Checked | Name | Title
---|---|---
☐ | SV-99425r1_rule | tc Server UI must limit the number of maximum concurrent connections permitted. |
☐ | SV-99427r1_rule | tc Server CaSa must limit the number of maximum concurrent connections permitted. |
☐ | SV-99429r1_rule | tc Server API must limit the number of maximum concurrent connections permitted. |
☐ | SV-99431r1_rule | tc Server UI must limit the amount of time that each TCP connection is kept alive. |
☐ | SV-99433r1_rule | tc Server CaSa must limit the amount of time that each TCP connection is kept alive. |
☐ | SV-99435r1_rule | tc Server API must limit the amount of time that each TCP connection is kept alive. |
☐ | SV-99437r1_rule | tc Server UI must limit the number of times that each TCP connection is kept alive. |
☐ | SV-99439r1_rule | tc Server CaSa must limit the number of times that each TCP connection is kept alive. |
☐ | SV-99441r1_rule | tc Server API must limit the number of times that each TCP connection is kept alive. |
☐ | SV-99443r1_rule | tc Server UI must perform server-side session management. |
☐ | SV-99445r1_rule | tc Server CaSa must perform server-side session management. |
☐ | SV-99447r1_rule | tc Server API must perform server-side session management. |
☐ | SV-99449r1_rule | tc Server UI must be configured with FIPS 140-2 compliant ciphers for HTTPS connections. |
☐ | SV-99451r1_rule | tc Server CaSa must be configured with FIPS 140-2 compliant ciphers for HTTPS connections. |
☐ | SV-99453r1_rule | tc Server API must be configured with FIPS 140-2 compliant ciphers for HTTPS connections. |
☐ | SV-99455r1_rule | tc Server UI must use cryptography to protect the integrity of remote sessions. |
☐ | SV-99457r1_rule | tc Server CaSa must use cryptography to protect the integrity of remote sessions. |
☐ | SV-99459r1_rule | tc Server API must use cryptography to protect the integrity of remote sessions. |
☐ | SV-99461r1_rule | tc Server UI must record user access in a format that enables monitoring of remote access. |
☐ | SV-99463r1_rule | tc Server CaSa must record user access in a format that enables monitoring of remote access. |
☐ | SV-99465r1_rule | tc Server API must record user access in a format that enables monitoring of remote access. |
☐ | SV-99467r1_rule | tc Server ALL must generate log records for system startup and shutdown. |
☐ | SV-99469r1_rule | tc Server UI must generate log records for user access and authentication events. |
☐ | SV-99471r1_rule | tc Server CaSa must generate log records for user access and authentication events. |
☐ | SV-99473r1_rule | tc Server API must generate log records for user access and authentication events. |
☐ | SV-99475r1_rule | tc Server ALL must initiate logging during service start-up. |
☐ | SV-99477r1_rule | tc Server UI must capture, record, and log all content related to a user session. |
☐ | SV-99479r1_rule | tc Server CaSa must capture, record, and log all content related to a user session. |
☐ | SV-99481r1_rule | tc Server API must capture, record, and log all content related to a user session. |
☐ | SV-99483r1_rule | tc Server UI must produce log records containing sufficient information to establish what type of events occurred. |
☐ | SV-99485r1_rule | tc Server CaSa must produce log records containing sufficient information to establish what type of events occurred. |
☐ | SV-99487r1_rule | tc Server API must produce log records containing sufficient information to establish what type of events occurred. |
☐ | SV-99489r1_rule | tc Server UI must produce log records containing sufficient information to establish when (date and time) events occurred. |
☐ | SV-99491r1_rule | tc Server CaSa must produce log records containing sufficient information to establish when (date and time) events occurred. |
☐ | SV-99493r1_rule | tc Server API must produce log records containing sufficient information to establish when (date and time) events occurred. |
☐ | SV-99495r1_rule | tc Server UI must produce log records containing sufficient information to establish where within the web server the events occurred. |
☐ | SV-99497r1_rule | tc Server CaSa must produce log records containing sufficient information to establish where within the web server the events occurred. |
☐ | SV-99499r1_rule | tc Server API must produce log records containing sufficient information to establish where within the web server the events occurred. |
☐ | SV-99501r1_rule | tc Server UI must produce log records containing sufficient information to establish the source of events. |
☐ | SV-99503r1_rule | tc Server CaSa must produce log records containing sufficient information to establish the source of events. |
