The application server must identify potentially security-relevant error conditions.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-35439 | SRG-APP-000265-AS-000168 | SV-46726r1_rule | Low |
| Description |
|---|
| The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the application server is able to identify and handle error conditions is guided by organizational policy and operational requirements. Adequate logging levels and system performance capabilities need to be balanced with data protection requirements. Application servers must have the capability to log at various levels which can provide log entries for potential security related error events. An example is the capability for the application server to assign a criticality level to a failed login attempt error message, a security-related error message being of a higher criticality. |
| STIG | Date |
|---|---|
| Application Server Security Requirements Guide | 2013-01-08 |
Details
| Check Text ( C-43793r1_chk ) |
|---|
| Review the AS configuration to determine if the system identifies potentially security-relevant error conditions on the server. If this function is not performed, this is a finding. |
| Fix Text (F-39983r1_fix) |
|---|
| Configure the AS to identify potentially security-relevant error conditions on the server. |