The application server must fail securely in the event of an operational failure.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-35437	SRG-APP-000254-AS-000166	SV-46724r1_rule		Medium

Description
Fail secure is a condition achieved by the application server in order to ensure that in the event of an operational failure, the system does not enter into an unsecure state where intended security properties no longer hold. An example of secure failure is when an application server is configured for secure LDAP (LDAPS) authentication. If the AS fails to make a successful LDAPS connection it does not try to use unencrypted LDAP instead.

Description

Fail secure is a condition achieved by the application server in order to ensure that in the event of an operational failure, the system does not enter into an unsecure state where intended security properties no longer hold. An example of secure failure is when an application server is configured for secure LDAP (LDAPS) authentication. If the AS fails to make a successful LDAPS connection it does not try to use unencrypted LDAP instead.

STIG	Date
Application Server Security Requirements Guide	2013-01-08

Details

Check Text ( C-43791r1_chk )
Review AS documentation and configuration to determine if the AS fails securely in the event of an operational failure. If the AS cannot be configured to fail securely, this is a finding.

Fix Text (F-39981r1_fix)
Configure the AS to fail securely in the event of operational failure.