☐ | SV-99505r1_rule | tc Server API must produce log records containing sufficient information to establish the source of events. |
☐ | SV-99507r1_rule | tc Server UI must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. |
☐ | SV-99509r1_rule | tc Server CaSa must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. |
☐ | SV-99511r1_rule | tc Server API must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. |
☐ | SV-99513r1_rule | tc Server UI must produce log records that contain sufficient information to establish the outcome (success or failure) of events. |
☐ | SV-99515r1_rule | tc Server CaSa must produce log records that contain sufficient information to establish the outcome (success or failure) of events. |
☐ | SV-99517r1_rule | tc Server API must produce log records that contain sufficient information to establish the outcome (success or failure) of events. |
☐ | SV-99519r1_rule | tc Server UI must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event. |
☐ | SV-99521r1_rule | tc Server CaSa must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event. |
☐ | SV-99523r1_rule | tc Server API must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event. |
☐ | SV-99525r1_rule | tc Server ALL must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure. |
☐ | SV-99527r1_rule | tc Server UI log files must only be accessible by privileged users. |
☐ | SV-99529r1_rule | tc Server CaSa log files must only be accessible by privileged users. |
☐ | SV-99531r1_rule | tc Server API log files must only be accessible by privileged users. |
☐ | SV-99533r1_rule | tc Server UI log files must be protected from unauthorized modification. |
☐ | SV-99535r1_rule | tc Server CaSa log files must be protected from unauthorized modification. |
☐ | SV-99537r1_rule | tc Server API log files must be protected from unauthorized modification. |
☐ | SV-99539r1_rule | tc Server UI log files must be protected from unauthorized deletion. |
☐ | SV-99541r1_rule | tc Server CaSa log files must be protected from unauthorized deletion. |
☐ | SV-99543r1_rule | tc Server API log files must be protected from unauthorized deletion. |
☐ | SV-99545r1_rule | tc Server ALL log data and records must be backed up onto a different system or media. |
☐ | SV-99547r1_rule | tc Server ALL server files must be verified for their integrity (e.g., checksums and hashes) before becoming part of the production web server. |
☐ | SV-99549r1_rule | tc Server ALL expansion modules must be fully reviewed, tested, and signed before they can exist on a production web server. |
☐ | SV-99551r1_rule | tc Server UI must not use the tomcat-users XML database for user management. |
☐ | SV-99553r1_rule | tc Server CaSa must not use the tomcat-users XML database for user management. |
☐ | SV-99555r1_rule | tc Server API must not use the tomcat-users XML database for user management. |
☐ | SV-99557r1_rule | tc Server ALL must only contain services and functions necessary for operation. |
☐ | SV-99559r1_rule | tc Server ALL must exclude documentation, sample code, example applications, and tutorials. |
☐ | SV-99561r1_rule | tc Server ALL must exclude installation of utility programs, services, plug-ins, and modules not necessary for operation. |
☐ | SV-99563r1_rule | tc Server ALL must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled. |
☐ | SV-99565r1_rule | tc Server ALL must have all mappings to unused and vulnerable scripts to be removed. |
☐ | SV-99567r1_rule | tc Server UI must have mappings set for Java Servlet Pages. |
☐ | SV-99569r1_rule | tc Server CaSa must have mappings set for Java Servlet Pages. |
☐ | SV-99571r1_rule | tc Server API must have mappings set for Java Servlet Pages. |
☐ | SV-99573r1_rule | tc Server ALL must not have the Web Distributed Authoring (WebDAV) servlet installed. |
☐ | SV-99575r1_rule | tc Server UI must be configured with memory leak protection. |
☐ | SV-99577r1_rule | tc Server CaSa must be configured with memory leak protection. |
☐ | SV-99579r1_rule | tc Server API must be configured with memory leak protection. |
☐ | SV-99581r1_rule | tc Server UI must not have any symbolic links in the web content directory tree. |
☐ | SV-99583r1_rule | tc Server CaSa must not have any symbolic links in the web content directory tree. |
☐ | SV-99585r1_rule | tc Server API must not have any symbolic links in the web content directory tree. |
☐ | SV-99587r1_rule | tc Server UI must be configured to use a specified IP address and port. |
☐ | SV-99589r1_rule | tc Server CaSa must be configured to use a specified IP address and port. |
☐ | SV-99591r1_rule | tc Server API must be configured to use a specified IP address and port. |
