Item Search

Columns: Name; Audit Name; Plugin; Category

1.7 Declare an EJB authorization policy for deployed applications
    Audit Name: Redhat JBoss EAP 5.x; Plugin: Unix; Category: ACCESS CONTROL

1.15 - Ensure IBM JRE 1.6 is configured correctly - 'policy.provider = sun.security.provider.PolicyFile'
    Audit Name: Redhat JBoss EAP 5.x; Plugin: Unix; Category: CONFIGURATION MANAGEMENT

1.17 The allRolesMode must be configured to 'strict' - 'allRolesMode = strict'
    Audit Name: Redhat JBoss EAP 5.x; Plugin: Unix; Category: ACCESS CONTROL

1.19 - Remove, rename, or comment out the default user accounts from production servers - 'JBossWS password != empty'
    Audit Name: Redhat JBoss EAP 5.x; Plugin: Unix; Category: IDENTIFICATION AND AUTHENTICATION

1.19 - Remove, rename, or comment out the default user accounts from production servers - 'JBossWS principal != sa'
    Audit Name: Redhat JBoss EAP 5.x; Plugin: Unix; Category: IDENTIFICATION AND AUTHENTICATION

1.19 - Remove, rename, or comment out the default user accounts from production servers - 'JBossWS userName != sa'
    Audit Name: Redhat JBoss EAP 5.x; Plugin: Unix; Category: IDENTIFICATION AND AUTHENTICATION

1.19 - Remove, rename, or comment out the default user accounts from production servers - 'jbossws-users.properties - kermit'
    Audit Name: Redhat JBoss EAP 5.x; Plugin: Unix; Category: IDENTIFICATION AND AUTHENTICATION

1.19 - Remove, rename, or comment out the default user accounts from production servers - 'jmx-console password != empty'
    Audit Name: Redhat JBoss EAP 5.x; Plugin: Unix; Category: IDENTIFICATION AND AUTHENTICATION

1.19 - Remove, rename, or comment out the default user accounts from production servers - 'jmx-console principal != sa'
    Audit Name: Redhat JBoss EAP 5.x; Plugin: Unix; Category: IDENTIFICATION AND AUTHENTICATION

1.19 - Remove, rename, or comment out the default user accounts from production servers - 'jmx-console userName != sa'
    Audit Name: Redhat JBoss EAP 5.x; Plugin: Unix; Category: IDENTIFICATION AND AUTHENTICATION

1.19 - Remove, rename, or comment out the default user accounts from production servers - 'jmx-console-users.properties - admin'
    Audit Name: Redhat JBoss EAP 5.x; Plugin: Unix; Category: IDENTIFICATION AND AUTHENTICATION

1.19 - Remove, rename, or comment out the default user accounts from production servers - 'messaging-users.properties - guest'
    Audit Name: Redhat JBoss EAP 5.x; Plugin: Unix; Category: IDENTIFICATION AND AUTHENTICATION

1.20 - Remove default roles from production servers - 'admin-console default role != JBossAdmin|HttpInvoker|friend|guest'
    Audit Name: Redhat JBoss EAP 5.x; Plugin: Unix; Category: IDENTIFICATION AND AUTHENTICATION

1.20 - Remove default roles from production servers - 'console-mgr default role != JBossAdmin|HttpInvoker|friend|guest'
    Audit Name: Redhat JBoss EAP 5.x; Plugin: Unix; Category: IDENTIFICATION AND AUTHENTICATION

1.20 - Remove default roles from production servers - 'jmx-console default role != JBossAdmin|HttpInvoker|friend|guest'
    Audit Name: Redhat JBoss EAP 5.x; Plugin: Unix; Category: IDENTIFICATION AND AUTHENTICATION

1.22 DefaultCacheTimeout must be configured properly for active security domains - 'DefaultCacheTimeout <= 1800'
    Audit Name: Redhat JBoss EAP 5.x; Plugin: Unix; Category: SYSTEM AND COMMUNICATIONS PROTECTION

2.1 Configure Java Security Manager to use an environment specific policy - 'JAVA_OPTS -Djava.security.manager -Djava.security.policy'
    Audit Name: Redhat JBoss EAP 5.x; Plugin: Unix; Category: SYSTEM AND COMMUNICATIONS PROTECTION

2.23 Ensure Security Audit Appender is enabled - 'Audit Appender = true'
    Audit Name: Redhat JBoss EAP 5.x; Plugin: Unix; Category: AUDIT AND ACCOUNTABILITY

2.24 Ensure Security Audit Provider is enabled - 'Audit Provider = true'
    Audit Name: Redhat JBoss EAP 5.x; Plugin: Unix; Category: AUDIT AND ACCOUNTABILITY

2.25 Ensure Configure SecurityInterceptor logging level is set correctly - 'org.jboss.ejb.plugins.SecurityInterceptor = true'
    Audit Name: Redhat JBoss EAP 5.x; Plugin: Unix; Category: AUDIT AND ACCOUNTABILITY

2.26 Ensure logging is enabled for Microcontainer bootstrap operations - 'SecurityInterceptor logging level = true'
    Audit Name: Redhat JBoss EAP 5.x; Plugin: Unix; Category: AUDIT AND ACCOUNTABILITY

