STIGQter: STIG Summary: Application Server Security Requirements Guide, Version: 3, Release: 1, Benchmark Date: 23 Oct 2020

The application server must generate a unique session identifier using a FIPS 140-2 approved random number generator.

DISA Rule

SV-204766r508029_rule

Vulnerability Number

V-204766

Group Title

SRG-APP-000224

Rule Version

SRG-APP-000224-AS-000152

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the application server to generate unique session identifiers and to use a FIPS 140-2 random number generator to generate the randomness of the session identifiers.

Check Contents

Review the application server configuration and documentation to determine if the application server uses a FIPS 140-2 approved random number generator to create unique session identifiers.

Have a user log onto the application server to determine if the session IDs generated are random and unique.

If the application server does not generate unique session identifiers and does not use a FIPS 140-2 random number generator to create the randomness of the session ID, this is a finding.

Documentable

False

Severity Override Guidance

Review the application server configuration and documentation to determine if the application server uses a FIPS 140-2 approved random number generator to create unique session identifiers.

Have a user log onto the application server to determine if the session IDs generated are random and unique.

If the application server does not generate unique session identifiers and does not use a FIPS 140-2 random number generator to create the randomness of the session ID, this is a finding.

Check Content Reference

M

Target Key

2900