| 1.7 Declare an EJB authorization policy for deployed applications | Redhat JBoss EAP 5.x | Unix | ACCESS CONTROL |
| 1.15 - Ensure IBM JRE 1.6 is configured correctly - 'policy.provider = sun.security.provider.PolicyFile' | Redhat JBoss EAP 5.x | Unix | CONFIGURATION MANAGEMENT |
| 1.17 The allRolesMode must be configured to 'strict' - 'allRolesMode = strict' | Redhat JBoss EAP 5.x | Unix | ACCESS CONTROL |
| 1.19 - Remove, rename, or comment out the default user accounts from production servers - 'JBossWS password != empty' | Redhat JBoss EAP 5.x | Unix | IDENTIFICATION AND AUTHENTICATION |
| 1.19 - Remove, rename, or comment out the default user accounts from production servers - 'JBossWS principal != sa' | Redhat JBoss EAP 5.x | Unix | IDENTIFICATION AND AUTHENTICATION |
| 1.19 - Remove, rename, or comment out the default user accounts from production servers - 'JBossWS userName != sa' | Redhat JBoss EAP 5.x | Unix | IDENTIFICATION AND AUTHENTICATION |
| 1.19 - Remove, rename, or comment out the default user accounts from production servers - 'jbossws-users.properties - kermit' | Redhat JBoss EAP 5.x | Unix | IDENTIFICATION AND AUTHENTICATION |
| 1.19 - Remove, rename, or comment out the default user accounts from production servers - 'jmx-console password != empty' | Redhat JBoss EAP 5.x | Unix | IDENTIFICATION AND AUTHENTICATION |
| 1.19 - Remove, rename, or comment out the default user accounts from production servers - 'jmx-console principal != sa' | Redhat JBoss EAP 5.x | Unix | IDENTIFICATION AND AUTHENTICATION |
| 1.19 - Remove, rename, or comment out the default user accounts from production servers - 'jmx-console userName != sa' | Redhat JBoss EAP 5.x | Unix | IDENTIFICATION AND AUTHENTICATION |
| 1.19 - Remove, rename, or comment out the default user accounts from production servers - 'jmx-console-users.properties - admin' | Redhat JBoss EAP 5.x | Unix | IDENTIFICATION AND AUTHENTICATION |
| 1.19 - Remove, rename, or comment out the default user accounts from production servers - 'messaging-users.properties - guest' | Redhat JBoss EAP 5.x | Unix | IDENTIFICATION AND AUTHENTICATION |
| 1.20 - Remove default roles from production servers - 'admin-console default role != JBossAdmin|HttpInvoker|friend|guest' | Redhat JBoss EAP 5.x | Unix | IDENTIFICATION AND AUTHENTICATION |
| 1.20 - Remove default roles from production servers - 'console-mgr default role != JBossAdmin|HttpInvoker|friend|guest' | Redhat JBoss EAP 5.x | Unix | IDENTIFICATION AND AUTHENTICATION |
| 1.20 - Remove default roles from production servers - 'jmx-console default role != JBossAdmin|HttpInvoker|friend|guest' | Redhat JBoss EAP 5.x | Unix | IDENTIFICATION AND AUTHENTICATION |
| 1.22 DefaultCacheTimeout must be configured properly for active security domains - 'DefaultCacheTimeout <= 1800' | Redhat JBoss EAP 5.x | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1 Configure Java Security Manager to use an environment specific policy - 'JAVA_OPTS -Djava.security.manager -Djava.security.policy' | Redhat JBoss EAP 5.x | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.23 Ensure Security Audit Appender is enabled - 'Audit Appender = true' | Redhat JBoss EAP 5.x | Unix | AUDIT AND ACCOUNTABILITY |
| 2.24 Ensure Security Audit Provider is enabled - 'Audit Provider = true' | Redhat JBoss EAP 5.x | Unix | AUDIT AND ACCOUNTABILITY |
| 2.25 Ensure Configure SecurityInterceptor logging level is set correctly - 'org.jboss.ejb.plugins.SecurityInterceptor = true' | Redhat JBoss EAP 5.x | Unix | AUDIT AND ACCOUNTABILITY |
| 2.26 Ensure logging is enabled for Microcontainer bootstrap operations - 'SecurityInterceptor logging level = true' | Redhat JBoss EAP 5.x | Unix | AUDIT AND ACCOUNTABILITY |
| 2.27 - Ensure logging is enabled for web-based requests if required by deployed applications - 'AccessLogValve = true' | Redhat JBoss EAP 5.x | Unix | AUDIT AND ACCOUNTABILITY |
