f:["$","div",null,{"className":"mx-auto max-w-7xl p-6","children":[["$","div",null,{"className":"mb-2","children":["$","$L2",null,{"href":"/stigs","className":"text-brand text-sm hover:underline","children":"← Back to STIGs"}]}],["$","div",null,{"className":"mb-4 flex flex-wrap items-center gap-3","children":[["$","h1",null,{"className":"text-3xl font-bold","children":"Application Security and Development Security Technical Implementation Guide"}],false,["$","$L1a",null,{}]]}],["$","section",null,{"className":"mb-8 rounded-lg border border-gray-200 bg-white p-6","children":[["$","div",null,{"className":"grid grid-cols-2 gap-4 sm:grid-cols-4","children":[["$","div",null,{"children":[["$","p",null,{"className":"text-xs text-gray-500","children":"Version"}],["$","p",null,{"className":"font-semibold","children":["V","6","R","4"]}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-xs text-gray-500","children":"Benchmark ID"}],["$","p",null,{"className":"font-mono text-sm","children":"Application_Security_Development_STIG"}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-xs text-gray-500","children":"Total Checks"}],["$","p",null,{"className":"font-semibold","children":286}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-xs text-gray-500","children":"Tags"}],["$","div",null,{"className":"flex flex-wrap gap-1","children":[["$","span","application",{"className":"rounded-full bg-gray-100 px-2 py-0.5 text-xs text-gray-700","children":"application"}]]}]]}]]}],["$","div",null,{"className":"mt-4 flex gap-4","children":[["$","span",null,{"className":"rounded bg-red-100 px-3 py-1 text-sm font-medium text-red-800","children":["CAT I: ",34]}],["$","span",null,{"className":"rounded bg-yellow-100 px-3 py-1 text-sm font-medium text-yellow-800","children":["CAT II: ",230]}],["$","span",null,{"className":"rounded bg-blue-100 px-3 py-1 text-sm font-medium text-blue-800","children":["CAT III: ",22]}]]}],["$","p",null,{"className":"mt-4 text-sm text-gray-600","children":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil."}],["$","div",null,{"className":"mt-4 flex gap-3","children":[["$","a",null,{"href":"/api/export/checklist?stigTitle=Application%20Security%20and%20Development%20Security%20Technical%20Implementation%20Guide&format=ckl","className":"rounded border px-3 py-1 text-sm text-gray-700 hover:bg-gray-50","children":"Export CKL"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=Application%20Security%20and%20Development%20Security%20Technical%20Implementation%20Guide&format=csv","className":"rounded border px-3 py-1 text-sm text-gray-700 hover:bg-gray-50","children":"Export CSV"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=Application%20Security%20and%20Development%20Security%20Technical%20Implementation%20Guide&format=json","className":"rounded border px-3 py-1 text-sm text-gray-700 hover:bg-gray-50","children":"Export JSON"}]]}]]}],["$","$L1b",null,{"checks":[{"id":"0f37ce23-a34e-47cf-a443-0d74324dc614","vulnId":"V-222387","severity":"medium","ruleTitle":"The application must provide a capability to limit the number of logon sessions per user.","description":"Application management includes the ability to control the number of users and user sessions that utilize an application. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks.\n\nThis requirement may be met via the application or by utilizing information system session control provided by a web server or other underlying solution that provides specialized session management capabilities.\n\nIf it has been specified that this requirement will be handled by the application, the capability to limit the maximum number of concurrent single user sessions must be designed and built into the application.\n\nThis requirement addresses concurrent sessions for individual system accounts and does not address concurrent sessions by single users via multiple system accounts.\n\nThe maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.","checkContent":"For production environments; Review the system documentation, identify the number of application user logon sessions allowed per user, identify the methods utilized for user session management or have application administrator describe how the application implements user session management.\n\nUtilize the management interface that is used to set the user session values, or examine configuration files in order to review user session configuration settings.\n\nEnsure the number of sessions allowed per user is specified in accordance with the organizational requirements.\n\nFor development environments; have the developer provide design documentation or demonstrate how the application is designed to limit the number of simultaneous user logon sessions.\n\nIf the application is not configured to limit the number of logon sessions per user as defined by the organization, this is a finding.","fixText":"Design and configure the application to specify the number of logon sessions that are allowed per user."},{"id":"dababbde-1993-4bd3-9364-3e9657508a33","vulnId":"V-222388","severity":"medium","ruleTitle":"The application must clear temporary storage and cookies when the session is terminated.","description":"Persistent cookies are a primary means by which a web application will store application state and user information. Since HTTP is a stateless protocol, this persistence allows the web application developer to provide a robust and customizable user experience.\n\nHowever, if a web application stores user authentication information within a persistent cookie or other temporary storage mechanism, this information can be stolen and used to compromise the users account.\n\nLikewise, HTML 5 provides the developer with a client storage capability where application data larger than the 4K cookie size limit can be stored on the local client. While this can be beneficial to the developer, this is considered insecure storage and should not be used for storing sensitive session or security tokens. A cross site scripting attack can put this data at risk.\n\nWeb applications must clear sensitive data from files and storage areas on the client when the session is terminated.","checkContent":"$1c","fixText":"Design and configure the application to clear sensitive data from cookies and local storage when the user logs out of the application."},{"id":"d2e3fc4f-147e-4420-addb-39e9d9f8be20","vulnId":"V-222389","severity":"medium","ruleTitle":"The application must automatically terminate the non-privileged user session and log off non-privileged users after a 15 minute idle time period has elapsed.","description":"Leaving a user’s application session established for an indefinite period of time increases the risk of session hijacking.\n\nSession termination terminates an individual user's logical application session after 15 minutes of application inactivity at which time the user must re-authenticate and a new session must be established if the user desires to continue work in the application.","checkContent":"Ask the application representative to demonstrate the configuration setting where the idle time out value is defined.\n\nAlternatively, logon with a regular application user account and let the session sit idle for 15 minutes.\n\nAttempt to access the application after 15 minutes of inactivity.\n\nIf the configuration setting is not set to time out user sessions after 15 minutes of inactivity, or if the regular user session used for testing does not time out after 15 minutes of inactivity, this is a finding.","fixText":"Design and configure the application to terminate the non-privileged users session after 15 minutes of inactivity."},{"id":"7943fad8-93ee-4302-84fe-1d61b42b1a3e","vulnId":"V-222390","severity":"medium","ruleTitle":"The application must automatically terminate the admin user session and log off admin users after a 10 minute idle time period is exceeded.","description":"Leaving an admin user's application session established for an indefinite period of time increases the risk of session hijacking.\n\nSession termination terminates an individual user's logical application session after 10 minutes of application inactivity at which time the user must re-authenticate and a new session must be established if the user desires to continue work in the application.","checkContent":"Ask the application representative to demonstrate the application configuration setting where the idle time out value is defined for admin users.\n\nAlternatively, logon with an admin user account and let the session sit idle for 10 minutes.\n\nAttempt to access the application after 10 minutes of inactivity.\n\nIf the configuration setting is not set to time out admin user sessions after 10 minutes of inactivity, or if the session used for testing does not time out after 10 minutes of inactivity, this is a finding.","fixText":"Design and configure the application to terminate the admin users session after 10 minutes of inactivity."},{"id":"db37deb1-2023-4513-b162-3fc9d304a6f3","vulnId":"V-222391","severity":"medium","ruleTitle":"Applications requiring user access authentication must provide a logoff capability for user initiated communication session.","description":"If a user cannot explicitly end an application session, the session may remain open and be exploited by an attacker. Applications providing user access must provide the ability for users to manually terminate their sessions and log off.","checkContent":"If the application does not provide an interface for interactive user access, this is not applicable.\n\nLog on to the application with a valid user account. Examine the user interface. Identify the command or link that provides the logoff function.\n\nActivate the user logoff function.\n\nObserve user interface and attempt to interact with the application. Confirm user interaction with the application is no longer possible.\n\nIf the user session is not terminated or if the logoff function does not exist, this is a finding.","fixText":"Design and configure the application to provide all users with the capability to manually terminate their application session."},{"id":"caa5f2ce-921c-4662-8402-a34a91e12f45","vulnId":"V-222392","severity":"low","ruleTitle":"The application must display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions.","description":"If a user is not explicitly notified that their application session has been terminated, they cannot be certain that their session did not remain open. Applications with a user access interface must provide an explicit logoff message to the user upon successful termination of the user session.","checkContent":"If the application does not provide an interface for interactive user access, this is not applicable.\n\nLog on to the application with a valid user account. Examine the user interface. Identify the command or link that provides the logoff function.\n\nActivate the user logoff function.\n\nIf the application does not provide an explicit logoff message indicating the user session has been terminated, this is a finding.","fixText":"Design and configure the application to provide an explicit logoff message to users indicating a successful logoff has occurred upon user session termination."},{"id":"53a60a2c-6305-46ba-b27e-56602a126de0","vulnId":"V-222393","severity":"medium","ruleTitle":"The application must associate organization-defined types of security attributes having organization-defined security attribute values with information in storage.","description":"$1d","checkContent":"Review the application documentation and interview the application administrator.\n\nDetermine if the application processes classified, CUI, or other data that is required to be marked and identify if the application requirements specify data markings of any other types of data.\n\nIf the application does not contain classified, CUI, or other data that is required to be marked, this requirement is not applicable.\n\nReview the database or other storage mechanism and have the application administrator identify and demonstrate how the application assigns and maintains data markings while the data is in storage.\n\nTypical methods for marking data include using a table or data base field that contains the marking information and associating the marking information with the data.\n\nIf application data required to be marked is not marked and does not retain its marking while it is being stored, this is a finding.","fixText":"Design and configure the application to assign data marking and ensure the marking is retained when the data is stored."},{"id":"ca9f01e7-bc32-4a57-9dc9-14b25e314b97","vulnId":"V-222394","severity":"medium","ruleTitle":"The application must associate organization-defined types of security attributes having organization-defined security attribute values with information in process.","description":"Without the association of security attributes to information, there is no basis for the application to make security-related access control decisions.\n\nSecurity attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.\n\nThese attributes are typically associated with internal data structures (e.g., records, buffers, files) within the information system and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy.\n\nOne example includes marking data as classified or CUI. These security attributes may be assigned manually or during data processing but either way, it is imperative these assignments are maintained while the data is in process. If the security attributes are lost when the data is being processed, there is the risk of a data compromise.","checkContent":"$1e","fixText":"Design and configure the application to retain the data marking when processing data."},{"id":"b3e16226-4f93-4ce5-80d0-902294781b6f","vulnId":"V-222395","severity":"medium","ruleTitle":"The application must associate organization-defined types of security attributes having organization-defined security attribute values with information in transmission.","description":"$1f","checkContent":"$20","fixText":"Design and configure the application to retain the data marking when transmitting data."},{"id":"46f3ced1-ec54-426e-8a67-fd811a009a6a","vulnId":"V-222396","severity":"medium","ruleTitle":"The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions.","description":"Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.\n\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nEncryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection thereby providing a degree of confidentiality. The encryption strength of mechanism is selected based on the security categorization of the information.","checkContent":"Review the application documentation and interview the system administrator.\n\nIdentify the application encryption capabilities and methods for implementing encryption protection.\n\nFor web based applications; open the web browser and access the website URL. Use the browser and determine if the session is protected via TLS. A secure connection is usually indicated in the upper left hand corner of the URL by a padlock icon. Click on the padlock icon and examine the connection information. Determine if TLS encryption is used to secure the session.\n\nFor non-web based applications, determine the TCP/IP port, protocol and method used for establishing client connections to the remote server. Review application configuration settings to ensure encryption is specified and via TLS.\n\nIf the connection is not secured with TLS, this is a finding.","fixText":"Design and configure applications to use TLS encryption to protect the confidentiality of remote access sessions."},{"id":"b3ed1c4b-e03f-40cb-8e73-77311ebc8ed8","vulnId":"V-222397","severity":"medium","ruleTitle":"The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.","description":"Without integrity protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.\n\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nEncryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection. Without integrity protection mechanisms, unauthorized individuals may be able to insert inauthentic content into a remote session. The encryption strength of mechanism is selected based on the security categorization of the information.","checkContent":"Review the application documentation and interview the system administrator.\n\nIdentify the application encryption capabilities and methods for implementing encryption protection.\n\nFor web based applications; open the web browser and access the website URL. Use the browser and determine if the session is protected via TLS. A secure connection is usually indicated in the upper left hand corner of the URL by a padlock icon. Click on the padlock icon and examine the connection information. Determine if TLS encryption is used to secure the session.\n\nFor non-web based applications, determine the TCP/IP port, protocol and method used for establishing client connections to the remote server. Review application configuration settings to ensure encryption is specified and via TLS.\n\nIf the connection is not secured with TLS, this is a finding.","fixText":"Design and configure applications to use TLS encryption to protect the integrity of remote access sessions."},{"id":"c9e7fce1-e1d9-46f2-93b9-433169dbc509","vulnId":"V-222398","severity":"medium","ruleTitle":"Applications with SOAP messages requiring integrity must include the following message elements:-Message ID-Service Request-Timestamp-SAML Assertion (optionally included in messages) and all elements of the message must be digitally signed.","description":"Digitally signed SOAP messages provide message integrity and authenticity of the signer of the message independent of the transport layer. Service requests may be intercepted and changed in transit and the data integrity may be at risk if the SOAP message is not digitally signed.\n\nFunctional architecture aspects of the application security plan identify the application data elements that require data integrity protection.","checkContent":"Review the application documentation, system security plan, application architecture diagrams and interview the application administrator.\n\nReview the design document for web services using SOAP messages.\n\nIf the application does not utilize SOAP messages, this check is not applicable.\n\nReview the design document and SOAP messages.\nVerify the Message ID, Service Request, Timestamp, and SAML Assertion are included in the SOAP message.\nIf they are included, verify they are signed with a certificate.\n\nIf SOAP messages requiring integrity do not have the Message ID, Service Request, Timestamp, and SAML Assertion signed, or if any part of the message is not digitally signed, this is a finding.","fixText":"Design and configure the application to sign the following message elements for SOAP messages requiring integrity:\n\n- Message ID\n- Service Request\n- Timestamp\n- SAML Assertion\n- Message elements"},{"id":"c4e23f24-cc82-4939-8232-8bf1b60eda6f","vulnId":"V-222399","severity":"high","ruleTitle":"Messages protected with WS_Security must use time stamps with creation and expiration times.","description":"The lack of time stamps could lead to the eventual replay of the message, leaving the application susceptible to replay events which may result in an immediate loss of confidentiality.","checkContent":"Ask the application representative for the design document. Review the design document for web services using WS-Security tokens.\n\nIf the application does not utilize WS-Security tokens, this check is not applicable.\n\nExamine the contents of a SOAP message using WS Security; all messages should contain time stamps, sequence numbers, and expiration.\n\nIf messages using WS Security do not contain time stamps, sequence numbers, and expiration, this is a finding.","fixText":"Design and configure applications using WS-Security messages to use time stamps with creation and expiration times and sequence numbers."},{"id":"b343e96b-b4e2-444b-9525-f0ceb153f8a5","vulnId":"V-222400","severity":"high","ruleTitle":"Validity periods must be verified on all application messages using WS-Security or SAML assertions.","description":"When using WS-Security in SOAP messages, the application should check the validity of the time stamps with creation and expiration times. Time stamps that are not validated may lead to a replay event and provide immediate unauthorized access of the application. Unauthorized access results in an immediate loss of confidentiality.","checkContent":"Ask the application representative for the design document.\n\nReview the design document for web services.\n\nIf the application does not utilize WSS or SAML assertions, this requirement is not applicable.\n\nReview the design document and verify validity periods are checked on all messages using WS-Security or SAML assertions.\n\nIf the design document does not exist, or does not indicate validity periods are checked on messages using WS-Security or SAML assertions, this is a finding.","fixText":"Design and configure the application to use validity periods, ensure validity periods are verified on all WS-Security token profiles and SAML Assertions."},{"id":"c7ee07df-bbd1-4726-a8d1-8ecf462247c6","vulnId":"V-222401","severity":"medium","ruleTitle":"The application must ensure each unique asserting party provides unique assertion ID references for each SAML assertion.","description":"SAML is a standard for exchanging authentication and authorization data between security domains. SAML uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, (identity provider), and a SAML consumer, (service provider). SAML assertions are usually made about a subject, (user) represented by the element. SAML assertion identifiers should be unique across a system implementation. Duplicate SAML assertion identifiers could lead to unauthorized access to a web service.","checkContent":"Ask the application representative for the design document.\n\nReview the design document for web services using SAML assertions.\n\nIf the application does not utilize SAML assertions, this check is not applicable.\n\nReview the design document and verify SAML assertion identifiers are not reused by a single asserting party.\n\nIf the design document does not exist, or does not indicate SAML assertion identifiers which are unique for each asserting party, this is a finding.","fixText":"Design and configure each SAML assertion authority to use unique assertion identifiers."},{"id":"6f8ac30f-8431-404e-a1de-f6eed3fa9873","vulnId":"V-222402","severity":"medium","ruleTitle":"The application must ensure encrypted assertions, or equivalent confidentiality protections are used when assertion data is passed through an intermediary, and confidentiality of the assertion data is required when passing through the intermediary.","description":"SAML is a standard for exchanging authentication and authorization data between security domains. SAML uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, (identity provider), and a SAML consumer, (service provider). SAML assertions are usually made about a subject, (user) represented by the element. \n\nThe confidentially of the data in a message as the message is passed through an intermediary web service may be required to be restricted by the intermediary web service. The intermediary web service may leak or distribute the data contained in a message if not encrypted or protected.","checkContent":"Ask the application representative for the design document.\n\nReview the design document for web services using WS-Security tokens. \n\nIf the application does not utilize WS-Security tokens, this check is not applicable.\n\nVerify all WS-Security tokens are transmitted via an approved encryption method.\n\nIf the design document does not exist, or does not indicate all WS-Security tokens are only transmitted via an approved encryption method, this is a finding.","fixText":"Encrypt assertions or use equivalent confidentiality when sensitive assertion data is passed through an intermediary."},{"id":"eef0423d-3479-40d4-b310-e8d317f13aac","vulnId":"V-222403","severity":"high","ruleTitle":"The application must use the NotOnOrAfter condition when using the SubjectConfirmation element in a SAML assertion.","description":"SAML is a standard for exchanging authentication and authorization data between security domains. SAML uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, (identity provider), and a SAML consumer, (service provider). SAML assertions are usually made about a subject, (user) represented by the element.\n\nWhen a SAML assertion is used with a element, a begin and end time for the should be set to prevent reuse of the message at a later time. Not setting a specific time period for the , may grant immediate access to an attacker and result in an immediate loss of confidentiality.","checkContent":"Ask the application representative for the design document.\n\nReview the design document for web services using SAML assertions.\n\nIf the application does not utilize SAML assertions, this check is not applicable.\n\nExamine the contents of a SOAP message using the <SubjectConfirmation> element. All messages should contain the <NotOnOrAfter> element. This can be accomplished if the application allows the ability to view XML messages or via a protocol analyzer like Wireshark.\n\nIf SOAP messages do not contain <NotOnOrAfter> elements, this is a finding.","fixText":"Design and configure the application to use the <NotOnOrAfter> condition when using the <SubjectConfirmation> element in a SAML assertion."},{"id":"338680fe-4f56-49e7-b8f7-0c7d9ca2c2c2","vulnId":"V-222404","severity":"high","ruleTitle":"The application must use both the NotBefore and NotOnOrAfter elements or OneTimeUse element when using the Conditions element in a SAML assertion.","description":"SAML is a standard for exchanging authentication and authorization data between security domains. SAML uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, (identity provider), and a SAML consumer, (service provider). SAML assertions are usually made about a subject, (user) represented by the element.\n\nWhen a SAML assertion is used with a element, a begin and end time for the element should be set in order to specify a timeframe in which the assertion is valid. Not setting a specific time period for the element, the possibility exists of granting immediate access or elevated privileges to an attacker which results in an immediate loss of confidentiality.","checkContent":"Ask the application representative for the design document.\n\nReview the design document for web services using SAML assertions.\n\nIf the application does not utilize SAML assertions, this check is not applicable.\n\nExamine the contents of a SOAP message using the <Conditions> element; all messages should contain the <NotBefore> and <NotOnOrAfter> or <OneTimeUse> element when in a SAML Assertion. This can be accomplished using a protocol analyzer such as Wireshark.\n\nIf SOAP using the <Conditions> element does not contain <NotBefore> and <NotOnOrAfter> or <OneTimeUse> elements, this is a finding.","fixText":"Design and configure the application to implement the use of the <NotBefore> and <NotOnOrAfter> or <OneTimeUse> when using the <Conditions> element in a SAML assertion."},{"id":"27831816-ab96-4430-a5d3-b529bdbedf01","vulnId":"V-222405","severity":"medium","ruleTitle":"The application must ensure if a OneTimeUse element is used in an assertion, there is only one of the same used in the Conditions element portion of an assertion.","description":"Multiple elements used in a SAML assertion can lead to elevation of privileges, if the application does not process SAML assertions correctly.","checkContent":"Ask the application representative for the design document.\n\nReview the design document for web services using SAML assertions.\n\nIf the application does not utilize SAML assertions, this check is not applicable.\n\nExamine the contents of a SOAP message using the OneTimeUse element; all messages should contain only one instance of a <OneTimeUse> element in a SAML assertion. This can be accomplished using a protocol analyzer such as Wireshark.\n\nIf SOAP message uses more than one, OneTimeUse element in a SAML assertion, this is a finding.","fixText":"When using OneTimeUse elements in a SAML assertion only allow one, OneTimeUse element to be used in the conditions element of a SAML assertion."},{"id":"40463daf-3051-4eeb-93f4-b1c01365b0c8","vulnId":"V-222406","severity":"medium","ruleTitle":"The application must ensure messages are encrypted when the SessionIndex is tied to privacy data.","description":"When the SessionIndex is tied to privacy data (e.g., attributes containing privacy data) the message should be encrypted. If the message is not encrypted there is the possibility of compromise of privacy data.","checkContent":"Ask the application representative for the design document.\n\nReview the design document for web services using SAML assertions.\n\nIf the application does not utilize SAML assertions, this check is not applicable.\n\nExamine the contents of a SOAP message using a SessionIndex in the SAML element AuthnStatement. Verify the information which is tied to the SessionIndex.\n\nIf the SessionIndex is tied to privacy information, and it is not encrypted, this is a finding.","fixText":"Encrypt messages when the SessionIndex is tied to privacy data."},{"id":"70095273-687f-4593-a193-39601b8c7f35","vulnId":"V-222407","severity":"medium","ruleTitle":"The application must provide automated mechanisms for supporting account management functions.","description":"$21","checkContent":"$22","fixText":"Use automated processes and mechanisms for account management functions."},{"id":"26539b9c-6e26-4aa2-8530-97e16d047bef","vulnId":"V-222408","severity":"medium","ruleTitle":"Shared/group account credentials must be terminated when members leave the group.","description":"If shared/group account credentials are not terminated when individuals leave the group, the user that left the group can still gain access even though they are no longer authorized. A shared/group account credential is a shared form of authentication that allows multiple individuals to access the application using a single account. There may also be instances when specific user actions need to be performed on the information system without unique user identification or authentication. Examples of credentials include passwords and group membership certificates.","checkContent":"Review the application documentation and determine if there is a requirement for shared or group accounts.\n\nIf there is no official requirement for shared or group application accounts, this requirement is Not Applicable.\n\nInterview the application representative and identify shared/group accounts.\n\nHave the application representative provide their procedures for account management as it pertains to group users.\n\nValidate there is a procedure for deleting either member accounts or the entire group account when member leave the group.\n\nIf there is no process for handling group account credentials, this is a finding.","fixText":"Create a procedure for deleting either member accounts or the entire group account when members leave the group."},{"id":"7d05c0dc-26b6-4b9c-aef4-212aaf6e76fa","vulnId":"V-222409","severity":"medium","ruleTitle":"The application must automatically remove or disable temporary user accounts 72 hours after account creation.","description":"If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.\n\nTemporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation.\n\nIf temporary accounts are used, the application must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours starting from the point of account creation.\n\nTo address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.","checkContent":"If official documentation exist that disallows the use of temporary user accounts within the application, this requirement is not applicable.\n\nExamine the application documentation or interview the application representative to identify how the application users are managed.\n\nNavigate to the screen where user accounts are configured.\n\nCreate a test account and determine if there is a setting to specify the user account as being temporary in nature.\n\nDetermine if there is an available setting to expire the account after a period of time.\n\nIf the application has no ability to specify a user account as being temporary in nature, or if the account has no ability to automatically disable or remove the account after 72 hours after account creation, this is a finding.","fixText":"Configure temporary accounts to be automatically removed or disabled after 72 hours after account creation."},{"id":"76cfd45b-a267-4cd7-a347-f40ea686313b","vulnId":"V-222410","severity":"low","ruleTitle":"The application must have a process, feature or function that prevents removal or disabling of emergency accounts.","description":"$23","checkContent":"Review the application documentation and interview the application administrator. Identify if emergency accounts are ever used. \n\nIf emergency accounts are not used, this requirement is not applicable.\n\nIf emergency accounts are used, validate a procedure, process, feature or function exists that will prevent the emergency account from being deleted or disabled during a crisis situation.\n\nExamples include but are not limited to adding a flag to the account to ensure it is not deleted during a specified emergency period or placing the account in a designated group that is monitored and controlled in accordance with the crisis.\n\nIf a process, procedure, function or feature designed to prevent emergency accounts from being deleted or disabled during a crisis situation is not available, this is a finding.","fixText":"Identify accounts that are created in an emergency situation and ensure procedures or processes are in place to prevent disabling or deleting the account while the emergency is underway."},{"id":"62251fb1-6f3a-4fbb-abef-0ec69f5c4be7","vulnId":"V-222411","severity":"low","ruleTitle":"The application must automatically disable accounts after a 35 day period of account inactivity.","description":"$24","checkContent":"Examine the application documentation or interview the application representative to identify how the application users are managed.\n\nInterview the application administrator and determine if the application is configured to utilize a centralized user management system like Active Directory (AD) for user management or if the application manages user accounts within the application.\n\nIf the application is configured to use an enterprise-based application user management capability that is STIG compliant, the requirement is not applicable.\n\nIf the application handles the management tasks for user accounts, access the applications user management utility.\n\nNavigate to the screen where user accounts are configured to be disabled after 35 days of inactivity.\n\nConfirm this setting is active.\n\nIf the application is not set to expire inactive accounts after 35 days, or if the application has no ability to expire accounts after 35 days of inactivity, this is a finding.","fixText":"Design and configure the application to expire user accounts after 35 days of inactivity."},{"id":"78491045-9836-4beb-a9b6-88833a5ae264","vulnId":"V-222412","severity":"medium","ruleTitle":"Unnecessary application accounts must be disabled, or deleted.","description":"Test or demonstration accounts are sometimes created during the application installation process. This creates a security risk as these accounts often remain after the initial installation process and can be used to gain unauthorized access to the application. Applications must be designed and configured to disable or delete any unnecessary accounts that may be created. \n\nCare must be taken to ensure valid accounts used for valid application operations are not disabled or deleted when this requirement is applied.","checkContent":"Review the system documentation and identify any valid application accounts that are required in order for the application to operate. Accounts the application itself uses in order to function are not in scope for this requirement.\n\nHave the application administrator generate a list of all application users. This should include relevant user metadata such as phone numbers or department identifiers.\n\nHave the application administrator identify and validate all user accounts.\n\nIf any accounts cannot be validated and are deemed to be unnecessary, this is a finding.","fixText":"Design the application so unessential user accounts are not created during installation. Disable or delete all unnecessary application user accounts."},{"id":"f2537816-be80-467a-9958-8786b54f8843","vulnId":"V-222413","severity":"medium","ruleTitle":"The application must automatically audit account creation.","description":"Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail documents the creation of application user accounts and, as required, notifies administrators and/or application owners exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.\n\nTo address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.","checkContent":"Examine the application documentation to identify how the application users are managed.\n\nInterview the application administrator and determine if the application is configured to utilize a centralized user management system like Active Directory for user management or if the application manages user accounts within the application.\n\nIf the application is configured to use an enterprise-based application user management capability that is STIG compliant, the requirement is not applicable.\n\nIdentify the location of the audit logs and review the end of the logs.\n\nAccess the user account management functionality and create a new user account.\n\nExamine the log file again and determine if the account creation event was logged. The information logged should, at a minimum, include enough detail to determine which account was created and when.\n\nIf the account creation event was not logged, this is a finding.","fixText":"Configure the application to write a log entry when a new user account is created.\n\nAt a minimum, ensure account name, date and time of the event are recorded."},{"id":"5cb49bf8-93ff-442b-972c-d4c405eb66ec","vulnId":"V-222414","severity":"medium","ruleTitle":"The application must automatically audit account modification.","description":"One way for an attacker to establish persistent access is for the attacker to modify or copy an existing account. Auditing of account modification is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail documents the modification of application user accounts. Such a process greatly reduces the risk that accounts will be surreptitiously modified and provides logging that can be used for forensic purposes.\n\nTo address account requirements and to ensure application accounts follow requirements consistently, application developers are strongly encouraged to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.","checkContent":"Examine the application documentation to identify how the application users are managed.\n\nInterview the application administrator and determine if the application is configured to utilize a centralized user management system like Active Directory for user management or if the application manages user accounts within the application.\n\nIf the application is configured to use an enterprise-based application user management capability that is STIG compliant, the requirement is not applicable.\n\nIdentify the location of the audit logs and review the end of the logs.\n\nAccess the user account management functionality and modify a test user account.\n\nExamine the log file again and determine if the account event was logged. The information logged should, at a minimum, include enough detail to determine which account was modified and when.\n\nIf the account modification event information was not logged, this is a finding.","fixText":"Configure the application to write a log entry when a user account is modified.\n\nAt a minimum, ensure account name, date and time of the event are recorded."},{"id":"3ecbf375-6095-4c4b-ad89-9cceec90f188","vulnId":"V-222415","severity":"medium","ruleTitle":"The application must automatically audit account disabling actions.","description":"When application accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves. In order to detect and respond to events affecting user accessibility and application processing, applications must audit account disabling actions and, as required, notify the appropriate individuals, so they can investigate the event. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. \n\nApplication developers are encouraged to integrate their applications with enterprise-level authentication/access/audit mechanisms such as Syslog, Active Directory or LDAP.","checkContent":"Examine the application documentation to identify how the application users are managed.\n\nInterview the application administrator and determine if the application is configured to utilize a centralized user management system like Active Directory for user management or if the application manages user accounts within the application.\n\nIf the application is configured to use an enterprise-based application user management capability that is STIG compliant, the requirement is not applicable.\n\nIdentify the location of the audit logs and review the end of the logs.\n\nAccess the user account management functionality and disable a test user account.\n\nExamine the log file again and determine if the account disable event was logged. The information logged should, at a minimum, include enough detail to determine which account was disabled and when.\n\nIf the account disabling event information was not logged, this is a finding.","fixText":"Configure the application to write a log entry when a user account is disabled.\n\nAt a minimum, ensure account name, date and time of the event are recorded."},{"id":"17c43806-2589-478b-9724-03f1918499cb","vulnId":"V-222416","severity":"medium","ruleTitle":"The application must automatically audit account removal actions.","description":"When application accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves. In order to detect and respond to events affecting user accessibility and application processing, applications must audit account removal actions and, as required, notify the appropriate individuals, so they can investigate the event. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes.\n\nApplication developers are encouraged to integrate their applications with enterprise-level authentication/access/audit mechanisms such as Syslog, Active Directory or LDAP.","checkContent":"Examine the application documentation to identify how the application users are managed.\n\nInterview the application administrator and determine if the application is configured to utilize a centralized user management system like Active Directory for user management or if the application manages user accounts within the application.\n\nIf the application is configured to use an enterprise-based application user management capability that is STIG compliant, the requirement is not applicable.\n\nIdentify the location of the audit logs and review the end of the logs.