599": "true",
"V-35600": "true",
"V-35601": "true",
"V-35602": "true",
"V-35603": "true",
"V-35604": "true",
"V-35605": "true",
"V-35606": "true",
"V-35607": "true",
"V-35608": "true",
"V-35609": "true",
"V-35610": "true",
"V-35611": "true",
"V-35612": "true",
"V-35613": "true",
"V-35614": "true",
"V-35615": "true",
"V-35616": "true",
"V-35617": "true",
"V-35618": "true",
"V-35627": "true",
"V-35628": "true",
"V-35630": "true",
"V-35632": "true",
"V-35633": "true",
"V-35634": "true",
"V-35636": "true",
"V-35639": "true",
"V-35641": "true",
"V-35643": "true",
"V-35645": "true",
"V-35647": "true",
"V-35649": "true",
"V-35652": "true",
"V-35654": "true",
"V-35657": "true",
"V-35659": "true",
"V-35661": "true",
"V-35662": "true",
"V-35663": "true",
"V-35664": "true",
"V-35667": "true",
"V-35669": "true",
"V-35671": "true",
"V-35674": "true",
"V-35676": "true",
"V-35678": "true",
"V-35679": "true",
"V-35680": "true",
"V-35681": "true",
"V-35682": "true",
"V-35683": "true",
"V-35684": "true",
"V-35685": "true",
"V-35686": "true",
"V-35687": "true",
"V-35689": "true",
"V-35716": "true",
"V-35721": "true",
"V-35724": "true",
"V-35727": "true",
"V-35733": "true",
"V-35734": "true",
"V-35735": "true",
"V-35736": "true",
"V-35737": "true",
"V-35738": "true",
"V-35739": "true",
"V-35740": "true",
"V-35741": "true",
"V-35742": "true",
"V-35743": "true",
"V-35744": "true",
"V-35745": "true",
"V-35766": "true",
"V-35768": "true",
"V-35770": "true",
"V-35772": "true",
"V-35774": "true",
"V-35775": "true",
"V-35778": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "application_server_security_requirements_guide",
"title": "Application Server Security Requirements Guide",
"version": "1"
}
}