STIGQter: STIG Summary

Oracle WebLogic Server 12c Security Technical Implementation Guide

Version: 2

Release: 1

Benchmark Date: 23 Apr 2021

SV-235928r628562_rule: Oracle WebLogic must utilize cryptography to protect the confidentiality of remote access management sessions.
SV-235929r628565_rule: Oracle WebLogic must use cryptography to protect the integrity of the remote access session.
SV-235930r628568_rule: Oracle WebLogic must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
SV-235931r628571_rule: Oracle WebLogic must ensure remote sessions for accessing security functions and security-relevant information are audited.
SV-235932r672375_rule: Oracle WebLogic must support the capability to disable network protocols deemed by the organization to be non-secure except for explicitly identified components in support of specific operational requirements.
SV-235933r628577_rule: Oracle WebLogic must automatically audit account creation.
SV-235934r628580_rule: Oracle WebLogic must automatically audit account modification.
SV-235935r628583_rule: Oracle WebLogic must provide access logging that ensures users who are granted a privileged role (or roles) have their privileged activity logged.
SV-235936r628586_rule: Oracle WebLogic must limit the number of failed login attempts to an organization-defined number of consecutive invalid attempts that occur within an organization-defined time period.
SV-235937r628589_rule: Oracle WebLogic must enforce the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted.
SV-235938r628592_rule: Oracle WebLogic must automatically lock accounts when the maximum number of unsuccessful login attempts is exceeded for an organization-defined time period or until the account is unlocked by an administrator.
SV-235939r628595_rule: Oracle WebLogic must protect against an individual falsely denying having performed a particular action.
SV-235940r628598_rule: Oracle WebLogic must compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within an organization-defined level of tolerance.
SV-235941r628601_rule: Oracle WebLogic must generate audit records for the DoD-selected list of auditable events.
SV-235942r628604_rule: Oracle WebLogic must produce process events and severity levels to establish what type of HTTPD-related events and severity levels occurred.
SV-235943r628607_rule: Oracle WebLogic must produce audit records containing sufficient information to establish what type of JVM-related events and severity levels occurred.
SV-235944r628610_rule: Oracle WebLogic must produce process events and security levels to establish what type of Oracle WebLogic process events and severity levels occurred.
SV-235945r628613_rule: Oracle WebLogic must produce audit records containing sufficient information to establish when (date and time) the events occurred.
SV-235946r628616_rule: Oracle WebLogic must produce audit records containing sufficient information to establish where the events occurred.
SV-235947r628619_rule: Oracle WebLogic must produce audit records containing sufficient information to establish the sources of the events.
SV-235948r628622_rule: Oracle WebLogic must produce audit records that contain sufficient information to establish the outcome (success or failure) of application server and application events.
SV-235949r628625_rule: Oracle WebLogic must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event.
SV-235950r628628_rule: Oracle WebLogic must provide the ability to write specified audit record content to an audit log server.
SV-235951r628631_rule: Oracle WebLogic must provide a real-time alert when organization-defined audit failure events occur.
SV-235952r628634_rule: Oracle WebLogic must alert designated individual organizational officials in the event of an audit processing failure.
SV-235953r628637_rule: Oracle WebLogic must notify administrative personnel as a group in the event of audit processing failure.
SV-235954r628640_rule: Oracle WebLogic must use internal system clocks to generate time stamps for audit records.
SV-235955r628643_rule: Oracle WebLogic must synchronize with internal information system clocks which, in turn, are synchronized on an organization-defined frequency with an organization-defined authoritative time source.
SV-235956r628646_rule: Oracle WebLogic must protect audit information from any type of unauthorized read access.
SV-235957r628649_rule: Oracle WebLogic must protect audit tools from unauthorized access.
SV-235958r628652_rule: Oracle WebLogic must protect audit tools from unauthorized modification.
SV-235959r628655_rule: Oracle WebLogic must protect audit tools from unauthorized deletion.
SV-235960r628658_rule: Oracle WebLogic must limit privileges to change the software resident within software libraries (including privileged programs).
SV-235961r628661_rule: Oracle WebLogic must adhere to the principles of least functionality by providing only essential capabilities.