\n\nAccess the user account management functionality and remove a test user account.\n\nExamine the log file again and determine if the account removal event was logged. The information logged should, at a minimum, include enough detail to determine which account was disabled and when.\n\nIf the account removal event information was not logged, this is a finding.","fixText":"Configure the application to write a log entry when a user account is removed.\n\nAt a minimum, ensure account name, date and time of the event are recorded."},{"id":"8a3a8ce5-1f2b-43ea-8d26-f9740f3dc9ba","vulnId":"V-222417","severity":"low","ruleTitle":"The application must notify system administrators (SAs) and information system security officers (ISSOs) when accounts are created.","description":"Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Notification of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and ISSOs such accounts exist. This type of process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.\n\nTo address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to offload those access control functions and focus on core application features and functionality.","checkContent":"Review the application and system documentation.\n\nInterview the application administrator and determine if the application is configured to utilize a centralized user management system like Active Directory for user management or if the application manages user accounts within the application.\n\nIf the application is configured to use an enterprise-based application user management capability that is STIG compliant, the requirement is Not Applicable.\n\nEnsure the application is configured to notify SAs when new accounts are created by identifying SAs who will be notified, creating a test account, and checking with SAs to verify the notification was received.\n\nIf SAs and ISSOs are not notified when accounts are created, this is a finding.","fixText":"Configure the application to notify the SA and the ISSO when application accounts are created."},{"id":"5a2983d1-96fd-4ac8-9082-49db3c1b8528","vulnId":"V-222418","severity":"low","ruleTitle":"The application must notify system administrators (SAs) and information system security officers (ISSOs) when accounts are modified.","description":"Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Notification of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the modification of application user accounts and notifies administrators and ISSOs such accounts were modified. This type of process greatly reduces the risk that accounts will be surreptitiously modified and provides logging that can be used for forensic purposes.\n\nTo address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to offload those access control functions and focus on core application features and functionality.","checkContent":"Review the application and system documentation.\n\nInterview the application administrator and determine if the application is configured to utilize a centralized user management system like Active Directory for user management or if the application manages user accounts within the application.\n\nIf the application is configured to use an enterprise-based application user management capability that is STIG compliant, this requirement is Not Applicable.\n\nEnsure the application is configured to notify SAs when accounts are modified by identifying the SAs who will be notified when accounts are modified.\n\nModify a test account and check with a SA to verify the notification was received.\n\nIf SAs and ISSOs are not notified when accounts are modified, this is a finding.","fixText":"Configure the application to notify the SA and the ISSO when application accounts are modified."},{"id":"3f5cfaab-67b8-40cc-a362-7fad37c37d1b","vulnId":"V-222419","severity":"low","ruleTitle":"The application must notify system administrators (SAs) and information system security officers (ISSOs) of account disabling actions.","description":"Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Notification of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and ISSOs such accounts exist. This type of process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.\n\nTo address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to offload those access control functions and focus on core application features and functionality.","checkContent":"Review the application and system documentation.\n\nInterview the application administrator and determine if the application is configured to utilize a centralized user management system like Active Directory for user management or if the application manages user accounts within the application.\n\nIf the application is configured to use an enterprise-based application user management capability that is STIG compliant, the requirement is Not Applicable.\n\nEnsure the application is configured to notify SAs when accounts are disabled by identifying the SAs who will be notified when accounts are disabled.\n\nDisable a test account and check with a SA to verify the notification was received.\n\nIf SAs and ISSOs are not notified when accounts are disabled, this is a finding.","fixText":"Configure the application to notify the SA and the ISSO when application accounts are disabled."},{"id":"d9b74a68-1a80-4366-a0ce-5cfc38eba198","vulnId":"V-222420","severity":"low","ruleTitle":"The application must notify system administrators (SAs) and information system security officers (ISSOs) of account removal actions.","description":"Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to remove an account. Notification of account removal is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the removal of application user accounts and notifies administrators and ISSOs such accounts no longer exist. This type of process greatly reduces the risk that accounts will be surreptitiously removed and provides logging that can be used for forensic purposes.\n\nTo address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to offload those access control functions and focus on core application features and functionality.","checkContent":"Review the application and system documentation.\n\nInterview the application administrator and determine if the application is configured to utilize a centralized user management system like Active Directory for user management or if the application manages user accounts within the application.\n\nIf the application is configured to use an enterprise-based application user management capability that is STIG compliant, the requirement is Not Applicable.\n\nEnsure the application is configured to notify SAs when accounts are removed by identifying the SAs who will be notified when accounts are removed.\n\nRemove a test account and check with a SA to verify the notification was received.\n\nIf SAs and ISSOs are not notified when accounts are removed, this is a finding.","fixText":"Configure the application to notify the SA and the ISSO when application accounts are removed."},{"id":"fe98e60e-17c6-4543-a2a8-06f48c6be28a","vulnId":"V-222421","severity":"medium","ruleTitle":"The application must automatically audit account enabling actions.","description":"When application accounts are enabled, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves. In order to detect and respond to events affecting user accessibility and application processing, applications must audit account removal actions and, as required, notify the appropriate individuals, so they can investigate the event. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes.\n\nApplication developers are encouraged to integrate their applications with enterprise-level authentication/access/audit mechanisms such as Syslog, Active Directory or LDAP.","checkContent":"Examine the application documentation or interview the application representative to identify how the application users are managed.\n\nInterview the application administrator and determine if the application is configured to utilize a centralized user management system such as Active Directory for user management or if the application manages user accounts within the application.\n\nIf the application is configured to use an enterprise-based application user management capability that is STIG compliant, the requirement is not applicable.\n\nIdentify the location of the audit logs and review the end of the logs.\n\nAccess the user account management functionality and enable a test user account.\n\nExamine the log file again and determine if the account enable event was logged. The information logged should, at a minimum, include enough detail to determine which account was enabled and when.\n\nIf the account enabling event information was not logged, this is a finding.","fixText":"Configure the application to write a log entry when a user account is enabled. \n\nAt a minimum, ensure account name, date and time of the event are recorded."},{"id":"ae1f5562-4194-4d6d-835d-52527c9d0b44","vulnId":"V-222422","severity":"low","ruleTitle":"The application must notify system administrators (SAs) and information system security officers (ISSOs) of account enabling actions.","description":"Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to enable an account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the enabling of application user accounts and notifies administrators and ISSOs such accounts exist. This type of process greatly reduces the risk that accounts will be surreptitiously enabled and provides logging that can be used for forensic purposes.\n\nTo address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to offload those access control functions and focus on core application features and functionality.","checkContent":"Review the application and system documentation.\n\nInterview application administrator and determine if the application is configured to utilize a centralized user management system like Active Directory for user management or if the application manages user accounts within the application.\n\nIf the application is configured to use an enterprise-based application user management capability that is STIG compliant, the requirement is Not Applicable.\n\nEnsure the application is configured to notify SAs when accounts are enabled by identifying the SAs who will be notified when accounts are enabled.\n\nDisable and then enable a test account and check with the SA to verify the notification was received to indicate the account was enabled.\n\nIf SAs and ISSOs are not notified when accounts are enabled, this is a finding.","fixText":"Configure the application to notify the SA and the ISSO when application accounts are enabled."},{"id":"72c8001a-7324-43e9-b117-144fda2bbe62","vulnId":"V-222423","severity":"medium","ruleTitle":"Application data protection requirements must be identified and documented.","description":"$25","checkContent":"Ask the application representative for the documentation that identifies the application data elements, the protection requirements, and any associated steps that are being taken to protect the data.\n\nIf the application data protection requirements are not documented, this is a finding.","fixText":"Identify and document the application data elements and the data protection requirements."},{"id":"2334bd28-e208-48f2-abb9-fe76695d68a7","vulnId":"V-222424","severity":"medium","ruleTitle":"The application must utilize organization-defined data mining detection techniques for organization-defined data storage objects to adequately detect data mining attempts.","description":"$26","checkContent":"Review the security plan, application and system documentation and interview the application administrator to identify data mining protections that are required of the application.\n\nIf there are no data mining protections required, this requirement is not applicable.\n\nReview the application authentication requirements and permissions.\n\nReview documented protections that have been established to protect from data mining.\n\nThis can include limiting the number of queries allowed.\n\nAutomated alarming on atypical query events.\n\nLimiting the number of records allowed to be returned in a query.\n\nNot allowing data dumps.\n\nIf the application requirements specify protections for data mining and the application administrator is unable to identify or demonstrate that the protections are in place, this is a finding.","fixText":"Utilize and implement data mining protections when requirements specify it."},{"id":"45ad1ba3-b4b6-46c5-96bf-5dd2aee80af6","vulnId":"V-222425","severity":"high","ruleTitle":"The application must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.","description":"$27","checkContent":"Review the application documentation and interview the application administrator.\n\nReview application data protection requirements.\n\nIdentify application resources that require protection and authentication over and above the authentication required to access the application itself.\n\nThis can be access to a URL, a folder, a file, a process or a database record that should only be available to certain individuals.\n\nIdentify the access control methods utilized by the application in order to control access to the resource.\n\nExamples include Role-Based Access Control policies (RBAC).\n\nUsing RBAC as an example, utilize a test account placed into a test role.\n\nSet a protection control on a resource and explicitly deny access to the role assigned to the test user account.\n\nTry to access an application resource that is not configured to allow access. Access should be denied.\n\nIf the enforcement of configured access restrictions is not performed, this is a finding.","fixText":"Design or configure the application to enforce access to application resources."},{"id":"e74e98d2-300f-4be0-bec9-8a959e9816ca","vulnId":"V-222426","severity":"medium","ruleTitle":"The application must enforce organization-defined discretionary access control policies over defined subjects and objects.","description":"$28","checkContent":"$29","fixText":"Design and configure the application to enforce discretionary access control policies."},{"id":"e332e6e8-d654-4214-8898-87866e9bae51","vulnId":"V-222427","severity":"medium","ruleTitle":"The application must enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.","description":"$2a","checkContent":"$2b","fixText":"Configure the application to enforce data flow control in accordance with data flow control policies."},{"id":"7983be8e-f6a0-4088-9038-ae3a8f7e9d35","vulnId":"V-222428","severity":"medium","ruleTitle":"The application must enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.","description":"$2c","checkContent":"$2d","fixText":"Configure the application to enforce data flow control in accordance with data flow control policies."},{"id":"a6261166-5729-4bfd-890a-369580aca680","vulnId":"V-222429","severity":"medium","ruleTitle":"The application must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.","description":"Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.\n\nPrivileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.","checkContent":"$2e","fixText":"Modify the application to limit access and prevent the disabling or circumvention of security safeguards."},{"id":"5cfec170-2a76-4650-a50e-09379f6bcb12","vulnId":"V-222430","severity":"high","ruleTitle":"The application must execute without excessive account permissions.","description":"Applications are often designed to utilize a user account. The account represents a means to control application permissions and access to OS resources, application resources or both. \n\nWhen the application is designed and installed, care must be taken not to assign excessive permissions to the user account that is used by the application. \n\nAn application operating with unnecessary privileges can potentially give an attacker access to the underlying operating system or if the privileges required for application execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by organizations.\n\nApplications must be designed and configured to operate with only those permissions that are required for proper operation.","checkContent":"Review the system documentation or interview the application representative and identify if the application utilizes an account in order to operate.\n\nDetermine the OS user groups in which each application account is a member. List the user rights assigned to these users and groups using relevant OS commands and evaluate whether any of them provide admin rights or if they are unnecessary or excessive. \n\nIf the application connects to a database, open an admin console to the database and view the database users, their roles and group rights.\n\nLocate the application user account used to access the database and examine the accounts privileges. This includes group privileges.\n\nIf the application user account has excessive OS privileges such as being in the admin group, database privileges such as being in the DBA role, has the ability to create, drop, alter the database (not application database tables), or if the application user account has other excessive or undefined system privileges, this is a finding.","fixText":"Configure the application accounts with minimalist privileges. Do not allow the application to operate with admin credentials."},{"id":"bdaf61e6-5ba5-4668-aed9-3e1a87e99754","vulnId":"V-222431","severity":"medium","ruleTitle":"The application must audit the execution of privileged functions.","description":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse, and identify the risk from insider threats and the advanced persistent threat.","checkContent":"Log on to the application as an administrative user.\n\nIdentify functionality within the application that requires utilizing the admin role.\n\nMonitor application logs while performing privileged functions within the application.\n\nPerform administrative types of tasks such as adding or modifying user accounts, modifying application configuration, or managing encryption keys.\n\nReview logs for entries that indicate the administrative actions performed were logged.\n\nEnsure the specific action taken, date and time or event is recorded.\n\nIf the execution of privileged functionality is not logged, this is a finding.","fixText":"Configure the application to write log entries when privileged functions are executed. At a minimum, ensure the specific action taken, date and time of event are recorded."},{"id":"594b1260-9724-45f1-8390-0863c2f44810","vulnId":"V-222432","severity":"high","ruleTitle":"The application must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period.","description":"By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced.\n\nLimits are imposed by locking the account.\n\nUser notification when three failed logon attempts are exceeded is an operational consideration determined by the application owner. In some instances the operational situation may dictate that no notice is to be provided to the user when their account is locked. In other situations, the user may be notified their account is now locked. This decision is left to the application owner based upon their operational scenarios.","checkContent":"All testing must be performed within a 15-minute window.\n\nLog on to the application with a test user account.\n\nIntentionally enter an incorrect user password or pin.\n\nRepeat 2 times within 15 minutes for a total of three failed attempts.\n\nNotification of a locked account may or may not be provided.\n\nUsing the correct user password or pin, attempt to logon a 4th time.\n\nIf the logon is successful upon the 4th attempt the account was not locked after the third failed attempt and this is a finding.","fixText":"Configure the application to enforce an account lock after 3 failed logon attempts occurring within a 15-minute window."},{"id":"4274485d-e45c-42e8-b36c-4876de766d75","vulnId":"V-222433","severity":"medium","ruleTitle":"The application administrator must follow an approved process to unlock locked user accounts.","description":"$2f","checkContent":"Interview the application administrator and identify the approved process for unlocking user accounts.\n\nThe process may involve a manual or automated reset after the locked out user has identified themselves using standard user identification processes outlined in the vulnerability discussion.\n\nIf the admin does not unlock the account following the approved process, and if the process does not have documented ISSO and ISSM approvals, this is a finding.","fixText":"Create a standard approved process for unlocking locked application accounts which includes validating user identity prior to unlocking the account.\n\nUse that process when unlocking application user accounts."},{"id":"b982aa1d-e7cc-42d2-8c18-bbda175e86f0","vulnId":"V-222434","severity":"low","ruleTitle":"The application must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.","description":"$30","checkContent":"If the application has no interactive user interface, this requirement is not applicable.\n\nLog on to the application as a user.\n\nObserve the screen and ensure the DoD-approved banner is displayed prior to obtaining access to the application. Refer to the vulnerability discussion for the approved text.\n\nIf the only way to access the application is through the OS console, e.g., a fat client application installed on a GFE desktop or laptop, and that GFE is configured to display the DoD banner, an additional banner is not required at the application level.\n\nIf the standard DoD-approved banner is not displayed prior to obtaining access, this is a finding.","fixText":"Configure the application to present the standard DoD-approved banner prior to granting access to the application."},{"id":"067137a5-054a-4227-a706-0141524bee3a","vulnId":"V-222435","severity":"low","ruleTitle":"The application must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.","description":"The banner must be acknowledged by the user prior to allowing the user access to the application. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law.\n\nTo establish acceptance of the application usage policy, a click-through banner at application logon is required. The application must prevent further activity until the user executes a positive action to manifest agreement by clicking on a box indicating \"OK\".","checkContent":"If the application has no interactive user interface, this requirement is not applicable.\n\nIf the user interface is only available via the OS console, e.g., a fat client application installed on a GFE desktop or laptop, and that GFE is configured to display the DoD banner, this requirement is not applicable.\n\nAccess the application and authenticate if necessary. Verify the banner is displayed and action must be taken to accept terms of use.\n\nIf the banner is not displayed or no action must be taken to accept terms of use, this is a finding.","fixText":"Configure the application to retain the standard DoD-approved banner until the user accepts the usage conditions prior to granting access to the application."},{"id":"2122f9a7-9ade-410d-8ea5-3e14cf8e2a11","vulnId":"V-222436","severity":"low","ruleTitle":"The publicly accessible application must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.","description":"$31","checkContent":"This requirement only applies to publicly accessible applications. If the application is not publicly accessible, this requirement is not applicable.\n\nAccess the application and observe the screen to ensure the DoD-approved banner is displayed prior to obtaining full access to the application. Refer to the vulnerability discussion for the approved banner text.\n\nIf the standard DoD-approved banner is not displayed prior to obtaining access, this is a finding.","fixText":"Configure the application to present the standard DoD-approved banner prior to granting access to the application."},{"id":"3a4a2b51-d4d9-4a76-8dba-e0b0a49abb93","vulnId":"V-222437","severity":"low","ruleTitle":"The application must display the time and date of the users last successful logon.","description":"Providing a last successful logon date and time stamp notification to the user when they authenticate and access the application allows the user to determine if their application account has been used without their knowledge. \n\nArmed with that information, the user can notify the application administrator and initiate a forensics investigation to identify root cause. Without providing this information to the user, a potential compromise of user accounts could go unnoticed.","checkContent":"Review the application documentation and interview the application administrator.\n\nIf the application does not provide a user interface, this requirement is not applicable.\n\nLogon to the application as a test user and verify successful authentication by creating test data, navigating the application functionality or otherwise utilizing the application.\n\nNote the date and time access was granted.\n\nLog out of the application.\n\nRe-authenticate to the application as the same user.\n\nValidate the last logon date and time is displayed in the user interface. \n\nIf the date and time the user account was last granted access to the application is not displayed in the user interface, this is a finding.","fixText":"Design and configure the application to display the date and time when the user was last successfully granted access to the application."},{"id":"a3a383b1-3fc8-44aa-a7de-0762dbf61df6","vulnId":"V-222438","severity":"medium","ruleTitle":"The application must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.","description":"$32","checkContent":"$33","fixText":"Configure the application to provide users with a non-repudiation function in the form of digital signatures when it is required by the organization or by the application design and architecture."},{"id":"f68a49bf-c94d-46d3-ace6-45d706afd512","vulnId":"V-222439","severity":"medium","ruleTitle":"For applications providing audit record aggregation, the application must compile audit records from organization-defined information system components into a system-wide audit trail that is time-correlated with an organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail.","description":"Without the ability to collate records based on the time when the events occurred, the ability to perform forensic analysis and investigations across multiple components is significantly degraded.\n\nAudit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organization-defined level of tolerance.\n\nThis requirement applies to applications which provide the capability to compile system-wide audit records for multiple systems or system components. However, all applications must provide the relevant log details that are used to aggregate the information.","checkContent":"Review the application documentation and interview the application administrator.\n\nDetermine if the application has the ability to compile audit records from multiple systems or system components.\n\nIf the application does not provide log aggregation services, this requirement is not applicable.\n\nIdentify the systems that comprise the application.\n\nAccess each system comprising the application or a random sample of several application systems. Review the application logs and obtain date and time stamps for several random audit events. Record the information.\n\nAccess the server providing the log aggregation. Access the application logs that have been written to the server and compare the samples obtained from the application systems to the aggregated logs. Ensure the dates and time stamps correlate with one another.\n\nIf the log dates and times do not correlate when the logs are aggregated, this is a finding.","fixText":"Configure the application to correlate time stamps when aggregating audit records."},{"id":"1f4ef479-7efd-4411-bd80-f369534d3a31","vulnId":"V-222441","severity":"medium","ruleTitle":"The application must provide audit record generation capability for the creation of session IDs.","description":"Applications create session IDs at the onset of a user session in order to manage user access to the application and differentiate between different user sessions. It is important to log the creation of these session ID creation events for forensic purposes.\n\nIt is equally important to not log the session ID itself. Logging the session ID puts active sessions at risk if log data is compromised. Specific session ID information should be removed, masked, sanitized, or encrypted.\n\nA hash value of the session ID that can be mapped to the session ID is an acceptable method for assuring active session protection when logging session ID information. Alternatively, logging protections that protect the logs and defend from unauthorized access are means to assure log confidentiality and protect session integrity.\n\nWeb based applications will often utilize an application server that creates, manages and logs user session IDs. It is acceptable for the application to delegate this requirement to the application server.","checkContent":"Access the management interface for the application or configuration file and evaluate the log/audit management settings.\n\nDetermine if the setting that enables session ID creation event auditing is activated.\n\nCreate a new user session by logging in to the application.\n\nReview the logs to ensure the session creation event was recorded.\n\nIf the application is not configured to log session ID creation events, or if no creation event was recorded, this is a finding.\n\nIf a web-based application delegates session ID creation to an application server, this is not a finding. \n\nIf the application generates session ID creation event logs by default, and that behavior cannot be disabled, this is not a finding.","fixText":"Enable session ID creation event auditing."},{"id":"2d547778-e4c6-473f-ab7f-0e0ee01c6476","vulnId":"V-222442","severity":"medium","ruleTitle":"The application must provide audit record generation capability for the destruction of session IDs.","description":"Applications should destroy session IDs at the end of a user session in order to terminate user access to the application session and to reduce the possibility of an unauthorized attacker high jacking the session and impersonating the user. It is important to log when session IDs are destroyed for forensic purposes.\n\nWeb based applications will often utilize an application server that creates, manages and logs session IDs. It is acceptable for the application to delegate this requirement to the application server.","checkContent":"Access the management interface for the application or configuration file and evaluate the log/audit management settings.\n\nDetermine if the setting that enables session ID destruction event auditing is activated.\n\nTerminate a user session within the application and review the logs to ensure the session destruction event was recorded.\n\nIf the application is not configured to log session ID destruction events, or if the application has no means to enable auditing of session ID destruction events, this is a finding.\n\nIf a web-based application delegates session ID destruction to an application server, this is not a finding. \n\nIf the application generates audit logs by default when session IDs are destroyed, and that behavior cannot be disabled, this is not a finding.","fixText":"Enable session ID destruction event auditing."},{"id":"ea7dd5db-5b11-45cd-af59-3d336b05dbd4","vulnId":"V-222443","severity":"medium","ruleTitle":"The application must provide audit record generation capability for the renewal of session IDs.","description":"Application design sometimes requires the renewal of session IDs in order to continue approved user access to the application.\n\nSession renewal is done on a case by case basis under circumstances defined by the application architecture. The following are some examples of when session renewal must be done; whenever there is a change in user privilege such as transitioning from a user to an admin role or when a user changes from an anonymous user to an authenticated user or when a user's permissions have changed.\n\nFor these types of critical application functionalities, the previous session ID needs to be destroyed or otherwise invalidated and a new session ID must be created.\n\nIt is important to log when session IDs are renewed for forensic purposes.\n\nWeb based applications will often utilize an application server that creates, manages and logs session IDs. It is acceptable for the application to delegate this requirement to the application server.","checkContent":"Interview the system admin and review the application documentation.\n\nIdentify any web pages or application functionality where a user's privileges or permissions will change. This is most likely to occur during the authentication stages.\n\nEvaluate the log/audit output by opening the log files and observing changes to the logs.\n\nCreate a new user session by accessing the application.\n\nReview the logs and save the relevant session creation event recorded.\n\nUtilize the application pages that provide privilege escalation.\n\nEscalate privileges by authenticating as a privileged user.\n\nReview the logs and determine if new session information is created and being used.\n\nIf a web-based application delegates session ID renewals to an application server, this is not a finding. \n\nIf the application is not configured to log session ID renewal events this is a finding.","fixText":"Design or reconfigure the application to log session renewal events on those application events that provide changes in the users privileges or permissions to the application."},{"id":"59d24253-761e-4299-8f61-ef6f1f4cad9b","vulnId":"V-222444","severity":"medium","ruleTitle":"The application must not write sensitive data into the application logs.","description":"It is important to identify and exclude certain types of data that is written into the logs. If the logs are compromised and sensitive data is included in the logs, this could assist an attacker in furthering their attack or it could completely compromise the system.\n\nExamples of such data include but are not limited to; Passwords, Session IDs, Application source code, encryption keys, and sensitive data such as personal health information (PHI), Personally Identifiable Information (PII), or government identifiers (e.g., SSN).","checkContent":"$34","fixText":"Design or reconfigure the application to not write sensitive data to the logs."},{"id":"2b445422-6ceb-44bc-b226-4e92764730cd","vulnId":"V-222445","severity":"medium","ruleTitle":"The application must provide audit record generation capability for session timeouts.","description":"$35","checkContent":"Review the application documentation and interview the application administrator to identify log locations for application session activity.\n\nOpen the log file that tracks user session activity.\n\nAccess the application as a regular user and identify the user session within the log files.\n\nIdentify the session timeout threshold defined by the application.\n\nPerform no action within the application in order to allow the session to timeout.\n\nOnce the session timeout threshold has been exceeded, verify the session has been terminated due to the timeout event and review the logs again to ensure the session timeout event was recorded in the logs.\n\nIf a web-based application delegates session timeout auditing to an application server, this is not a finding. \n\nIf the session timeout event is not recorded in the logs, this is a finding.","fixText":"Configure the application to record session timeout events in the logs."},{"id":"3a185fd7-db0e-4040-8fb6-f85855efcb79","vulnId":"V-222446","severity":"medium","ruleTitle":"The application must record a time stamp indicating when the event occurred.","description":"It is important to include the time stamps for when an event occurred. Failure to include time stamps in the event logs is detrimental to forensic analysis.","checkContent":"Review the application logs.\n\nIf the time the event occurred is not included as part of the event, this is a finding.","fixText":"Configure the application to record the time the event occurred when recording the event."},{"id":"a7f9c009-655c-4e74-a832-a73be41b8160","vulnId":"V-222447","severity":"medium","ruleTitle":"The application must provide audit record generation capability for HTTP headers including User-Agent, Referer, GET, and POST.","description":"$36","checkContent":"Review the application documentation and interview the application administrator to identify log locations for application session activity.\n\nOpen the log file that tracks user session activity.\n\nAccess the application as a regular user and identify the user session within the log files.\n\nPerform several actions within the application in order to generate HTTP header traffic.\n\nReview the logs to ensure the HTTP header information is recorded in the logs. Header information logged will vary based upon the application and environment. Examples of headers include but are not limited to:\n\nUser-Agent:\nReferer:\nX-Forwarded-For:\nDate:\nExpires:\n\nIf HTTP headers are not logged, this is a finding.","fixText":"Configure the web application and/or the web server to log HTTP headers."},{"id":"e0b3bc9c-170c-4014-9dc6-764080c3342e","vulnId":"V-222448","severity":"medium","ruleTitle":"The application must provide audit record generation capability for connecting system IP addresses.","description":"Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.\n\nAudit records can be generated from various components within the application (e.g., process, module). Certain specific application functionalities may be audited as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.\n\nThe IP addresses of remote systems that connect to the application are an important aspect of identifying the sources of application activity. Recording these IP addresses in the application logs provides forensic evidence and aids in investigating and identifying sources of malicious behavior related to security events.","checkContent":"Review the application documentation and interview the application administrator to identify where audit logs are stored.\n\nReview audit logs and determine if the IP address information of systems that connect to the application is kept in the logs.\n\nIf connecting IP addresses are not seen in the logs, connect to the application remotely and review the logs to determine if the connection was logged.\n\nIf the IP addresses of the systems that connect to the application are not recorded in the logs, this is a finding.","fixText":"Configure the application or application server to log all connecting IP address information"},{"id":"50509642-9f58-41a0-8bfa-ce58bcb91547","vulnId":"V-222449","severity":"medium","ruleTitle":"The application must record the username or user ID of the user associated with the event.","description":"When users conduct activity within an application, that user’s identity must be recorded in the audit log. Failing to record the identity of the user responsible for the activity within the application is detrimental to forensic analysis.","checkContent":"Review and monitor the application logs.\n\nConnect to the application and perform application activity that is allowed by the user such as accessing data or running reports.\n\nObserve if the log includes an entry to indicate the user ID of the user that conducted the activity.\n\nIf the user ID is not recorded along with the event in the event log, this is a finding.","fixText":"Configure the application to record the user ID of the user responsible for the log event entry."},{"id":"074afad3-a87f-4823-b422-e6c956a7a096","vulnId":"V-222450","severity":"medium","ruleTitle":"The application must generate audit records when successful/unsuccessful attempts to grant privileges occur.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user is granted access or rights to application features and function not afforded to an ordinary user, they have been granted access to privilege and that action must be logged.","checkContent":"Review the application documentation and interview the application admin to identify application management interfaces and features.\n\nAccess the application management utility and create a test user account or use the account of a regular unprivileged user who is cooperating with the testing.\n\nAccess and open the auditing logs.\n\nUsing an account with the appropriate privileges, grant the user a privilege they previously did not have.\n\nAttempt to grant privileges in a manner that will cause a failure event such as granting privileges to a non-existent user or attempting to grant privileges with an account that doesn't have the rights to do so.\n\nReview the application logs and ensure both events were captured in the logs. The event data should include the user’s identity and the privilege that was granted and the privilege that failed to be granted.\n\nIf the application does not log when successful and unsuccessful attempts to grant privilege occur, this is a finding.","fixText":"Configure the application to audit successful and unsuccessful attempts to grant privileges."},{"id":"983a571d-0eed-4ae3-8667-042cd04e16f0","vulnId":"V-222451","severity":"medium","ruleTitle":"The application must generate audit records when successful/unsuccessful attempts to access security objects occur.","description":"Security objects represent application objects that provide or require security protections or have a security role within the application. Examples include but are not limited to, files, application modules, folders, and database records. Essentially, if permissions are assigned to protect it, it can be considered a security object. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Review the application documentation and interview the application administrator.\n\nIdentify where the application logs are stored.\n\nIdentify application functionality that provides privilege or permission settings to security objects within the application.\nThis can be an application function that assigns privileges to an application object or data element.\n\nAuthenticate to the application as a regular user. Using application functionality, attempt to access the security object within the application.\n\nPerform two attempts, one successfully and one unsuccessfully.\n\nReview the log data and ensure both the successful and unsuccessful access attempts are logged.\n\nIf the application does not generate an audit record when successful and unsuccessful attempts to access security objects occur, this is a finding.","fixText":"Configure the application to create an audit record for both successful and unsuccessful attempts to access security objects."},{"id":"783cca0f-5dcd-4aca-bb2b-88fd2e4ef033","vulnId":"V-222452","severity":"medium","ruleTitle":"The application must generate audit records when successful/unsuccessful attempts to access security levels occur.","description":"A security level denotes a permissions or authorization capability within the application. This is most often associated with a user role. Attempts to access a security level can occur when a user attempts an action such as escalating their privilege from within the application itself. Attempts to access a security level can be construed as an attempt to change your user role from within the application. \n\nWithout generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Review the application documentation and interview the application administrator. Identify where the application logs are stored.