| DISA_STIG_IBM_WebSphere_Traditional_9_Windows_v2r1.audit from DISA IBM WebSphere Traditional V9.x v2r1 STIG | |
| WBSP-AS-000010 - The WebSphere Application Server maximum in-memory session count must be set according to application requirements. | ACCESS CONTROL |
| WBSP-AS-000020 - The WebSphere Application Server admin console session timeout must be configured. | ACCESS CONTROL |
| WBSP-AS-000070 - The WebSphere Application Server security auditing must be enabled. | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| WBSP-AS-000080 - The WebSphere Application Server groups in the user registry mapped to WebSphere auditor roles must be configured in accordance with the security plan. | ACCESS CONTROL |
| WBSP-AS-000090 - The WebSphere Application Server users in the WebSphere auditor role must be configured in accordance with the System Security Plan. | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| WBSP-AS-000100 - The WebSphere Application Server audit event type filters must be configured. | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
| WBSP-AS-000110 - The WebSphere Application Server audit service provider must be enabled. | ACCESS CONTROL |
| WBSP-AS-000120 - The WebSphere Application Server automatic repository checkpoints must be enabled to track configuration changes | ACCESS CONTROL |
| WBSP-AS-000130 - The WebSphere Application Server administrative security must be enabled. | ACCESS CONTROL |
| WBSP-AS-000140 - The WebSphere Application Server bus security must be enabled. | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| WBSP-AS-000150 - The WebSphere Application Server users in a local user registry group must be authorized for that group. | ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION |
| WBSP-AS-000160 - The WebSphere Application Server Quality of Protection (QoP) must be set to use TLSv1.2 or higher. | ACCESS CONTROL |
| WBSP-AS-000170 - The WebSphere Application Server global application security must be enabled | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| WBSP-AS-000180 - The WebSphere Application Server Single Sign On (SSO) must have SSL enabled for Web and SIP Security. | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| WBSP-AS-000190 - The WebSphere Application Server security cookies must be set to HTTPOnly. | ACCESS CONTROL |
| WBSP-AS-000211 - The WebSphere Application Server Java 2 security must be enabled. | ACCESS CONTROL |
| WBSP-AS-000212 - The WebSphere Application Server Java 2 security must not be bypassed. | ACCESS CONTROL |
| WBSP-AS-000220 - The WebSphere Application Server users in the admin role must be authorized. | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| WBSP-AS-000230 - The WebSphere Application Server LDAP groups must be authorized for the WebSphere role. | ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY |
| WBSP-AS-000240 - The WebSphere Application Server users in a LDAP user registry group must be authorized for that group. | ACCESS CONTROL |
| WBSP-AS-000310 - The WebSphere Application Server management interface must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. | ACCESS CONTROL |
| WBSP-AS-000320 - The WebSphere Application Server management interface must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. | ACCESS CONTROL |
| WBSP-AS-000380 - The WebSphere Application Server must generate log records when successful/unsuccessful attempts to access subject privileges occur. | AUDIT AND ACCOUNTABILITY |
| WBSP-AS-000580 - The WebSphere Application Server must allocate JVM log record storage capacity in accordance with organization-defined log record storage requirements. | AUDIT AND ACCOUNTABILITY |
| WBSP-AS-000590 - The WebSphere Application Server must allocate audit log record storage capacity in accordance with organization-defined log record storage requirements | AUDIT AND ACCOUNTABILITY |
| WBSP-AS-000630 - The WebSphere Application Server must provide an immediate real-time alert to authorized users of all log failure events requiring real-time alerts - enabled | AUDIT AND ACCOUNTABILITY |
| WBSP-AS-000640 - The WebSphere Application Server must alert the SA and ISSO, at a minimum, in the event of a log processing failure | AUDIT AND ACCOUNTABILITY |
| WBSP-AS-000650 - The WebSphere Application Server audit subsystem failure action must be set to Log warning. | AUDIT AND ACCOUNTABILITY |
| WBSP-AS-000660 - The WebSphere Application Server must shut down by default upon log failure (unless availability is an overriding concern). | AUDIT AND ACCOUNTABILITY |
| WBSP-AS-000670 - The WebSphere Application Server high availability applications must be configured to fail over to another system in the event of log subsystem failure. | AUDIT AND ACCOUNTABILITY |
| WBSP-AS-000740 - The WebSphere Application Server must be configured to protect log information from any type of unauthorized read access. | AUDIT AND ACCOUNTABILITY |
| WBSP-AS-000750 - The WebSphere Application Server must protect log information from unauthorized modification. | AUDIT AND ACCOUNTABILITY |
| WBSP-AS-000760 - The WebSphere Application Server must protect log information from unauthorized deletion. | AUDIT AND ACCOUNTABILITY |
| WBSP-AS-000770 - The WebSphere Application Server wsadmin file must be protected from unauthorized access. | AUDIT AND ACCOUNTABILITY |
| WBSP-AS-000780 - The WebSphere Application Server wsadmin file must be protected from unauthorized modification. | AUDIT AND ACCOUNTABILITY |
| WBSP-AS-000790 - The WebSphere Application Server wsadmin file must be protected from unauthorized deletion. | AUDIT AND ACCOUNTABILITY |
| WBSP-AS-000810 - The WebSphere Application Server must be configured to encrypt log information. | AUDIT AND ACCOUNTABILITY |
| WBSP-AS-000820 - The WebSphere Application Server must be configured to sign log information. | AUDIT AND ACCOUNTABILITY |
| WBSP-AS-000910 - The WebSphere Application Server process must not be started from the command line with the -password option. | CONFIGURATION MANAGEMENT |
| WBSP-AS-000920 - The WebSphere Application Server files must be owned by the non-root WebSphere user ID. | CONFIGURATION MANAGEMENT |
| WBSP-AS-000930 - The WebSphere Application Server sample applications must be removed. | CONFIGURATION MANAGEMENT |
| WBSP-AS-000940 - The WebSphere Application Server must remove JREs left by web server and plug-in installers for web servers and plugins running in the DMZ. | CONFIGURATION MANAGEMENT |
| WBSP-AS-000960 - The WebSphere Application Server must be run as a non-admin user. | CONFIGURATION MANAGEMENT |
| WBSP-AS-000970 - The WebSphere Application Server must disable JSP class reloading. | CONFIGURATION MANAGEMENT |
| WBSP-AS-000980 - The WebSphere Application Server must prohibit or restrict the use of nonsecure ports, protocols, modules, and/or services as defined in the PPSM CAL and vulnerability assessments. | CONFIGURATION MANAGEMENT |
| WBSP-AS-001010 - The WebSphere Application Server LDAP user registry must be used. | IDENTIFICATION AND AUTHENTICATION |
| WBSP-AS-001020 - The WebSphere Application Server local file-based user registry must not be used. | IDENTIFICATION AND AUTHENTICATION |
| WBSP-AS-001030 - The WebSphere Application Server multifactor authentication for network access to privileged accounts must be used. | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| WBSP-AS-001080 - The WebSphere Application Server must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data. | IDENTIFICATION AND AUTHENTICATION |