| 2.31 - Deny the JBoss process owner console access | Redhat JBoss EAP 5.x | Unix | ACCESS CONTROL |
| 2.32/2.33 - Set JBoss file ownership/permissions | Redhat JBoss EAP 5.x | Unix | CONFIGURATION MANAGEMENT |
| NET0465 - Authorized accounts must be assigned the least privilege level necessary to perform assigned duties. | DISA STIG Cisco L2 Switch V8R27 | Cisco | |
| NET0470 - Unauthorized accounts are configured to access device. | DISA STIG Cisco L2 Switch V8R27 | Cisco | |
| NET0990 - OOBM switch not connected to the NE OOBM interface | DISA STIG Cisco L2 Switch V8R27 | Cisco | |
| NET1647 - The network element must not allow SSH Version 1. | DISA STIG Cisco L2 Switch V8R27 | Cisco | |
| NET1675 - SNMP privileged and non-privileged access. | DISA STIG Cisco L2 Switch V8R27 | Cisco | |
| WA060 A22 - A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension. | DISA STIG Apache Server 2.2 Unix v1r11 | Unix | |
| WA00565 A22 - HTTP request methods must be limited - LimitExcept | DISA STIG Apache Server 2.2 Unix v1r11 | Unix | |
| WA00565 A22 - HTTP request methods must be limited - Order | DISA STIG Apache Server 2.2 Unix v1r11 | Unix | |
| WG050 A22 - The web server password(s) must be entrusted to the SA or Web Manager. | DISA STIG Apache Server 2.2 Unix v1r11 Middleware | Unix | |
| WG050 W22 - The web server service password(s) must be entrusted to the SA or Web Manager. | DISA STIG Apache Server 2.2 Windows v1r13 | Windows | |
| WG080 A22 - Installation of a compiler on production web server is prohibited. | DISA STIG Apache Server 2.2 Unix v1r11 | Unix | |
| WG080 A22 - Installation of a compiler on production web server is prohibited. | DISA STIG Apache Server 2.2 Unix v1r11 Middleware | Unix | |
| WG145 A22 - The private web server must use an approved DoD certificate validation process. | DISA STIG Apache Server 2.2 Unix v1r11 | Unix | |
| WG204 A22 - A web server must be segregated from other services. | DISA STIG Apache Server 2.2 Unix v1r11 Middleware | Unix | |
| WG204 A22 - A web server must be segregated from other services. | DISA STIG Apache Server 2.2 Unix v1r11 | Unix | |
| WG204 W22 - A web server installation must be segregated from other services. | DISA STIG Apache Server 2.2 Windows v1r13 | Windows | |
| WG255 A22 - Access to the web server log files must be restricted to administrators, web administrators, and auditors. | DISA STIG Apache Site 2.2 Unix v1r11 | Unix | |
| WG260 IIS6 - Only fully reviewed and tested web sites must exist on a production web server. | DISA STIG IIS 6.0 Site Checklist v6r16 | Windows | |
| WG270 A22 - The web server's htpasswd files (if present) must reflect proper ownership and permissions | DISA STIG Apache Server 2.2 Unix v1r11 | Unix | |
| WG275 W22 - The web server, although started by superuser or privileged account, must run using a non-privileged account. | DISA STIG Apache Server 2.2 Windows v1r13 | Windows | |
| WG350 W22 - A private web server must have a valid DoD server certificate. | DISA STIG Apache Site 2.2 Windows v1r13 | Windows | |
| WG355 A22 - A private web server's list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA. | DISA STIG Apache Server 2.2 Unix v1r11 | Unix | |
| WG355 IIS6 - A private web site must utilize certificates from a trusted DoD CA. | DISA STIG IIS 6.0 Site Checklist v6r16 | Windows | |
| WG410 IIS6 - Interactive scripts must have proper access controls. - 'Execute Permissions set 'Script only' | DISA STIG IIS 6.0 Site Checklist v6r16 | Windows | |
| WG430 A22 - Anonymous FTP user access to interactive scripts is prohibited. | DISA STIG Apache Site 2.2 Unix v1r11 | Unix | |
| WG440 A22 - Monitoring software must include CGI or equivalent programs in its scope. | DISA STIG Apache Server 2.2 Unix v1r11 Middleware | Unix | |