\n\nIdentify application functionality that provides privilege escalation or access to additional security levels within the application.\n\nThis can be performing a function that escalates the privileges of the user, or accessing a protected area of the application that requires additional authentication in order to access.\n\nAuthenticate to the application as a regular user. Using application functionality, attempt to access a different security level or domain within the application.\n\nPerform two attempts, one successfully and one unsuccessfully.\n\nReview the log data and ensure both the successful and unsuccessful access attempts are logged.\n\nIf the application does not generate an audit record when successful and unsuccessful attempts to access security levels occur, this is a finding.","fixText":"Configure the application to create an audit record for both successful and unsuccessful attempts to access security levels."},{"id":"b983672b-3240-4ccb-9c50-046e76cddc21","vulnId":"V-222453","severity":"medium","ruleTitle":"The application must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.\n\nCategories of information is information that is identified as being sensitive or requiring additional protection from regular user access. The data is accessed on a need to know basis and has been assigned a category or a classification in order to assign protections and track access.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Review the application documentation and interview the application administrator. Identify where the application logs are stored.\n\nIdentify any data protections that are required.\n\nIdentify any categories of data or classification of data.\n\nIf the application requirements do not call for compartmentalized data and data protection, this requirement is not applicable.\n\nAuthenticate to the application as a regular user. Using application functionality, attempt to access data that has been assigned to a protected category.\n\nPerform two access attempts, one successful and one unsuccessful.\n\nTesting this will require obtaining access to test data that has been assigned to a protected category, or having an authorized user access the data for you.\n\nReview the log data and ensure both the successful and unsuccessful access attempts are logged.\n\nIf the application does not generate an audit record when successful and unsuccessful attempts to access categories of information occur, this is a finding.","fixText":"Configure the application to create an audit record for both successful and unsuccessful attempts to access protected categories of information."},{"id":"9ac08a57-4fd5-44b7-9985-e1b60b19e233","vulnId":"V-222454","severity":"medium","ruleTitle":"The application must generate audit records when successful/unsuccessful attempts to modify privileges occur.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Review the application documentation and interview the application admin to identify application management interfaces and features.\n\nAccess the application management utility and create a test user account or use the account of a regular privileged user who is cooperating with the testing.\n\nAccess and open the auditing logs.\n\nUsing an admin account, modify the privileges of a privileged user.\n\nAttempt to modify privileges in a manner that will cause a failure event such as attempting to modify a user’s privileges with an account that doesn't have the rights to do so.\n\nReview the application logs and ensure both events were captured in the logs. The event data should include the user’s identity and the privilege that was granted and the privilege that failed to be granted.\n\nIf the application does not log when successful and unsuccessful attempts to modify privileges occur, this is a finding.","fixText":"Configure the application to audit successful and unsuccessful attempts to modify privileges."},{"id":"0b882524-1fd9-40d0-98df-19c59e10c34f","vulnId":"V-222455","severity":"medium","ruleTitle":"The application must generate audit records when successful/unsuccessful attempts to modify security objects occur.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Review the application documentation and interview the application administrator.\n\nIdentify where the application logs are stored.\n\nIdentify application functionality that provides privilege or permission settings to security objects within the application.\nThis can be an application function that assigns privileges to an application object or data element.\n\nAuthenticate to the application as a regular user. Using application functionality, attempt to modify the security object within the application.\n\nPerform two attempts, one successfully and one unsuccessfully.\n\nReview the log data and ensure the modification events both successful and unsuccessful are logged.\n\nIf the application does not generate an audit record when successful and unsuccessful attempts to modify security objects occur, this is a finding.","fixText":"Configure the application to create an audit record for both successful and unsuccessful attempts to modify security objects."},{"id":"2ce9ab54-386a-49c3-9efc-4a982f88fa14","vulnId":"V-222456","severity":"medium","ruleTitle":"The application must generate audit records when successful/unsuccessful attempts to modify security levels occur.","description":"A security level denotes a permissions or authorization capability within the application. This is most often associated with a user role. Attempts to modify a security level can be construed as an attempt to change the configuration of the application so as to create a new security role or modify an existing security role. Some applications may or may not provide this capability.\n\nWithout generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Review the application documentation and interview the application administrator.\n\nIdentify where the application logs are stored.\n\nIdentify application functionality that provides privilege escalation or access to additional security levels within the application.\n\nThis can be performing a function that escalates the privileges of the user, or accessing a protected area of the application that requires additional authentication in order to access.\n\nAuthenticate to the application as a regular user. Using application functionality, attempt to modify the permissions of a different security level or domain within the application.\n\nPerform two attempts, one successfully and one unsuccessfully.\n\nReview the log data and ensure the modify events, both successful and unsuccessful, are logged.\n\nIf the application does not generate an audit record when successful and unsuccessful attempts to modify the permissions regarding the security levels occur, this is a finding.","fixText":"Configure the application to create an audit record for both successful and unsuccessful attempts to modify security levels."},{"id":"7bcb13c9-432a-4e5a-b20e-d7a18439a7b6","vulnId":"V-222457","severity":"medium","ruleTitle":"The application must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Review the application documentation and interview the application administrator.\n\nIdentify where the application logs are stored.\n\nIdentify any data protections that are required.\n\nIdentify any categories of data or classification of data.\n\nIf the application requirements do not call for compartmentalized data and data protection, this requirement is not applicable.\n\nAuthenticate to the application as a regular user. Using application functionality, attempt to modify data that has been assigned to a protected category.\n\nPerform two modification attempts, one successful and one unsuccessful.\n\nTesting this will require obtaining access to test data that has been assigned to a protected category, or having an authorized user access the data for you.\n\nReview the log data and ensure both the successful and unsuccessful modification attempts are logged.\n\nIf the application does not generate an audit record when successful and unsuccessful attempts to modify categories of information occur, this is a finding.","fixText":"Configure the application to create an audit record for both successful and unsuccessful attempts to modify protected categories of information."},{"id":"be89ce71-be12-43a3-948d-193a6d8f95a5","vulnId":"V-222458","severity":"medium","ruleTitle":"The application must generate audit records when successful/unsuccessful attempts to delete privileges occur.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Review the application documentation and interview the application admin to identify application management interfaces and features.\n\nAccess the application management utility and create a test user account or use the account of a regular privileged user who is cooperating with the testing.\n\nAccess and open the auditing logs.\n\nUsing an admin account, delete some or all of the privileges of a privileged user.\n\nAttempt to delete privileges in a manner that will cause a failure event such as attempting to delete a user’s privileges with an account that doesn't have the rights to do so.\n\nReview the application logs and ensure both events were captured in the logs. The event data should include the user’s identity and the privilege that was granted and the privilege that failed to be granted.\n\nIf the application does not log when successful and unsuccessful attempts to delete privileges occur, this is a finding.","fixText":"Configure the application to audit successful and unsuccessful attempts to delete privileges."},{"id":"b3f3a801-bb00-4841-8d39-cd33a8207306","vulnId":"V-222459","severity":"medium","ruleTitle":"The application must generate audit records when successful/unsuccessful attempts to delete security levels occur.","description":"A security level denotes a permissions or authorization capability within the application. This is most often associated with a user role. Attempts to delete a security level can be construed as an attempt to change the configuration of the application so as to delete an existing security role. Some applications may or may not provide this capability.\n\nWithout generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Review the application documentation and interview the application administrator.\n\nIdentify where the application logs are stored.\n\nIdentify application functionality that provides privilege escalation or access to additional security levels within the application.\n\nThis can be performing a function that escalates the privileges of the user, or accessing a protected area of the application that requires additional authentication in order to access.\n\nAuthenticate to the application as a regular user. Using application functionality, attempt to delete permissions of a different security level or domain within the application.\n\nPerform two attempts, one successfully and one unsuccessfully.\n\nReview the log data and ensure the deletion events, both successful and unsuccessful are logged.\n\nIf the application does not generate an audit record when successful and unsuccessful attempts to delete permissions regarding the security levels occur, this is a finding.","fixText":"Configure the application to create an audit record for both successful and unsuccessful attempts to delete security levels."},{"id":"0173d329-53c8-465d-a2a6-3cdafde07b32","vulnId":"V-222460","severity":"medium","ruleTitle":"The application must generate audit records when successful/unsuccessful attempts to delete application database security objects occur.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Review the application documentation and interview the application administrator.\n\nIdentify where the application logs are stored.\n\nIdentify application functionality that provides privilege or permission settings to database security objects within the application. This can be an application function that assigns privileges to an application object or data element.\n\nAuthenticate to the application as a regular user. Using application functionality, attempt to delete the database security object within the application.\n\nPerform two attempts, one successfully and one unsuccessfully.\n\nReview the log data and ensure the deletion events, both successful and unsuccessful, are logged.\n\nIf the application does not generate an audit record when successful and unsuccessful attempts to delete database security objects occur, this is a finding.","fixText":"Configure the application to create an audit record for both successful and unsuccessful attempts to delete database security objects."},{"id":"fea27176-6134-4301-8f6c-1ea93ef8e14d","vulnId":"V-222461","severity":"medium","ruleTitle":"The application must generate audit records when successful/unsuccessful attempts to delete categories of information (e.g., classification levels) occur.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Review the application documentation and interview the application administrator.\n\nIdentify where the application logs are stored.\n\nIdentify any data protections that are required.\n\nIdentify any categories of data or classification of data.\n\nIf the application requirements do not call for compartmentalized data and data protection, this requirement is not applicable.\n\nAuthenticate to the application as a regular user. Using application functionality, attempt to delete data that has been assigned to a protected category.\n\nPerform two modification attempts, one successful and one unsuccessful.\n\nTesting this will require obtaining access to test data that has been assigned to a protected category, or having an authorized user access the data for you.\n\nReview the log data and ensure both the successful and unsuccessful deletion attempts are logged.\n\nIf the application does not generate an audit record when successful and unsuccessful attempts to delete categories of information occur, this is a finding.","fixText":"Configure the application to create an audit record for both successful and unsuccessful attempts to delete protected categories of information."},{"id":"2de70449-0b51-4f80-b84d-10cd64134a80","vulnId":"V-222462","severity":"medium","ruleTitle":"The application must generate audit records when successful/unsuccessful logon attempts occur.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nKnowing when a user successfully or unsuccessfully logged on to the application is critical information that aids in forensic analysis.","checkContent":"Review and monitor the application logs.\n\nAuthenticate to the application and observe if the log includes an entry to indicate the user’s authentication was successful.\n\nTerminate the user session by logging out.\n\nReauthenticate using invalid user credentials and observe if the log includes an entry to indicate the authentication was unsuccessful.\n\nIf successful and unsuccessful logon events are not recorded in the logs, this is a finding.","fixText":"Configure the application or application server to write a log entry when successful and unsuccessful logon events occur."},{"id":"e10ca7eb-4034-4d79-8733-6a9e408959ed","vulnId":"V-222463","severity":"medium","ruleTitle":"The application must generate audit records for privileged activities or other system-level access.","description":"Privileged activities include the tasks or actions taken by users in an administrative role (admin, backup operator, manager, etc.) which are used to manage or reconfigure application function. Examples include but are not limited to:\n\nModifying application logging verbosity, starting or stopping of application services, application user account management, managing application functionality, or otherwise changing the underlying application capabilities such as adding a new application module or plugin.\n\nPrivileged access does not include an application design which does not modify the application but does provide users with the functionality or the ability to manage their own user specific preferences or otherwise tailor the application to suit individual user needs based upon choices or selections built into the application.","checkContent":"Review and monitor the application logs.\n\nAuthenticate to the application as a privileged user and observe if the log includes an entry to indicate the user’s authentication was successful.\n\nPerform actions as an admin or other privileged user such as modifying the logging verbosity, or starting or stopping an application service, or terminating a test user session.\n\nIf log events that correspond with the actions performed are not recorded in the logs, this is a finding.","fixText":"Configure the application to write a log entry when privileged activities or other system-level events occur."},{"id":"9de9883d-5223-48dd-91e0-621e2c1daeea","vulnId":"V-222464","severity":"medium","ruleTitle":"The application must generate audit records showing starting and ending time for user access to the system.","description":"Knowing when a user’s application session began and when it ended is critical information that aids in forensic analysis.","checkContent":"Review and monitor the application logs.\n\nInitiate a user session and observe if the log includes a time stamp showing the start of the session.\n\nTerminate the user session and observe if the log includes a time stamp showing the end of the session.\n\nIf the start and the end time of the session are not recorded in the logs, this is a finding.","fixText":"Configure the application or application server to record the start and end time of user session activity."},{"id":"40950602-ffb9-41e5-b6b5-f7cebc22b3c2","vulnId":"V-222465","severity":"medium","ruleTitle":"The application must generate audit records when successful/unsuccessful accesses to objects occur.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.\n\nApplication objects are system or application components that comprise the application. This includes but is not limited to; application files, folders, processes and modules.\n\nThis requirement is not intended to force the use of debug logging which would be used for troubleshooting or forensic actions; rather it is intended to assure the application strikes a balance when auditing access to application objects and logs normal and potentially abnormal application activity.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Review the application documentation and interview the application administrator to identify log locations.\n\nAccess the application logs.\n\nReview the logs and identify if the application is logging both successful and unsuccessful access to application objects such as files, folders, processes, or application modules and sub components, or systems.\n\nIf the application does not log application object access, this is a finding.","fixText":"Configure the application to log successful and unsuccessful access to application objects."},{"id":"b1590710-89bd-4db7-b3d9-51997d935a80","vulnId":"V-222466","severity":"medium","ruleTitle":"The application must generate audit records for all direct access to the information system.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.\n\nWhen an application provides direct access to underlying OS features and functions, that access must be audited.\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"$37","fixText":"Configure the application to log all direct access to the system."},{"id":"48613b71-3baf-4fd5-bd4b-80a8cfee26c9","vulnId":"V-222467","severity":"medium","ruleTitle":"The application must generate audit records for all account creations, modifications, disabling, and termination events.","description":"When application user accounts are created, modified, disabled or terminated the event must be logged.\n\nCentralized management of user accounts allows for rapid response to user related security events and also provides ease of management.\n\nAllowing the centralized user management solution to log these events is acceptable practice; however, if the application provides a user management interface to manage these tasks, the application must also log these events.\n\nApplication developers are encouraged to integrate their applications with enterprise-level authentication/access/audit mechanisms such as Syslog, Active Directory or LDAP.","checkContent":"$38","fixText":"Configure the application to log user account creation, modification, disabling, and termination events."},{"id":"7f71ee63-8966-403d-86c8-09a04ad53711","vulnId":"V-222468","severity":"medium","ruleTitle":"The application must initiate session auditing upon startup.","description":"If the application does not begin logging upon startup, important log events could be missed.","checkContent":"Examine the application design documentation and interview the application administrator to identify application logging behavior.\n\nIf the application is writing to an existing log or log file:\n\nOpen and monitor the application log.\n\nStart the application service and view the log entries. \n\nLog entries indicating the application is starting should commence as soon as the application starts. Determine if the log events correlate with the time the application was started and if event log entries include an application start up sequence of events.\n\nIf the application writes events to a new log on startup: \n\nIdentify location logs are written to, start the application and then identify and access the new log.\n\nDetermine if the log events correlate with the time the application was started and if event log entries include an application start up sequence of events.\n\nIf the application does not begin logging events upon start up, this is a finding.","fixText":"Configure the application to begin logging application events as soon as the application starts up."},{"id":"ad2ef19f-daef-4875-b33f-b4ffd9b0b2f3","vulnId":"V-222469","severity":"medium","ruleTitle":"The application must log application shutdown events.","description":"Forensics is a large part of security incident response. Applications must provide a record of their actions so application events can be investigated post-event. \n\nAttackers may attempt to shut off the application logging capability to cover their activity while on the system. Recording the shutdown event and the time it occurred in the application or system logs helps to provide forensic evidence that aids in investigating the events.","checkContent":"Review and monitor the application and system logs.\n\nIf an application shutdown event is not recorded in the logs, either initiate a shutdown event and review the logs after reestablishing access or request backup copies of the application or system logs that indicate shutdown events are being recorded.\n\nAlternatively, check for a setting within the application that controls application logging events and determine if application shutdown logging is configured.\n\nIf the application is not recording application shutdown events in either the application or system log, or if the application is not configured to record shutdown events, this is a finding.","fixText":"Configure the application or application server to record application shutdown events in the event logs."},{"id":"d05401c2-5f3e-49b1-ad03-b24c23bb74f8","vulnId":"V-222470","severity":"medium","ruleTitle":"The application must log destination IP addresses.","description":"The IP addresses of the systems that the application connects to are an important aspect of identifying application network related activity. Recording the IP addresses of the system the application connects to in the application logs provides forensic evidence and aids in investigating and correlating the sources of malicious behavior related to security events. Logging this information can be particularly useful for Service-Oriented Applications where there is application to application connectivity.","checkContent":"If the application design documentation indicates the application does not initiate connections to remote systems this requirement is not applicable.\n\nNetwork connections to systems used for support services such as DNS, AD, or LDAP may be stored in the system logs. These connections are applicable.\n\nIdentify log source based upon application architecture, design documents and input from application admin.\n\nReview and monitor the application or system logs.\n\nConnect to the application and utilize the application functionality that initiates connections to a destination system.\n\nIf the application routinely connects to remote system on a regular basis you may simply allow the application to operate in the background while the logs are observed.\n\nObserve the log activity and determine if the log includes an entry to indicate the IP address of the destination system.\n\nIf the IP address of the remote system is not recorded along with the event in the event log, this is a finding.","fixText":"Configure the application to record the destination IP address of the remote system."},{"id":"29f39433-611e-4fae-8848-77a7402f9e0e","vulnId":"V-222471","severity":"medium","ruleTitle":"The application must log user actions involving access to data.","description":"When users access application data, there is risk of data compromise or seepage if the account used to access is compromised or access is granted improperly. To be able to investigate which account accessed data, the account access must be logged. Without establishing when the access event occurred, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.\n\nAssociating event types with detected events in the application and audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application.","checkContent":"Review and monitor the application logs. When accessing data, the logs are most likely database logs.\n\nIf the application design documents include specific data elements that require protection, ensure user access to those data elements are logged.\n\nUtilize the application as a regular user and operate the application so as to access data elements contained within the application. This includes using the application user interface to browse through data elements, query/search data elements and using report generation capability if it exists.\n\nObserve and determine if the application log includes an entry to indicate the user’s access to the data was recorded.\n\nIf successful access to application data elements is not recorded in the logs, this is a finding.","fixText":"Identify the specific data elements requiring protection and audit access to the data."},{"id":"026df54f-0d13-4c76-a642-675623a137e8","vulnId":"V-222472","severity":"medium","ruleTitle":"The application must log user actions involving changes to data.","description":"When users change/modify application data, there is risk of data compromise if the account used to access is compromised or access is granted improperly. To be able to investigate which account accessed data, the account making the data changes must be logged. Without establishing when the data change event occurred, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.\n\nAssociating event types with detected events in the application and audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application.","checkContent":"$39","fixText":"Configure the application to log all changes to application data."},{"id":"e1abbc67-7e8b-4968-8ee0-b5ee70df535f","vulnId":"V-222473","severity":"medium","ruleTitle":"The application must produce audit records containing information to establish when (date and time) the events occurred.","description":"Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment, and provide forensic analysis, it is essential for security personnel to know when events occurred (date and time).","checkContent":"Access the application logs and review the log entries for date and time. Each event written into the log must have a corresponding date and time stamp associated with it.\n\nIf the audit logs do not have a corresponding date and time associated with each event, this is a finding.","fixText":"Configure the application or application server to include the date and the time of the event in the audit logs."},{"id":"2505e0e4-f3e9-4c9a-98b7-5659eac8a02d","vulnId":"V-222474","severity":"medium","ruleTitle":"The application must produce audit records containing enough information to establish which component, feature or function of the application triggered the audit event.","description":"It is impossible to establish, correlate, and investigate the events relating to an incident if the details regarding the source of the event it not available.\n\nIn order to compile an accurate risk assessment, and provide forensic analysis, it is essential for security personnel to know where within the application the events occurred, such as which application component, application modules, filenames, and functionality.\n\nAssociating information about where the event occurred within the application provides a means of quickly investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application.","checkContent":"$3a","fixText":"Configure the application to log which component, feature or functionality of the application triggered the event."},{"id":"ece2defc-d4da-411b-8a19-7ed3a18c4103","vulnId":"V-222475","severity":"medium","ruleTitle":"When using centralized logging; the application must include a unique identifier in order to distinguish itself from other application logs.","description":"Without establishing the source, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.\n\nIn the case of centralized logging, or other instances where log files are consolidated, there is risk that the application's log data could be co-mingled with other log data. To address this issue, the application itself must be identified as well as the application host or client name. \n\nIn order to compile an accurate risk assessment, and provide forensic analysis, it is essential for security personnel to know the source of the event, particularly in the case of centralized logging.\n\nAssociating information about the source of the event within the application provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application.","checkContent":"If the application is logging locally and does not utilize a centralized logging solution, this requirement is not applicable.\n\nReview system documentation and identify log location. Access the application logs.\n\nReview the application logs.\n\nEnsure the application is uniquely identified either within the logs themselves or via log storage mechanisms.\n\nEnsure the hosts or client names hosting the application are also identified. Either hostname or IP address is acceptable.\n\nIf the application name and the hosts or client names are not identified, this is a finding.","fixText":"Configure the application logs or the centralized log storage facility so the application name and the hosts hosting the application are uniquely identified in the logs."},{"id":"a475dcfb-12b0-47bf-b5c3-d86d1e84dcb3","vulnId":"V-222476","severity":"medium","ruleTitle":"The application must produce audit records that contain information to establish the outcome of the events.","description":"Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the system.\n\nEvent outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). As such, they also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response.\n\nSuccessful application events are expected to far outnumber errors. Therefore, success events may be implied by default and not specified in the logs if this behavior is documented.","checkContent":"Review system and application documentation to identify application operation and function.\n\nAccess the application logs and review the logs to determine if the results of application operations are logged.\n\nSuccessful application events are expected to far outnumber errors. Therefore, success events may be implied by default and not specified in the logs if this behavior is documented.\n\nThe outcome will be a log record that displays the application event/operation that occurred followed by the result of the operation such as \"ERROR\", \"FAILURE\", \"SUCCESS\" or \"PASS\".\n\nOperation outcomes may also be indicated by numeric code where a \"1\" might indicate success and a \"0\" may indicate operation failure.\n\nIf the application does not produce audit records that contain information regarding the results of application operations, this is a finding.","fixText":"Configure the application to include the outcome of application functions or events."},{"id":"e0d6598b-7ca0-46eb-85d7-2f6b4ace7ea1","vulnId":"V-222477","severity":"medium","ruleTitle":"The application must generate audit records containing information that establishes the identity of any individual or process associated with the event.","description":"Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event.\n\nEvent identifiers (if authenticated or otherwise known) include, but are not limited to, user database tables, primary key values, user names, or process identifiers.","checkContent":"Review system documentation and discuss application operation with application administrator.\n\nIdentify application processes and application users.\nIdentify application components, e.g., application features framework and function. Identify server components, such as web server, database server.\n\nReview application logs. Ensure the application event logs include an identifier or identifiers that will allow an investigator to determine the user or the application process responsible for the application event.\n\nIf the event logs do not include the appropriate identifier or identifiers, this is a finding.","fixText":"Configure the application to log the identity of the user and/or the process associated with the event."},{"id":"ae78be40-2330-45a4-9656-1ab385d4eaca","vulnId":"V-222478","severity":"medium","ruleTitle":"The application must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.","description":"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nOrganizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. The additional information required is dependent on the type of information (i.e., sensitivity of the data and the environment within which it resides). At a minimum, the organization must audit either full-text recording of privileged commands or the individual identities of group users, or both. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. \n\nIn addition, the application must have the capability to include organization-defined additional, more detailed information in the audit records for audit events.","checkContent":"Review application documentation and interview application administrator. Identify audit log locations and review audit logs.\n\nAccess the system as a privileged user and execute privileged commands.\n\nReview the application logs and ensure that the logs contain all details of the actions performed. \n\nIf a privileged command was typed within the application that command text must be included in the logs. Authentication information provided as part of the text must NOT be logged, just the commands.\n\nIf an action was performed, such as activating a check box, that action must be logged.\n\nReview group account users, review logs to determine if the individual users of group accounts are identified in the logs.\n\nIf the application does not log the full text recording of privileged commands or if the application does not identify and log the individuals associated with group accounts, this is a finding.","fixText":"Configure the application to log the full text recording of privileged commands or the individual identities of group users."},{"id":"e90a8a15-cf66-42bd-bc01-c48fdbfa7105","vulnId":"V-222479","severity":"medium","ruleTitle":"The application must implement transaction recovery logs when transaction based.","description":"Without required logging and access control, security issues related to data changes will not be identified. This could lead to security compromises such as data misuse, unauthorized changes, or unauthorized access.\n\nTransaction logs contain a sequential record of all changes to the database. Using a transaction log helps with maintaining application availability and aids in speedy recovery. Transactional logging should be enabled whenever the application database offers the transactional logging capability.","checkContent":"Review the application documentation and interview the application administrator. Have the application administrator provide configuration settings that demonstrate transaction logging is enabled.\n\nReview configuration settings for the location of transaction specific logs and verify transaction logs exist and the log records access and changes to the data.\n\nIf the application is not configured to utilize transaction logging, this is a finding.","fixText":"Configure the application database to utilize transactional logging."},{"id":"69a396e4-b0fe-4909-9a29-31437975964f","vulnId":"V-222480","severity":"medium","ruleTitle":"The application must provide centralized management and configuration of the content to be captured in audit records generated by all application components.","description":"Without the ability to centrally manage the content captured in the audit records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack.\n\nThis requirement requires that the content captured in audit records be managed from a central location (necessitating automation). Centralized management of audit records and logs provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. Application components requiring centralized audit log management must have the capability to support centralized management.\n\nThis requirement applies to centralized management applications or similar types of applications designed to manage and configure audit record capture.","checkContent":"Review the application documentation and interview the application administrator to determine the logging architecture of the application.\n\nIf the application is configured to log application event entries to a centralized, enterprise based logging solution that meets this requirement, this requirement is Not Applicable.\n\nReview the application components and the log management capabilities of the application.\n\nVerify the application log management interface includes the ability to centrally manage the configuration of what is captured in the logs of all application components. \n\nIf the application does not provide the ability to centrally manage the content captured in the audit logs, this is a finding.","fixText":"Configure the application to utilize a centralized log management system that provides the capability to configure the content of audit records."},{"id":"718e4fed-d948-42d0-9d68-c5ef27d76fbf","vulnId":"V-222481","severity":"medium","ruleTitle":"The application must off-load audit records onto a different system or media than the system being audited.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration. In addition, attackers often manipulate logs to hide or obfuscate their activity.\n\nThe goal is to off-load application logs to a separate server as quickly and efficiently as possible so as to mitigate these risks. \n\nA centralized logging solution offering applications an enterprise designed and managed logging capability which is the desired solution.\n\nHowever, when a centralized logging solution is not an option due to the operational environment or other situations where the risk has been officially recognized and accepted, off-loading is a common process utilized to address this type of scenario.","checkContent":"Review application documentation and interview application administrator. Identify log functionality and locations of log files. Obtain risk acceptance documentation and task scheduling information.\n\nIf the application is configured to utilize a centralized logging solution, this requirement is not applicable.\n\nEvaluate log management processes and determine if there are automated tasks that move the logs off of the system hosting the application. \n\nVerify automated tasks are performed on an ISSO approved schedule (hourly, daily etc.). Automation can be via scripting, log management oriented tools or other automated means.\n\nReview risk acceptance documentation for not utilizing a centralized logging solution.\n\nIf the logs are not automatically moved off the system as per approved schedule, or if there is no formal risk acceptance documentation, this is a finding.","fixText":"Configure the application to off-load audit records onto a different system as per approved schedule."},{"id":"f3f1e0fc-a1d6-4bf1-8c7e-7dabb8a4f516","vulnId":"V-222482","severity":"medium","ruleTitle":"The application must be configured to write application logs to a centralized log repository.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration. In addition, attackers often manipulate logs to hide or obfuscate their activity.\n\nOff-loading is a common process in information systems with limited audit storage capacity or when trying to assure log availability and integrity.\n\nThis requirement is meant to address space limitations and integrity issues that can be encountered when storing logs on the local server.\n\nThe goal of the requirement being to offload application logs to a separate server as quickly and efficiently as possible so as to mitigate these risks.","checkContent":"Review application documentation and interview application administrator.\n\nEvaluate application log management processes and determine if the system is configured to utilize a centralized log management system for the hosting and management of application audit logs.\n\nIf the system is not configured to write the application logs to the centralized log management repository in an expeditious manner, this is a finding.","fixText":"Configure the application to utilize a centralized log repository and ensure the logs are off-loaded from the application system as quickly as possible."},{"id":"9926f799-901c-4570-8d04-c6563283bec0","vulnId":"V-222483","severity":"medium","ruleTitle":"The application must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.","description":"If security personnel are not notified immediately upon storage volume utilization reaching 75%, they are unable to plan for storage capacity expansion.\n\nDue to variances in application usage and audit records storage usage, the SA and the ISSO may evaluate usage patterns and determine if a higher percentage of usage is warranted before an alarm is sent. The intent of the requirement is to provide a warning that will allow the SA and ISSO ample time to plan and implement an audit storage capacity expansion that will provide for the increased audit log storage requirements without forcing an emergency or otherwise negatively impacting the recording of audit events.