STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020

The application must enforce access restrictions associated with changes to application configuration.

DISA Rule

SV-222511r508029_rule

Vulnerability Number

V-222511

Group Title

SRG-APP-000380

Rule Version

APSC-DV-001410

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the application to limit access to configuration settings to only authorized users.

Check Contents

Review the application documentation and configuration settings.

Access the application configuration settings interface as a regular non-privileged user. Attempt to make configuration changes to the application.

If configuration changes can be made by regular non-privileged users, this is a finding.

Review the locations of all configuration files used by the application.

Examine the file permission settings and determine who has access to the configuration files.

If access permissions to configuration files are not restricted to application administrators, this is a finding.
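The file-permission part of this check can be scripted. The following is an added example, not part of the STIG text: it assumes a POSIX system, that the caller supplies the UIDs and GIDs of the application administrators, and it goes one step beyond the check wording by also flagging a parent directory that non-administrators can write to. The function names and the sample file `app.conf` are hypothetical.

```python
import os
import stat
import tempfile

def audit_config_path(path, admin_uids, admin_gids):
    """Return a list of findings for one configuration file (empty list = no finding)."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid not in admin_uids:
        findings.append(f"owner uid {st.st_uid} is not an application administrator")
    if mode & (stat.S_IRGRP | stat.S_IWGRP) and st.st_gid not in admin_gids:
        findings.append(f"group gid {st.st_gid} has access (mode {mode:04o})")
    if mode & stat.S_IRWXO:
        findings.append(f"other users have access (mode {mode:04o})")
    # A writable parent directory lets a user replace the file regardless of its own mode.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    pmode = stat.S_IMODE(parent.st_mode)
    if pmode & stat.S_IWOTH or (pmode & stat.S_IWGRP and parent.st_gid not in admin_gids):
        findings.append(f"parent directory is writable by non-administrators (mode {pmode:04o})")
    return findings

def demo():
    """Constructed sample: a temp config file checked under a restrictive and a loose mode."""
    admins = {os.getuid()}  # assumption: the current user stands in for the app administrator
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "app.conf")  # constructed sample file
        with open(cfg, "w") as f:
            f.write("debug = false\n")
        os.chmod(cfg, 0o600)
        restricted = audit_config_path(cfg, admins, set())
        os.chmod(cfg, 0o666)
        loose = audit_config_path(cfg, admins, set())
    return restricted, loose

if __name__ == "__main__":
    for label, result in zip(("0600", "0666"), demo()):
        print(label, "->", result or "no finding")
```

This inspects mode bits and ownership only; POSIX ACLs and the in-application settings interface still need to be reviewed separately.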

Documentable

False

Severity Override Guidance

Review the application documentation and configuration settings.

Access the application configuration settings interface as a regular non-privileged user. Attempt to make configuration changes to the application.

If configuration changes can be made by regular non-privileged users, this is a finding.

Review the locations of all configuration files used by the application.

Examine the file permission settings and determine who has access to the configuration files.

If access permissions to configuration files are not restricted to application administrators, this is a finding.

Check Content Reference

M

Target Key

4093
