SV-222534r508029_rule
V-222534
SRG-APP-000395
APSC-DV-001660
CAT II
10
Configure the application to utilize mutual authentication when the application is processing non-releasable data.
Review application documentation and interview application administrator.
Identify application data elements and determine if the application is handling/processing non-releasable data.
Review the application architecture and design documents.
Identify endpoint devices that interact with the application. These can be SOA gateways, VoIP phones, or other devices that are used to connect to and exchange data with the application.
If the design documentation specifies it, this could also include remote client workstations. However, this requirement is usually reserved for system-oriented endpoints rather than client workstations.
In order for two-way SSL/TLS mutual authentication to work properly, the server must be configured to request client certificates.
Access the application's management console and navigate to the SSL/TLS management utility or web page that is used to configure two-way mutual authentication.
Verify endpoints are configured for client authentication (mutual authentication).
Some application architectures configure their settings in text or XML formatted files; in that case, have the application administrator identify the configuration files used by the application (e.g., web.xml stored in the WEB-INF/ subdirectory of the application root folder).
Open the web.xml file in a text editor and verify that, in the application's deployment descriptor, the "login-config" element for the resource requiring protection is set to CLIENT-CERT.
If SSL/TLS mutual authentication is required because the application processes non-releasable data, and SSL/TLS mutual authentication is not being utilized, this is a finding.
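As an added example (not part of the STIG text), the web.xml check above automated in Python: it assumes the Servlet specification's descriptor layout, where the "login-config" element carries an "auth-method" child, and uses constructed sample descriptors rather than any real application's files.

```python
# Added example (not from the STIG): check a Java web.xml deployment
# descriptor for the CLIENT-CERT login configuration that APSC-DV-001660
# expects. Assumes the Servlet-spec layout, where <login-config> holds an
# <auth-method> child (BASIC, DIGEST, FORM or CLIENT-CERT). Sample
# descriptors below are constructed for this example.
import xml.etree.ElementTree as ET

def _local(tag: str) -> str:
    # Drop the namespace so descriptors using the java.sun.com or
    # xmlns.jcp.org namespace (or none at all) are handled alike.
    return tag.rsplit("}", 1)[-1]

def check_login_config(web_xml: str) -> dict:
    """Return the first <auth-method> under <login-config> and whether it
    is CLIENT-CERT; a missing login-config is reported as non-compliant."""
    root = ET.fromstring(web_xml)
    methods = [
        (child.text or "").strip()
        for el in root.iter() if _local(el.tag) == "login-config"
        for child in el if _local(child.tag) == "auth-method"
    ]
    auth_method = methods[0] if methods else None
    compliant = auth_method is not None and auth_method.upper() == "CLIENT-CERT"
    return {"auth_method": auth_method, "compliant": compliant}

# Constructed sample descriptors for the example.
COMPLIANT_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
</web-app>"""

BASIC_WEB_XML = """<web-app>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

NO_LOGIN_CONFIG_WEB_XML = "<web-app><display-name>app</display-name></web-app>"

if __name__ == "__main__":
    for name, xml in [("client-cert", COMPLIANT_WEB_XML),
                      ("basic", BASIC_WEB_XML), ("none", NO_LOGIN_CONFIG_WEB_XML)]:
        print(name, check_login_config(xml))
```

Run against a real deployment descriptor by reading the file contents into a string; the namespace-stripping helper keeps the check working whichever Java EE schema version the descriptor declares.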