SV-235962r672376_rule: Oracle WebLogic must prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.
SV-235963r628667_rule: Oracle WebLogic must utilize automated mechanisms to prevent program execution on the information system.
SV-235964r628670_rule: Oracle WebLogic must uniquely identify and authenticate users (or processes acting on behalf of users).
SV-235965r628673_rule: Oracle WebLogic must authenticate users individually prior to using a group authenticator.
SV-235966r628676_rule: Oracle WebLogic must enforce minimum password length.
SV-235967r628679_rule: Oracle WebLogic must enforce password complexity by the number of upper-case characters used.
SV-235968r628682_rule: Oracle WebLogic must enforce password complexity by the number of lower-case characters used.
SV-235969r628685_rule: Oracle WebLogic must enforce password complexity by the number of numeric characters used.
SV-235970r628688_rule: Oracle WebLogic must enforce password complexity by the number of special characters used.
SV-235971r628691_rule: Oracle WebLogic must encrypt passwords during transmission.
SV-235972r628694_rule: Oracle WebLogic must utilize encryption when using LDAP for authentication.
SV-235973r628697_rule: Oracle WebLogic, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor.
SV-235974r628700_rule: Oracle WebLogic must map the PKI-based authentication identity to the user account.
SV-235975r628703_rule: Oracle WebLogic must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
SV-235976r628706_rule: Oracle WebLogic must utilize FIPS 140-2 approved encryption modules when authenticating users and processes.
SV-235977r628709_rule: Oracle WebLogic must employ cryptographic encryption to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications.
SV-235978r628712_rule: Oracle WebLogic must employ strong identification and authentication techniques when establishing nonlocal maintenance and diagnostic sessions.
SV-235979r628715_rule: Oracle WebLogic must terminate the network connection associated with a communications session at the end of the session or after a DoD-defined time period of inactivity.
SV-235980r628718_rule: Oracle WebLogic must establish a trusted communications path between the user and organization-defined security functions within the information system.
SV-235981r628721_rule: Oracle WebLogic must utilize NSA-approved cryptography when protecting classified compartmentalized data.
SV-235982r628724_rule: Oracle WebLogic must protect the integrity and availability of publicly available information and applications.
SV-235983r628727_rule: Oracle WebLogic must separate hosted application functionality from Oracle WebLogic management functionality.
SV-235984r628730_rule: Oracle WebLogic must ensure authentication of both client and server during the entire session.
SV-235985r628733_rule: Oracle WebLogic must terminate user sessions upon user logout or any other organization- or policy-defined session termination events such as idle time limit exceeded.
SV-235986r628736_rule: Oracle WebLogic must be configured to perform complete application deployments.
SV-235987r628739_rule: Oracle WebLogic must protect the confidentiality of applications and leverage transmission protection mechanisms, such as TLS and SSL VPN, when deploying applications.
SV-235988r628742_rule: Oracle WebLogic must protect the integrity of applications during the processes of data aggregation, packaging, and transformation in preparation for deployment.
SV-235989r628745_rule: Oracle WebLogic must protect against or limit the effects of HTTP types of Denial of Service (DoS) attacks.
SV-235990r628748_rule: Oracle WebLogic must limit the use of resources by priority and not impede the host from servicing processes designated as a higher-priority.
SV-235991r628751_rule: Oracle WebLogic must fail securely in the event of an operational failure.
SV-235992r628754_rule: Oracle WebLogic must employ approved cryptographic mechanisms when transmitting sensitive data.
SV-235993r628757_rule: Oracle WebLogic must identify potentially security-relevant error conditions.
SV-235994r628760_rule: Oracle WebLogic must only generate error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages.
SV-235995r628763_rule: Oracle WebLogic must restrict error messages so only authorized personnel may view them.
SV-235996r628766_rule: Oracle WebLogic must provide system notifications to a list of response personnel who are identified by name and/or role.
SV-235997r628769_rule: Oracle WebLogic must be integrated with a tool to monitor audit subsystem failure notification information that is sent out (e.g., the recipients of the message and the nature of the failure).
SV-235998r628772_rule: Oracle WebLogic must be managed through a centralized enterprise tool.
SV-235999r628775_rule: Oracle WebLogic must be integrated with a tool to implement multi-factor user authentication.