UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The WebSphere Liberty Server must be configured to encrypt log information.


Overview

Finding ID Version Rule ID IA Controls Severity
V-250330 IBMW-LS-000320 SV-250330r862975_rule Medium
Description
Protection of log records is of critical importance. Encrypting log records provides a level of protection that does not rely on host-based protections that can be accidentally misconfigured, such as file system permissions. Cryptographic mechanisms are the industry-established standard used to protect the integrity of log data. An example of a cryptographic mechanism is the computation and application of a cryptographic-signed hash using asymmetric cryptography. - The security feature (appSecurity-2.0) must be defined in order to configure a user registry for the servlet to authenticate against. - The audit feature (audit-1.0) must be defined in order to generate audit records. - The servlet feature (servlet-3.1) must be defined to be able to deploy a web application. - The ejb feature (ejbLite-3.1) must be defined to be able to deploy an ejb application. - The ssl feature (ssl-1.0) must be defined to be able to generate and use certificates to sign and encrypt logs. - The ldap feature (ldapRegistry-3.0) must be defined in order to configure an enterprise-level user registry to authenticate users against. When the audit-1.0 feature is defined, all supported audit events will be captured and logged to an audit.log located under ${server.config.dir}/logs. The audit log that is currently being logged to is called audit.log. When an audit log fills to a configured maximum capacity, it is archived with a timestamp with the naming convention audit_<timestamp>.log and new records are written to audit.log. The audit logs are found under the ${server.config.dir}/logs directory and are named audit.log for the most recent, and audit_<timestamp>.log for any archived logs. One keystore needs to be created (ikeyman as part of the JDK may be used) and a personal certificate created. This certificate is used to encrypt the logs. The audit configuration needs to define the location of this keystore, its password, and the alias of the certificate used to encrypt the logs. As an example: <keyStore id="auditEncKeyStore" password="Liberty" location="${server.config.dir}/resources/security/AuditEncryptionKeyStore.jks" type="JKS" /> <keyStore id="auditSignKeyStore" password="{xor}EzY9Oi0rJg==" location="${server.config.dir}/resources/security/AuditSigningKeyStore2.jks" type="JKS" /> <auditFileHandler encrypt="true" encryptAlias="auditencryption" encryptKeyStoreRef="auditEncKeyStore" </auditFileHandler> Satisfies: SRG-APP-000126-AS-000085, SRG-APP-000118-AS-000078, SRG-APP-000267-AS-000170
STIG Date
IBM WebSphere Liberty Server Security Technical Implementation Guide 2022-09-09

Details

Check Text ( C-53765r862973_chk )
If the system is configured to send logs to a remote ELK stack log server, as per requirement IBMW-LS-000230, (or other remote logging solution) this requirement is Not Applicable.

As a user with local file access to ${server.config.dir}/server.xml:

1. Verify the following features are configured.


appSecurity-2.0
audit-1.0
ssl-1.0


2. Verify a keystore is configured. The following is an example:

id="auditEncKeyStore"
password="ENTER THE ENCRYPTION KEYSTORE PASSWORD"
location="${server.config.dir}/resources/security/AuditEncryptionKeyStore.jks"
type="JKS" />

id="auditSignKeyStore"
password="ENTER THE SIGNING KEYSTORE PASSWORD"
location="${server.config.dir}/resources/security/AuditSigningKeyStore2.jks"
type="JKS" />

3. Verify auditFileHandler encryption is enabled. Signing is optional.

encrypt="true"
encryptAlias="auditencryption"
encryptKeyStoreRef="auditEncKeyStore"
sign="true"
signingAlias="auditsigning2"
signingKeyStoreRef="auditSignKeyStore">


If the features and keystore are not configured, and encryption is not enabled, this is a finding.
Fix Text (F-53719r862974_fix)
If the system is configured to send logs to a remote ELK stack log server, (or other remote logging solution) as per requirement IBMW-LS-000230, this requirement is Not Applicable.

Signing is optional. The encrypted and/or signed audit logs are found under the ${server.config.dir}/logs directory and are named audit.log for the most recent, and audit_.log for any archived logs. Two keystores are recommended but not required when doing both encryption and signing (ikeyman as part of the JDK may be used) and a certificate imported into each. One keystore will contain the certificate used to encrypt the logs; the other keystore will contain the certificate used to sign the logs. The audit configuration must define the location of every keystore, their passwords, and the alias of each certificate used to encrypt and sign the logs.

1. Enable the following features:


appSecurity-2.0
audit-1.0
ssl-1.0



2. Verify a keystore is configured. The following is a JKS keystore example. PKCS12 is also a viable keystore:

id="auditEncKeyStore"
password="ENTER THE ENCRYPTION KEYSTORE PASSWORD"
location="${server.config.dir}/resources/security/AuditEncryptionKeyStore.jks"
type="JKS" />

id="auditSignKeyStore"
password="ENTER THE SIGNING KEYSTORE PASSWORD"
location="${server.config.dir}/resources/security/AuditSigningKeyStore2.jks"
type="JKS" />

3. Enable auditFileHandler encryption. Signing the logs is optional.

encrypt="true"
encryptAlias="auditencryption"
encryptKeyStoreRef="auditEncKeyStore"
sign="true"
signingAlias="auditsigning2"
signingKeyStoreRef="auditSignKeyStore">