\n\nThe requirement will take into account a reasonable amount of processing time such as 1 or 2 minutes that may be required of the system in order to satisfy the requirement.","checkContent":"$3b","fixText":"Configure the application to send an immediate alarm to the application admin/SA and the ISSO when the allocated log storage capacity exceeds 75% of usage or exceeds the capacity value the SA and ISSO have determined will provide adequate time to plan for capacity expansion."},{"id":"cc43895c-01b6-4ca8-a13f-3d02470def54","vulnId":"V-222484","severity":"medium","ruleTitle":"Applications categorized as having a moderate or high impact must provide an immediate real-time alert to the SA and ISSO (at a minimum) for all audit failure events.","description":"$3c","checkContent":"Review system documentation and interview application administrator for details regarding application security categorization and logging configuration.\n\nIf the application utilizes a centralized logging system that provides the real-time alarms, this requirement is not applicable.\n\nReview application log alert configuration.\n\nIdentify audit failure events and associated alarming configuration.\n\nIf the application is categorized as having a moderate or high impact and is not configured to provide a real-time alert that indicates the audit system has failed or is failing, this is a finding.","fixText":"Configure the log alerts to send an alarm when the audit system is in danger of failing or has failed. \n\nConfigure the log alerts to be immediately sent to the application admin/SA and ISSO."},{"id":"64eeb9b1-836e-4642-ad56-b6ec78322808","vulnId":"V-222485","severity":"medium","ruleTitle":"The application must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.","description":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. \n\nAudit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.","checkContent":"Review system documentation and interview application administrator for details regarding logging configuration.\n\nIf the application utilizes a centralized logging system that provides the audit processing failure alarms, this requirement is not applicable.\n\nIdentify application alarming capability regarding audit processing failure events.\n\nVerify the application is configured to alarm when the auditing system fails.\n\nExample alarm events include but are not limited to: \n\nhardware failure events\nfailures to capture audit record events\naudit storage errors\n\nIf the application is not configured to alarm on alerts that indicate the audit system has failed or is failing, this is a finding.","fixText":"Configure the application to send an alarm in the event the audit system has failed or is failing."},{"id":"162baba7-026a-4702-8eb2-c4c436a6b883","vulnId":"V-222486","severity":"medium","ruleTitle":"The application must shut down by default upon audit failure (unless availability is an overriding concern).","description":"$3d","checkContent":"$3e","fixText":"Configure the application to cease processing if the audit system fails or configure the application to continue logging in a manner that compensates for the audit failure."},{"id":"3811dce5-b05b-4d38-8faf-1e92b0a189b8","vulnId":"V-222487","severity":"medium","ruleTitle":"The application must provide the capability to centrally review and analyze audit records from multiple components within the system.","description":"Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficient manner. If the application does not provide the ability to centrally review the application logs, forensic analysis is negatively impacted.\n\nSegregation of logging data to multiple disparate computer systems is counterproductive and makes log analysis and log event alarming difficult to implement and manage, particularly when the system or application has multiple logging components written to different locations or systems.\n\nAutomated mechanisms for centralized reviews and analyses include, for example, Security Information Management products.","checkContent":"Review system documentation and interview application administrator for details regarding application architecture and logging configuration. Identify the application components, the logs that are associated with the components and the locations of the logs.\n\nIf the application utilizes a centralized logging system that provides the capability to review the log files from one central location, this requirement is not applicable.\n\nAccess the application's log management utility and review the log files. Ensure all of the applications logs are reviewable from within the centralized log management function and access to other systems in order to review application logs are not required.\n\nIf all of the application logs are not reviewable from a central location, this is a finding.","fixText":"Configure the application so all of the applications logs are available for review from one centralized location."},{"id":"ebb7f562-03f9-4bf4-945f-3d888f8a01ec","vulnId":"V-222488","severity":"medium","ruleTitle":"The application must provide the capability to filter audit records for events of interest based upon organization-defined criteria.","description":"The ability to specify the event criteria that are of interest provides the persons reviewing the logs with the ability to quickly isolate and identify these events without having to review entries that are of little or no consequence to the investigation. Without this capability, forensic investigations are impeded.\n\nEvents of interest can be identified by the content of specific audit record fields including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific information system component. This requires applications to provide the capability to customize audit record reports based on organization-defined criteria.","checkContent":"$3f","fixText":"Configure the application filters to search event logs based on defined criteria."},{"id":"9e00146b-036e-4f94-a517-45dc8e06563d","vulnId":"V-222489","severity":"medium","ruleTitle":"The application must provide an audit reduction capability that supports on-demand reporting requirements.","description":"The ability to generate on-demand reports, including after the audit data has been subjected to audit reduction, greatly facilitates the organization's ability to generate incident reports as needed to better handle larger-scale or more complex security incidents.\n\nAudit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. The report generation capability provided by the application must support on-demand (i.e., customizable, ad-hoc, and as-needed) reports.\n\nThis requirement is specific to applications with audit reduction capabilities; however, applications need to support on-demand audit review and analysis.","checkContent":"$40","fixText":"Configure the application to generate soft copy, hard copy and/or screen-based reports based on the selected filtered event data."},{"id":"9cbede53-85b8-4f60-918d-588484a8ff9d","vulnId":"V-222490","severity":"medium","ruleTitle":"The application must provide an audit reduction capability that supports on-demand audit review and analysis.","description":"The ability to perform on-demand audit review and analysis, including after the audit data has been subjected to audit reduction, greatly facilitates the organization's ability to generate incident reports as needed to better handle larger-scale or more complex security incidents.\n\nAudit reduction is a technique used to reduce the volume of audit records in order to facilitate a manual review. Audit reduction does not alter original audit records. The report generation capability provided by the application must support on-demand (i.e., customizable, ad-hoc, and as-needed) reports.\n\nThis requirement is specific to applications with audit reduction capabilities; however, applications need to support on-demand audit review and analysis.","checkContent":"$41","fixText":"Configure the application to log to a centralized auditing capability that provides on-demand reports based on the filtered audit event data or design or configure the application to meet the requirement."},{"id":"c6c2f7d8-d5e2-45b3-80d4-8f7fa5c70a7b","vulnId":"V-222491","severity":"medium","ruleTitle":"The application must provide an audit reduction capability that supports after-the-fact investigations of security incidents.","description":"If the audit reduction capability does not support after-the-fact investigations, it is difficult to establish, correlate, and investigate the events leading up to an outage or attack, or identify those responses for one. This capability is also required to comply with applicable Federal laws and DoD policies.\n\nAudit reduction capability must support after-the-fact investigations of security incidents either natively or through the use of third-party tools.\n\nThis requirement is specific to applications with audit reduction capabilities.","checkContent":"$42","fixText":"Configure the application to provide an audit reduction capability that supports forensic investigations."},{"id":"6a354e65-a84c-46f3-a3d6-f02af5579167","vulnId":"V-222492","severity":"medium","ruleTitle":"The application must provide a report generation capability that supports on-demand audit review and analysis.","description":"$43","checkContent":"Review the application documentation and interview the application administrator for details regarding audit reduction (log record event filtering).\n\nAccess the application with user rights sufficient to read and filter audit records.\n\nNavigate the application user interface and select the application functionality that provides access and interface to audit records and audit reporting.\n\nIf the application uses a centralized logging solution that provides immediate, customizable audit review and analysis functions, the requirement is not applicable.\n\nCreate an event report. Report data can be based on date ranges, times or events, or other criteria that could be used in an investigation. Use of data from previous checks for audit reduction is encouraged.\n\nReview the report and ensure the data in the report coincides with event filters used to create the report.\n\nIf the application does not provide an immediate, ad-hoc audit review and analysis capability, this is a finding.","fixText":"Design or configure the application to provide an immediate audit review capability or utilize a centralized utility designed for the purpose of on-demand log management and reporting."},{"id":"683b4a4c-fc16-4cea-bdc9-3c8451cafe37","vulnId":"V-222493","severity":"medium","ruleTitle":"The application must provide a report generation capability that supports on-demand reporting requirements.","description":"The report generation capability must support on-demand reporting in order to facilitate the organization's ability to generate incident reports as needed to better handle larger-scale or more complex security incidents.\n\nThe report generation capability provided by the application must be capable of generating on-demand (i.e., customizable, ad-hoc, and as-needed) reports. On-demand reporting allows personnel to report issues more rapidly to more effectively meet reporting requirements. Collecting log data and aggregating it to present the data in a single, consolidated report achieves this objective.\n\nThis requirement is specific to applications with report generation capabilities; however, applications need to support on-demand reporting requirements.","checkContent":"Review the application documentation and interview the application administrator for details regarding audit reduction (log record event filtering).\n\nAccess the application with user rights sufficient to read and filter audit records.\n\nNavigate the application user interface and select the application functionality that provides access and interface to audit records and audit reduction (event filtering).\n\nIf the application uses a centralized logging solution that provides immediate, customizable, ad-hoc report generation functions, the requirement is not applicable.\n\nCreate an event report. Report data can be based on date ranges, times or events, or other criteria that could be used in an investigation. Use of data from previous checks for audit reduction is encouraged.\n\nReview the report and ensure the data in the report coincides with event filters used to create the report.\n\nIf the application does not provide customizable, immediate, ad-hoc audit log reporting, this is a finding.","fixText":"Design or configure the application to provide an on-demand report generation capability or utilize a centralized utility designed for the purpose of on-demand log management and reporting."},{"id":"7159d3d1-5103-460f-8893-bbc62f9966bf","vulnId":"V-222494","severity":"medium","ruleTitle":"The application must provide a report generation capability that supports after-the-fact investigations of security incidents.","description":"If the report generation capability does not support after-the-fact investigations, it is difficult to establish, correlate, and investigate the events leading up to an outage or attack, or identify those responses for one. This capability is also required to comply with applicable Federal laws and DoD policies.\n\nThe report generation capability must support after-the-fact investigations of security incidents either natively or through the use of third-party tools.\n\nThis requirement is specific to applications with report generation capabilities; however, applications need to support on-demand reporting requirements.","checkContent":"Review the application documentation and interview the application administrator for details regarding audit reduction (log record event filtering).\n\nAccess the application with user rights sufficient to read and filter audit records.\n\nNavigate the application user interface and select the application functionality that provides access and interface to audit records and audit reduction (event filtering).\n\nIf the application uses a centralized logging solution that performs the report generation functions, the requirement is not applicable.\n\nCreate an event report. Report data can be based on date ranges, times or events, or other criteria that could be used in an investigation. Use of data from previous checks for audit reduction is encouraged.\n\nReview the report and ensure the data in the report coincides with event filters used to create the report.\n\nIf the application does not have a report generation capability that supports after the fact security investigations, this is a finding.","fixText":"Design or configure the application to provide after-the-fact report generation capability or utilize a centralized utility designed for the purpose of log management and reporting."},{"id":"7f5553fd-f3e6-4493-bee4-7b54c3c62e39","vulnId":"V-222495","severity":"medium","ruleTitle":"The application must provide an audit reduction capability that does not alter original content or time ordering of audit records.","description":"If the audit reduction capability alters the content or time ordering of audit records, the integrity of the audit records is compromised, and the records are no longer usable for forensic analysis. Time ordering refers to the chronological organization of records based on time stamps. The degree of time stamp precision can affect this.\n\nAudit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts.\n\nThis requirement is specific to applications with audit reduction capabilities; however, applications need to support on-demand audit review and analysis.","checkContent":"$44","fixText":"Configure the application to not alter original log content or time ordering of audit records."},{"id":"d2b97abe-0080-42c3-8ade-00e90851d5ce","vulnId":"V-222496","severity":"medium","ruleTitle":"The application must provide a report generation capability that does not alter original content or time ordering of audit records.","description":"If the audit report generation capability alters the original content or time ordering of audit records, the integrity of the audit records is compromised, and the records are no longer usable for forensic analysis. Time ordering refers to the chronological organization of records based on time stamps. The degree of time stamp precision can affect this.\n\nThe report generation capability provided by the application can generate customizable reports.\n\nThis requirement is specific to applications with audit reduction capabilities; however, applications need to support on-demand audit review and analysis.","checkContent":"$45","fixText":"Configure and design the application to not modify source logs when filtering events."},{"id":"0d051198-a1c9-4ecb-add5-6330900236bd","vulnId":"V-222497","severity":"medium","ruleTitle":"The applications must use internal system clocks to generate time stamps for audit records.","description":"Without an internal clock used as the reference for the time stored on each event to provide a trusted common reference for the time, forensic analysis would be impeded. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events.\n\nIf the internal clock is not used, the system may not be able to provide time stamps for log messages. Additionally, externally generated time stamps may not be accurate. Applications can use the capability of an operating system or purpose-built module for this purpose.","checkContent":"Review the system documentation and interview the application administrator for details regarding application architecture and logging configuration.\n\nIdentify the application components and the logs associated with the components.\n\nEnsure the time written into the logs coincides with the OS timeclock.\n\nAccess random audit records and review the most recent logs.\n \nAccess the system OS hosting the application and use the related OS commands to determine the time of the system.\n\nPerform an action in the application that causes a log event to be written and review the log to ensure the system times and the application log times correlate; compensating for any time delays that may have occurred between running the OS time command and running the application action.\n\nIf the application doesn't use the internal system clocks to generate time stamps for the audit event logs, this is a finding.","fixText":"Configure the application to use the hosting systems internal clock for audit record generation."},{"id":"e2993787-f1c6-41ae-9052-d1a5a6473449","vulnId":"V-222498","severity":"medium","ruleTitle":"The application must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).","description":"If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.\n\nTime stamps generated by the application include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.","checkContent":"Review the system documentation and interview the application administrator for details regarding application architecture and logging configuration.\n\nIdentify the application components and the logs associated with the components. \n\nIf the application utilizes the underlying OS system clock, and the system clock is mapped to UTC or GMT, this is not a finding.\n\nIdentify where clock settings are configured within the application.\n\nAccess the configuration settings and determine if the application is configured to set the time stamps for audit records according to UTC or GMT (e.g., East coast standard time is represented as GMT -5, east coast daylight savings time is represented as GMT-4).\n\nIf the application is not configured to map to UTC or GMT, this is a finding.","fixText":"Configure the application to use the underlying system clock that maps to relevant UTC or GMT timezone."},{"id":"888939e1-fd07-4a79-9341-9c35030997a3","vulnId":"V-222499","severity":"medium","ruleTitle":"The application must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.","description":"Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records.\n\nTime stamps generated by the application include date and time. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks.","checkContent":"Review the system documentation and interview the application administrator to determine where application audit logs are written and how time stamps are recorded.\n\nIf the application utilizes the underlying OS for time stamping and time synchronization when writing the audit logs, this requirement is not applicable.\n\nAccess and review log files over a period of at least 10 minutes; compare time stamps written in the application log to the system clock to ensure time is synchronized to within 1 second of precision.\n\nIf the application audit log time stamps differ from the OS time source by more than one second, this is a finding.","fixText":"Configure the application to leverage the underlying operating system as the time source when recording time stamps or design the application to ensure granularity of 1 second as the minimum degree of precision."},{"id":"73d5c5cb-ccd4-4c0c-87e0-7edc52629e6a","vulnId":"V-222500","severity":"medium","ruleTitle":"The application must protect audit information from any type of unauthorized read access.","description":"$46","checkContent":"$47","fixText":"Configure the application to protect audit data from unauthorized access. Limit users to roles that are assigned the rights to view, edit or copy audit data, and establish permissions that control access to the audit logs and audit configuration settings."},{"id":"679b4c34-9d60-4b3d-a065-02556f022e4d","vulnId":"V-222501","severity":"medium","ruleTitle":"The application must protect audit information from unauthorized modification.","description":"If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.\n\nTo ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized modification.\n\nThis requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions, and limiting log data locations.\n\nApplications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights that the user enjoys in order to make access decisions regarding the modification of audit data.\n\nAudit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.","checkContent":"$48","fixText":"Configure the application to protect audit data from unauthorized modification and changes. Limit users to roles that are assigned the rights to edit audit data and establish permissions that control access to the audit logs and audit configuration settings."},{"id":"7858417e-d341-4226-a7f6-64f01167e42a","vulnId":"V-222502","severity":"medium","ruleTitle":"The application must protect audit information from unauthorized deletion.","description":"$49","checkContent":"$4a","fixText":"Configure the application to protect audit data from unauthorized deletion. Limit users to roles that are assigned the rights to delete audit data and establish permissions that control access to the audit logs and audit configuration settings."},{"id":"236c0b97-e73d-4b61-a9be-404ed5deca85","vulnId":"V-222503","severity":"medium","ruleTitle":"The application must protect audit tools from unauthorized access.","description":"Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.\n\nApplications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order make access decisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.","checkContent":"$4b","fixText":"Configure the application to protect audit data from unauthorized access. Limit users to roles that are assigned the rights to view, edit or copy audit data, and establish file permissions that control access to the audit tools and audit tool capabilities and configuration settings."},{"id":"9702fa00-6362-45a5-ac1c-8663e2a88553","vulnId":"V-222504","severity":"medium","ruleTitle":"The application must protect audit tools from unauthorized modification.","description":"Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.\n\nApplications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order make access decisions regarding the modification of audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.","checkContent":"$4c","fixText":"Configure the application to protect audit tools from unauthorized modifications. Limit users to roles that are assigned the rights to edit or update audit tools and establish file permissions that control access to the audit tools and audit tool capabilities and configuration settings."},{"id":"7b94dcc9-3a0e-475e-821d-96e6f78ea16b","vulnId":"V-222505","severity":"medium","ruleTitle":"The application must protect audit tools from unauthorized deletion.","description":"Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.\n\nApplications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order make access decisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.","checkContent":"$4d","fixText":"Configure the application to protect audit tools from unauthorized deletions. Limit users to roles that are assigned the rights to edit or delete audit tools and establish file permissions that control access to the audit tools and audit tool capabilities and configuration settings."},{"id":"f86af9ca-f3c9-4416-8445-8d7b16eefc85","vulnId":"V-222506","severity":"medium","ruleTitle":"The application must back up audit records at least every seven days onto a different system or system component than the system or component being audited.","description":"Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on an organizationally defined frequency helps to assure in the event of a catastrophic system failure, the audit records will be retained.\n\nThis helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records.\n\nThis requirement only applies to applications that have a native backup capability for audit records. Operating system backup requirements cover applications that do not provide native backup functions.","checkContent":"Review the application documentation and interview the application administrator.\n\nIdentify log functionality and locations of log files.\n\nIf the application does not include a built-in backup capability for backing up its own audit records, this requirement is not applicable.\n\nAccess the management interface for configuring application audit logs and review the backup settings.\n\nIf the application backup settings are not configured to backup application audit records every 7 days, this is a finding.","fixText":"Configure application backup settings to backup application audit logs every 7 days."},{"id":"a7e97709-065c-485c-a181-040a136d77a2","vulnId":"V-222507","severity":"medium","ruleTitle":"The application must use cryptographic mechanisms to protect the integrity of audit information.","description":"Audit records may be tampered with; if the integrity of audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.\n\nProtection of audit records and audit data is of critical importance. Cryptographic mechanisms are the industry established standard used to protect the integrity of audit data. An example of a cryptographic mechanism is the computation and application of a cryptographic-signed hash using asymmetric cryptography.\n\nThis requirement applies to applications that generate, process or manage audit records and is applied once audit processing has completed and the audit record is being stored.","checkContent":"$4e","fixText":"Configure the application to create an integrity check consisting of a cryptographic hash or one-way digest that can be used to establish the integrity when storing log files."},{"id":"49d01650-5567-48bf-a771-fb0712952d95","vulnId":"V-222508","severity":"medium","ruleTitle":"Application audit tools must be cryptographically hashed.","description":"$4f","checkContent":"$50","fixText":"Cryptographically hash the audit tool files used by the application. Store and protect the generated hash values for future reference."},{"id":"416fe6ce-9ed2-420a-aba3-04c20585b840","vulnId":"V-222509","severity":"medium","ruleTitle":"The integrity of the audit tools must be validated by checking the files for changes in the cryptographic hash value.","description":"Protecting the integrity of the tools used for auditing purposes is a critical step to ensuring the integrity of audit data. Audit data includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.\n\nAudit tools include, but are not limited to, vendor provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject code into the existing tools with the purpose of providing the capability to hide or erase system activity from the audit logs. \n\nTo address this risk, audit tools must be cryptographically signed/hashed in order to provide the capability to identify when the audit tools have been modified, manipulated or replaced. An example is a checksum hash of the file or files.","checkContent":"$51","fixText":"Establish a process to periodically check the audit tool cryptographic hashes to ensure the audit tools have not been tampered with."},{"id":"8572a1de-a7d5-4482-bc7a-f37b72cadaaa","vulnId":"V-222510","severity":"medium","ruleTitle":"The application must prohibit user installation of software without explicit privileged status.","description":"$52","checkContent":"$53","fixText":"Configure the application to prohibit user installation of software without explicit permission."},{"id":"507829ed-bba2-4419-8328-71eca6d73a82","vulnId":"V-222511","severity":"medium","ruleTitle":"The application must enforce access restrictions associated with changes to application configuration.","description":"Failure to provide logical access restrictions associated with changes to application configuration may have significant effects on the overall security of the system.\n\nWhen dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system.\n\nAccordingly, only qualified and authorized individuals should be allowed to obtain access to application components for the purposes of initiating changes, including upgrades and modifications.\n\nLogical access restrictions include, for example, controls that restrict access to workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).","checkContent":"Review the application documentation and configuration settings.\n\nAccess the application configuration settings interface as a regular non-privileged user. Attempt to make configuration changes to the application.\n\nIf configuration changes can be made by regular non-privileged users, this is a finding.\n\nReview the locations of all configuration files used by the application.\n\nExamine the file permission settings and determine who has access to the configuration files.\n\nIf access permissions to configuration files are not restricted to application administrators, this is a finding.","fixText":"Configure the application to limit access to configuration settings to only authorized users."},{"id":"94e03877-cf8a-4f0a-8951-dbab7ba2ce4c","vulnId":"V-222512","severity":"medium","ruleTitle":"The application must audit who makes configuration changes to the application.","description":"Without auditing the enforcement of access restrictions against changes to the application configuration, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation for after-the-fact actions.\n\nEnforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact.\n\nIf application configuration is maintained by using a text editor to modify a configuration file, this function may be delegated to an operating system file monitoring/auditing capability.","checkContent":"Review the application documentation and configuration settings.\n\nAccess the application configuration settings interface as a privileged user.\n\nMake configuration changes to the application.\n\nReview the application audit logs and ensure a log entry is made identifying the privileged user account that was used to make the changes.\n\nIf application configuration is maintained by using a text editor to modify a configuration file, modify the configuration file with a text editor. Review the system logs and ensure a log entry is made for the file modification that identifies the user that was used to make the changes.\n\nIf the user account is not logged, or is a group account such as \"root\", this is a finding.\n\nIf the user account used to make the changes is not logged in the audit records, this is a finding.","fixText":"Configure the application to create log entries that can be used to identify the user accounts that make application configuration changes."},{"id":"ecc4ec26-44b6-4f73-8c4c-b86c6904c191","vulnId":"V-222513","severity":"medium","ruleTitle":"The application must have the capability to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.","description":"$54","checkContent":"Review the application documentation and interview the application administrator to determine the process and commands used for patching the application.\n\nAccess application configuration settings.\n\nReview commands and procedures used to patch the application and ensure a capability exists to prevent unsigned patches from being applied.\n\nIf the application is not capable of preventing installation of patches and packages that are not signed, or if the vendor does not provide a cryptographic hash value that can be manually checked prior to installation, this is a finding.","fixText":"Design and configure the application to have the capability to prevent unsigned patches and packages from being installed.\n\nProvide a cryptographic hash value that can be verified by a system administrator prior to installation."},{"id":"ee966238-31d6-4199-848b-926499a0d888","vulnId":"V-222514","severity":"medium","ruleTitle":"The applications must limit privileges to change the software resident within software libraries.","description":"If the application were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nThis requirement applies to applications with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.","checkContent":"Review the application documentation and interview the application administrator to identify the application architecture.\n\nIdentify application folders where application libraries are stored.\n\nReview permissions of application folders and library files contained with the folders to ensure file permissions restrict access to authorized users or processes.\n\nAccess application configuration settings.\n\nExamine settings for capability to update software libraries or extend application functionality via the application.\n\nReview user roles and access rights within the application to determine if access to this capability is restricted to authorized users.\n\nIf file restrictions do not limit write access to library files and if the application does not restrict access to library update functionality, this is a finding.","fixText":"Configure the application OS file permissions to restrict access to software libraries and configure the application to restrict user access regarding software library update functionality to only authorized users or processes."},{"id":"abe20b4b-d79d-4af5-9076-4fe2945c0752","vulnId":"V-222515","severity":"medium","ruleTitle":"An application vulnerability assessment must be conducted.","description":"$55","checkContent":"$56","fixText":"Configure the application vulnerability scanners to test all components of the application, conduct vulnerability scans on a regular basis and remediate identified issues. Retain scan results for compliance verification."},{"id":"86b70e62-6aca-4d69-82a0-4d10c1f48005","vulnId":"V-222516","severity":"medium","ruleTitle":"The application must prevent program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.","description":"Control of application execution is a mechanism used to prevent execution of unauthorized applications in order to follow the rules of least privilege. Some applications may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements.\n\nSome of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline.\n\nSoftware program restrictions include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain application functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, security managers, roles).","checkContent":"$57","fixText":"Restrict application execution in accordance with the policy, terms, and conditions specified."},{"id":"37fee718-4932-46ab-b999-4ce78e1d6d36","vulnId":"V-222517","severity":"medium","ruleTitle":"The application must employ a deny-all, permit-by-exception (whitelist) policy to allow the execution of authorized software programs.","description":"Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities.\n\nThe organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.\n\nVerification of whitelisted software can occur either prior to execution or at system startup.\n\nThis requirement applies to configuration management applications or similar types of applications designed to manage system processes and configurations (e.g., HBSS and software wrappers).","checkContent":"$58","fixText":"Configure the application to utilize a deny-all, permit-by-exception policy when allowing the execution of authorized software."},{"id":"9bfdcd04-5214-4475-863d-1902a5c19485","vulnId":"V-222518","severity":"medium","ruleTitle":"The application must be configured to disable non-essential capabilities.","description":"It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nApplications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but are not limited to, advertising software or browser plug-ins not related to requirements or providing a wide array of functionality not required for every mission, but cannot be disabled.","checkContent":"Review the application guidance, application requirements documentation, and interview the application administrator.\n\nIdentify the application's operational requirements and what services the application is intended to provide users.\n\nReview the overall application features and functionality via the user interface.\n\nReview and identify installed application software modules via configuration settings.\n\nUsing the relevant OS commands, identify services running on the system and have the application administrator identify the services related to the application.\n\nIf the application is operating with extraneous capabilities that have not been defined as required in order to meet mission objectives, this is a finding.","fixText":"Disable application extraneous application functionality that is not required in order to fulfill the application's mission."},{"id":"966b94c4-3220-454b-82f0-29c5f5fc413a","vulnId":"V-222519","severity":"medium","ruleTitle":"The application must be configured to use only functions, ports, and protocols permitted to it in the PPSM CAL.","description":"$59","checkContent":"Review the application documentation and configuration.\n\nInterview the application administrator.\n\nIdentify the network ports and protocols that are utilized by the application.\n\nUsing a combination of relevant OS commands and application configuration utilities, identify the TCP/IP port numbers the application is configured to utilize and is utilizing.\n\nReview the PPSM Category Assurance List (CAL) at: \n\nhttps://cyber.mil/ppsm/cal/\n\nVerify the ports used by the application are approved by the PPSM CAL.\n\nIf the ports are not approved by the PPSM CAL, this is a finding.","fixText":"Configure the application to utilize application ports approved by the PPSM CAL."},{"id":"878f2f79-c445-4176-bea0-40ea9dc3cd76","vulnId":"V-222520","severity":"medium","ruleTitle":"The application must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.","description":"Without reauthentication, users may access resources or perform tasks for which they do not have authorization.\n\nWhen applications provide the capability to change security roles or escalate the functional capability of the application, it is critical the user reauthenticate.\n\nIn addition to the reauthentication requirements associated with session locks, organizations may require reauthentication of individuals and/or devices in other situations, including (but not limited to) the following circumstances:\n\n(i) When authenticators change;\n(ii) When roles change;\n(iii) When security categories of information systems change;\n(iv) When the execution of privileged functions occurs;\n(v) After a fixed period of time;\nor\n(vi) Periodically.\n\nWithin the DOD, the minimum circumstances requiring reauthentication are privilege escalation and role changes.","checkContent":"$5a","fixText":"Configure the application to require reauthentication before user privilege is escalated and user roles are changed."},{"id":"46a16392-6cd5-4951-b199-c939d4a1141a","vulnId":"V-222521","severity":"medium","ruleTitle":"The application must require devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication.","description":"Without reauthenticating devices, unidentified or unknown devices may be introduced; thereby facilitating malicious activity.\n\nIn addition to the reauthentication requirements associated with session locks, organizations may require reauthentication of devices, including (but not limited to), the following other situations:\n\n(i) When authenticators change;\n(ii) When roles change;\n(iii) When security categories of information systems change;\n(iv) After a fixed period of time;\nor\n(v) Periodically.\n\nFor distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of identification claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide the identification decisions (as opposed to the actual identifiers) to the services that need to act on those decisions.\n\nGateways and SOA applications are examples of where this requirement would apply.","checkContent":"Review the application guidance and interview the application administrator.\n\nIdentify the methods and manner in which application devices such as an XML gateway, SOA application gateway, or application firewall is allowed to access the application. Most devices themselves will not change role or authenticators once they are established but will need to periodically reauthenticate.\n\nReview the configuration setting in the application where the time period is set to force the device to reauthenticate.\n\nReview local policy requirements to determine if reauthentication intervals are specified.\n\nIf the device is not forced to reauthenticate periodically, this is a finding.","fixText":"Configure the application to require reauthentication periodically."},{"id":"e44e2c66-7435-4472-9ce9-8faa0223501d","vulnId":"V-222522","severity":"high","ruleTitle":"The application must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).","description":"To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.\n\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). \n\nOrganizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses, except the following:\n\n(i) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and \n(ii) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.","checkContent":"Review the application documentation and interview the application administrator to determine how organizational users access the application.\n\nIf the application is publicly available, providing access to publicly releasable data and the users are non-organizational users such as individuals who no longer have a CAC (e.g., retirees) or members of the public with no requirement for DoD credentials, this requirement is not applicable.\n\nThe requirement still applies to DoD organizational users and admins when accessing the non-public data areas or system resources of the system.\n\nAttempt to access the application and confirm that a unique user account and password or CAC token and pin are required in order to access the application.