
The application server must validate the binding of the information producer's identity to the information.


Overview

Finding ID: V-35138
Version: SRG-APP-000082-AS-000047
Rule ID: SV-46425r1_rule
IA Controls: (none)
Severity: Medium
Description
Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document. This non-repudiation control enhancement is intended to mitigate the risk that information gets modified between production and review. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Application servers must be able to authenticate digitally signed application deployment files.
STIG: Application Server Security Requirements Guide
Date: 2013-01-08

Details

Check Text (C-43525r1_chk)
Review product documentation and the AS deployment configuration to determine if the AS authenticates the digital certificates used to sign the application deployment files. If the AS does not meet this requirement, this is a finding.
Fix Text (F-39689r1_fix)
Configure the AS to authenticate digitally signed application deployment files.