2.27 - Ensure logging is enabled for web-based requests if required by deployed applications - 'AccessLogValve = true'
    Audit Name: Redhat JBoss EAP 5.x; Plugin: Unix; Category: AUDIT AND ACCOUNTABILITY

2.31 - Deny the JBoss process owner console access
    Audit Name: Redhat JBoss EAP 5.x; Plugin: Unix; Category: ACCESS CONTROL

2.32/2.33 - Set JBoss file ownership/permissions
    Audit Name: Redhat JBoss EAP 5.x; Plugin: Unix; Category: CONFIGURATION MANAGEMENT

NET0990 - OOBM switch not connected to the NE OOBM interface
    Audit Name: DISA STIG Cisco L2 Switch V8R27; Plugin: Cisco

NET1647 - The network element must not allow SSH Version 1.
    Audit Name: DISA STIG Cisco L2 Switch V8R27; Plugin: Cisco

WA060 A22 - A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension.
    Audit Name: DISA STIG Apache Server 2.2 Unix v1r11 Middleware; Plugin: Unix

WA060 W22 - A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension.
    Audit Name: DISA STIG Apache Server 2.2 Windows v1r13; Plugin: Windows

WA070 A22 - A private web server must be located on a separate controlled access subnet.
    Audit Name: DISA STIG Apache Server 2.2 Unix v1r11; Plugin: Unix

WA070 A22 - A private web server must be located on a separate controlled access subnet.
    Audit Name: DISA STIG Apache Server 2.2 Unix v1r11 Middleware; Plugin: Unix

WA070 W22 - A private web server must be located on a separate controlled access subnet.
    Audit Name: DISA STIG Apache Server 2.2 Windows v1r13; Plugin: Windows

WA230 W22 - The site software used with the web server must have all applicable security patches applied and documented.
    Audit Name: DISA STIG Apache Server 2.2 Windows v1r13; Plugin: Windows

WG040 W22 - Public web server resources must not be shared with private assets.
    Audit Name: DISA STIG Apache Server 2.2 Windows v1r13; Plugin: Windows

WG050 A22 - The web server password(s) must be entrusted to the SA or Web Manager.
    Audit Name: DISA STIG Apache Server 2.2 Unix v1r11; Plugin: Unix

WG060 W22 - The service account used to run the web service must have its password changed at least annually.
    Audit Name: DISA STIG Apache Server 2.2 Windows v1r13; Plugin: Windows

WG080 A22 - Installation of a compiler on production web server is prohibited.
    Audit Name: DISA STIG Apache Server 2.2 Unix v1r11 Middleware; Plugin: Unix

WG080 W22 - Installation of a compiler on production web server must be prohibited.
    Audit Name: DISA STIG Apache Server 2.2 Windows v1r13; Plugin: Windows

WG145 A22 - The private web server must use an approved DoD certificate validation process.
    Audit Name: DISA STIG Apache Server 2.2 Unix v1r11 Middleware; Plugin: Unix

WG145 IIS6 - The private web server must use an approved DoD certificate validation process. - 'Check W3SVC/WEBSITES CertCheckMode'
    Audit Name: DISA STIG IIS 6.0 Site Checklist v6r16; Plugin: Windows

WG240 IIS6 - Logs of web server access and errors must be established and maintained.
    Audit Name: DISA STIG IIS 6.0 Site Checklist v6r16; Plugin: Windows

WG260 A22 - Only web sites that have been fully reviewed and tested must exist on a production web server.
    Audit Name: DISA STIG Apache Site 2.2 Unix v1r11; Plugin: Unix

WG260 A22 - Only web sites that have been fully reviewed and tested must exist on a production web server.
    Audit Name: DISA STIG Apache Site 2.2 Unix v1r11 Middleware; Plugin: Unix

WG260 W22 - Only web sites that have been fully reviewed and tested must exist on a production web server.
    Audit Name: DISA STIG Apache Site 2.2 Windows v1r13; Plugin: Windows

WG350 A22 - A private web server will have a valid DoD server certificate.
    Audit Name: DISA STIG Apache Site 2.2 Unix v1r11; Plugin: Unix

WG350 IIS6 - A private web server must have a valid server certificate.
    Audit Name: DISA STIG IIS 6.0 Site Checklist v6r16; Plugin: Windows

WG355 A22 - A private web server's list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA.
    Audit Name: DISA STIG Apache Server 2.2 Unix v1r11 Middleware; Plugin: Unix

WG355 W22 - A private web server's list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA.
    Audit Name: DISA STIG Apache Server 2.2 Windows v1r13; Plugin: Windows

WG430 W22 - Anonymous FTP user access to interactive scripts must be prohibited.
    Audit Name: DISA STIG Apache Site 2.2 Windows v1r13; Plugin: Windows

WG440 A22 - Monitoring software must include CGI or equivalent programs in its scope.
    Audit Name: DISA STIG Apache Server 2.2 Unix v1r11; Plugin: Unix

WG460 W22 - PERL scripts must use the TAINT option.
    Audit Name: DISA STIG Apache Site 2.2 Windows v1r13; Plugin: Windows