\n\nIf the application does not uniquely identify and authenticate users, this is a finding.","fixText":"Configure the application to uniquely identify and authenticate users and user processes."},{"id":"d592bc76-82e9-443a-9966-35e419fc642f","vulnId":"V-222523","severity":"medium","ruleTitle":"The application must use multifactor (Alt. Token) authentication for network access to privileged accounts.","description":"$5b","checkContent":"Review the application documentation and interview the application administrator to identify application access methods.\n\nAsk the application administrator to present both their primary CAC and their Alt. Token. Ask the application administrator to log on to the application using application relevant network based access methods. Attempt to use both CAC and Alt. Tokens to authenticate to the application. \n\nValidate the application requests the user to input their CAC PIN and that they cannot perform administrative functions.\n\nHave user logoff and reauthenticate with their Alt. Token and that they can perform administrative functions.\n\nIf the application allows administrative access to the application without requiring an Alt. Token, this is a finding.","fixText":"Configure the application to use an Alt. Token when providing network access to privileged application accounts."},{"id":"9a074a2e-48b1-4b82-9d8c-5f74305628ab","vulnId":"V-222524","severity":"medium","ruleTitle":"The application must accept Personal Identity Verification (PIV) credentials.","description":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access.\n\nDoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under HSPD 12, as well as a primary component of layered protection for national security systems.","checkContent":"Review the application documentation and interview the application administrator to identify application access methods.\n\nIf the application is not PK-enabled due to the hosted data being publicly releasable, this check is not applicable.\n\nAsk the application administrator to log on to the application. Have the application admin use their non-privileged credentials.\n\nValidate the application prompts the user to provide a certificate from the CAC.\n\nIf the application allows access without requiring a CAC, this is a finding.","fixText":"Configure the application to require CAC authentication."},{"id":"06f0363b-b444-471d-9487-1e76c969a129","vulnId":"V-222525","severity":"medium","ruleTitle":"The application must electronically verify Personal Identity Verification (PIV) credentials.","description":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access.\n\nDoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under HSPD 12, as well as a primary component of layered protection for national security systems.\n\nIf the application does not verify the credentials provided, user authentication cannot be established which places the integrity and confidentiality of the application at risk.","checkContent":"Review the application documentation and interview the application administrator to identify application access methods.\n\nIf the application is not PK-enabled due to the hosted data being publicly releasable, this check is not applicable.\n\nAsk the application administrator to log on to the application.\n\nValidate the application prompts the user to provide a certificate from the CAC.\n\nValidate the application requests the user to input their CAC PIN.\n\nIf the application allows access without requiring a CAC, this is a finding.","fixText":"Configure the application to require CAC authentication."},{"id":"2bacf546-fdfe-4f48-88f0-801f25dbb253","vulnId":"V-222526","severity":"medium","ruleTitle":"The application must use multifactor (e.g., CAC, Alt. Token) authentication for network access to non-privileged accounts.","description":"To assure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.\n\nMultifactor authentication uses two or more factors to achieve authentication.\n\nFactors include:\n\n(i) Something you know (e.g., password/PIN);\n(ii) Something you have (e.g., cryptographic identification device, CAC/SIPRNet token); or\n(iii) Something you are (e.g., biometric).\n\nA non-privileged account is any information system account with authorizations of a non-privileged user.\n\nNetwork access is any access to an application by a user (or process acting on behalf of a user) where said access is obtained through a network connection.\n\nApplications integrating with the DoD Active Directory and utilize the DoD CAC are an example of compliant multifactor authentication solutions.","checkContent":"Review the application documentation and interview the application administrator to identify application access methods.\n\nIf the application is not PK-enabled due to the hosted data being publicly releasable, this check is not applicable.\n\nAsk the application administrator to log on to the application. Have the application admin use their non-privileged credentials.\n\nValidate the application prompts the user to provide a certificate from the CAC.\n\nValidate the application requests the user to input their CAC PIN. \n\nIf the application allows access without requiring a CAC or Alt. Token, this is a finding.","fixText":"Configure the application to require CAC or Alt. Token authentication for non-privileged network access to non-privileged accounts."},{"id":"6dac9061-74cc-4977-9329-868304b1b125","vulnId":"V-222527","severity":"medium","ruleTitle":"The application must use multifactor (Alt. Token) authentication for local access to privileged accounts.","description":"Multifactor authentication (MFA) requires using two or more factors to achieve authentication and access.\n\nFactors include:\n(i) something a user knows (e.g., password/PIN);\n(ii) something a user has (e.g., cryptographic identification device, token); or\n(iii) something a user is (e.g., biometric).\n\nMFA decreases the attack surface by virtue of the fact that attackers must obtain two factors, a physical token or a biometric and a PIN, in order to authenticate. It is not enough to simply steal a user's password to obtain access. \n\nA privileged account is defined as an information system account with authorizations of a privileged user.\n\nAn Alt. Token is a separate CAC or token used specifically for administrative account access and serves as a separate identifier much like a separate user account.\n\nLocal access is defined as access to an organizational information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network.","checkContent":"Review the application documentation and interview the application administrator to identify application access methods.\n\nAsk the application administrator to present both their primary CAC and their Alt. Token. Ask the application administrator to log on to the application using the local application console. \n\nAttempt to use both the CAC and Alt. Tokens to authenticate to the application.\n\nValidate the application requests the user to input their CAC PIN and that they cannot perform administrative functions.\n\nHave user log off and reauthenticate with their Alt. Token and verify they can perform administrative functions.\n\nIf the application allows administrative access to the application without requiring an Alt. Token, this is a finding.","fixText":"Configure the application to only use Alt. Tokens when locally accessing privileged application accounts."},{"id":"a52bb8de-5d81-4d59-ac14-9dbaf248593b","vulnId":"V-222528","severity":"medium","ruleTitle":"The application must use multifactor (e.g., CAC, Alt. Token) authentication for local access to nonprivileged accounts.","description":"To assure accountability, prevent unauthenticated access, and prevent misuse of the system, privileged users must utilize multifactor authentication (MFA) for local access.\n\nMFA is defined as using two or more factors to achieve authentication.\n\nFactors include:\n(i) Something a user knows (e.g., password/PIN);\n(ii) Something a user has (e.g., cryptographic identification device, token); or\n(iii) Something a user is (e.g., biometric).\n\nA nonprivileged account is defined as an information system account with authorizations of a regular or nonprivileged user.\n\nLocal access is defined as access to an organizational information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network.\n\nApplications integrating with the DOD Active Directory and utilize the DOD CAC are examples of compliant multifactor authentication solutions.","checkContent":"Review the application documentation and interview the application administrator to identify application access methods.\n\nIf the application is not PKI-enabled due to the hosted data being publicly releasable, this check is Not Applicable.\n\nAsk the application administrator to log on to the application. Have the application admin use their nonprivileged credentials.\n\nValidate the application prompts the user to provide a certificate from the CAC.\n\nValidate the application requests the user to input their CAC PIN.\n\nIf the application allows access without requiring a CAC or Alt. Token, this is a finding.","fixText":"Configure the application to require CAC or Alt. Token authentication for nonprivileged network access."},{"id":"a620a5be-fb08-43e1-a8d4-71d921ca0431","vulnId":"V-222529","severity":"medium","ruleTitle":"The application must ensure users are authenticated with an individual authenticator prior to using a group authenticator.","description":"$5c","checkContent":"Review the application documentation, examine user accounts and group membership, and interview the application administrator to identify group or shared accounts. Document the group or shared account information.\n\nIf the application does not use group or shared accounts, this requirement is Not Applicable.\n\nCreate a test account or use an existing group member account.\n\nEnsure the test account is not authenticated to the application and attempt to access the application with the group account credentials.\n\nIf the application allows access without first requiring the group member to authenticate with their individual credentials, this is a finding.","fixText":"Design and configure the application to individually authenticate group account members prior to allowing access."},{"id":"eb1d4bce-210f-4f1a-a3a4-81ae2de643ed","vulnId":"V-222530","severity":"medium","ruleTitle":"The application must implement replay-resistant authentication mechanisms for network access to privileged accounts.","description":"A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack.\n\nAn authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message.\n\nA privileged account is any information system account with authorizations of a privileged user.\n\nTechniques used to address this include protocols using nonces (e.g., numbers generated for a specific one time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.","checkContent":"$5d","fixText":"Design and configure the application to utilize replay-resistant mechanisms when authenticating privileged accounts."},{"id":"1a62c583-6f6f-4719-8b5e-62e5441a292d","vulnId":"V-222531","severity":"medium","ruleTitle":"The application must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.","description":"A replay attack is a man-in-the-middle style attack which allows an attacker to repeat or alter a valid data transmission that may enable unauthorized access to the application. Authentication sessions between the authenticating client and the application server validating the user credentials must not be vulnerable to a replay attack.\n\nThe protection methods selected to protect against a replay attack will vary according to the application architecture.\n\nAn authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message.\n\nA nonprivileged account is any operating system account with authorizations of a nonprivileged user.\n\nTechniques used to address this include protocols using nonces (e.g., numbers generated for a specific one time use), challenges (e.g., TLS, WS_Security), and PKI certificates. Additional techniques include time-synchronous or challenge-response one-time authenticators.","checkContent":"$5e","fixText":"Design and configure the application to utilize replay-resistant mechanisms when authenticating nonprivileged accounts."},{"id":"b5246de8-b1d8-4f27-ba33-1aca38f0f7bc","vulnId":"V-222532","severity":"medium","ruleTitle":"The application must utilize mutual authentication when endpoint device non-repudiation protections are required by DoD policy or by the data owner.","description":"$5f","checkContent":"$60","fixText":"Configure the application to utilize mutual authentication when specified by data protection requirements."},{"id":"bb750699-f420-4bbf-a95c-0dc6419d539c","vulnId":"V-222533","severity":"medium","ruleTitle":"The application must authenticate all network connected endpoint devices before establishing any connection.","description":"$61","checkContent":"$62","fixText":"Configure the application to authenticate all network connected endpoint devices/service consumers before establishing connections."},{"id":"9bfd319c-c2bc-4333-916e-1346761a2106","vulnId":"V-222534","severity":"medium","ruleTitle":"Service-Oriented Applications handling non-releasable data must authenticate endpoint devices via mutual SSL/TLS.","description":"$63","checkContent":"$64","fixText":"Configure the application to utilize mutual authentication when the application is processing non-releasable data."},{"id":"e796bfe8-c52c-4f9d-a921-0ac14fa0f5da","vulnId":"V-222535","severity":"medium","ruleTitle":"The application must disable device identifiers after 35 days of inactivity unless a cryptographic certificate is used for authentication.","description":"$65","checkContent":"$66","fixText":"Configure the application to disable device accounts after 35 days of inactivity or to utilize DOD PKI certificates that provide an expiration date."},{"id":"50cc41ee-2e54-4145-85fe-065bc3265e9e","vulnId":"V-222536","severity":"high","ruleTitle":"The application must enforce a minimum 15-character password length.","description":"$67","checkContent":"Review the application documentation and interview the application administrator to identify if the application uses passwords for user authentication.\n\nIf the application does not use passwords, this requirement is Not Applicable.\n\nAccess the application management interface and create a test user account or log on to the system with a test account and access the functionality that provides password change capabilities.\n\nWhen prompted to provide the password, attempt to create a password shorter than 15 characters in length.\n\nIf a password shorter than 15 characters can be created, this is a finding.","fixText":"Configure the application to require 15 characters in the password."},{"id":"feeaa773-011c-4c19-8abc-da20401382ca","vulnId":"V-222537","severity":"medium","ruleTitle":"The application must enforce password complexity by requiring that at least one uppercase character be used.","description":"$68","checkContent":"Review the application documentation and interview the application administrator to identify if the application uses passwords for user authentication.\n\nIf the application does not use passwords, this requirement is Not Applicable.\n\nAccess the application management interface and create a test user account or logon to the system with a test account and access the functionality that provides password change capabilities.\n\nWhen prompted to provide the password, attempt to create a password that does not have one uppercase character.\n\nIf a password without at least one upper-case character can be created, this is a finding.","fixText":"Configure the application to require at least one uppercase character in the password."},{"id":"6e421a6c-521e-44d1-8125-cdf9ed873089","vulnId":"V-222538","severity":"medium","ruleTitle":"The application must enforce password complexity by requiring that at least one lowercase character be used.","description":"$69","checkContent":"Review the application documentation and interview the application administrator to identify if the application uses passwords for user authentication.\n\nIf the application does not use passwords, this requirement is Not Applicable.\n\nAccess the application management interface and create a test user account or logon to the system with a test account and access the functionality that provides password change capabilities.\n\nWhen prompted to provide the password, attempt to create a password that does not have one lowercase character.\n\nIf a password without at least one lower-case character can be created, this is a finding.","fixText":"Configure the application to require at least one lowercase character in the password."},{"id":"d3df63bc-25f9-46fb-9fc3-b7336cfe1c06","vulnId":"V-222539","severity":"medium","ruleTitle":"The application must enforce password complexity by requiring that at least one numeric character be used.","description":"$6a","checkContent":"Review the application documentation and interview the application administrator to identify if the application uses passwords for user authentication.\n\nIf the application does not use passwords, this requirement is Not Applicable.\n\nAccess the application management interface and create a test user account or logon to the system with a test account and access the functionality that provides password change capabilities.\n\nWhen prompted to provide the password, attempt to create a password that does not have one numeric character.\n\nIf a password without at least one numeric character can be created, this is a finding.","fixText":"Configure the application to require at least one numeric character in the password."},{"id":"cdf35d0e-9e4b-4364-a29e-5e1fea226428","vulnId":"V-222540","severity":"medium","ruleTitle":"The application must enforce password complexity by requiring that at least one special character be used.","description":"$6b","checkContent":"Review the application documentation and interview the application administrator to identify if the application uses passwords for user authentication.\n\nIf the application does not use passwords, this requirement is Not Applicable.\n\nAccess the application management interface and create a test user account or logon to the system with a test account and access the functionality that provides password change capabilities.\n\nWhen prompted to provide the password, attempt to create a password that does not have one special character.\n\nIf a password without at least one special character can be created, this is a finding.","fixText":"Configure the application to require at least one special character in the password."},{"id":"3fc344fe-1cd9-4d2c-ad94-0a157981e48d","vulnId":"V-222541","severity":"medium","ruleTitle":"The application must require the change of at least eight of the total number of characters when passwords are changed.","description":"$6c","checkContent":"Review the application documentation and interview the application administrator to identify if the application uses passwords for user authentication.\n\nIf the application does not use passwords, this requirement is Not Applicable.\n\nAccess the application management interface and create a test user account or logon to the system with a test account and access the functionality that provides password change capabilities.\n\nWhen prompted to provide the password, attempt to change less than 8 characters of the total number of characters in the password.\n\nIf less than 8 characters of the password are changed, this is a finding.","fixText":"Configure the application to require the change of at least eight characters in the password when passwords are changed."},{"id":"10588501-3033-44f0-a697-b593feb2f2ae","vulnId":"V-222542","severity":"high","ruleTitle":"The application must only store cryptographic representations of passwords.","description":"$6d","checkContent":"$6e","fixText":"Use strong cryptographic hash functions when creating password hash values.\n\nUtilize random salt values when creating the password hash.\n\nEnsure strong access control permissions on data files containing authentication data."},{"id":"6f84de17-3a65-4b60-91bb-de2c7f192525","vulnId":"V-222543","severity":"high","ruleTitle":"The application must transmit only cryptographically-protected passwords.","description":"$6f","checkContent":"$70","fixText":"Configure the application to encrypt passwords when they are being transmitted."},{"id":"4644c0ab-c72b-460d-a8c6-917ecf19ae0d","vulnId":"V-222544","severity":"medium","ruleTitle":"The application must enforce 24 hours/1 day as the minimum password lifetime.","description":"$71","checkContent":"Review the application documentation and interview the application administrator to identify if the application uses passwords for user authentication.\n\nIf the application does not use passwords, this requirement is Not Applicable.\n\nAccess the application management interface and create a test user account or logon to the system with a test account and access the functionality that provides password change capabilities.\n\nAttempt to change the password more than once.\n\nIf a password can be changed more than once within 24 hours, the minimum lifetime setting is not set and this is a finding.","fixText":"Configure the application to have a minimum password lifetime of 24 hours."},{"id":"70be1ea8-f1b5-491f-a109-01ed26a3ffe2","vulnId":"V-222545","severity":"medium","ruleTitle":"The application must enforce a 60-day maximum password lifetime restriction.","description":"$72","checkContent":"Review the application documentation and interview the application administrator to identify if the application uses passwords for user authentication.\n\nIf the application does not use passwords, this requirement is Not Applicable.\n\nAccess the application management interface and view the user password settings page.\n\nReview user password settings and validate the application is configured to expire and force a password change after 60 days.\n\nIf user passwords are not configured to expire after 60 days, or if the application does not have the ability to control this setting, this is a finding.","fixText":"Configure the application to have a maximum password lifetime of 60 days."},{"id":"e4b69598-5309-4980-a6d5-4854f1a7e0b7","vulnId":"V-222546","severity":"medium","ruleTitle":"The application must prohibit password reuse for a minimum of five generations.","description":"$73","checkContent":"Review the application documentation and interview the application administrator to identify if the application uses passwords for user authentication.\n\nIf the application does not use passwords, this requirement is Not Applicable.\n\nAccess the application management interface and view the user password settings page.\n\nReview user password settings and validate the application is configured to prohibit password reuse for a minimum of five password generations.\n\nIf the application does not prevent users from reusing their previous five passwords, or if the application does not have the ability to control this setting, this is a finding.","fixText":"Configure the application to prohibit password reuse for up to five passwords."},{"id":"8fb9f971-c341-4273-ae1f-4aa0febe0df1","vulnId":"V-222547","severity":"medium","ruleTitle":"The application must allow the use of a temporary password for system logons with an immediate change to a permanent password.","description":"$74","checkContent":"Review the application documentation and interview the application administrator to identify if the application uses passwords for user authentication.\n\nIf the application does not use passwords, this requirement is Not Applicable.\n\nAccess the application management interface and view the user password settings page.\n\nReview user password settings and validate the application is configured to specify when a password is temporary and force a password change when the administrator either creates a new user account or changes a user’s password.\n\nIf the application can not specify a password as temporary and force the user to change the temporary password upon successful authentication, this is a finding.","fixText":"Configure the application to specify when a password is temporary and change the temporary password on the first use."},{"id":"cee15883-7861-4c58-9e36-46fea6d824c5","vulnId":"V-222548","severity":"medium","ruleTitle":"The application password must not be changeable by users other than the administrator or the user with which the password is associated.","description":"$75","checkContent":"Review the application documentation and interview application administrator.\n\nDetermine if the application utilizes passwords. If the application does not utilize passwords, the requirement is NA.\n\nIdentify the processes, commands or web pages the application uses to allow application users to change their own passwords. This includes but is not limited to password resets.\n\nIf the application does not allow users to change or reset their passwords, the requirement is NA.\n\nObtain two application test accounts, referred to here as User A and User B. Access the application as User A. Utilize the application password reset or change processes and determine if User A is allowed to specify or otherwise force a password change for User B.\n\nIf User A is allowed to change or force a reset of User B's password, this is a finding.","fixText":"Use a CAC to authenticate users instead of using passwords. If application users are prohibited or prevented from obtaining a CAC due to DoD policy requirements and passwords are the only viable option, design the application to utilize a secure password change or password reset process.\n\nUtilize out of band (OOB) communication techniques to communicate password change requests to users.\n\nEnsure verification processes exist that allow users to validate the change request prior to implementing the password change.\n\nEnsure users are only allowed to change their own passwords."},{"id":"81083902-6c23-4608-9c47-ae77b6a23b60","vulnId":"V-222549","severity":"medium","ruleTitle":"The application must terminate existing user sessions upon account deletion.","description":"$76","checkContent":"Review the application documentation and interview the application administrator.\n\nIdentify the user management functions of the application and create a test user account.\n\nAccess the application and perform application functions as the test user.\n\nAccess the user management functions and delete the test account while the test user sessions are still active.\n\nVerify the test user application sessions are terminated by attempting to perform additional application functions.\n\nIf the test user retains access after the test account has been deleted, this is a finding.","fixText":"Configure the application to terminate existing sessions of users whose accounts are deleted."},{"id":"0046c0e9-cf3b-4166-a0c0-4a598c55a5c0","vulnId":"V-222550","severity":"high","ruleTitle":"The application, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.","description":"$77","checkContent":"Review the application documentation, the application architecture and interview the application administrator to identify the method employed by the application for validating certificates.\n\nReview the method to determine if a certification path that includes status information is constructed when certificate validation occurs.\n\nSome applications may utilize underlying OS certificate validation and certificate path building capabilities while others may build the capability into the application itself.\n\nThe certification path will include the intermediary certificate CAs along with a status of the CA server's signing certificate and will end at the trusted root anchor.\n\nIf the application does not construct a certificate path to an accepted trust anchor, this is a finding.","fixText":"Design the application to construct a certification path to an accepted trust anchor when using PKI-based authentication."},{"id":"fb6aff3d-21e8-4465-b3e2-e3d584c45311","vulnId":"V-222551","severity":"high","ruleTitle":"The application, when using PKI-based authentication, must enforce authorized access to the corresponding private key.","description":"If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure.\n\nThe cornerstone of the PKI is the private key used to encrypt or digitally sign information.\n\nIf the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user.\n\nBoth the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys.","checkContent":"$78","fixText":"Configure the application or relevant access control mechanism to enforce authorized access to the application private key(s)."},{"id":"603c080d-ab38-4fa0-acb9-489d4554e54c","vulnId":"V-222552","severity":"medium","ruleTitle":"The application must map the authenticated identity to the individual user or group account for PKI-based authentication.","description":"Without mapping the certificate used to authenticate to a corresponding user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.\n\nSome CAs will include identifying information like an email address within the certificate itself. When the email is assigned to an individual, this helps to identify the individual user who has been assigned the certificate. When identifying information is not available within the certificate itself, the application must provide a mapping that allows administrators to quickly determine who the owner of the certificate is. When responding to a security incident, particularly involving user access violations, time is of the essence so this information must be readily available to investigators.","checkContent":"Review the application documentation and interview the application administrator to identify how the application maps individual user certificates or group accounts to individual users.\n\nAccess the application as a regular user while reviewing the application logs to determine if the application records the individual name of the user or if the application only includes certificate information.\n\nIf the application only logs certificate information which contains no discernable user data, ask the system admin what their process is for mapping the certificate information to the user.\n\nIf the application does not map the certificate data to an individual user or group, or if the administrator has no automated process established for determining the identity of the user, this is a finding.","fixText":"Configure the application to map certificate information to individual users or group accounts or create a process for automatically determining the individual user or group based on certificate information provided in the logs."},{"id":"821ea0c0-036d-4af1-8b8c-1e84b464308b","vulnId":"V-222553","severity":"medium","ruleTitle":"The application, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.","description":"A local cache of revocation data is also known as a CRL list. This list contains a list of revoked certificates and can be periodically downloaded to ensure certificates can still be checked for revocation when network access is not available or access to the Online Certificate Status Protocol (OCSP) server is not available.\n\nWithout configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).","checkContent":"Review the application documentation and interview the system administrator to identify how the application checks certificate revocation.\n\nIf the application resides on the SIPRnet and does not have access to the root CAs, this requirement is Not Applicable.\n\nDifferent application frameworks may handle this requirement for the developer or the developer may have chosen to implement their own implementation for managing and implementing the CRL.\n\nHave the administrator demonstrate the process used for obtaining and importing the CRL. CAs may publish the CRL in an LDAP directory or it may be posted to an HTTP server.\n\nVerify the application is configured to import the CRL on a regular basis.\n\nHave the administrator demonstrate the configuration setting that enables CRL checking in the event the OCSP server is not available.\n\nIf the application is not configured to implement a CRL, this is a finding.","fixText":"Implement a CRL import process and configure the application to check the CRL if OCSP is not available."},{"id":"e057112e-778e-4c83-a99b-517243feaf34","vulnId":"V-222554","severity":"high","ruleTitle":"The application must not display passwords/PINs as clear text.","description":"$79","checkContent":"Ask the application admin to log on to the application.\n\nObserve the authentication process and verify any display feedback provided when the admin enters her/his password is obfuscated and not clear text.\n\nFor applications that display authentication feedback for a very limited time, ensure the feedback time the character is displayed is only momentary i.e., fractions of a second.\n\nUsing a text editor, copy the obfuscated password and paste to a text file. Do not save the file.\n\nIf the application displays clear text when the password/PIN is entered, or if the time period for displayed feedback exceeds fractions of a second, or if the clear text password/PIN is displayed when pasted, this is a finding.","fixText":"Configure the application to obfuscate passwords and PINs when they are being entered so they cannot be read.\n\nDesign the application so obfuscated passwords cannot be copied and then pasted as clear text."},{"id":"1e3832cc-22d6-4979-8e4e-e2c2c48462fb","vulnId":"V-222555","severity":"high","ruleTitle":"The application must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.","description":"$7a","checkContent":"Review the application documentation and interview the application administrator.\n\nIdentify if the application provides access to cryptographic modules and if access is required in order to manage cryptographic modules contained within the application.\n\nIf the application does not provide authenticated access to a cryptographic module, the requirement is not applicable.\n\nReview and identify the cryptographic module. Refer to the NIST website listing all FIPS-approved cryptographic modules.\n\nhttp://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm\n\nIf the cryptographic module that requires authentication is not on the FIPS-approved module list, this is a finding.","fixText":"Use FIPS-approved cryptographic modules."},{"id":"d8d7ecb1-f4a9-407f-be7b-c35192594b24","vulnId":"V-222556","severity":"medium","ruleTitle":"The application must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).","description":"Lack of authentication and identification enables non-organizational users to gain access to the application or possibly other information systems and provides an opportunity for intruders to compromise resources within the application or information system.\n\nNon-organizational users include all information system users other than organizational users which include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors and guest researchers).\n\nNon-organizational users must be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization when related to the use of anonymous access, such as accessing a web server.","checkContent":"Review the application documentation and interview the application administrator.\n\nIf the application does not host non-organizational users, this requirement is not applicable.\n\nReview the application and verify authentication is enabled and required in order for users to access the application.\n\nReview the application user base and determine if all user accounts are documented and assigned to a unique individual.\n\nReview risk acceptance documentation to determine if there are specific accesses identified that do not require authentication.\n\nIf the application does not identify and authenticate non-organizational users and there is no risk acceptance documentation approving the exception, this is a finding.","fixText":"Configure the application to identify and authenticate all non-organizational users."},{"id":"cb786415-07a3-4fec-84c7-962c11deb59b","vulnId":"V-222557","severity":"medium","ruleTitle":"The application must accept Personal Identity Verification (PIV) credentials from other federal agencies.","description":"Access may be denied to authorized users if federal agency PIV credentials are not accepted.\n\nPersonal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.","checkContent":"Review the application documentation and interview the application administrator to identify application access methods.\n\nIf the application is not PK-enabled due to the hosted data being publicly releasable, this check is not applicable.\n\nIf the application is only deployed to SIPRNet, this requirement is not applicable.\n\nIf the application is not intended to be available to Federal government (non-DoD) partners this requirement is not applicable.\n\nAsk the application administrator to demonstrate how the application is configured to allow the use of PIV credentials from other agencies.\n\nIf the application is required to provide authenticated access to Federal agencies and it does not accept a PIV, this is a finding.","fixText":"Configure the application to accept PIV credentials when utilizing authentication provided by Federal (Non-DoD) agencies."},{"id":"0f8d385d-e191-4efe-8403-951de2a8d155","vulnId":"V-222558","severity":"medium","ruleTitle":"The application must electronically verify Personal Identity Verification (PIV) credentials from other federal agencies.","description":"Inappropriate access may be granted to unauthorized users if federal agency PIV credentials are not electronically verified.\n\nPersonal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.","checkContent":"Review the application documentation and interview the application administrator to identify application access methods.\n\nIf the application is not PK-enabled due to the hosted data being publicly releasable, this check is not applicable.\n\nIf the application is only deployed to SIPRNet, this requirement is not applicable.\n\nIf the application is not intended to be available to Federal government (non-DoD) partners this requirement is not applicable.\n\nAsk the application administrator to demonstrate how the application is configured to verify the PIV credentials from other agencies when they are presented as an authentication token.\n\nIf the application is required to provide authenticated access to Federal agencies and it does not verify the PIV, this is a finding.","fixText":"Configure the application to verify the PIV credentials presented when utilizing authentication provided by Federal (Non-DoD) agencies."},{"id":"64acee2d-2ceb-48b7-9d0f-aabebda88850","vulnId":"V-222559","severity":"medium","ruleTitle":"The application must accept Federal Identity, Credential, and Access Management (FICAM)-approved third-party credentials.","description":"$7b","checkContent":"Review the application documentation and interview the application administrator to identify application access methods.\n\nIf the application is not PKI-enabled due to the hosted data being publicly releasable, this check is Not Applicable.\n\nIf the application is only deployed to SIPRNet, this requirement is Not Applicable.\n\nIf the application is not intended to be available to federal government partners this requirement is Not Applicable.\n\nAsk the application administrator to demonstrate how the application is configured to allow the use of third-party credentials, verify the third-party credentials are FICAM approved.\n\nIf the application does not accept FICAM-approved credentials when accepting third-party credentials, this is a finding.","fixText":"Configure applications intended to be accessible to nonfederal government agencies to use FICAM-approved third-party credentials."},{"id":"7281eec0-b01d-4b37-9c65-1c9f592e7234","vulnId":"V-222560","severity":"medium","ruleTitle":"The application must conform to Federal Identity, Credential, and Access Management (FICAM)-issued profiles.","description":"$7c","checkContent":"Review the application documentation and interview the application administrator to identify application access methods.\n\nIf the application is not PKI-enabled due to the hosted data being publicly releasable, this check is Not Applicable.\n\nIf the application is only deployed to SIPRnet, this requirement is Not Applicable.\n\nIf the application is not intended to be available to federal government partners this requirement is Not Applicable.\n\nThis requirement applies to DOD service providers who are relying parties of external (federal government) identity providers.\n \nAsk the application administrator to demonstrate how the application conforms to FICAM issued profiles such as SAML or OPENID. \n\nIf the application is designed to be a service provider utilizing an external identify provider and does not conform to FICAM-issued profiles, this is a finding.","fixText":"Configure the application to conform to FICAM-issued technical profiles when providing services that rely on external (federal government) identity providers."},{"id":"63a44578-9469-4801-b050-d7cd744ff80b","vulnId":"V-222561","severity":"medium","ruleTitle":"Applications used for non-local maintenance sessions must audit non-local maintenance and diagnostic sessions for organization-defined auditable events.","description":"$7d","checkContent":"Review the application documentation and interview the application administrator to identify application maintenance functions.\n\nIf the application does not provide non-local maintenance and diagnostic capability, this requirement is not applicable.\n\nIdentify the maintenance functions/capabilities that are provided by the application and performed by an individual which can be performed remotely.\n\nFor example, the application may provide the ability to clean up a folder of temporary files, add users, remove users, restart processes, backup certain files, manage logs, or execute diagnostic sessions.\n\nIdentify and open the audit logs that capture maintenance actions performed by the application.\n\nAccessing the application in the appropriate role to execute maintenance tasks, perform several maintenance tasks and observe the logs.\n\nIf the application provides maintenance functions and capabilities and those functions are not logged when they are executed, this is a finding.","fixText":"Configure the application to log when application maintenance functionality is executed remotely."},{"id":"4d356859-a0b0-4855-94f1-9d71ca551be6","vulnId":"V-222562","severity":"medium","ruleTitle":"Applications used for non-local maintenance sessions must implement cryptographic mechanisms to protect the integrity of non-local maintenance and diagnostic communications.","description":"$7e","checkContent":"$7f","fixText":"Configure the application to encrypt remote application maintenance sessions."},{"id":"62038483-388e-4278-aa6b-2cdb346e67c4","vulnId":"V-222563","severity":"medium","ruleTitle":"Applications used for non-local maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of non-local maintenance and diagnostic communications.","description":"Privileged access contains control and configuration information which is particularly sensitive, so additional protections are necessary. This is maintained by using cryptographic mechanisms to protect confidentiality.