DISA IBM WebSphere Traditional 9 STIG v2r1 Middleware

Audit Details

Name: DISA IBM WebSphere Traditional 9 STIG v2r1 Middleware

Updated: 6/9/2026

Authority: DISA STIG

Plugin: Unix

Revision: 1.0

Estimated Item Count: 78

File Details

Filename: DISA_STIG_IBM_WebSphere_Traditional_9_v2r1_Middleware.audit

Size: 208 kB

MD5: c24233b6ddc3069ecccf644989b96484
SHA256: 5a83762cbb37cfc870303742fd48420b77137ee065e047d1d88da6a648b4d5c0

Audit Items

DescriptionCategories
DISA_STIG_IBM_WebSphere_Traditional_9_v2r1_Middleware.audit from DISA IBM WebSphere Traditional V9.x v2r1 STIG
WBSP-AS-000010 - The WebSphere Application Server maximum in-memory session count must be set according to application requirements.

ACCESS CONTROL

WBSP-AS-000020 - The WebSphere Application Server admin console session timeout must be configured.

ACCESS CONTROL

WBSP-AS-000070 - The WebSphere Application Server security auditing must be enabled.

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

WBSP-AS-000080 - The WebSphere Application Server groups in the user registry mapped to WebSphere auditor roles must be configured in accordance with the security plan.

ACCESS CONTROL

WBSP-AS-000090 - The WebSphere Application Server users in the WebSphere auditor role must be configured in accordance with the System Security Plan.

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

WBSP-AS-000100 - The WebSphere Application Server audit event type filters must be configured.

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

WBSP-AS-000110 - The WebSphere Application Server audit service provider must be enabled.

ACCESS CONTROL

WBSP-AS-000120 - The WebSphere Application Server automatic repository checkpoints must be enabled to track configuration changes

ACCESS CONTROL

WBSP-AS-000130 - The WebSphere Application Server administrative security must be enabled.

ACCESS CONTROL

WBSP-AS-000140 - The WebSphere Application Server bus security must be enabled.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

WBSP-AS-000150 - The WebSphere Application Server users in a local user registry group must be authorized for that group.

ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

WBSP-AS-000160 - The WebSphere Application Server Quality of Protection (QoP) must be set to use TLSv1.2 or higher.

ACCESS CONTROL

WBSP-AS-000170 - The WebSphere Application Server global application security must be enabled

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

WBSP-AS-000180 - The WebSphere Application Server Single Sign On (SSO) must have SSL enabled for Web and SIP Security.

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

WBSP-AS-000190 - The WebSphere Application Server security cookies must be set to HTTPOnly.

ACCESS CONTROL

WBSP-AS-000211 - The WebSphere Application Server Java 2 security must be enabled.

ACCESS CONTROL

WBSP-AS-000212 - The WebSphere Application Server Java 2 security must not be bypassed.

ACCESS CONTROL

WBSP-AS-000220 - The WebSphere Application Server users in the admin role must be authorized.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

WBSP-AS-000230 - The WebSphere Application Server LDAP groups must be authorized for the WebSphere role.

ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY

WBSP-AS-000240 - The WebSphere Application Server users in a LDAP user registry group must be authorized for that group.

ACCESS CONTROL

WBSP-AS-000310 - The WebSphere Application Server management interface must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.

ACCESS CONTROL

WBSP-AS-000320 - The WebSphere Application Server management interface must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.

ACCESS CONTROL

WBSP-AS-000380 - The WebSphere Application Server must generate log records when successful/unsuccessful attempts to access subject privileges occur.

AUDIT AND ACCOUNTABILITY

WBSP-AS-000580 - The WebSphere Application Server must allocate JVM log record storage capacity in accordance with organization-defined log record storage requirements

AUDIT AND ACCOUNTABILITY

WBSP-AS-000590 - The WebSphere Application Server must allocate audit log record storage capacity in accordance with organization-defined log record storage requirements

AUDIT AND ACCOUNTABILITY

WBSP-AS-000630 - The WebSphere Application Server must provide an immediate real-time alert to authorized users of all log failure events requiring real-time alerts

AUDIT AND ACCOUNTABILITY

WBSP-AS-000640 - The WebSphere Application Server must alert the SA and ISSO, at a minimum, in the event of a log processing failure

AUDIT AND ACCOUNTABILITY

WBSP-AS-000650 - The WebSphere Application Server audit subsystem failure action must be set to Log warning.

AUDIT AND ACCOUNTABILITY

WBSP-AS-000660 - The WebSphere Application Server must shut down by default upon log failure (unless availability is an overriding concern).

AUDIT AND ACCOUNTABILITY

WBSP-AS-000670 - The WebSphere Application Server high availability applications must be configured to fail over to another system in the event of log subsystem failure.

AUDIT AND ACCOUNTABILITY

WBSP-AS-000740 - The WebSphere Application Server must be configured to protect log information from any type of unauthorized read access.

AUDIT AND ACCOUNTABILITY

WBSP-AS-000750 - The WebSphere Application Server must protect log information from unauthorized modification.

AUDIT AND ACCOUNTABILITY

WBSP-AS-000760 - The WebSphere Application Server must protect log information from unauthorized deletion.

AUDIT AND ACCOUNTABILITY

WBSP-AS-000770 - The WebSphere Application Server wsadmin file must be protected from unauthorized access.

AUDIT AND ACCOUNTABILITY

WBSP-AS-000780 - The WebSphere Application Server wsadmin file must be protected from unauthorized modification.

AUDIT AND ACCOUNTABILITY

WBSP-AS-000790 - The WebSphere Application Server wsadmin file must be protected from unauthorized deletion.

AUDIT AND ACCOUNTABILITY

WBSP-AS-000810 - The WebSphere Application Server must be configured to encrypt log information.

AUDIT AND ACCOUNTABILITY

WBSP-AS-000820 - The WebSphere Application Server must be configured to sign log information.

AUDIT AND ACCOUNTABILITY

WBSP-AS-000910 - The WebSphere Application Server process must not be started from the command line with the -password option.

CONFIGURATION MANAGEMENT

WBSP-AS-000920 - The WebSphere Application Server files must be owned by the non-root WebSphere user ID.

CONFIGURATION MANAGEMENT

WBSP-AS-000930 - The WebSphere Application Server sample applications must be removed.

CONFIGURATION MANAGEMENT

WBSP-AS-000940 - The WebSphere Application Server must remove JREs left by web server and plug-in installers for web servers and plugins running in the DMZ.

CONFIGURATION MANAGEMENT

WBSP-AS-000960 - The WebSphere Application Server must be run as a non-admin user.

CONFIGURATION MANAGEMENT

WBSP-AS-000970 - The WebSphere Application Server must disable JSP class reloading.

CONFIGURATION MANAGEMENT

WBSP-AS-000980 - The WebSphere Application Server must prohibit or restrict the use of nonsecure ports, protocols, modules, and/or services as defined in the PPSM CAL and vulnerability assessments.

CONFIGURATION MANAGEMENT

WBSP-AS-001010 - The WebSphere Application Server LDAP user registry must be used.

IDENTIFICATION AND AUTHENTICATION

WBSP-AS-001020 - The WebSphere Application Server local file-based user registry must not be used.

IDENTIFICATION AND AUTHENTICATION

WBSP-AS-001030 - The WebSphere Application Server multifactor authentication for network access to privileged accounts must be used.

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

WBSP-AS-001080 - The WebSphere Application Server must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data.

IDENTIFICATION AND AUTHENTICATION