STIGQter: STIG Summary: IBM WebSphere Traditional V9.x Security Technical Implementation Guide

Version: 1

Release: 1

Benchmark Date: 23 Aug 2018

Name | Title
SV-95907r1_rule | The WebSphere Application Server maximum in-memory session count must be set according to application requirements.
SV-95909r1_rule | The WebSphere Application Server admin console session timeout must be configured.
SV-95911r1_rule | The WebSphere Application Server automatic repository checkpoints must be enabled to track configuration changes.
SV-95913r1_rule | The WebSphere Application Server administrative security must be enabled.
SV-95915r1_rule | The WebSphere Application Server bus security must be enabled.
SV-95917r1_rule | The WebSphere Application Server security auditing must be enabled.
SV-95919r1_rule | The WebSphere Application Server groups in the user registry mapped to WebSphere auditor roles must be configured in accordance with the security plan.
SV-95921r1_rule | The WebSphere Application Server users in the WebSphere auditor role must be configured in accordance with the System Security Plan.
SV-95923r1_rule | The WebSphere Application Server audit event type filters must be configured.
SV-95925r1_rule | The WebSphere Application Server audit service provider must be enabled.
SV-95927r1_rule | The WebSphere Application Server users in a local user registry group must be authorized for that group.
SV-95929r1_rule | The WebSphere Application Server Quality of Protection (QoP) must be set to use TLSv1.2 or higher.
SV-95931r1_rule | The WebSphere Application Server global application security must be enabled.
SV-95933r1_rule | The WebSphere Application Server Single Sign On (SSO) must have SSL enabled for Web and SIP Security.
SV-95935r1_rule | The WebSphere Application Server security cookies must be set to HTTPOnly.
SV-95937r1_rule | The WebSphere Application Server Java 2 security must be enabled.
SV-95939r1_rule | The WebSphere Application Server Java 2 security must not be bypassed.
SV-95941r1_rule | The WebSphere Application Server users in the admin role must be authorized.
SV-95943r1_rule | The WebSphere Application Server LDAP groups must be authorized for the WebSphere role.
SV-95945r1_rule | The WebSphere Application Server users in a LDAP user registry group must be authorized for that group.
SV-95947r1_rule | The WebSphere Application Server management interface must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
SV-95949r1_rule | The WebSphere Application Server management interface must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
SV-95951r1_rule | The WebSphere Application Server must generate log records when successful/unsuccessful attempts to access subject privileges occur.
SV-95953r1_rule | The WebSphere Application Server must allocate JVM log record storage capacity in accordance with organization-defined log record storage requirements.
SV-95955r1_rule | The WebSphere Application Server must allocate audit log record storage capacity in accordance with organization-defined log record storage requirements.
SV-95957r1_rule | The WebSphere Application Server must provide an immediate real-time alert to authorized users of all log failure events requiring real-time alerts.
SV-95959r1_rule | The WebSphere Application Server must alert the SA and ISSO, at a minimum, in the event of a log processing failure.
SV-95961r1_rule | The WebSphere Application Server audit subsystem failure action must be set to Log warning.
SV-95963r1_rule | The WebSphere Application Server must shut down by default upon log failure (unless availability is an overriding concern).
SV-95965r1_rule | The WebSphere Application Server high availability applications must be configured to fail over to another system in the event of log subsystem failure.
SV-95967r1_rule | The WebSphere Application Server must be configured to protect log information from any type of unauthorized read access.
SV-95969r1_rule | The WebSphere Application Server must protect log information from unauthorized modification.
SV-95971r1_rule | The WebSphere Application Server must protect log information from unauthorized deletion.
SV-95973r1_rule | The WebSphere Application Server wsadmin file must be protected from unauthorized access.
SV-95975r1_rule | The WebSphere Application Server wsadmin file must be protected from unauthorized modification.
SV-95977r1_rule | The WebSphere Application Server wsadmin file must be protected from unauthorized deletion.
SV-95979r1_rule | The WebSphere Application Server must be configured to encrypt log information.
SV-95981r1_rule | The WebSphere Application Server must be configured to sign log information.
SV-95983r1_rule | The WebSphere Application Server process must not be started from the command line with the -password option.
SV-95985r1_rule | The WebSphere Application Server files must be owned by the non-root WebSphere user ID.
SV-95987r1_rule | The WebSphere Application Server sample applications must be removed.
SV-95989r1_rule | The WebSphere Application Server must remove JREs left by web server and plug-in installers for web servers and plugins running in the DMZ.
SV-95991r1_rule | The WebSphere Application Server must be run as a non-admin user.
SV-95993r1_rule | The WebSphere Application Server must disable JSP class reloading.
SV-96007r1_rule | The WebSphere Application Server must prohibit or restrict the use of nonsecure ports, protocols, modules, and/or services as defined in the PPSM CAL and vulnerability assessments.
SV-96013r1_rule | The WebSphere Application Server LDAP user registry must be used.
SV-96019r1_rule | The WebSphere Application Server local file-based user registry must not be used.
SV-96025r1_rule | The WebSphere Application Server multifactor authentication for network access to privileged accounts must be used.
SV-96039r1_rule | The WebSphere Application Server must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data.
SV-96043r1_rule | The WebSphere Application Server must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data.
SV-96047r1_rule | The WebSphere Application Server must authenticate all network-connected endpoint devices before establishing any connection.
SV-96055r1_rule | The WebSphere Application Server must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
SV-96057r1_rule | The WebSphere Application Server application security must be enabled for each security domain except for publicly available applications specified in the System Security Plan.
SV-96061r1_rule | The WebSphere Application Server secure LDAP (LDAPS) must be used for authentication.
SV-96065r1_rule | The WebSphere Application Server must prohibit the use of cached authenticators after an organization-defined time period.
SV-96071r1_rule | The WebSphere Application Server default keystore passwords must be changed.
SV-96075r1_rule | The WebSphere Application Server must use signer for DoD-issued certificates.
SV-96079r1_rule | The WebSphere Application Server must utilize FIPS 140-2-approved encryption modules when authenticating users and processes.
SV-96081r1_rule | The WebSphere Application Server must accept Personal Identity Verification (PIV) credentials from other federal agencies to access the management interface.
SV-96083r1_rule | The WebSphere Application Server must use DoD-approved Signer Certificates.
SV-96085r1_rule | The WebSphere Application Servers must not be in the DMZ.
SV-96087r1_rule | The WebSphere Application Server DoD root CAs must be in the trust store.
SV-96089r1_rule | The WebSphere Application Server personal certificates in all keystores must be issued by an approved DoD CA.
SV-96091r1_rule | The WebSphere Application Server must be configured to perform complete application deployments when using A/B clusters.
SV-96093r1_rule | The WebSphere Application servers with an RMF categorization of high must be in a high-availability (HA) cluster.
SV-96095r1_rule | The WebSphere Application Server must not generate LTPA keys automatically.
SV-96097r1_rule | The WebSphere Application Server must periodically regenerate LTPA keys.
SV-96099r1_rule | The WebSphere Application Server high availability applications must be installed on a cluster.
SV-96101r1_rule | The WebSphere Application Server memory session settings must be defined according to application load requirements.
SV-96103r1_rule | The WebSphere Application Server thread pool size must be defined according to application load requirements.
SV-96105r1_rule | The WebSphere Application Server must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
SV-96107r1_rule | The WebSphere Application Server distribution and consistency services (DCS) transport links must be encrypted.
SV-96109r1_rule | The WebSphere Application Server plugin must be configured to use HTTPS only.
SV-96111r1_rule | The WebSphere Application Server must remove organization-defined software components after updated versions have been installed.
SV-96113r1_rule | The WebSphere Application Server must apply the latest security fixes.
SV-96115r1_rule | The WebSphere Application Server must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVMs, CTOs, DTMs, and STIGs).
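Most rules in the list are checked inside the admin console or through wsadmin, but a handful are host-level and can be verified from a shell on the server: SV-95973, SV-95975 and SV-95977 (the wsadmin file must be protected from unauthorized access, modification and deletion), SV-95983 (the server process must not be started with the -password option) and SV-95985 (files owned by the non-root WebSphere user ID). The script below is an added example written for this summary; it is not part of the STIGQter page, the STIG, or IBM's tooling, and it does not reproduce the STIG's own check text. The install path /opt/IBM/WebSphere/AppServer, the file name bin/wsadmin.sh and the account name wasadmin are assumptions (placeholders) to be replaced with the values for the host under review.

```shell
#!/bin/sh
# Added example, not from the STIG or STIGQter: host-side checks for the
# file and process rules SV-95973/95975/95977, SV-95983 and SV-95985.
# Assumptions (placeholders, not facts from the page): WAS_HOME default path,
# the file name bin/wsadmin.sh and the service account name "wasadmin".

WAS_HOME="${WAS_HOME:-/opt/IBM/WebSphere/AppServer}"   # assumed default install path
WAS_USER="${WAS_USER:-wasadmin}"                        # assumed non-root service account

# SV-95983: a JVM launched with "-password <secret>" (or "-password=<secret>")
# leaks the secret to every local user via ps, /proc/<pid>/cmdline and shell
# history. Returns 0 when the option is present in the given command line.
cmdline_has_password() {
    printf '%s\n' "$1" | grep -Eq -- '(^|[[:space:]])-password([[:space:]=]|$)'
}

# SV-95973/95975/95977 and SV-95985: the file must be owned by the expected
# (non-root) WebSphere account and must grant nothing to group or others,
# i.e. mode 0700 or tighter. Only the owner may read, modify or delete it.
# Returns 0 when compliant, 1 when missing, wrongly owned or too permissive.
check_was_file() {
    f="$1"; owner="$2"
    [ -e "$f" ] || return 1
    set -- $(ls -ld "$f")            # $1 = mode string, $3 = owner name
    [ "$3" = "$owner" ] || return 1
    case "$1" in
        ????------*) return 0 ;;     # group and other fields are all "-"
        *)           return 1 ;;
    esac
}

# SV-95983 on a live host: scan every process command line (procps/BSD ps
# syntax) and report the ones that carry a credential.
report_password_on_cmdline() {
    ps -eo args= 2>/dev/null | while IFS= read -r line; do
        if cmdline_has_password "$line"; then
            printf 'FINDING SV-95983: credential on command line: %s\n' "$line"
        fi
    done
}

# File checks for the install tree. Exit status 1 if anything was found,
# so the function can sit directly in a cron job or CI step.
scan_was_home() {
    rc=0
    if [ "$WAS_USER" = "root" ]; then
        printf 'FINDING SV-95985: WAS_USER is root; the server must run under a non-root account\n'
        rc=1
    fi
    # the wsadmin file itself (assumed location under WAS_HOME/bin)
    if ! check_was_file "$WAS_HOME/bin/wsadmin.sh" "$WAS_USER"; then
        printf 'FINDING SV-95973/95975/95977: %s is missing, not owned by %s, or readable/writable by group or others\n' \
            "$WAS_HOME/bin/wsadmin.sh" "$WAS_USER"
        rc=1
    fi
    # anything under WAS_HOME not owned by the service account
    if [ -d "$WAS_HOME" ]; then
        others=$(find "$WAS_HOME" ! -user "$WAS_USER" -print 2>/dev/null | head -n 20)
        if [ -n "$others" ]; then
            printf 'FINDING SV-95985: files under %s not owned by %s (first 20):\n%s\n' \
                "$WAS_HOME" "$WAS_USER" "$others"
            rc=1
        fi
    fi
    return "$rc"
}

# Run both checks when executed directly (the process check prints its own findings).
if [ "${WAS_CHECK_RUN:-1}" = "1" ] && [ -z "${WAS_CHECK_LIBRARY:-}" ]; then
    report_password_on_cmdline
    scan_was_home
fi
```

Run it as root or as the service account with WAS_HOME and WAS_USER set for the host; the process check and the file check are deliberately separate, because a clean install tree says nothing about how the JVM was launched, and the reverse is equally true. The mode test is stricter than "owned by the right user": a 0755 wsadmin.sh owned by wasadmin still lets any local account read the script and would fail SV-95973.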