\n\nNon-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection.\n\nThe application can meet this requirement through leveraging a cryptographic module.","checkContent":"$80","fixText":"Configure the application to encrypt remote application maintenance sessions."},{"id":"22fcad88-33e9-4321-926f-53a367cca4d7","vulnId":"V-222564","severity":"medium","ruleTitle":"Applications used for non-local maintenance sessions must verify remote disconnection at the termination of non-local maintenance and diagnostic sessions.","description":"Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection.\n\nIf the remote connection is not closed and verified as closed, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Remote connections must be disconnected and verified as disconnected when non-local maintenance sessions have been terminated and are no longer available for use.","checkContent":"$81","fixText":"Configure the application to verify termination of remote maintenance sessions."},{"id":"2b4bb15a-35a8-4455-b57b-c8b0c8a29591","vulnId":"V-222565","severity":"medium","ruleTitle":"The application must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions.","description":"$82","checkContent":"$83","fixText":"Configure the application to use strong authentication (CAC) when accessing the application for maintenance purposes."},{"id":"51216080-395c-4e52-a1d1-3da0eb622231","vulnId":"V-222566","severity":"medium","ruleTitle":"The application must terminate all sessions and network connections when nonlocal maintenance is completed.","description":"If a maintenance session or connection remains open after maintenance is completed, it may be hijacked by an attacker and used to compromise or damage the system.\n\nNonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection.\n\nThis requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing \"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of an Ethernet switch).","checkContent":"$84","fixText":"Configure the application to expire idle user sessions after 10 minutes of inactivity for admin users and after 15 minutes of inactivity for regular users."},{"id":"bbb7179e-832e-451b-a487-53a35d653203","vulnId":"V-222567","severity":"medium","ruleTitle":"The application must not be vulnerable to race conditions.","description":"$85","checkContent":"Review the application documentation and architecture.\n\nIf the application is a COTS application and the vendor will not provide code review test results that demonstrate the application has been tested and is not susceptible to race conditions, the requirement is NA.\n\nInterview the application admin and identify the most recent code testing and analysis that has been conducted.\n\nReview the test results; verify configuration of analysis tools are set to check for the existence of race conditions. \n\nIf race conditions are identified in the test results, verify the latest test results are being used, if not, ensure remediation has been completed.\n\nIf the test results show race conditions exist and no remediation evidence is presented, or if test results are not available, this is a finding.","fixText":"Be aware of potential timing issues related to application programming calls when designing and building the application.\n\nValidate that variable values do not change while a switch event is occurring."},{"id":"121b6323-71b0-4877-b5df-6724054f9cc7","vulnId":"V-222568","severity":"medium","ruleTitle":"The application must terminate all network connections associated with a communications session at the end of the session.","description":"$86","checkContent":"$87","fixText":"Configure or design the application to terminate application network sessions at the end of the session."},{"id":"0f98d2b1-0ae6-4c72-a815-699bbdd06a38","vulnId":"V-222570","severity":"medium","ruleTitle":"The application must utilize FIPS-validated cryptographic modules when signing application components.","description":"Applications that distribute components of the application must sign the components to provide an identity assurance to consumers of the application component. Components can include application messages or application code.\n\nUse of weak or untested encryption algorithms undermines the purposes of utilizing encryption to validate the author of application components. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance the modules have been tested and validated.\n\nIf the application resides on a National Security System (NSS) it must not use algorithms weaker than SHA-384.","checkContent":"$88","fixText":"Utilize FIPS-validated algorithms when signing application components."},{"id":"53898691-e7b9-4d7c-8c6b-2cefb4326628","vulnId":"V-222571","severity":"medium","ruleTitle":"The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes.","description":"Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nIf the application resides on a National Security System (NSS) it must not use a hashing algorithm weaker than SHA-384.","checkContent":"$89","fixText":"Configure the application to use a FIPS-validated hashing algorithm when creating a cryptographic hash."},{"id":"f5d41ae2-513e-43b0-afb3-d7a22f5f0b4e","vulnId":"V-222572","severity":"medium","ruleTitle":"The application must utilize FIPS-validated cryptographic modules when protecting unclassified information that requires cryptographic protection.","description":"Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.","checkContent":"Interview the system administrator, review the application components, and the application requirements to determine if the application processes data requiring cryptographic protection.\n\nReview the application documentation and interview the application administrator to identify the cryptographic modules used by the application.\n\nAccess the NIST site to determine if the cryptographic modules used by the application have been FIPS-validated.\n\nhttp://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm\n\nIf the application is using cryptographic modules that are not FIPS-validated to protect unclassified data, this is a finding.","fixText":"Configure the application to use a FIPS-validated cryptographic module."},{"id":"a8e844d6-ae64-441d-970f-cabe545e88df","vulnId":"V-222573","severity":"medium","ruleTitle":"Applications making SAML assertions must use FIPS-approved random numbers in the generation of SessionIndex in the SAML element AuthnStatement.","description":"A predictable SessionIndex could lead to an attacker computing a future SessionIndex, thereby, possibly compromising the application.\n\nUse of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.","checkContent":"Interview the system administrator, review the application components, and the application requirements to determine if the application uses SAML assertions.\n\nIf the application does not use SAML assertions, the requirement is not applicable.\n\nReview the application documentation and interview he application administrator to identify the cryptographic modules used by the application.\n\nAccess the NIST site to determine if the cryptographic modules used by the application have been FIPS-validated.\n\nhttp://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm\n\nIf the application is using cryptographic modules that are not FIPS-validated when generating the SessionIndex in the SAML AuthnStatement, this is a finding.","fixText":"Configure the application to use a FIPS-validated cryptographic module."},{"id":"b81500d6-3949-4baa-b3a4-2287c26ad000","vulnId":"V-222574","severity":"medium","ruleTitle":"The application user interface must be either physically or logically separated from data storage and management interfaces.","description":"Application management functionality includes functions necessary for administration and requires privileged user access. Allowing non-privileged users to access application management functionality capabilities increases the risk that non-privileged users may obtain elevated privileges.\n\nThe separation of user functionality from information system management functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of the operating system, different network addresses, different TCP/UDP ports, virtualization techniques, combinations of these methods, or other methods, as appropriate.\n\nAn example of this type of separation is observed in web administrative interfaces that use separate authentication methods for users of any other information system resources. This may include isolating the administrative interface on a different security domain and with additional access controls.","checkContent":"Review the application documentation and interview the application administrator.\n\nReview the design documents and the interfaces used by the application.\n\nVerify that the application provides separate interfaces for user traffic and for management traffic. The separation may be virtual in nature (virtual host, virtual NIC, virtual network) or physically separate.\n\nIf the application user interface and the application management interface are shared, this is a finding.","fixText":"Configure the application so user interface to the application and management interface to the application is separated."},{"id":"8bc8e8d5-f52f-4482-9aef-71b587365794","vulnId":"V-222575","severity":"medium","ruleTitle":"The application must set the HTTPOnly flag on session cookies.","description":"HTTPOnly is a flag included in a Set-Cookie HTTP response header. If the HTTPOnly flag is included in the HTTP response header, the cookie cannot be accessed through client side scripts like JavaScript.\n\nIf the HTTPOnly flag is set, even if a cross-site scripting (XSS) flaw in the application exists, and a user accidentally accesses a link that exploits this flaw, the browser will not reveal the cookie to a third party.\n\nThe HTTPOnly setting is browser dependent however most popular browsers support the feature. If a browser does not support HTTPOnly and a website attempts to set an HTTPOnly cookie, the HTTPOnly flag will be ignored by the browser, thus creating a traditional, script accessible cookie. As a result, the cookie (typically the session cookie) becomes vulnerable to theft or modification by a malicious script running on the client system.","checkContent":"$8a","fixText":"Configure the application to set the HTTPOnly flag on session cookies."},{"id":"9ddb4623-9403-4edd-831f-cdff93bb9b72","vulnId":"V-222576","severity":"medium","ruleTitle":"The application must set the secure flag on session cookies.","description":"Many web development frameworks such as PHP, .NET, ASP as well as application servers include their own mechanisms for session management. Whenever possible it is recommended to utilize the provided session management framework.\n\nSetting the secure bit on session cookie ensures the session cookie is only sent via TLS/SSL HTTPS connections. This helps to ensure confidentiality as the session cookie is not able to be viewed by unauthorized parties as it transits the network.\n\nSetting the secure flag on all cookies may also be warranted depending upon application design but at a minimum, the session cookie must always be secured.","checkContent":"$8b","fixText":"Configure the application to ensure the secure flag is set on session cookies."},{"id":"53c04535-bbe3-4b16-92fd-973ee4fe1989","vulnId":"V-222577","severity":"high","ruleTitle":"The application must not expose session IDs.","description":"$8c","checkContent":"Review the application documentation and configuration.\n\nInterview the application administrator and obtain implementation documentation identifying system architecture.\n\nIdentify the application communication paths. This includes system to system communication and client to server communication that transmit session identifiers over the network.\n\nHave the application administrator identify the methods and mechanisms used to protect the application session ID traffic. Acceptable methods include SSL/TLS both one-way and two-way and VPN tunnel.\n\nThe protections must be implemented on a point-to-point basis based upon the architecture of the application.\n\nFor example; a web application hosting static data will provide SSL/TLS encryption from web client to the web server. More complex designs may encrypt from application server to application server (if applicable) and application server to database as well.\n\nIf the session IDs are unencrypted across network segments, this is a finding.","fixText":"Configure the application to protect session IDs from interception or from manipulation."},{"id":"7774e52b-eeb8-4749-a0e0-72e0e67dc6c8","vulnId":"V-222578","severity":"high","ruleTitle":"The application must destroy the session ID value and/or cookie on logoff or browser close.","description":"Many web development frameworks such as PHP, .NET, and ASP include their own mechanisms for session management. Whenever possible it is recommended to utilize the provided session management framework.\n\nSession cookies contain application session information that can be used to impersonate the web application user or hijack their application session. Once the user's session has terminated, these session IDs must be destroyed and not reused.","checkContent":"Review the application documentation and interview the application administrator.\n\nIdentify how the application destroys session IDs.\n\nIf using a web development framework, ask the application administrator to provide details on the framework's session configuration.\n\nReview framework configuration setting to determine how the session identifiers are destroyed.\n\nReview the client system and using a browser or other tool capable of viewing client cookies, identify cookies set by the application and verify that application session ID cookies are destroyed once the user has logged off or the browser has closed.\n\nIf the session IDs and associated cookies are not destroyed on logoff or browser close, this is a finding.","fixText":"Configure the application to destroy session ID cookies once the application session has terminated."},{"id":"76b20597-a67c-4e8a-b32b-2f0afa4b6c3e","vulnId":"V-222579","severity":"medium","ruleTitle":"Applications must use system-generated session identifiers that protect against session fixation.","description":"Session fixation allows an attacker to hijack a valid user’s application session. The attack focuses on the manner in which a web application manages the user’s session ID. Applications become vulnerable when they do not assign a new session ID when authenticating users thereby using the existing session ID.\n\nMany web development frameworks such as PHP, .NET, and ASP include their own mechanisms for session management. Whenever possible it is recommended to utilize the provided session management framework.\n\nIn many cases, creating a new session ID cookie containing a new unique value whenever authentication is performed will address the issue of session fixation.\n\nAllowing the user to submit a session ID also introduces the risk that the application could be subject to a session fixation attack.","checkContent":"Review the application documentation and interview the application administrator to identify how the application generates user session IDs.\n\nApplication session testing is required in order to verify this requirement.\n\nRequest the latest application vulnerability or penetration test results.\n\nVerify the test configuration includes session handling vulnerability tests.\n\nIf the application is re-using/copying the users existing session ID that was created on one system in order to maintain user state when traversing multiple application servers in the same domain, this is not a finding.\n\nIf the session testing results indicate application session IDs are re-used after the user has logged out, this is a finding.","fixText":"Design the application to generate new session IDs with unique values when authenticating user sessions."},{"id":"560325ae-ce9b-414b-914b-49dc5d8435d3","vulnId":"V-222580","severity":"medium","ruleTitle":"Applications must validate session identifiers.","description":"Many web development frameworks such as PHP, .NET, and ASP include their own mechanisms for session management. Whenever possible it is recommended to utilize the provided session management framework.","checkContent":"Review the application documentation and interview the application administrator.\n\nIdentify how the application validates session IDs.\n\nIf using a web development framework, ask the application administrator to provide details on the framework's session configuration as it relates to session validation.\n\nIf the application is not configured to validate user session identifiers, this is a finding.","fixText":"Configure the application to configure user session identifiers."},{"id":"e47bc1f9-2aad-4e85-bb24-87734f60f779","vulnId":"V-222581","severity":"medium","ruleTitle":"Applications must not use URL embedded session IDs.","description":"Many web development frameworks such as PHP, .NET, and ASP include their own mechanisms for session management. Whenever possible it is recommended to utilize the provided session management framework.\n\nUsing a session ID that is copied to the URL introduces the risks that the session ID information will be written to log files, made available in browser history files, or made publicly available within the URL.\n\nUsing cookies to establish session ID information is desired.","checkContent":"Review the application documentation and interview the application administrator.\n\nIdentify how the application generates session IDs.\n\nIf using a web development framework, ask the application administrator to provide details on the framework's session configuration.\n\nReview the framework configuration setting to determine how the session identifiers are created.\n\nIdentify any compensating controls that may be leveraged to minimize risk to user sessions.\n\nIf the framework or the application is configured to transmit cookies within the URL or via URL rewriting, or if the session ID is created using a GET method and there are no compensating controls configured to address user session security, this is a finding.","fixText":"Configure the application to transmit session ID information via cookies."},{"id":"99ba00bf-402d-41f7-a068-128b616ae1d7","vulnId":"V-222582","severity":"medium","ruleTitle":"The application must not re-use or recycle session IDs.","description":"$8d","checkContent":"Review the application documentation and interview the application administrator to identify how the application generates user session IDs.\n\nApplication session testing is required in order to verify this requirement.\n\nRequest the latest application vulnerability or penetration test results.\n\nVerify the test configuration includes session handling vulnerability tests.\n\nIf the application is re-using/copying the users existing session ID that was created on one system in order to maintain user state when traversing multiple application servers in the same domain, this is not a finding.\n\nIf the session testing results indicate application session IDs are re-used after the user has logged out, this is a finding.","fixText":"Design the application to not re-use session IDs."},{"id":"55c85531-7032-4b0e-8d89-7b2d0ba22ae0","vulnId":"V-222583","severity":"medium","ruleTitle":"The application must generate a unique session identifier using a FIPS 140-2/140-3 approved random number generator.","description":"The application server will use session IDs to communicate between modules or applications within the application server and between the application server and users. The session ID allows the application to track the communications along with credentials that may have been used to authenticate users or modules.\n\nUnique session IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of those identifiers.\n\nUnique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions.","checkContent":"Review the application server configuration and documentation to determine if the application server uses a FIPS 140-2/140-3 approved random number generator to create unique session identifiers.\n\nHave a user log on to the application server to determine if the session IDs generated are random and unique.\n\nIf the application server does not generate unique session identifiers and does not use a FIPS 140-2/140-3 random number generator to create the randomness of the session ID, this is a finding.","fixText":"Configure the application server to generate unique session identifiers and to use a FIPS 140-2/140-3 random number generator to generate the randomness of the session identifiers."},{"id":"4c4ba4fe-cda8-4069-868a-60725045f39f","vulnId":"V-222584","severity":"medium","ruleTitle":"The application must only allow the use of DoD-approved certificate authorities for verification of the establishment of protected sessions.","description":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates.\n\nThis requirement focuses on communications protection for the application session rather than for the network packet.\n\nThis requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA).","checkContent":"Review the application documentation and interview the application administrator to identify certificate location.\n\nInternet Explorer can be used to view certificate information:\n\nSelect “Tools”\nSelect “Internet Options”\nSelect “Content” tab\nSelect “Certificates”\nSelect the certificate used for authentication:\n\nClick “View”\nSelect “Details” tab\nSelect “Issuer”\n\nIf the application utilizes PKI certificates other than DoD-approved PKI and ECA certificates, this is a finding.","fixText":"Configure the application to utilize DoD-approved PKI established CAs when verifying DoD-signed certificates."},{"id":"c26015f8-199a-4700-80e6-fec8502e1e2d","vulnId":"V-222585","severity":"high","ruleTitle":"The application must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.","description":"$8e","checkContent":"$8f","fixText":"Fix any vulnerability found when the application is an insecure state (initialization, shutdown and aborts)."},{"id":"c7b777c1-d498-4c99-ab05-10767e22be0c","vulnId":"V-222586","severity":"medium","ruleTitle":"In the event of a system failure, applications must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.","description":"Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Preserving application state information helps to facilitate application restart and return to the operational mode of the organization with less disruption to mission-essential processes.","checkContent":"Review application documentation, interview application administrator to identify how the application logs error events.\n\nThe application operational requirements documentation should provide the specific information that must be preserved in order to return the application back into operation as quickly and efficiently as possible. The application administrator will need to identify and provide the information based upon operational requirements documents.\n\nApplication diagnostic information should be kept in logs for evaluation and investigation into root cause.\n\nIf documentation is provided stating that no particular information needs to be retained in order to expediently bring the application back online, this is not a finding.\n\nIf the application does not log the data required to determine root cause of application failure, or if information specified as required in order to expediently bring the application back online is not retained, this is a finding.","fixText":"Create operational configuration documentation that identifies information needed for the application to return back into service or specify no such data is required, and retain data required to determine root cause of application failures."},{"id":"59d917b8-1bb0-4f0c-8b0e-e96fcb2b60d1","vulnId":"V-222587","severity":"medium","ruleTitle":"The application must protect the confidentiality and integrity of stored information when required by DOD policy or the information owner.","description":"$90","checkContent":"Review the application documentation and interview the application administrator.\n\nIdentify the data processed by the application and the accompanying data protection requirements.\n\nDetermine if the data owner has specified stored data protection requirements.\n\nDetermine if the application is processing publicly releasable, CUI, or classified stored data.\n\nDetermine if the application configuration information contains sensitive information.\n\nAccess the data repository and have the application administrator, application developer, or designer identify the data integrity and confidentiality protections used to protect stored data.\n\nIf the application processes classified data or the data owner has specified data protection requirements and the application administrator is unable to demonstrate how the data is protected, this is a finding.","fixText":"Identify data elements that require protection. Document the data types and specify protection requirements and methods used."},{"id":"0b803e7d-887e-43ca-b133-42bc686b8ca3","vulnId":"V-222588","severity":"high","ruleTitle":"The application must implement approved cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components.","description":"Applications handling data requiring \"data at rest\" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).","checkContent":"Review the documentation and interview the application administrator.\n\nIdentify the data processed by the application and the accompanying data protection requirements.\n\nDetermine if the data owner has specified data protection encryption requirements regarding modification of data.\n\nDetermine if the application is processing publicly releasable, CUI, or classified data.\n\nDetermine if the application configuration information contains sensitive information.\n\nIf the data is strictly publicly releasable information and system documentation specifies no data encryption is required for any hosted application data, this is not applicable.\n\nAccess the data repository and have the application administrator identify the encryption protections that are utilized.\n\nIf the application processes classified data or if the data owner has specified encryption requirements and the application administrator is unable to demonstrate how the data is encrypted, this is a finding.","fixText":"Identify data elements that require protection.\n\nDocument the data types and specify encryption requirements.\n\nEncrypt data according to DOD policy or data owner requirements."},{"id":"aabaf250-45d0-44a7-a33b-63429c27e682","vulnId":"V-222589","severity":"high","ruleTitle":"The application must use appropriate cryptography in order to protect stored DOD information when required by the information owner or DOD policy.","description":"Applications handling data requiring \"data at rest\" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect the confidentiality of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).\n\nSpecial care must be taken to cryptographically protect classified data.","checkContent":"$91","fixText":"Identify data elements that require protection.\n\nDocument the data types and specify encryption requirements.\n\nEncrypt classified data using Type 1, Suite B, or other NSA-approved encryption solutions."},{"id":"001b3818-946e-486c-b074-043a796e28bf","vulnId":"V-222590","severity":"medium","ruleTitle":"The application must isolate security functions from non-security functions.","description":"An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions.\n\nSecurity functions are the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based.\n\nDevelopers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles. Implementation may include isolation of memory space and libraries. Applications restrict access to security functions through the use of access control mechanisms and by implementing least privilege capabilities.","checkContent":"Review the application documentation and interview the application administrator.\n\nIdentify if the application utilizes access controls.\n\nCommonly employed access controls include Role-Based Access Controls (RBAC), Access Control Lists (ACL) and Mandatory Access Controls (MAC).\n\nEnsure the application utilizes a control structure that is capable of protecting security assets such as policy and configuration settings from unauthorized modification.\n\nIf the application does not protect security functions that enforce security policy and protect security configuration settings, this is a finding.","fixText":"Implement controls within the application that limits access to security configuration functionality and isolates regular application function from security-oriented function."},{"id":"50f85b1e-b32e-49cf-b8f8-99466190e202","vulnId":"V-222591","severity":"medium","ruleTitle":"The application must maintain a separate execution domain for each executing process.","description":"Applications can maintain separate execution domains for each executing process by assigning each process a separate address space. Each process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces.\n\nAn example is a web browser with process isolation that provides tabs that are separate processes using separate address spaces to prevent one tab crashing the entire browser.","checkContent":"Review the application documentation, the architecture documentation and interview the application administrator.\n\nIdentify if the application architecture provides the capability to sandbox executing processes so as to prevent a process in one application domain from sharing another application domain.\n\nAsk the application administrator to demonstrate how the application processes are separated. This may be demonstrated by examining the OS processes running on the system and identifying the separate application processes.\n\nIf the application does not maintain a separate execution domain for each executing process, this is a finding.","fixText":"Design and configure applications to maintain a separate execution domain for each executing process."},{"id":"d09aca61-9878-4dee-8767-3a44b491b079","vulnId":"V-222592","severity":"medium","ruleTitle":"Applications must prevent unauthorized and unintended information transfer via shared system resources.","description":"$92","checkContent":"Review the application documentation and interview the application administrator to identify if the application shares information resources via file sharing protocol or if the application includes configuration settings that provide access to data files on the hard drive.\n\nAlso determine if the application transfers data via shared system resources.\n\nIf the application shares system resources with other applications, verify that a security boundary exists which controls and prevents other applications, processes, or users from accessing application data. The control mechanism will vary based upon the resource that is being shared. Hard disk sharing could possibly utilize file permissions restrictions, whereas shared overall system resources could implement virtualization or containers that restrict access.\n\nIf the application does not prevent unauthorized and unintended information transfer via shared system resources, this is a finding.","fixText":"Configure or design the application to utilize a security control that will implement a boundary that will prevent unauthorized and unintended information transfer via shared system resources."},{"id":"f48278d5-5d8f-470e-a20c-fbb9b9997688","vulnId":"V-222593","severity":"medium","ruleTitle":"XML-based applications must mitigate DoS attacks by using XML filters, parser options, or gateways.","description":"$93","checkContent":"Review the application architecture documentation and interview the application administrator to identify what steps have been taken to protect the XML aspect of the application from DoS attacks.\n\nIf the application does not contain or utilize XML, the requirement is not applicable.\n\nAsk the application administrator to demonstrate how the application is configured to provide the following protections:\n\n- Validation against recursive payloads\n- Validation against oversized payloads\n- Protection against XML entity expansion\n- Validation against overlong element names\n- Optimized configuration for maximum message throughput\n\nIf the application administrator cannot demonstrate how these protections are implemented either within the application itself or by third-party tools or utilities like an XML gateway, this is a finding.","fixText":"Implement:\n\n- Validation against recursive payloads\n- Validation against oversized payloads\n- Protection against XML entity expansion\n- Validation against overlong element names\n- Optimized configuration for maximum message throughput in order to ensure DoS attacks against web services are limited."},{"id":"4f0d44ca-d5ed-4b71-8b78-f80dcb05c959","vulnId":"V-222594","severity":"medium","ruleTitle":"The application must restrict the ability to launch Denial of Service (DoS) attacks against itself or other information systems.","description":"$94","checkContent":"Review the application documentation and interview the application administrator.\n\nAsk the application administrator if any anti-DoS technology or anti-DoS emergency response services are deployed to protect the application.\n\nCheck for code review, penetration or vulnerability test results that attempt to DoS the application or use the application as a DoS tool.\n\nExamine test results and testing configuration to ensure that the application was tested and the application was not reported as being susceptible to DoS attacks either from external sources or from the application itself. Also verify the testing results show that the application cannot be weaponized to attack other systems.\n\nIf the test results indicate the application is susceptible to DoS attacks or can be weaponized to attack other applications or systems, this is a finding.","fixText":"Design and deploy the application to utilize controls that will prevent the application from being affected by DoS attacks or being used to attack other systems. This includes but is not limited to utilizing throttling techniques for application traffic such as QoS or implementing logic controls within the application code itself that prevents application use that results in network or system capabilities being exceeded."},{"id":"8cfcfa81-8889-450b-89b7-cf61cd1ed487","vulnId":"V-222595","severity":"medium","ruleTitle":"The web service design must include redundancy mechanisms when used with high-availability systems.","description":"$95","checkContent":"Interview the application administrator and review the system documentation to determine if the application has been designated as a high availability system and if the application is designed to operate in a high availability environment.\n\nIf the application has not been designated as a high availability system, this requirement is not applicable.\n\nReview the application architecture documentation and identify solutions that provide application DoS protections. \n\nVerify the application has been built to work in a clustered or otherwise high availability environment in accordance with documented availability requirements.\n\nThis includes:\n\n- load balancers\n- redundant systems such as multiple web, application servers or DB servers\n- high bandwidth or redundant data circuits\n- multiple data centers (geographic dispersal)\n- server clusters\n\nIf the application has been designated as high availability but the architecture is not built to high availability standards, this is a finding.","fixText":"Build the application to address issues that are found in a redundant environment and utilize redundancy mechanisms to provide high availability."},{"id":"0c40f582-c6cd-43d1-a957-f494b2545069","vulnId":"V-222596","severity":"high","ruleTitle":"The application must protect the confidentiality and integrity of transmitted information.","description":"$96","checkContent":"Review the application documentation and interview the application administrator.\n\nIdentify application clients, servers and associated network connections including application networking ports. \n\nIdentify the types of data processed by the application and review any documented data protection requirements.\n\nIdentify the application communication protocols.\n\nReview application documents for instructions or guidance on configuring application encryption settings.\n\nVerify the application is configured to enable encryption protections for data in accordance with the data protection requirements. If no data protection requirements exist, ensure all application data is encrypted.\n\nIf the application does not utilize TLS, IPsec or other approved encryption mechanism to protect the confidentiality and integrity of transmitted information, this is a finding.","fixText":"Configure all of the application systems to require TLS encryption in accordance with data protection requirements."},{"id":"277696f4-c2fb-44aa-aa90-48af514b8e4a","vulnId":"V-222597","severity":"medium","ruleTitle":"The application must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).","description":"$97","checkContent":"Review the application documentation, the application architecture designs and interview the application administrator.\n\nAsk the application admin to identify the network path taken by the application data and demonstrate the application support integrity mechanisms for transmission of both incoming and outgoing files and any transmitted data.\n\nFor example, hashing/digital signature and cyclic redundancy checks (CRCs) can be used to confirm integrity on data streams and transmitted files.\n\nUse of TLS can be used to assure integrity in point-to-point communication sessions.\n\nWhen the application uses messaging or web services or other technologies where the data can traverse multiple hops, the individual message or packet must be encrypted to protect the integrity of the message.\n\nIf the application is not configured to provide cryptographic protections to application data while it is transmitted unless protected by alternative safety measures like a PDS, this is a finding.","fixText":"Configure the application to use cryptographic protections to prevent unauthorized disclosure of application data based upon the application architecture."},{"id":"443cf3c4-2f0f-43e6-bc56-a88d586da711","vulnId":"V-222598","severity":"medium","ruleTitle":"The application must maintain the confidentiality and integrity of information during preparation for transmission.","description":"$98","checkContent":"Review the application documentation and interview the application administrator.\n\nIdentify web servers and associated network connections.\n\nAccess the application with a web browser.\n\nVerify the web browser goes secure automatically by automatically redirecting the browser to a secure port running TLS encryption, or ensure the port used by the application uses TLS encryption by default.\n\nFor tiered applications, (web server, application server, database server) verify the communication channels between the tiers is also encrypted.\n\nIf the application does not utilize TLS to protect the confidentiality and integrity of transmitted information, this is a finding.","fixText":"Configure all of the application systems to require TLS encryption."},{"id":"7b426da1-80bb-471a-af07-4a726d34475f","vulnId":"V-222599","severity":"medium","ruleTitle":"The application must maintain the confidentiality and integrity of information during reception.","description":"$99","checkContent":"Review the application documentation and interview the application administrator.\n\nIdentify web servers and associated network connections.\n\nAccess the application with a web browser.\n\nVerify the web browser goes secure automatically by automatically redirecting the browser to a secure port running TLS encryption, or ensure the port used by the application uses TLS encryption by default.\n\nFor tiered applications, (web server, application server, database server) ensure the communication channels between the tiers is also encrypted.\n\nIf the application does not utilize TLS to protect the confidentiality and integrity of transmitted information, this is a finding.","fixText":"Configure all of the application systems to require TLS encryption."},{"id":"2d5e8880-ce5f-42f6-bdd0-4c39be7974f8","vulnId":"V-222600","severity":"medium","ruleTitle":"The application must not disclose unnecessary information to users.","description":"Applications should not disclose information not required for the transaction. (e.g., a web application should not divulge the fact there is a SQL server database and/or its version).\n\nThese events usually occur when the web application has not been configured to send specific error messages for error events. Instead, when a processing anomaly occurs, the application displays technical information about the type of application server, database in use, or other technical details.\n\nThis provides attackers additional information which they can use to find other attack avenues, or tailor specific attacks, on the application.","checkContent":"Review the application system documentation and interview the application administrators.\n\nAsk them to demonstrate how the web server and application configuration does not disclose any information about the application which could be used by an attacker to gain access to the application.\n\nAsk the application representative to logon as a non-privileged user and review all screens of the application to identify any potential data that should not be disclosed to the user.\n\nReview web server configuration and determine if custom error pages are configured to display on error events.\n\nReview error pages sent to application users to verify the pages are generic in nature and provide no technical details related to application architecture.\n\nIf the application displays any application technical data such as database version, application server information, or any other technical details that should not be disclosed to a regular user, this is a finding.","fixText":"Configure the application to not display technical details about the application architecture on error events."},{"id":"f3bc2523-5f90-4830-b3f1-87ff63843fa2","vulnId":"V-222601","severity":"high","ruleTitle":"The application must not store sensitive information in hidden fields.","description":"Hidden fields allow developers to process application data without having to display it on the screen. Using hidden fields to pass data in forms is a common practice among web applications and by itself is not a security risk. \n\nHowever, hidden fields are not secure and can be easily manipulated by users. Information requiring confidentiality or integrity protections must not be placed in a hidden field. If data that is sensitive must be stored in a hidden field, it must be encrypted.\n\nFurthermore, hidden fields used to control access decisions can lead to a complete compromise of access control mechanisms allowing immediate compromise of the user's application session.","checkContent":"Interview application administrator and review application documentation to identify and familiarize with the application features and functions.