STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide, Version: 5, Release: 1, Benchmark Date: 23 Oct 2020

The designer must ensure the application does not store configuration and control files in the same directory as user data.

DISA Rule

SV-222626r508029_rule

Vulnerability Number

V-222626

Group Title

SRG-APP-000516

Rule Version

APSC-DV-002960

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Separate the application user data into a different directory than the application code, and use file permissions to restrict user access to application configuration settings.

Check Contents

Review the application documentation and interview the application administrator.

Ask the application administrator or examine the application documentation to determine the file location of the application configuration settings and user data.

Identify the directory where the application code, configuration settings and other application control data are located.

Identify where user data is stored.

Examine the file permissions on the application folder.

If the application user data is located in the same directory as the application configuration settings or control files, or if the file permissions allow application users write access to application configuration settings, this is a finding.
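
The file-system part of this check can be scripted. The following is an added example, not part of the STIG: the function names, paths and account ids are assumptions, and it goes slightly beyond the check text by resolving symlinks before comparing directories and by treating a writable configuration directory as a finding. It evaluates POSIX mode bits only and ignores ACLs.

```python
import os
import stat


def can_write(st, uid, gids):
    """Classic POSIX mode-bit evaluation: owner, then group, then other."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_separation(config_dir, data_dir, uid, gids=()):
    """Return findings for the two conditions in the check text."""
    findings = []
    cfg = os.path.realpath(config_dir)   # resolve symlinks so aliases compare equal
    data = os.path.realpath(data_dir)

    # Condition 1: user data stored in the same directory as configuration.
    if cfg == data:
        findings.append(f"same directory: {cfg}")

    # Condition 2: the application user can write to configuration settings.
    # Directories count too: write access to a directory allows replacing its files.
    for root, _dirs, files in os.walk(cfg):
        for path in [root] + [os.path.join(root, f) for f in files]:
            if os.path.islink(path):
                continue  # a link's own mode bits say nothing about its target
            if can_write(os.stat(path), uid, set(gids)):
                findings.append(f"writable by uid {uid}: {path}")
    return findings


if __name__ == "__main__":
    # Constructed sample: hypothetical paths and application account ids.
    for line in audit_separation("/opt/app/conf", "/var/lib/app/data",
                                 uid=1001, gids=[1001]):
        print("FINDING:", line)
```

An empty result means neither condition was detected for that account; run it once per application user account or group of interest.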

Documentable

False

Check Content Reference

M

Target Key

4093