☐ | SV-99593r1_rule | tc Server UI must encrypt passwords during transmission. |
☐ | SV-99595r1_rule | tc Server CaSa must encrypt passwords during transmission. |
☐ | SV-99597r1_rule | tc Server API must encrypt passwords during transmission. |
☐ | SV-99599r1_rule | tc Server ALL must validate client certificates, to include all intermediary CAs, to ensure the client-presented certificates are valid and that the entire trust chain is valid. If PKI is not being used, this check is Not Applicable. |
☐ | SV-99601r1_rule | tc Server ALL must only allow authenticated system administrators to have access to the keystore. |
☐ | SV-99603r1_rule | tc Server ALL must only allow authenticated system administrators to have access to the truststore. |
☐ | SV-99605r1_rule | tc Server UI must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes. |
☐ | SV-99607r1_rule | tc Server CaSa must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes. |
☐ | SV-99609r1_rule | tc Server API must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes. |
☐ | SV-99611r1_rule | tc Server UI accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts. |
☐ | SV-99613r1_rule | tc Server CaSa accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts. |
☐ | SV-99615r1_rule | tc Server API accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts. |
☐ | SV-99617r1_rule | tc Server UI web server application directories must not be accessible to anonymous user. |
☐ | SV-99619r1_rule | tc Server CaSa web server application directories must not be accessible to anonymous user. |
☐ | SV-99621r1_rule | tc Server API web server application directories must not be accessible to anonymous user. |
☐ | SV-99623r1_rule | tc Server ALL baseline must be documented and maintained. |
☐ | SV-99625r1_rule | tc Server UI must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail. |
☐ | SV-99627r1_rule | tc Server CaSa must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail. |
☐ | SV-99629r1_rule | tc Server API must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail. |
☐ | SV-99631r1_rule | tc Server UI document directory must be in a separate partition from the web servers system files. |
☐ | SV-99633r1_rule | tc Server CaSa document directory must be in a separate partition from the web servers system files. |
☐ | SV-99635r1_rule | tc Server API document directory must be in a separate partition from the web servers system files. |
☐ | SV-99637r1_rule | tc Server UI must be configured with a cross-site scripting (XSS) filter. |
☐ | SV-99639r1_rule | tc Server CaSa must be configured with a cross-site scripting (XSS) filter. |
☐ | SV-99641r1_rule | tc Server API must be configured with a cross-site scripting (XSS) filter. |
☐ | SV-99643r1_rule | tc Server UI must set URIEncoding to UTF-8. |
☐ | SV-99645r1_rule | tc Server CaSa must set URIEncoding to UTF-8. |
☐ | SV-99647r1_rule | tc Server API must set URIEncoding to UTF-8. |
☐ | SV-99649r1_rule | tc Server UI must use the setCharacterEncodingFilter filter. |
☐ | SV-99651r1_rule | tc Server CaSa must use the setCharacterEncodingFilter filter. |
☐ | SV-99653r1_rule | tc Server API must use the setCharacterEncodingFilter filter. |
☐ | SV-99655r1_rule | tc Server UI must set the welcome-file node to a default web page. |
☐ | SV-99657r1_rule | tc Server CaSa must set the welcome-file node to a default web page. |
☐ | SV-99659r1_rule | tc Server API must set the welcome-file node to a default web page. |
☐ | SV-99661r1_rule | tc Server UI must have the allowTrace parameter set to false. |
☐ | SV-99663r1_rule | tc Server CaSa must have the allowTrace parameter set to false. |
☐ | SV-99665r1_rule | tc Server API must have the allowTrace parameter set to false. |
☐ | SV-99667r1_rule | tc Server UI must have the debug option turned off. |
☐ | SV-99669r1_rule | tc Server CaSa must have the debug option turned off. |
☐ | SV-99671r1_rule | tc Server API must have the debug option turned off. |
☐ | SV-99673r1_rule | tc Server UI must set an inactive timeout for sessions. |
☐ | SV-99675r1_rule | tc Server CaSa must set an inactive timeout for sessions. |
☐ | SV-99677r1_rule | tc Server API must set an inactive timeout for sessions. |
☐ | SV-99679r1_rule | tc Server ALL must be configured to the correct user authentication source. |
☐ | SV-99681r1_rule | tc Server UI must be configured to use the https scheme. |
☐ | SV-99683r1_rule | tc Server CaSa must be configured to use the https scheme. |
☐ | SV-99685r1_rule | tc Server API must be configured to use the https scheme. |
☐ | SV-99687r1_rule | tc Server ALL must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the web server. |
