
IBM WebSphere Traditional V9.x Security Technical Implementation Guide


Overview

Date: 2018-08-24
Finding Count: 76 (CAT I (High): 9, CAT II (Med): 55, CAT III (Low): 12)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Public)

Finding ID Severity Title
V-81357 High The WebSphere Application Server default keystore passwords must be changed.
V-81219 High The WebSphere Application Server Single Sign On (SSO) must have SSL enabled for Web and SIP Security.
V-81217 High The WebSphere Application Server global application security must be enabled.
V-81225 High The WebSphere Application Server Java 2 security must not be bypassed.
V-81223 High The WebSphere Application Server Java 2 security must be enabled.
V-81199 High The WebSphere Application Server administrative security must be enabled.
V-81343 High The WebSphere Application Server application security must be enabled for each security domain except for publicly available applications specified in the System Security Plan.
V-81347 High The WebSphere Application Server secure LDAP (LDAPS) must be used for authentication.
V-81201 High The WebSphere Application Server bus security must be enabled.
V-81257 Medium The WebSphere Application Server must protect log information from unauthorized deletion.
V-81389 Medium The WebSphere Application Server thread pool size must be defined according to application load requirements.
V-81385 Medium The WebSphere Application Server high availability applications must be installed on a cluster.
V-81247 Medium The WebSphere Application Server audit subsystem failure action must be set to Log warning.
V-81239 Medium The WebSphere Application Server must allocate JVM log record storage capacity in accordance with organization-defined log record storage requirements.
V-81373 Medium The WebSphere Application Server DoD root CAs must be in the trust store.
V-81371 Medium The WebSphere Application Servers must not be in the DMZ.
V-81235 Medium The WebSphere Application Server management interface must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
V-81233 Medium The WebSphere Application Server management interface must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
V-81375 Medium The WebSphere Application Server personal certificates in all keystores must be issued by an approved DoD CA.
V-81231 Medium The WebSphere Application Server users in a LDAP user registry group must be authorized for that group.
V-81401 Medium The WebSphere Application Server must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVMs, CTOs, DTMs, and STIGs).
V-81259 Medium The WebSphere Application Server wsadmin file must be protected from unauthorized access.
V-81271 Medium The WebSphere Application Server files must be owned by the non-root WebSphere user ID.
V-81351 Medium The WebSphere Application Server must prohibit the use of cached authenticators after an organization-defined time period.
V-81277 Medium The WebSphere Application Server must be run as a non-admin user.
V-81311 Medium The WebSphere Application Server multifactor authentication for network access to privileged accounts must be used.
V-81215 Medium The WebSphere Application Server Quality of Protection (QoP) must be set to use TLSv1.2 or higher.
V-81333 Medium The WebSphere Application Server must authenticate all network-connected endpoint devices before establishing any connection.
V-81211 Medium The WebSphere Application Server audit service provider must be enabled.
V-81213 Medium The WebSphere Application Server users in a local user registry group must be authorized for that group.
V-81391 Medium The WebSphere Application Server must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
V-81393 Medium The WebSphere Application Server distribution and consistency services (DCS) transport links must be encrypted.
V-81395 Medium The WebSphere Application Server plugin must be configured to use HTTPS only.
V-81397 Medium The WebSphere Application Server must remove organization-defined software components after updated versions have been installed.
V-81399 Medium The WebSphere Application Server must apply the latest security fixes.
V-81299 Medium The WebSphere Application Server LDAP user registry must be used.
V-81221 Medium The WebSphere Application Server security cookies must be set to HTTPOnly.
V-81279 Medium The WebSphere Application Server must disable JSP class reloading.
V-81227 Medium The WebSphere Application Server users in the admin role must be authorized.
V-81255 Medium The WebSphere Application Server must protect log information from unauthorized modification.
V-81243 Medium The WebSphere Application Server must provide an immediate real-time alert to authorized users of all log failure events requiring real-time alerts.
V-81361 Medium The WebSphere Application Server must use signer for DoD-issued certificates.
V-81241 Medium The WebSphere Application Server must allocate audit log record storage capacity in accordance with organization-defined log record storage requirements.
V-81305 Medium The WebSphere Application Server local file-based user registry must not be used.
V-81269 Medium The WebSphere Application Server process must not be started from the command line with the -password option.
V-81367 Medium The WebSphere Application Server must accept Personal Identity Verification (PIV) credentials from other federal agencies to access the management interface.
V-81197 Medium The WebSphere Application Server automatic repository checkpoints must be enabled to track configuration changes.
V-81195 Medium The WebSphere Application Server admin console session timeout must be configured.
V-81341 Medium The WebSphere Application Server must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
V-81261 Medium The WebSphere Application Server wsadmin file must be protected from unauthorized modification.
V-81263 Medium The WebSphere Application Server wsadmin file must be protected from unauthorized deletion.
V-81229 Medium The WebSphere Application Server LDAP groups must be authorized for the WebSphere role.
V-81265 Medium The WebSphere Application Server must be configured to encrypt log information.
V-81193 Medium The WebSphere Application Server maximum in-memory session count must be set according to application requirements.
V-81293 Medium The WebSphere Application Server must prohibit or restrict the use of nonsecure ports, protocols, modules, and/or services as defined in the PPSM CAL and vulnerability assessments.
V-81329 Medium The WebSphere Application Server must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data.
V-81209 Medium The WebSphere Application Server audit event type filters must be configured.
V-81369 Medium The WebSphere Application Server must use DoD-approved Signer Certificates.
V-81207 Medium The WebSphere Application Server users in the WebSphere auditor role must be configured in accordance with the System Security Plan.
V-81325 Medium The WebSphere Application Server must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data.
V-81205 Medium The WebSphere Application Server groups in the user registry mapped to WebSphere auditor roles must be configured in accordance with the security plan.
V-81365 Medium The WebSphere Application Server must utilize FIPS 140-2-approved encryption modules when authenticating users and processes.
V-81203 Medium The WebSphere Application Server security auditing must be enabled.
V-81267 Medium The WebSphere Application Server must be configured to sign log information.
V-81387 Low The WebSphere Application Server memory session settings must be defined according to application load requirements.
V-81383 Low The WebSphere Application Server must periodically regenerate LTPA keys.
V-81381 Low The WebSphere Application Server must not generate LTPA keys automatically.
V-81273 Low The WebSphere Application Server sample applications must be removed.
V-81237 Low The WebSphere Application Server must generate log records when successful/unsuccessful attempts to access subject privileges occur.
V-81377 Low The WebSphere Application Server must be configured to perform complete application deployments when using A/B clusters.
V-81275 Low The WebSphere Application Server must remove JREs left by web server and plug-in installers for web servers and plugins running in the DMZ.
V-81251 Low The WebSphere Application Server high availability applications must be configured to fail over to another system in the event of log subsystem failure.
V-81249 Low The WebSphere Application Server must shut down by default upon log failure (unless availability is an overriding concern).
V-81253 Low The WebSphere Application Server must be configured to protect log information from any type of unauthorized read access.
V-81245 Low The WebSphere Application Server must alert the SA and ISSO, at a minimum, in the event of a log processing failure.
V-81379 Low The WebSphere Application servers with an RMF categorization of high must be in a high-availability (HA) cluster.