\n\nRequest most recent code review and vulnerability scan results. Review test configuration to ensure testing for hidden fields was conducted. Review test results for incidents of hidden data fields. \n\nExamine identified hidden fields and determine what type of data is stored in the hidden fields.\n\nIf the data stored in the hidden fields are determined to be authentication or session related data, or if the code review or vulnerability scan results are not available and configured to test for hidden fields, this is a finding.","fixText":"Design and configure the application to not store sensitive information in hidden fields. \n\nEncrypt sensitive information stored in hidden fields using DoD-approved encryption and use server side session management techniques for user session management."},{"id":"bda1ef7e-93d6-4be8-8575-ccb7c0c925ae","vulnId":"V-222602","severity":"high","ruleTitle":"The application must protect from Cross-Site Scripting (XSS) vulnerabilities.","description":"$9a","checkContent":"$9b","fixText":"Verify user input is validated and encode or escape user input to prevent embedded script code from executing.\n\nDevelop your application using a web template system or a web application development framework that provides auto escaping features rather than building your own escape logic."},{"id":"855511a9-7c40-4466-a36f-af2f02a674b1","vulnId":"V-222603","severity":"medium","ruleTitle":"The application must protect from Cross-Site Request Forgery (CSRF) vulnerabilities.","description":"$9c","checkContent":"$9d","fixText":"Configure the application to use unpredictable challenge tokens and check the HTTP referrer to ensure the request was issued from the site itself. Implement mitigating controls as required such as using web reputation services."},{"id":"65f045b9-516c-407c-82b0-40998126f4fa","vulnId":"V-222604","severity":"high","ruleTitle":"The application must protect from command injection.","description":"$9e","checkContent":"Review the application documentation and the system configuration settings.\n\nInterview the application administrator for details regarding security assessment including automated code review and vulnerability scans conducted to test for command injection.\n\nReview the scan results from the entire application.\n\nVerify scan configuration is set to check for command injection vulnerabilities.\n\nIf results indicate vulnerability, verify a subsequent scan has been run to ensure the issue has been remediated.\n\nManual test procedures are available on the OWASP website. Procedures may need to be modified to suit application architecture.\n\nhttps://www.owasp.org/index.php/Testing_for_Command_Injection_%28OTG-INPVAL-013%29\n\nIf testing results are not provided demonstrating the vulnerability does not exist, or if the application representative cannot demonstrate how actions are taken to identify and protect from command injection vulnerabilities, this is a finding.","fixText":"Modify the application so as to escape/sanitize special character input or configure the system to protect against command injection attacks based on application architecture."},{"id":"09bb96b5-e95f-4a2a-b117-b51e1a2e8497","vulnId":"V-222605","severity":"medium","ruleTitle":"The application must protect from canonical representation vulnerabilities.","description":"Canonical representation vulnerabilities can occur when a data conversion process does not convert the data to its simplest form resulting in the possible misrepresentation of the data.\n\nThe application may behave in an unexpected manner when acting on input that has not been sanitized or normalized.\n\nVulnerable application code is written to expect one form of data and executes its program logic on another form of data thereby creating instability or unexpected behavior.\n\nThe Open Web Application Security Project (OWASP) website provides test and remediation procedures that can be used for testing if vulnerability scan tools or results are not available.\n\nThe site is available by pointing your browser to https://www.owasp.org.","checkContent":"$9f","fixText":"A suitable canonical form should be chosen and all user input canonicalized into that form before any authorization decisions are performed.\n\nSecurity checks should be carried out after decoding is completed. Moreover, it is recommended to check that the encoding method chosen is a valid canonical encoding for the symbol it represents."},{"id":"52eb0032-e252-462f-bd54-06b5cc5d284e","vulnId":"V-222606","severity":"medium","ruleTitle":"The application must validate all input.","description":"$a0","checkContent":"Review the application documentation, the code review reports and the vulnerability assessment scan results from automated vulnerability assessment tools.\n\nVerify scan configuration settings include input validation and fuzzing tests.\n\nTest data entry fields on all pages/screens of the application.\n\nProcedures on testing input are relevant to the architecture of the application.\n\nA reference on input validation testing is included at the OWASP website. The site includes testing procedures for input validation that affect many different technologies.\n\nIdentify the relevant testing procedures based upon the application architecture and components being tested.\n\nhttps://www.owasp.org/index.php/Testing_for_Input_Validation\n\nIf test results include input validation errors, or if no test results exist, this is a finding.","fixText":"Design and configure the application to validate input prior to executing commands."},{"id":"9a4bb123-8733-4fdf-836e-b16dbc633ccf","vulnId":"V-222607","severity":"high","ruleTitle":"The application must not be vulnerable to SQL Injection.","description":"$a1","checkContent":"Review the application documentation and interview the application administrator.\n\nRequest the latest vulnerability scan test results.\n\nVerify the scan configuration is configured to test for SQL injection flaws.\n\nReview the scan results to determine if any SQL injection flaws were detected during application testing.\n\nIf SQL injection flaws were discovered, request a subsequent scan that will show that the issues have been remediated.\n\nIf the scan results are not available, identify the database product in use and refer to the OWASP web application testing guide for detailed instructions on performing a manual SQL injection test. The instructions are located here and many tests are organized by database product:\n\nhttps://www.owasp.org/index.php/Testing_for_SQL_Injection_%28OTG-INPVAL-005%29\n\nIf the application is vulnerable to SQL injection attack, contains SQL injection flaws, or if scan results do not exist, this is a finding.","fixText":"Modify the application and remove SQL injection vulnerabilities."},{"id":"826aa04b-e8d3-4eb5-8b80-19737d598ed8","vulnId":"V-222608","severity":"high","ruleTitle":"The application must not be vulnerable to XML-oriented attacks.","description":"Extensible Markup Language (XML) is widely employed in web technology and applications like web services (SOAP, REST, and WSDL) and is also used for configuration files. XML vulnerability examples include XML injection, XML Spoofing, XML-based Denial of Service attacks and information disclosure attacks.\n\nWhen utilizing XML, web applications must take steps to ensure they are addressing XML-related security issues. This is accomplished by choosing well-designed application components, building application code that follows security best practices and by patching application components when vulnerabilities are identified.\n\nXML firewalls or gateways may be employed to assist in protecting applications by controlling access to XML-based applications, filtering XML content, rate-limiting requests, and validating XML traffic.","checkContent":"Review the application documentation, the application architecture and interview the application administrator.\n\nIdentify any XML-based web services or XML functionality performed by the application.\n\nDetermine if an XML firewall is deployed to protect application from XML-related attacks.\n\nIf the application does not process XML, the requirement is not applicable.\n\nReview the latest application vulnerability assessment and verify the scan was configured to test for XML-related vulnerabilities and security issues.\n\nExamples include but are not limited to:\n\nXML Injection\nXML related Denial of Service\nXPATH injection\nXML Signature attacks\nXML Spoofing\n\nIf an XML firewall is deployed, request configuration information regarding the application and validate the firewall is configured to protect the application.\n\nIf the vulnerability scan is not configured to scan for XML-oriented vulnerabilities, if no scan results exist, or if the XML firewall is not configured to protect the application, this is a finding.","fixText":"Design the application to utilize components that are not vulnerable to XML attacks.\n\nPatch the application components when vulnerabilities are discovered."},{"id":"336564ca-e527-4f5e-b81b-165de9fceafd","vulnId":"V-222609","severity":"high","ruleTitle":"The application must not be subject to input handling vulnerabilities.","description":"$a2","checkContent":"Review the application documentation and interview the application administrator.\n\nIf working with the developer, request documentation on their development processes and what their standard operating procedure is for sanitizing all application input.\n\nIdentify the latest vulnerability scan results.\n\nReview the scan results and scan configuration settings.\n\nVerify the scan was configured to identify input validation vulnerabilities.\n\nIf the scan results detected high risk vulnerabilities, verify a more recent scan shows remediation of the vulnerabilities is available for examination.\n\nReview any risk acceptance documentation that indicates the ISSO has reviewed and accepted the risk.\n\nIf the vulnerability scan is not configured to test for input validation vulnerabilities if the most recent scan results show that high risk input validation vulnerabilities exist and a documented risk acceptance from the ISSO is not available, or if the scan results do not exist, this is a finding.","fixText":"Follow best practice when accepting user input and verify that all input is validated before the application processes the input.\n\nRemediate identified vulnerabilities and obtain documented risk acceptance for those issues that cannot be remediated immediately."},{"id":"03e3e68f-6e05-4089-b745-b1dfb19d787e","vulnId":"V-222610","severity":"medium","ruleTitle":"The application must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.","description":"Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify application components. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.\n\nError messages should not include variable names, variable types, SQL strings, or source code. Errors that contain field names from the screen and a description of what should be in the field should not be considered a finding.","checkContent":"Review the application documentation and interview the application administrator for details regarding how the application displays error messages.\n\nUtilize the application as a non-privileged user and attempt to execute functionality that will generate error messages.\n\nReview the error messages displayed to ensure no sensitive information is provided to end users.\n\nIf error messages are designed to provide users with just enough detail to pass along to support staff in order to aid in troubleshooting such as date, time, or other generic information, this is not a finding.\n\nIf variable names, SQL strings, system path information, or source or program code are displayed in error messages sent to non-privileged users, this is a finding.","fixText":"Configure the server to not send error messages containing system information or sensitive data to users.\n\nUse generic error messages."},{"id":"78adb275-0c65-4a88-8acb-d086bd3ec848","vulnId":"V-222611","severity":"medium","ruleTitle":"The application must reveal error messages only to the ISSO, ISSM, or SA.","description":"Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify application components. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.\n\nError messages should not include variable names, variable types, SQL strings, or source code. Errors that contain field names from the screen and a description of what should be in the field should not be considered a finding.","checkContent":"Review the application documentation and interview the application administrator for details regarding how the application displays error messages.\n\nAuthenticate to the application as a non-privileged user and attempt to execute functionality that will generate error messages.\n\nReview the error messages displayed to ensure no sensitive information is provided to end users.\n\nAuthenticate as a privileged user and repeat tests.\n\nIf error messages are designed to provide users with just enough detail to pass along to support staff in order to aid in troubleshooting such as date, time or other generic information, this is not a finding.\n\nIf detailed error messages are provided to privileged users, this is not a finding.\n\nIf variable names, SQL strings, system path information, or source or program code are displayed in error messages sent to non-privileged users, this is a finding.","fixText":"Configure the server to only send error messages containing system information or sensitive data to privileged users.\n\nUse generic error messages for non-privileged users."},{"id":"092c3ce7-28f3-4869-a981-4d698426faea","vulnId":"V-222612","severity":"high","ruleTitle":"The application must not be vulnerable to overflow attacks.","description":"$a3","checkContent":"Review the application documentation and architecture.\n\nInterview the application admin and identify the most recent code testing and analysis that has been conducted.\n\nReview the test results; verify configuration of analysis tools are set to check for the existence of overflows. This includes but is not limited to buffer overflows, stack overflows, heap overflows, integer overflows and format string overflows.\n\nIf overflows are identified in the test results, verify the latest test results are being used, if not, ensure remediation has been completed.\n\nIf the test results show overflows exist and no remediation evidence is presented, or if test results are not available, this is a finding.","fixText":"Design the application to use a language or compiler that performs automatic bounds checking.\n\nUse an abstraction library to abstract away risky APIs.\n\nUse compiler-based canary mechanisms such as StackGuard, ProPolice, and the Microsoft Visual Studio/GS flag.\n\nUse OS-level preventative functionality and control user input validation.\n\nPatch applications when overflows are identified in vendor products."},{"id":"9421f216-b493-4f66-bbf8-674e7294af55","vulnId":"V-222613","severity":"medium","ruleTitle":"The application must remove organization-defined software components after updated versions have been installed.","description":"Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.","checkContent":"Review the application documentation and interview the application admin to identify application locations on system.\n\nIdentify application versions that are installed on the system.\n\nReview the file system structure to see if older versions of the application are still installed.\n\nIf old versions of the application or components are still installed on the system, this is a finding.","fixText":"Configure or design the application to remove old components when updating."},{"id":"b4c7ffa4-a0ac-4fd3-a586-4c3de1f806aa","vulnId":"V-222614","severity":"medium","ruleTitle":"Security-relevant software updates and patches must be kept up to date.","description":"$a4","checkContent":"Review the application documentation to identify application versions and patching.\n\nInterview the application administrator and inquire about patching process.\n\nReview IAVMs and CTOs to determine if the application is being updated in accordance with authoritative sources.\n\nIf application updates are not checked on at least on a weekly basis and applied immediately or in accordance with POA&Ms, IAVMs, CTOs, DTMs or other authoritative patching guidelines or sources, this is a finding.","fixText":"Check for application updates at least weekly and apply patches immediately or in accordance with POA&Ms, IAVMs, CTOs, DTMs or other authoritative patching guidelines or sources."},{"id":"c3861c98-c74c-4f34-9e5f-e6383b6b1666","vulnId":"V-222615","severity":"medium","ruleTitle":"The application performing organization-defined security functions must verify correct operation of security functions.","description":"Without verification, security functions may not operate correctly and this failure may go unnoticed.\n\nSecurity function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\n\nThis requirement applies to applications performing security functions and security function verification/testing.","checkContent":"Review the application documentation and interview the system administrator to determine if the application performs security function testing.\n\nIf the application is not designed or intended to perform security function testing, the requirement is not applicable.\n\nAccess the application design documents and determine if the application is designed to verify the correct operation of security functions.\n\nReview application logs and take note of log entries that indicate security function testing is being performed and verified.\n\nIf the application is designed to perform security function testing and does not verify the correct operation of security functions, this is a finding.","fixText":"Design the application to verify the correct operation of security functions."},{"id":"200d096f-8df4-49fe-86b0-8125503fe0c1","vulnId":"V-222616","severity":"medium","ruleTitle":"The application must perform verification of the correct operation of security functions: upon system startup and/or restart; upon command by a user with privileged access; and/or every 30 days.","description":"Without verification, security functions may not operate correctly and this failure may go unnoticed.\n\nSecurity function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\n\nNotifications provided by information systems include, for example, electronic alerts to system administrators, messages to local computer consoles, and/or hardware indications, such as lights.\n\nThis requirement applies to applications performing security functions and the applications performing security function verification/testing.","checkContent":"Review the application documentation and interview the system administrator to determine if the application performs security function testing.\n\nIf the application is not designed or intended to perform security function testing, the requirement is not applicable.\n\nAccess the application design documents or have the system administrator provide proof if the application is designed to verify the correct operation of security functions.\n\nReview application logs and take note of log entries that indicate security function testing is being performed and verified on startup, restart, or on command by an authorized user.\n\nIf the application is designed to perform security function testing and does not verify the correct operation of security functions on startup, restart, or upon command by a privileged user, this is a finding.","fixText":"Design the application to verify the correct operation of security functions on command and on application startup and restart."},{"id":"e9842ee7-9383-44bf-be2a-e589c3a3c00a","vulnId":"V-222617","severity":"low","ruleTitle":"The application must notify the ISSO and ISSM of failed security verification tests.","description":"If personnel are not notified of failed security verification tests, they will not be able to take corrective action and the unsecure condition(s) will remain.\n\nSecurity function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\n\nNotifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights.\n\nThis requirement applies to applications performing security functions and the applications performing security function verification/testing.","checkContent":"$a5","fixText":"Configure the application to send notices to the ISSO and ISSM indicating the application failed a verification test."},{"id":"3ad68bed-e23d-4821-8fe1-4d65da79de00","vulnId":"V-222618","severity":"medium","ruleTitle":"Unsigned Category 1A mobile code must not be used in the application in accordance with DoD policy.","description":"Use of un-trusted Level 1A mobile code technologies can introduce security vulnerabilities and malicious code into the client system.\n\n1A code is defined as:\n\n- ActiveX controls\n- Mobile code script (JavaScript, VBScript)\n- Windows Scripting Host (WSH) (downloaded via URL or email)\n\nWhen JavaScript and VBScript execute within the browser they are Category 3, however, when they execute in WSH, they are 1A.","checkContent":"$a6","fixText":"Configure the application so Category 1A mobile code is signed."},{"id":"df58597c-89e7-4fdf-b84d-5952fb2aa0fc","vulnId":"V-222619","severity":"medium","ruleTitle":"The ISSO must ensure an account management process is implemented, verifying only authorized users can gain access to the application, and individual accounts designated as inactive, suspended, or terminated are promptly removed.","description":"A comprehensive account management process will ensure that only authorized users can gain access to applications and that individual accounts designated as inactive, suspended, or terminated are promptly deactivated. Such a process greatly reduces the risk that accounts will be misused, hijacked, or data compromised.","checkContent":"Interview the application representative to verify that a documented process exists for user and system account creation, termination, and expiration.\n\nObtain a list of recently departed personnel and verify that their accounts were removed or deactivated on all systems in a timely manner (e.g., less than two days).\n \nIf a documented account management process does not exist or unauthorized users have active accounts, this is a finding.","fixText":"Establish an account management process."},{"id":"66d79d4e-83dc-475b-b8d7-b3fde7ca458f","vulnId":"V-222620","severity":"high","ruleTitle":"Application web servers must be on a separate network segment from the application and database servers if it is a tiered application operating in the DoD DMZ.","description":"$a7","checkContent":"Review the application documentation.\n\nReview the application data protection requirements and identify if all data types hosted on server are identical.\n\nReview the network diagram and identify web servers/web services, web application servers, and database servers.\n\nIf the application is not hosted in the DoD DMZ, this requirement is not applicable.\n\nVerify the application web servers are separated from the application and database servers if the application is a tiered design as per DoD DMZ STIG requirements.\n\nIf the application is tiered and the network infrastructure hosting the application is not configured to provide separation and security access controls between the tiered layers in accordance with DoD DMZ requirements, this is a finding.","fixText":"Separate web server from other application tiers and place it on a separate network segment apart from the application and database servers in accordance with DoD DMZ data access controls requirements."},{"id":"5503dc7b-093f-42b1-bb4a-3cc79aaba362","vulnId":"V-222621","severity":"medium","ruleTitle":"The ISSO must ensure application audit trails are retained for at least 30 months (12 months active + 18 months cold storage) for applications without SAMI data and five years for applications including SAMI data.","description":"Log files are a requirement to trace intruder activity or to audit user activity.","checkContent":"Verify a process is in place to retain application audit log files for 30 months (12 months active + 18 months cold storage) for non-SAMI data and five years for SAMI data.\n\nIf audit logs have not been retained for 30 months (12 months active + 18 months cold storage) or five years for SAMI data, this is a finding.","fixText":"Retain application audit log files for 30 months (12 months active + 18 months cold storage) for non-SAMI data and five years for SAMI data."},{"id":"d5618a9a-1b7d-4c39-ac79-eb111fb25798","vulnId":"V-222622","severity":"medium","ruleTitle":"The ISSO must review audit trails periodically based on system documentation recommendations or immediately upon system security events.","description":"Without access control the data is not secure. It can be compromised, misused, or changed by unauthorized access at any time.","checkContent":"Interview the application representative and ask for the system documentation that states how often audit logs are reviewed. Also, determine when the audit logs were last reviewed.\n\nIf the application representative cannot provide system documentation identifying how often the auditing logs are reviewed, or has not audited within the last time period stated in the system documentation, this is a finding.","fixText":"Establish a scheduled process for reviewing logs.\n\nMaintain a log or records of dates and times audit logs are reviewed."},{"id":"7fc3d115-6a52-4144-92ac-f66af8bfe593","vulnId":"V-222623","severity":"medium","ruleTitle":"The ISSO must report all suspected violations of IA policies in accordance with DoD information system IA procedures.","description":"Violations of IA policies must be reviewed and reported. If there are no policies regarding the reporting of IA violations, IA violations may not be tracked or addressed in a proper manner.","checkContent":"Interview the application representative and review the SOPs to ensure that violations of IA policies are analyzed and reported.\n \nIf there is no policy for reporting IA violations, this is a finding.","fixText":"Create and maintain a policy to report IA violations."},{"id":"3bf6412b-7d35-4bee-bda0-065010ad1d1f","vulnId":"V-222624","severity":"medium","ruleTitle":"The ISSO must ensure active vulnerability testing is performed.","description":"$a8","checkContent":"$a9","fixText":"Perform active vulnerability and fuzz testing of the application.\n\nVerify the vulnerability scanning tool is configured to test all application components and functionality.\n\nAddress discovered vulnerabilities."},{"id":"fba0fe7a-4acd-4b76-bd49-f04500343a9c","vulnId":"V-222625","severity":"medium","ruleTitle":"Execution flow diagrams and design documents must be created to show how deadlock and recursion issues in web services are being mitigated.","description":"In order to understand data flows within web services, the process flow of data must be developed and documented.\n\nThere are several different ways that web service deadlock occurs, many times it is due to when a client invokes a synchronous method on a web service, the client will block waiting for the method to complete. If attempts to call the client (invoke a callback) while the client is waiting for the original method to complete, then each party will deadlock waiting for the other.\n\nThis is referred to as deadlock. The same situation could occur if a callback handler attempted to call a synchronous method on its caller.\n\nApplications that utilize web services must account for and document how they deal with a deadlock issue. This can be accomplished by documenting data flow and specifically accounting for the risk in the design of the application.","checkContent":"Review the application documentation and the system diagrams detailing application system to system and service to service communication methods.\n\nInterview the application admin to identify any application web services that are deployed by the application.\n\nIf the application does not deploy web services, the requirement is not applicable.\n\nIf the application consumes web services but is not responsible for development of the services, the requirement is not applicable.\n\nReview the data flow diagrams and the system documentation to determine if the issue of web service deadlock is addressed.\n\nIf the issue is not addressed in the documentation or configuration settings, ask the application admin to demonstrate how deadlock issues are addressed.\n\nIf deadlock issues are not being addressed via documented web service configuration or design, this is a finding.","fixText":"Develop web services to account for deadlock issues."},{"id":"364fabf5-84ae-42a2-9e5b-67f84bf8d013","vulnId":"V-222626","severity":"medium","ruleTitle":"The designer must ensure the application does not store configuration and control files in the same directory as user data.","description":"Application configuration settings and user data are required to be stored in separate locations in order to prevent application users from possibly being able to access application configuration settings or application data files. Without proper access controls and separation of application configuration settings from user data, there is the potential that existing code or configuration settings could be changed by users. These changes in code can lead to a Denial of Service (DoS) attack or allow malicious code to be placed within the application. In addition, collocating application data and code complicates many issues such as backup, recovery, directory access privilege, and upgrades.","checkContent":"Review the application documentation and interview the application administrator.\n\nAsk the application administrator or examine the application documentation to determine the file location of the application configuration settings and user data.\n\nIdentify the directory where the application code, configuration settings and other application control data are located.\n\nIdentify where user data is stored.\n\nExamine file permissions to application folder.\n\nIf the application user data is located in the same directory as the application configuration settings or control files, or if the file permissions allow application users write access to application configuration settings, this is a finding.","fixText":"Separate the application user data into a different directory than the application code and user file permissions to restrict user access to application configuration settings."},{"id":"bf052374-fcaf-48c4-a1ce-2f6874b6dc99","vulnId":"V-222627","severity":"medium","ruleTitle":"The ISSO must ensure if a DoD STIG or NSA guide is not available, a third-party product will be configured by following available guidance.","description":"Not all COTS products are covered by a STIG. Those products not covered by a STIG, should follow commercially accepted best practices, independent testing results and vendors lock down guides and recommendations if they are available.","checkContent":"Review the application documentation to identify application name, features and version.\n\nIdentify if a DoD STIG or NSA guide is available.\n\nIf no STIG is available for the product, the application and application components must be configured by the following as available: \n\n- commercially accepted practices, \n- independent testing results, or \n- vendor literature and lock down guides.\n\nIf the application and application components do not have DoD STIG or NSA guidance available and are not configured according to: \ncommercially accepted practices, \nindependent testing results,\nor vendor literature and lock down guides, this is a finding.","fixText":"Configure the application according to the product STIG or when a STIG is not available, utilize:\n\n- commercially accepted practices,\n- independent testing results, or\n- vendor literature and lock down guides."},{"id":"aa526c2a-37e1-492a-b352-9fa10fb33f05","vulnId":"V-222628","severity":"medium","ruleTitle":"New IP addresses, data services, and associated ports used by the application must be submitted to the appropriate approving authority for the organization, which in turn will be submitted through the DoD Ports, Protocols, and Services Management (DoD PPSM)","description":"Failure to comply with DoD Ports, Protocols, and Services (PPS) Vulnerability Analysis and associated PPS mitigations may result in compromise of enclave boundary protections and/or functionality of the application.","checkContent":"All application ports, protocols, and services needed for application operation need to be in compliance with the DoD Ports and Protocols guidance.\n\nCheck:\n\nhttp://iase.disa.mil/ppsm/Pages/index.aspx\n\nto verify the ports, protocols, and services are in compliance with the PPS CAL.\n\nCheck all necessary ports and protocols needed for application operation (only those accessed from outside the local enclave) are checked against the DoD Ports and Protocols guidance to ensure compliance.\n\nIdentify the ports needed for the application:\n\n- Look at System Security Plan/Accreditation documentation\n- Ask System Administrator\n- Go to Network Administrator\n- Go to Network Reviewer\n- If a network scan is available, use it\n- Use netstat/task manager\n- Check /etc./services\n\nIf the application is not in compliance with DoD Ports and Protocols guidance, this is a finding.","fixText":"Verify the accreditation documentation lists all interfaces and the ports, protocols, and services used.\n\nVerify that all ports, protocols, and services are used in accordance with the DoD PPSM."},{"id":"40ae4ce8-fed8-45f5-8252-b29d84a76924","vulnId":"V-222629","severity":"medium","ruleTitle":"The application must be registered with the DoD Ports and Protocols Database.","description":"Failure to register the applications usage of ports, protocols, and services with the DoD PPS Database may result in a Denial of Service (DoS) because of enclave boundary protections at other end points within the network.","checkContent":"Verify registration of the application and ports in the Ports and Protocols Database for a production site.\n\nIf the application requires registration, and is not registered or all ports used have not been identified in the database, this is a finding.","fixText":"Register the application and ports in the Ports and Protocols Database."},{"id":"c7847d5b-20c4-4f98-93df-d2f4e0fb05c2","vulnId":"V-222630","severity":"medium","ruleTitle":"The Configuration Management (CM) repository must be properly patched and STIG compliant.","description":"A Configuration Management (CM) repository is used to manage application code versions and to securely store application code.\n\nFailure to properly apply security patches and secure the software Configuration Management system could affect the confidentiality and integrity of the application source-code. \n\nCompromise of the Configuration Management system could lead to unauthorized changes to applications including the addition of malware, root kits, back doors, logic bombs or other malicious functions into valid application code. \n\nThis requirement is intended to be applied to application developers or organizations responsible for code management or who have and operate an application CM repository.","checkContent":"Review the application system documentation and interview the application administrator.\n\nIdentify if the STIG is being applied to application developers or organizations responsible for code management or who have and operate an application CM repository. If this is not the case, the requirement is not applicable.\n\nReview CM patch management processes and procedures. Have the system and CM admins demonstrate their patch management processes and verify the system has the latest security patches applied. \n\nReview the ATO documentation and verify the system that operates the CM repository software has had all relevant STIGs applied.\n\nIf CM repository is not at the latest security patch level and is not operating on a STIG compliant system, this is a finding.","fixText":"Patch the CM system when new security patches are made available and apply the relevant STIGs."},{"id":"c2e73028-3d77-480d-a065-5e70f9fabe7f","vulnId":"V-222631","severity":"medium","ruleTitle":"Access privileges to the Configuration Management (CM) repository must be reviewed every three months.","description":"A Configuration Management (CM) repository is used to manage application code versions and to securely store application code.\n\nIncorrect access privileges to the CM repository can lead to malicious code or unintentional code being introduced into the application.\n\nThis requirement is intended to be applied to application developers or organizations responsible for code management or who have and operate an application CM repository.","checkContent":"Review the application system documentation.\n\nInterview the application administrator.\n\nIdentify if development of the application is done in house and if application configuration management repository exists.\n\nIf application development is not done in house and if a code configuration management repository does not exist, the requirement is not applicable.\n\nReview CM management processes and procedures.\n\nVerify the CM repository access permissions are reviewed at least every three months.\n\nAsk the application administrator or the CM administrator when the last time the CM access privileges were reviewed.\n\nIf CM access privileges have not been reviewed within the last three months, this is a finding.","fixText":"Review access privileges to the CM repository at least every three months."},{"id":"b193d20c-bba3-4532-b167-a0967c702826","vulnId":"V-222632","severity":"medium","ruleTitle":"A Software Configuration Management (SCM) plan describing the configuration control and change management process of application objects developed by the organization and the roles and responsibilities of the organization must be created and maintained.","description":"$aa","checkContent":"$ab","fixText":"Create and update a SCM plan describing the configuration control and change management process of application objects developed by the organization and the roles and responsibilities of the organization. Configure CMR to comply."},{"id":"e0393a3f-7936-4b2a-a68e-df4e8c00ac25","vulnId":"V-222633","severity":"medium","ruleTitle":"A Configuration Control Board (CCB) that meets at least every release cycle, for managing the Configuration Management (CM) process must be established.","description":"Software Configuration Management (SCM) is very important in tracking code releases, baselines, and managing access to the configuration management repository. An SCM plan or charter identifies what should be under configuration management control. Without an SCM plan and a CCB, application releases can't be tracked and vulnerabilities can be inserted intentionally or unintentionally into the code base of the application.\n\nThis requirement is intended to be applied to application developers or organizations responsible for code management or who have and operate an application CM repository.","checkContent":"Interview the application representative and determine if application development is performed on site by the organization.\n\nIf application development is not done in house, the requirement is not applicable.\n\nIf so, determine if a CCB exists. Ask about the membership of the CCB, and identify the primary members. Ask if there is CCB charter documentation.\n\nInterview the application representative and determine how often the CCB meets.\n\nAsk if there is CCB charter documentation. The CCB charter documentation should indicate how often the CCB meets.\n\nIf there is no charter documentation, ask when the last time the CCB met and when was the last release of the application.\n\nCCBs do not have to physically meet, and the CCB chair may authorize a release based on phone and/or e-mail conversations.\n\nIf there is no evidence of CCB activity or meetings prior to the last release cycle, this is a finding.","fixText":"Setup and maintain a Configuration Control Board."},{"id":"6d903346-a1d0-47dd-9503-0fdc642ba046","vulnId":"V-222634","severity":"medium","ruleTitle":"The application services and interfaces must be compatible with and ready for IPv6 networks.","description":"If the application has not been upgraded to execute on an IPv6-only network, there is a possibility the application will not execute properly, and as a result, a denial of service could occur.\n\nIn order to operate on an IPV6 network, the application must be capable of making IPV6 compatible network socket calls.","checkContent":"Verify the application environment is compliant with all DoD IPv6 Standards Profile for IPv6 Capable Products guidance for servers.\n\nIf the application environment is not compliant with all DoD IPv6 Standards Profile for IPv6 Capable Products guidance for servers, this is a finding.","fixText":"Design application to be compliant with all Department of Defense (DoD) Information Technology Standards Registry (DISR) IPv6 profiles."},{"id":"96f3a2a3-84b2-4228-ad6c-b1c80bd44ab4","vulnId":"V-222635","severity":"medium","ruleTitle":"The application must not be hosted on a general purpose machine if the application is designated as critical or high availability by the ISSO.","description":"Critical applications should not be hosted on a multi-purpose server with other applications. Applications that share resources are susceptible to the other shared application security defects. Even if the critical application is designed and deployed securely, an application that is not designed and deployed securely, can cause resource issues and possibly crash effecting the critical application.","checkContent":"Ask the application representative to review the servers where the application is deployed. \n\nAsk what other applications are deployed on those servers.\n\nIdentify the criticality of the applications installed on the system.\n\nIf a mission critical application is deployed onto the same server as non-mission critical applications, this is a finding.","fixText":"Deploy mission critical applications on servers that are not shared by other less critical applications."},{"id":"6c7f2f78-f2b8-4696-9ead-06498a863f1b","vulnId":"V-222636","severity":"medium","ruleTitle":"A contingency plan must exist in accordance with DOD policy based on the application's availability requirements.","description":"Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. \n\nAll applications must document procedures to include business recovery plans, system contingency plans, facility disaster recovery plans, and plan acceptance.","checkContent":"Review contingency plans.\n\nFor high availability applications, verify the contingency plan exists and provides for the smooth transfer of all mission or business essential functions to an alternate site for the duration of an event with little or no loss of operational continuity.\n \nFor moderate availability applications, verify the contingency plan exists and provides for the resumption of mission or business essential functions within 12 hours activation or as defined in the contingency plan.