The application server must restrict error messages so only authorized personnel may view them.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-35441 | SRG-APP-000267-AS-000170 | SV-46728r1_rule | Medium |
| Description |
|---|
| If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Application servers must protect the error messages that are created by the application server. All AS users' accounts are used for the management of the server and the applications residing on the AS. All accounts are assigned to a certain role with corresponding access rights. The AS must restrict access to error messages so only authorized personnel may view them. Error messages are usually written to logs contained on the file system. The application server will usually create new log files as needed and must take steps to ensure that the proper file permissions are utilized when the log files are created. |
| STIG | Date |
|---|---|
| Application Server Security Requirements Guide | 2013-01-08 |
Details
| Check Text ( C-43795r1_chk ) |
|---|
| Review the AS configuration and documentation to determine if the AS will restrict access to error messages so only the authorized users may view or otherwise access them. If the AS cannot be configured to restrict access to error messages to only authorized users, this is a finding. |
| Fix Text (F-39985r1_fix) |
|---|
| Configure the AS to restrict access to error messages so only the authorized users may view or otherwise access them. |