IBM WebSphere Liberty Server Security Technical Implementation Guide


Overview

Date: 2021-08-30
Finding Count: 29 (CAT I (High): 6, CAT II (Med): 23, CAT III (Low): 0)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC II - Mission Support Public)

Finding ID Severity Title
V-250339 High The WebSphere Liberty Server must use FIPS 140-2 approved encryption modules when authenticating users and processes.
V-250336 High The WebSphere Liberty Server must store only encrypted representations of user passwords.
V-250337 High The WebSphere Liberty Server must use TLS-enabled LDAP.
V-250335 High Multifactor authentication for network access to privileged accounts must be used.
V-250326 High Users in the REST API admin role must be authorized.
V-250341 High Application security must be enabled on the WebSphere Liberty Server.
V-250350 Medium The WebSphere Liberty Server must generate log records for authentication and authorization events.
V-250338 Medium The WebSphere Liberty Server must use DoD-issued/signed certificates.
V-250334 Medium Basic Authentication must be disabled.
V-250332 Medium The WebSphere Liberty Server must prohibit or restrict the use of nonsecure ports, protocols, modules, and/or services as defined in the PPSM CAL and vulnerability assessments.
V-250333 Medium The WebSphere Liberty Server must use an LDAP user registry.
V-250330 Medium The WebSphere Liberty Server must be configured to encrypt log information.
V-250331 Medium The WebSphere Liberty Server must protect software libraries from unauthorized access.
V-250322 Medium Maximum in-memory session count must be set according to application requirements.
V-250343 Medium The WebSphere Liberty Server must allocate JVM log record storage capacity in accordance with organization-defined log record storage requirements.
V-250324 Medium Security cookies must be set to HTTPOnly.
V-250327 Medium The WebSphere Liberty Server must be configured to offload logs to a centralized system.
V-250347 Medium The WebSphere Liberty Server must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
V-250346 Medium The WebSphere Liberty Server LTPA keys password must be changed.
V-250323 Medium The WebSphere Liberty Server Quality of Protection (QoP) must be set to use TLSv1.2 or higher.
V-250344 Medium The server.xml file must be protected from unauthorized modification.
V-250325 Medium The WebSphere Liberty Server must log remote session and security activity.
V-250342 Medium Users in a reader-role must be authorized.
V-250340 Medium HTTP session timeout must be configured.
V-250329 Medium The WebSphere Liberty Server must protect log tools from unauthorized access.
V-250328 Medium The WebSphere Liberty Server must protect log information from unauthorized access or changes.
V-250349 Medium The WebSphere Liberty Server must install security-relevant software updates within the time period directed by an authoritative source.
V-250348 Medium The WebSphere Liberty Server must be configured to use HTTPS only.
V-250345 Medium The WebSphere Liberty Server must prohibit the use of cached authenticators after an organization-defined time period.