STIGQter STIGQter: STIG Summary: IBM WebSphere Traditional V9.x Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 23 Aug 2018: The WebSphere Application Server must be configured to sign log information.

DISA Rule

SV-95981r1_rule

Vulnerability Number

V-81267

Group Title

SRG-APP-000126-AS-000085

Rule Version

WBSP-AS-000820

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

From the administrative console, click Security >> Security Auditing >> Audit record signing configuration.

Select the "Enable signing" checkbox.

Select the keystore that contains the encrypting certificate from the drop-down menu.

If you are using an existing certificate to sign your audit records, ensure the Certificate in keystore is selected and specify the intended certificate in the "Certificate alias" drop-down menu.

If you are generating a new certificate to sign your audit records, do NOT use the "Create a new certificate in the selected keystore" option, this will generate a SHA-1 signed certificate, which is not allowed.

Instead, select Security >> SSL Certificate and key management >> KeyStores and Certificates.

Select the keystore that is associated with the server hosting the audit logs.

Select "Personal Certificates".

Select "Create".

Select either a CA-Signed or Chained Certificate based on your requirements.

Fill in the information required to generate the certificate.

Restart the DMGR and all the JVMs.

Check Contents

From the administrative console, click Security >> Security Auditing >> Audit record signing configuration.

If the "Enable signing" checkbox is not selected, this is a finding.

Vulnerability Number

V-81267

Documentable

False

Rule Version

WBSP-AS-000820

Severity Override Guidance

From the administrative console, click Security >> Security Auditing >> Audit record signing configuration.

If the "Enable signing" checkbox is not selected, this is a finding.

Check Content Reference

M

Target Key

3399

Comments