CAT|II

Title

DISA Severity Level 2

Description

Any vulnerability, the exploitation of which has a potential to result in loss of Confidentiality, Availability, or Integrity.

Reference Item Details

Category: Severity Level

Audit Items


Name | Plugin | Audit Name
1.001 - Physical security of the Automated Information System (AIS) does not meet DISA requirements. | Windows | DISA Windows Vista STIG v6r41
1.007 - Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks. | Windows | DISA Windows Vista STIG v6r41
1.7 Declare an EJB authorization policy for deployed applications | Unix | Redhat JBoss EAP 5.x
1.008 - Shared user accounts are permitted on the system. | Windows | DISA Windows Vista STIG v6r41
1.15 - Ensure IBM JRE 1.6 is configured correctly - 'policy.provider = sun.security.provider.PolicyFile' | Unix | Redhat JBoss EAP 5.x
1.17 The allRolesMode must be configured to 'strict' - 'allRolesMode = strict' | Unix | Redhat JBoss EAP 5.x
1.19 - Remove, rename, or comment out the default user accounts from production servers - 'JBossWS password != empty' | Unix | Redhat JBoss EAP 5.x
1.19 - Remove, rename, or comment out the default user accounts from production servers - 'JBossWS principal != sa' | Unix | Redhat JBoss EAP 5.x
1.19 - Remove, rename, or comment out the default user accounts from production servers - 'JBossWS userName != sa' | Unix | Redhat JBoss EAP 5.x
1.19 - Remove, rename, or comment out the default user accounts from production servers - 'jbossws-users.properties - kermit' | Unix | Redhat JBoss EAP 5.x
1.19 - Remove, rename, or comment out the default user accounts from production servers - 'jmx-console password != empty' | Unix | Redhat JBoss EAP 5.x
1.19 - Remove, rename, or comment out the default user accounts from production servers - 'jmx-console principal != sa' | Unix | Redhat JBoss EAP 5.x
1.19 - Remove, rename, or comment out the default user accounts from production servers - 'jmx-console userName != sa' | Unix | Redhat JBoss EAP 5.x
1.19 - Remove, rename, or comment out the default user accounts from production servers - 'jmx-console-users.properties - admin' | Unix | Redhat JBoss EAP 5.x
1.19 - Remove, rename, or comment out the default user accounts from production servers - 'messaging-users.properties - guest' | Unix | Redhat JBoss EAP 5.x
1.20 - Remove default roles from production servers - 'admin-console default role != JBossAdmin|HttpInvoker|friend|guest' | Unix | Redhat JBoss EAP 5.x
1.20 - Remove default roles from production servers - 'console-mgr default role != JBossAdmin|HttpInvoker|friend|guest' | Unix | Redhat JBoss EAP 5.x
1.20 - Remove default roles from production servers - 'jmx-console default role != JBossAdmin|HttpInvoker|friend|guest' | Unix | Redhat JBoss EAP 5.x
1.22 DefaultCacheTimeout must be configured properly for active security domains - 'DefaultCacheTimeout <= 1800' | Unix | Redhat JBoss EAP 5.x
2.001 - Permissions for event logs must conform to minimum requirements - application.evtx | Windows | DISA Windows Vista STIG v6r41
2.001 - Permissions for event logs must conform to minimum requirements - security.evtx | Windows | DISA Windows Vista STIG v6r41
2.001 - Permissions for event logs must conform to minimum requirements - system.evtx | Windows | DISA Windows Vista STIG v6r41
2.1 Configure Java Security Manager to use an environment specific policy - 'JAVA_OPTS -Djava.security.manager -Djava.security.policy' | Unix | Redhat JBoss EAP 5.x
2.006 - ACLs for system files and directories do not conform to minimum requirements. - 'C:' | Windows | DISA Windows Vista STIG v6r41
2.006 - ACLS FOR SYSTEM FILES AND DIRECTORIES DO NOT CONFORM TO MINIMUM REQUIREMENTS. - 'C:\Program Files' | Windows | DISA Windows Vista STIG v6r41
2.006 - ACLS FOR SYSTEM FILES AND DIRECTORIES DO NOT CONFORM TO MINIMUM REQUIREMENTS. - 'C:\Windows' | Windows | DISA Windows Vista STIG v6r41
2.014 - ACLs for disabled services do not conform to minimum standards. | Windows | DISA Windows Vista STIG v6r41
2.015 - File share ACLs have not been reconfigured to remove the Everyone group. | Windows | DISA Windows Vista STIG v6r41
2.019 - Security-related Software Patches are not applied. | Windows | DISA Windows Vista STIG v6r41
2.021 - Remove Software Certificate Installation Files | Windows | DISA Windows Vista STIG v6r41
2.23 Ensure Security Audit Appender is enabled - 'Audit Appender = true' | Unix | Redhat JBoss EAP 5.x
2.24 Ensure Security Audit Provider is enabled - 'Audit Provider = true' | Unix | Redhat JBoss EAP 5.x
2.25 Ensure Configure SecurityInterceptor logging level is set correctly - 'org.jboss.ejb.plugins.SecurityInterceptor = true' | Unix | Redhat JBoss EAP 5.x
2.26 Ensure logging is enabled for Microcontainer bootstrap operations - 'SecurityInterceptor logging level = true' | Unix | Redhat JBoss EAP 5.x
2.27 - Ensure logging is enabled for web-based requests if required by deployed applications - 'AccessLogValve = true' | Unix | Redhat JBoss EAP 5.x
2.31 - Deny the JBoss process owner console access | Unix | Redhat JBoss EAP 5.x
2.32/2.33 - Set JBoss file ownership/permissions | Unix | Redhat JBoss EAP 5.x
3.011 - The required legal notice must be configured to display before console logon. | Windows | DISA Windows Vista STIG v6r41
3.028 - The built-in Windows password complexity policy must be enabled. | Windows | DISA Windows Vista STIG v6r41
3.032 - Ctrl+Alt+Del security attention sequence is Disabled. | Windows | DISA Windows Vista STIG v6r41
3.034 - Unencrypted passwords must not be sent to third-party SMB Servers. | Windows | DISA Windows Vista STIG v6r41
3.040 - Automatic logons must be disabled. | Windows | DISA Windows Vista STIG v6r41
3.042 - Outgoing secure channel traffic is not signed when possible. | Windows | DISA Windows Vista STIG v6r41
3.043 - Outgoing secure channel traffic is not encrypted when possible. | Windows | DISA Windows Vista STIG v6r41
3.045 - The Windows SMB client is not enabled to perform SMB packet signing when possible. | Windows | DISA Windows Vista STIG v6r41
3.046 - The Windows SMB server is not enabled to perform SMB packet signing when possible. | Windows | DISA Windows Vista STIG v6r41
3.047 - The Smart Card removal option is set to take no action. | Windows | DISA Windows Vista STIG v6r41
3.052 - Ejection of removable NTFS media is not restricted to Administrators. | Windows | DISA Windows Vista STIG v6r41
3.057 - Reversible password encryption is not disabled. | Windows | DISA Windows Vista STIG v6r41
3.070 - The system is configured to permit storage of credentials or .NET Passports. | Windows | DISA Windows Vista STIG v6r41