☐ | SV-99689r1_rule | tc Server ALL log files must be moved to a permanent repository in accordance with site policy. |
☐ | SV-99691r1_rule | tc Server ALL must use a logging mechanism that is configured to provide a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum log record storage capacity. |
☐ | SV-99693r1_rule | tc Server UI must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). |
☐ | SV-99695r1_rule | tc Server CaSa must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). |
☐ | SV-99697r1_rule | tc Server API must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). |
☐ | SV-99699r1_rule | tc Server UI must record time stamps for log records to a minimum granularity of one second. |
☐ | SV-99701r1_rule | tc Server CaSa must record time stamps for log records to a minimum granularity of one second. |
☐ | SV-99703r1_rule | tc Server API must record time stamps for log records to a minimum granularity of one second. |
☐ | SV-99705r1_rule | tc Server UI application, libraries, and configuration files must only be accessible to privileged users. |
☐ | SV-99707r1_rule | tc Server CaSa application, libraries, and configuration files must only be accessible to privileged users. |
☐ | SV-99709r1_rule | tc Server API application, libraries, and configuration files must only be accessible to privileged users. |
☐ | SV-99711r1_rule | tc Server UI must be configured with the appropriate ports. |
☐ | SV-99713r1_rule | tc Server CaSa must be configured with the appropriate ports. |
☐ | SV-99715r1_rule | tc Server API must be configured with the appropriate ports. |
☐ | SV-99717r1_rule | tc Server UI must use NSA Suite A cryptography when encrypting data that must be compartmentalized. |
☐ | SV-99719r1_rule | tc Server CaSa must use NSA Suite A cryptography when encrypting data that must be compartmentalized. |
☐ | SV-99721r1_rule | tc Server API must use NSA Suite A cryptography when encrypting data that must be compartmentalized. |
☐ | SV-99723r1_rule | tc Server UI must disable the shutdown port. |
☐ | SV-99725r1_rule | tc Server CaSa must disable the shutdown port. |
☐ | SV-99727r1_rule | tc Server API must disable the shutdown port. |
☐ | SV-99729r1_rule | tc Server UI must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission. |
☐ | SV-99731r1_rule | tc Server CaSa must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission. |
☐ | SV-99733r1_rule | tc Server API must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission. |
☐ | SV-99735r1_rule | tc Server UI session IDs must be sent to the client using SSL/TLS. |
☐ | SV-99737r1_rule | tc Server CaSa session IDs must be sent to the client using SSL/TLS. |
☐ | SV-99739r1_rule | tc Server API session IDs must be sent to the client using SSL/TLS. |
☐ | SV-99741r1_rule | tc Server UI must set the useHttpOnly parameter. |
☐ | SV-99743r1_rule | tc Server CaSa must set the useHttpOnly parameter. |
☐ | SV-99745r1_rule | tc Server API must set the useHttpOnly parameter. |
☐ | SV-99747r1_rule | tc Server UI must set the secure flag for cookies. |
☐ | SV-99749r1_rule | tc Server CaSa must set the secure flag for cookies. |
☐ | SV-99751r1_rule | tc Server API must set the secure flag for cookies. |
☐ | SV-99753r1_rule | tc Server UI must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version. |
☐ | SV-99755r1_rule | tc Server CaSa must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version. |
☐ | SV-99757r1_rule | tc Server API must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version. |
☐ | SV-99759r1_rule | tc Server UI must remove all export ciphers to protect the confidentiality and integrity of transmitted information. |
☐ | SV-99761r1_rule | tc Server CaSa must remove all export ciphers to protect the confidentiality and integrity of transmitted information. |
☐ | SV-99763r1_rule | tc Server API must remove all export ciphers to protect the confidentiality and integrity of transmitted information. |
☐ | SV-99765r1_rule | tc Server UI must use approved Transport Layer Security (TLS) versions to maintain the confidentiality and integrity of information during reception. |
☐ | SV-99767r1_rule | tc Server CaSa must use approved Transport Layer Security (TLS) versions to maintain the confidentiality and integrity of information during reception. |
☐ | SV-99769r1_rule | tc Server API must use approved Transport Layer Security (TLS) versions to maintain the confidentiality and integrity of information during reception. |
☐ | SV-99771r1_rule | tc Server ALL must have all security-relevant software updates installed within the configured time period directed by an authoritative source. |
☐ | SV-99773r1_rule | tc Server ALL must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. |