\n\nFor low availability applications, verify the contingency plan exists and provides for the partial resumption of mission or business essential functions within 5 to 30 days of activation as defined in the contingency plan.\n \nIf the contingency plan does not exist or does not meet the severity level requirements, this is a finding.","fixText":"Create and maintain a contingency plan that identifies essential mission and business functions and associated contingency requirements."},{"id":"5d18b001-c743-42ec-ae54-a27190c3338a","vulnId":"V-222637","severity":"medium","ruleTitle":"Recovery procedures and technical system features must exist so recovery is performed in a secure and verifiable manner. The ISSO will document circumstances inhibiting a trusted recovery.","description":"Without a disaster recovery plan, the application is susceptible to interruption in service due to damage within the processing site.\n\nIf the application is part of the site’s disaster recovery plan, ensure that the plan contains detailed instructions pertaining to the application. Verify that recovery procedures indicate the steps needed for secure and trusted recovery.","checkContent":"Review disaster recovery plan.\n\nVerify that a disaster recovery plan is in place for the application.\n\nVerify that the recovery procedures include any special considerations for trusted recovery.\n\nIf the application is not part of the site’s disaster recovery plan, or if any special considerations for trusted recovery are not documented, this is a finding.","fixText":"Create and maintain a disaster recovery plan."},{"id":"ebdef2ce-2f36-4a10-a355-0c18a60863d3","vulnId":"V-222638","severity":"medium","ruleTitle":"Data backup must be performed at required intervals in accordance with DoD policy.","description":"Without proper backups, the application is not protected from the loss of data or the operating environment in the event of hardware or software failure.","checkContent":"$ac","fixText":"Develop and implement backup procedures based on risk level of the system and in accordance with DoD policy."},{"id":"af448172-8259-4e32-a1eb-c69efb164b2a","vulnId":"V-222639","severity":"medium","ruleTitle":"Back-up copies of the application software or source code must be stored in a fire-rated container or stored separately (offsite).","description":"Application developers and application administrators must take steps to ensure continuity of development effort and operations should a disaster strike. \n\nSteps include protecting back-up copies of development code and application software.\n\nImproper storage of the back-up copies can result in extended outages of the information system in the event of a fire or other situation that results in destruction of the back-up as well as the operating copy.\n\nTo address this risk, copies of application software and application source code must be stored in a fire-rated container or separately (offsite) from the operational or development environments.","checkContent":"When reviewing a COTS or GOTS application, verify that a back-up copy of the software is stored in a fire rated container or is stored separately (offsite) from the operational environment.\n\nDetermine if application development is done in-house. \n\nIf application development occurs in-house and source code is available, verify a back-up copy of the source code is kept in a fire-rated container or stored offsite from the development environment.\n\nIf back-up copies of the application software or source code are not stored in a fire-rated container or stored separately (offsite) from their respective environments, this is a finding.","fixText":"Store a back-up copy of the application software and source code in a fire-rated container or store it separately (offsite) from their respective environments."},{"id":"66b2e9b1-47f8-4914-b7e9-db9f3c4ce9f6","vulnId":"V-222640","severity":"medium","ruleTitle":"Procedures must be in place to assure the appropriate physical and technical protection of the backup and restoration of the application.","description":"Protection of backup and restoration assets is essential for the successful restore of operations after a catastrophic failure or damage to the system or data files. Failure to follow proper procedures may result in the permanent loss of system data and/or the loss of system capability resulting in failure of the customer’s mission.","checkContent":"Validate that backup and recovery procedures incorporate protection of the backup and restoration assets.\n\nVerify assets housing the backup data (e.g., SANS, tapes, backup directories, software) and the assets used for restoration (e.g., equipment and system software) are included in the backup and recovery procedures.\n\nIf backup and restoration devices are not included in the recovery procedures, this is a finding.","fixText":"Develop and implement procedures to insure that backup and restoration assets are properly protected and stored in an area/location where it is unlikely they would be affected by an event that would affect the primary assets."},{"id":"46fcc030-a07f-41a4-93cd-9e63b10a001a","vulnId":"V-222641","severity":"medium","ruleTitle":"The application must use encryption to implement key exchange and authenticate endpoints prior to establishing a communication channel for key exchange.","description":"If the application does not use encryption and authenticate endpoints prior to establishing a communication channel and prior to transmitting encryption keys, these keys may be intercepted, and could be used to decrypt the traffic of the current session, leading to potential loss or compromise of DoD data.","checkContent":"If the application does not implement key exchange, this check is not applicable.\n\nIdentify all application or supporting infrastructure features using key exchange.\n\nVerify the application is using FIPS-140-2 validated cryptographic modules for encryption of keys during key exchange.\n\nIf the application does not implement encryption for key exchange, this is a finding.","fixText":"Use encryption for key exchange."},{"id":"8f7c0904-72c6-4918-a6dc-00a92105afed","vulnId":"V-222642","severity":"high","ruleTitle":"The application must not contain embedded authentication data.","description":"Authentication data stored in code could potentially be read and used by anonymous users to gain access to a backend database or application servers. This could lead to compromise of application data.","checkContent":"Review the application documentation and any available source code; this includes configuration files such as global.asa, if present, scripts, HTML files, and any ASCII files.\n\nIdentify any instances of passwords, certificates, or sensitive data included in code.\n\nIf credentials were found, check the file permissions and ownership of the offending file.\n\nIf access to the folder hosting the file is not restricted to the related application process and administrative users, this is a finding.\n\nThe finding details should note specifically where the offending credentials or data were located and what resources they enabled.","fixText":"Remove embedded authentication data stored in code, configuration files, scripts, HTML file, or any ASCII files."},{"id":"39a06b74-c7ad-4024-be70-ef8387322946","vulnId":"V-222643","severity":"high","ruleTitle":"The application must have the capability to mark sensitive/classified output when required.","description":"Failure to properly mark output could result in a disclosure of sensitive or classified data, which is an immediate loss in confidentiality.","checkContent":"$ad","fixText":"Enable the application to adequately mark sensitive/classified output."},{"id":"5a66f03b-6eba-4802-a9e9-cb34460b4cd5","vulnId":"V-222644","severity":"low","ruleTitle":"Prior to each release of the application, updates to system, or applying patches; tests plans and procedures must be created and executed.","description":"Without test plans and procedures for application releases or updates, unexpected results may occur which could lead to a denial of service to the application or components.\n\nThis requirement is meant to apply to developers or organizations that are doing development work when releasing a version update or a patch to the application.","checkContent":"If the review is not being done with the developer of the application, this requirement is not applicable.\n\nAsk the application representative to provide tests plans, procedures, and results to ensure they are updated for each application release or updates to system patches.\n\nIf test plans, procedures, and results do not exist, or are not updated for each application release, this is a finding.","fixText":"Execute tests plans prior to release or patch update."},{"id":"48e16817-e713-42f3-8445-df3efcfb497d","vulnId":"V-222645","severity":"medium","ruleTitle":"Application files must be cryptographically hashed prior to deploying to DoD operational networks.","description":"$ae","checkContent":"$af","fixText":"Developers/release managers create cryptographic hash values of application files and/or application packages prior to transitioning the application from test to a production environment. They protect cryptographic hash information so it cannot be altered and make a read copy of the hash information available to application Admins so they can validate application packages and files after they download the files.\n\nApplication Admins validate cryptographic hashes prior to deploying the application to production."},{"id":"efce2452-0714-4e41-a1f7-a08d0411b4b7","vulnId":"V-222646","severity":"medium","ruleTitle":"At least one tester must be designated to test for security flaws in addition to functional testing.","description":"If there is no person designated to test for security flaws, vulnerabilities can potentially be missed during testing.\n\nThis requirement is meant to apply to developers or organizations that are doing development work.","checkContent":"Review the organization chart and interview the admin staff.\n\nIdentify personnel designated as application security testers.\n\nIf the organization operating the application is not doing development work, this requirement is not applicable.\n\nIf the organization has not designated personnel to conduct security testing, this is a finding.","fixText":"Designate personnel to conduct security testing on the applications."},{"id":"85ec98c2-b688-4c47-89d6-91d80e6d6c4e","vulnId":"V-222647","severity":"low","ruleTitle":"Test procedures must be created and at least annually executed to ensure system initialization, shutdown, and aborts are configured to verify the system remains in a secure state.","description":"Secure state assurance cannot be accomplished without testing the system state at least annually to ensure the system remains in a secure state upon initialization, shutdown, and aborts.","checkContent":"Review the process documentation and interview the admin staff.\n\nIdentify if testing procedures exist and if they include annual testing to ensure the application remains in a secure state on initialization, shutdown, and aborts.\n\nChecks should include at a minimum, attempts to access the application and application configuration settings without credentials or with improper credentials both locally and remotely.\n\nDates should be noted as to the last date of testing.\n\nIf annual testing procedures do not exist, or if administrators are unable to provide testing dates that indicate the tests were conducted within the last year, this is a finding.","fixText":"Create test procedures to test the security state of the application and exercise test procedures annually."},{"id":"f15ef860-d34a-4157-8d9e-49f114ff9272","vulnId":"V-222648","severity":"medium","ruleTitle":"An application code review must be performed on the application.","description":"$b0","checkContent":"This requirement is meant to apply to developers or organizations that are doing the application development work and have the responsibility for maintaining the application source code. Otherwise, the requirement is not applicable.\n\nReview the system documentation and ask the application representative to describe the code review process or provide documentation outlining the organizations code review process.\n\nIf code reviews are conducted with software tools, have the application representative provide the latest code review report for the application.\n\nEnsure the code review looks for all known security flaws including but not limited to:\n\n- format string exploits\n- memory leaks\n- buffer overflows\n- race conditions\n- sql injection\n- dead/unused/commented code\n- input validation exploits\n\nIf the organization does not conduct code reviews on the application that attempt to identify all known and potential security issues, or if code review results are not available for review, this is a finding.","fixText":"Conduct and document code reviews on the application during development and identify and remediate all known and potential security vulnerabilities prior to releasing the application."},{"id":"14ef0534-982a-4505-8baf-48903db3a1f0","vulnId":"V-222649","severity":"low","ruleTitle":"Code coverage statistics must be maintained for each release of the application.","description":"$b1","checkContent":"If the organization does not do or manage the application development work for the application, this requirement is not applicable.\n\nAsk the application representative to provide code coverage statistics maintained for the application.\n\nIf these code coverage statistics do not exist, this is a finding.","fixText":"Track application testing and maintain statistics that show how much of the application function was tested."},{"id":"0b70b0b2-794f-45d8-a371-442714fa509e","vulnId":"V-222650","severity":"medium","ruleTitle":"Flaws found during a code review must be tracked in a defect tracking system.","description":"This requirement is meant to apply to developers or organizations that are doing application development work.\n\nIf flaws are not tracked they may possibly be forgotten to be included in a release. Tracking flaws in the configuration management repository will help identify code elements to be changed, as well as the requested change.","checkContent":"This requirement is meant to apply to developers or organizations that are doing application development work.\n\nIf application development is not being done or managed by the organization, this requirement is not applicable.\n\nAsk the application representative to demonstrate that the configuration management repository captures flaws in the code review process. The configuration management repository may consist of a separate application for capturing code defects.\n\nIf there is no configuration management repository or the code review flaws are not captured in the configuration management repository, this is a finding.","fixText":"Track software defects in a defect tracking system."},{"id":"02bf8b8d-7d05-4e7a-970f-300700daf0e9","vulnId":"V-222651","severity":"medium","ruleTitle":"The changes to the application must be assessed for IA and accreditation impact prior to implementation.","description":"When changes are made to an application, either in the code or in the configuration of underlying components such as the OS or the web or application server, there is the potential for security vulnerabilities to be opened up on the system.\n\nIA assessment of proposed changes is necessary to verify security integrity is maintained within the application.","checkContent":"Interview the application and system administrators and determine if changes to the application are assessed for IA impact prior to implementation.\n\nReview the CCB process documentation to ensure potential changes to the application are evaluated to determine impact. An informal group may be tasked with impact assessment of upcoming version changes.\n\nIf IA impact analysis is not performed, this is a finding.","fixText":"Review IA impact to the system prior to implementing changes."},{"id":"a0a47e33-2304-422f-9db3-5e14c3c90b64","vulnId":"V-222652","severity":"medium","ruleTitle":"Security flaws must be fixed or addressed in the project plan.","description":"This requirement is meant to apply to developers or organizations that are doing application development work.\n\nApplication development efforts include the creation of a project plan to track and organize the development work.\n\nIf security flaws are not tracked within the project plan, it is possible the flaws will be overlooked and included in a release.\n\nTracking flaws in the project plan will help identify code elements to be changed as well as the requested change.","checkContent":"This requirement is meant to apply to developers or organizations that are doing application development work. If the organization managing the application is not performing or managing the development of the application the requirement is not applicable.\n\nAsk the application representative to demonstrate how security flaws are integrated into the project plan.\n\nIf security flaws are not addressed in the project plan or there is no process to introduce security flaws into the project plan, this is a finding.","fixText":"Address security flaws within a project plan to ensure they are tracked and addressed by management."},{"id":"88504829-464d-483b-a0f6-8305cdcbe14e","vulnId":"V-222653","severity":"low","ruleTitle":"The application development team must follow a set of coding standards.","description":"$b2","checkContent":"This requirement is meant to apply to developers or organizations that are doing application development work. If the organization operating the application under review is not doing the development or managing the development of the application, the requirement is not applicable.\n\nAsk the application representative about their coding standards. Ask for a coding standards document, review the document and ask the developers if they are aware of and if they use the coding standards. Make a determination if the application developers follow the coding standard. \n\nIf the developers do not follow a coding standard, or if a coding standard document does not exist, this is a finding.","fixText":"Create and maintain a coding standard process and documentation for developers to follow. \n\nInclude programming best practices based on the languages being used for application development. Include items that should be standardized across the team that deals with how developers write their application code."},{"id":"012d4d45-665f-433e-a8e0-21b518522aa2","vulnId":"V-222654","severity":"low","ruleTitle":"The designer must create and update the Design Document for each release of the application.","description":"This requirement is meant to apply to developers or organizations that are doing application development work.\n\nThe application design document or configuration guide includes configuration settings, recommendations and best practices that pertain to the secure deployment of the application.\n\nIt also contains the detailed functional architecture as well as any changes to the application architecture corresponding to a new version release and must be documented to ensure all risks are assessed and mitigated to the maximum extent practical.\n\nFailure to do so may result in unexposed risk, and failure to mitigate the risk leading to failure or compromise of the system.","checkContent":"$b3","fixText":"Create and maintain the Design Document for each release of the application and identify the following:\n\n- All external interfaces (from the threat model)\n- The nature of information being exchanged\n- Categories of sensitive information processed or stored and their specific protection plans\n- The protection mechanisms associated with each interface\n- User roles required for access control\n- Access privileges assigned to each role\n- Unique application security requirements\n- Categories of sensitive information processed or stored and specific protection plans (e.g., Privacy Act, HIPAA, etc.)\n- Restoration priority of subsystems, processes, or information."},{"id":"b7fe516f-5ed0-49c5-ae1e-9300b25d98e6","vulnId":"V-222655","severity":"medium","ruleTitle":"Threat models must be documented and reviewed for each application release and updated as required by design and functionality changes or when new threats are discovered.","description":"$b4","checkContent":"$b5","fixText":"Establish and maintain threat models and review for each application release and when new threats are discovered. Identify potential mitigations to identified threats. Verify mitigations are implemented to threats based on their risk analysis."},{"id":"ede34bc6-18c8-4e85-9201-d5e9be422ea3","vulnId":"V-222656","severity":"medium","ruleTitle":"The application must not be subject to error handling vulnerabilities.","description":"Error handling is the failure to check the return values of functions or catch top level exceptions within a program. Improper error handling in an application can lead to an application failure or possibly result in the application entering an insecure state. \n\nThe primary way to detect error handling vulnerabilities is to perform code reviews. If a manual code review cannot be performed, static code analysis tools should be employed in conjunction with tests to help force the error conditions by specifying invalid input (such as fuzzed data and malformed filenames) and by using different accounts to run the application. These tests may give indications of vulnerability, but they are not comprehensive.\n\nIn order to minimize error handling errors, ensure proper return code and exception handling is implemented throughout the application.","checkContent":"Review the application documentation, code review reports and the results from static code analysis tools.\n\nIdentify the most recent security scans and code analysis testing conducted. Verify testing configuration includes tests for error handling issues.\n\nCheck test results for identified error handling vulnerabilities within the application.\n\nIf the test results indicate the existence of error handling vulnerabilities and no remediation evidence is presented, this is a finding.\n\nIf no test results are available for review, this is a finding.","fixText":"Ensure proper return code and exception handling is implemented throughout the application."},{"id":"139914e8-f234-4f96-85ed-c28a14f77219","vulnId":"V-222657","severity":"medium","ruleTitle":"The application development team must provide an application incident response plan.","description":"An application incident response process is managed by the development team and should include a method for individuals to submit potential security vulnerabilities to the development or maintenance team. \n\nThe plan should dictate what is to be done with the reported vulnerabilities. Reported vulnerabilities must be tracked throughout the process to ensure they are triaged, corrected, and tested. The corresponding update is released to the user community and the user community is notified of the availability of the application update.\n\nWithout an established application incident management plan and process, discovered issues and vulnerabilities will go unreported. Vulnerabilities will not be triaged and managed, and there may be delays in corrective actions.\n\nInformation on how to submit bug and vulnerability reports must also be included in the application design document or configuration guide.\n\nThis requirement is meant to be applied when reviewing an application with the development team.","checkContent":"If the application is a COTS application and the development team is not accessible to interview this requirement is not applicable.\n\nInterview the application development team members. Request and review the application incident response plan. \n\nEnsure the plan includes an implemented process that:\n\n- Tracks reported vulnerabilities and bugs\n- Confirms reported vulnerabilities and bugs\n- Tracks remediation effort\n- Notifies application users of available updates that address the reported issues.\n\nIf the application incident response plan does not exist and at a minimum does not implement the aforementioned processes, this is a finding.","fixText":"The development team creates an application incident response plan documenting and establishing a process that at a minimum:\n\n- Tracks reported vulnerabilities and bugs\n- Confirms reported vulnerabilities and bugs\n- Tracks remediation effort\n- Notifies application users of available updates that address the reported issues."},{"id":"090fefa3-b64b-4b63-89da-649bc0be3f10","vulnId":"V-222658","severity":"high","ruleTitle":"All products must be supported by the vendor or the development team.","description":"Unsupported commercial and government developed software products should not be used because fixes to newly identified bugs will not be implemented by the vendor or development team. The lack of security updates can result in potential vulnerabilities.","checkContent":"Review the application documentation and interview the application administrator.\n\nIdentify all software components.\n\nReview the version information and identify the vendor if COTS software.\n\nAccess the vendor website to verify the version is still supported.\n\nAsk the application representative for proof that the application and all of its components are supported.\n\nExamples of proof may include:\n\ndesign documentation that includes support information, support specific contract documentation, successful creation of vendor support tickets, website toll free support phone numbers etcetera.\n\nIf any of the software components are not supported by a COTS vendor or a GOTS organization, this is a finding.","fixText":"Remove or decommission all unsupported software products in the application."},{"id":"7c7c38c4-e521-482c-ab1b-3bd2b85285e3","vulnId":"V-222659","severity":"high","ruleTitle":"The application must be decommissioned when maintenance or support is no longer available.","description":"Unsupported software products should not be used because fixes to newly identified bugs will not be implemented by the vendor or development team. The lack of security updates can result in potential vulnerabilities.\n\nWhen maintenance updates and patches are no longer available, the application is no longer considered supported, and should be decommissioned.","checkContent":"Interview the application representative and determine if all the application components are under maintenance contract. The entire application may be covered by a single maintenance agreement. The application should be decommissioned if maintenance or security support is no longer being provided by the vendor or by the development staff of a custom developed application.\n\nIf the application or any of the application components are not being maintained, this is a finding.","fixText":"Ensure there is maintenance for the application."},{"id":"ffa94891-9234-4c2c-8309-a3a36f6cd0fb","vulnId":"V-222660","severity":"low","ruleTitle":"Procedures must be in place to notify users when an application is decommissioned.","description":"When maintenance no longer exists for an application, there are no individuals responsible for making security updates. The application support staff should maintain procedures for decommissioning. The decommissioning process should include notifying users of the pending decommissioning event. If the users are not informed of the decommissioning event, attackers may be able to stand up similar looking system and fool users into attempting to log onto a duplicate system. This can be as simple as a banner informing users.\n\nThis risk is primarily geared towards insider threat scenarios and externally accessible applications that provide access to publicly releasable data but should also be applied to internal systems as a best practice.","checkContent":"Interview the application representative to determine if provisions are in place to notify users when an application is decommissioned.\n \nIf provisions are not in place to notify users when an application is decommissioned, this is a finding.","fixText":"Create and establish procedures to notify users when an application is decommissioned."},{"id":"80e67b5f-a286-444e-997c-b8f6741d31a0","vulnId":"V-222661","severity":"medium","ruleTitle":"Unnecessary built-in application accounts must be disabled.","description":"Default passwords and properties of built-in accounts are often publicly available. Anyone with necessary knowledge, internal or external, can compromise an application using built-in accounts.\n\nBuilt-in accounts are those that are added as part of the installation of the application software. These accounts exist for many common Commercial Off-the-Shelf (COTS) or open source components of enterprise applications (e.g., OS, web browser or database software).","checkContent":"Review the application documentation and identify if the application creates or utilizes built-in accounts.\n\nExamine the account list for obvious examples (e.g., accounts with vendor names such as Oracle or Tivoli).\n\nVerify that these accounts have been removed or disabled.\n\nIf enabled built-in accounts are present, ask the application representative the reason for their existence.\n\nIf the account is required in order for the application to operate properly, verify the account password has been changed to a DoD acceptable value.\n\nIf these accounts are not necessary to run the application, or if the accounts are required and the password has not been changed to meet DoD password requirements, this is a finding.","fixText":"Disable unnecessary built-in userids, use other strong authentication when possible and use strong passwords if accounts are necessary for application operation."},{"id":"48b47154-93fd-4777-80b3-287c383196a0","vulnId":"V-222662","severity":"high","ruleTitle":"Default passwords must be changed.","description":"Default passwords can easily be compromised by attackers allowing immediate access to the applications.","checkContent":"Identify the application name and version and do an Internet search for the product name and the string \"default password\".\n\nIf default passwords are found, attempt to authenticate with the published default passwords.\n\nIf authentication is successful, this is a finding.","fixText":"Configure the application to use strong authenticators instead of passwords when possible. Otherwise, change default passwords to a DoD-approved strength password and follow all guidance for passwords."},{"id":"e472c3fd-0523-4e8a-92c7-4305326c9437","vulnId":"V-222663","severity":"medium","ruleTitle":"An Application Configuration Guide must be created and included with the application.","description":"$b6","checkContent":"$b7","fixText":"Create the application configuration guide in accordance with configuration examples provided in the vulnerability discussion and check.\n\nVerify the application configuration guide is distributed along with the application."},{"id":"483e3797-b827-4084-9f28-0754776e05ec","vulnId":"V-222664","severity":"medium","ruleTitle":"If the application contains classified data, a Security Classification Guide must exist containing data elements and their classification.","description":"Without a classification guide the marking, storage, and output media of classified material can be inadvertently mixed with unclassified material, leading to its possible loss or compromise.","checkContent":"$b8","fixText":"Create and maintain a security classification guide."},{"id":"082fe495-8447-42a7-827f-55bca9ad2926","vulnId":"V-222665","severity":"medium","ruleTitle":"The designer must ensure uncategorized or emerging mobile code is not used in applications.","description":"$b9","checkContent":"Review the application documentation and interview application administrator.\n\nDetermine what mobile code types are used by the application.\n\nIf uncategorized mobile code types are found, ask the application administrator to provide the documented waiver and risk acceptance. If the application is using uncategorized or emerging mobile code and there is no waiver provided, this is a finding.","fixText":"Remove uncategorized or emerging mobile code from the application or obtain a waiver and risk acceptance to operate."},{"id":"cbd86c46-a6cd-4b71-b9cb-bc13be655dcc","vulnId":"V-222666","severity":"medium","ruleTitle":"Production database exports must have database administration credentials and sensitive data removed before releasing the export.","description":"Production database exports are often used to populate development databases. Test and development environments do not typically have the same rigid security protections that production environments do. When production data is used in test and development, the production database exports will need to be scrubbed to prevent information like passwords and other sensitive data from becoming available to development and test staff that may not have a need to know. Sensitive data should not be included in database exports because of classification, privacy, and other types of data protection requirement issues. Not all application developers have need-to-know sensitive information such as HIPAA data, Privacy Act Data, production admin passwords or classified data.","checkContent":"Review the application documentation and identify the existence of databases within the application architecture.\n\nAsk the application admin to identify when data exports from this database are imported to test or development databases.\n \nIf no data is exported to test or development databases, this check is not applicable.\n\nIf there are such data exports, ask if the production database includes sensitive data identified by the data owner as sensitive such as passwords, financial, personnel, personal, HIPAA, Privacy Act, or classified data is included.\n\nIf any database exports include sensitive data and that data is not sanitized or removed prior to or immediately after import to the development database, this is a finding.","fixText":"Remove sensitive data from production database exports."},{"id":"ce0af7f9-2642-4fa7-b7f3-e93f95807bfa","vulnId":"V-222667","severity":"medium","ruleTitle":"Protections against DoS attacks must be implemented.","description":"Known DoS threats documented in the threat model should be mitigated, to prevent DoS type attacks.","checkContent":"Ask the application representative for the threat model document.\n\nExamine the threat model document and determine if DoS attacks are specified as a threat.\n\nIf there are no DoS threats identified in the threat model, the requirement is not applicable.\n\nVerify the mitigations provided for DoS attacks are implemented from the threat model.\n\nIf mitigations for DoS attacks are identified in the threat model but are not implemented, this is a finding.","fixText":"Implement mitigations from the threat model for DOS attacks."},{"id":"d2db8c49-9b57-43af-86c9-886261522f42","vulnId":"V-222668","severity":"medium","ruleTitle":"The system must alert an administrator when low resource conditions are encountered.","description":"In order to prevent DoS type attacks, applications should be monitored when resource conditions reach a predefined threshold. This could indicate the onset of a DoS attack or could be the precursor to an application outage.","checkContent":"Review the system documentation and interview the application and system administrators.\n\nExamine the system to determine if an automated, continuous on-line monitoring and audit trail creation capability is present with the capability to immediately alert personnel of any unusual or inappropriate activity with potential IA implications, and with a user configurable capability to automatically disable the system if serious IA violations are detected.\n\nIf this monitoring capability does not exist, this is a finding.","fixText":"Implement mechanisms to alert system administrators about a low resource condition."},{"id":"ff6fdc5d-480c-4980-855a-469cd84295e3","vulnId":"V-222669","severity":"low","ruleTitle":"At least one application administrator must be registered to receive update notifications, or security alerts, when automated alerts are available.","description":"Administrators should register for updates to all COTS and custom-developed software, so when security flaws are identified, they can be tracked for testing and updates of the application can be applied.\n\nAdmin personnel should be registered to receive updates to all components of the application, such as Web Server, Application Servers, and Database Servers. Also, if update notifications are provided for any custom-developed software, libraries or third-party tools, deployment personnel must also register for these updates.","checkContent":"Review the components of the application.\n\nAsk the application representative to demonstrate deployment personnel are registered to receive notifications for update notification for all of the application components including custom-developed software, libraries and third-party tools.\n\nIf no deployment personnel are registered to receive the alerts, this is a finding.","fixText":"Register administrators to receive update notifications so they can patch and update applications and application components."},{"id":"124b7cfd-e11a-4cad-a86c-e5f2ea86d6aa","vulnId":"V-222670","severity":"low","ruleTitle":"The application must provide notifications or alerts when product update and security related patches are available.","description":"An application vulnerability management and update process must be in place to notify and provide users and administrators with a means of obtaining security patches and updates for the application.\n\nAn important part of the maintenance phase of an application is managing vulnerabilities for updated versions of the application after the application is released. When a security flaw is discovered in an application deployed in a production environment, notification to the user community must take place as quickly as possible. \n\nThis notification should be planned for in the design phase of the application. This notification should be a warning of any potential risks to the application or data. A notification mechanism will be established to notify users of the vulnerability and the potential risks, the availability of a solution, and/or potential mitigations reducing risks to the application.","checkContent":"Review the components of the application. Interview the application administrator.\n\nHave the application administrator demonstrate the application notification process that occurs when a security patch or product update is available.\n\nThe process must include a brief description of the issue and any potential risks related to the issue.\n\nThe process must also include information regarding the availability of the patch or update and how it can be obtained as well as any potential mitigations that can be utilized in the interim.\n\nIf there is no application security patch or update notification process, this is a finding.\n\nIf the application notification process does not include a brief description, information on risks, how to obtain the patch or update and any potential mitigations, this is a finding.","fixText":"Provide a distribution mechanism for obtaining updates to the application.\n\nInclude a description of the issue, a summary of risk as well as potential mitigations and how to obtain the update."},{"id":"6605c15c-a60a-436f-b436-e466b9506c05","vulnId":"V-222671","severity":"medium","ruleTitle":"Connections between the DoD enclave and the Internet or other public or commercial wide area networks must require a DMZ.","description":"In order to protect DoD data and systems, all remote access to DoD information systems must be mediated through a managed access control point, such as a remote access server in a DMZ.","checkContent":"Interview the application representative and determine if the application is publicly accessible.\n\nIf the application is publicly accessible and traffic is not being routed through a DMZ, this is a finding.","fixText":"Setup a DMZ between DoD and public networks."},{"id":"a42bc734-f364-477a-9d39-0e58a52b6529","vulnId":"V-222672","severity":"low","ruleTitle":"The application must generate audit records when concurrent logons from different workstations occur.","description":"When an application provides users with the ability to concurrently logon, an event must be recorded that indicates the user has logged on from different workstations. It is important to ensure that audit logs differentiate between the two sessions.\n\nThe event data must include the user ID, the workstation information and application session information that provides the details necessary to determine which application session executed what action on the system.","checkContent":"Review the application documentation and interview the application administrator to identify where log records are stored.\n\nAccess log records then log on to the application as a regular user from one workstation. Take note of workstation IP address and confirm the address as the source workstation.\n\nHave the application administrator log on to the application from another workstation using the same account.\n\nValidate the IP address of the second workstation is recorded in the logs.\n\nIf the application does not create an audit record when concurrent logons occur from different workstations, this is a finding.","fixText":"Configure the application to log concurrent logons from different workstations."},{"id":"49ff1c2b-9ab8-4c73-aeaf-fa1d82f47608","vulnId":"V-222673","severity":"medium","ruleTitle":"The Program Manager must verify all levels of program management, designers, developers, and testers receive annual security training pertaining to their job function.","description":"$ba","checkContent":"This requirement is meant to be applied to developers and development teams only, otherwise, this requirement is not applicable. \n\nInterview the application representative.\n\nAsk for evidence of annual security training for application managers, designers, developers, and testers. \n\nExamples of evidence include course completion certificates and a class roster. At a minimum, security training should include security awareness training pertaining to overall principles of secure application development.\n\nTraining must be in addition to DoD 8570 training requirements as DoD 8570 annual security training does not presently cover application SDLC security concerns. \n\nIf there is no evidence of security training, this is a finding.","fixText":"Provide application development/operational related security specific annual training for managers, designers, developers, and testers."},{"id":"80eec1e2-182f-424a-8fd9-b9557e45dcce","vulnId":"V-265634","severity":"medium","ruleTitle":"The application must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.","description":"$bb","checkContent":"$bc","fixText":"Configure application to encrypt stored classified information; Ensure encryption is performed using NIST FIPS 140-2-validated encryption.\n\nEncrypt stored, non-SAMI classified information using NIST FIPS 140-2-validated encryption.\n\nImplement NSA-validated type-1 encryption of all SAMI data stored in the enclave."}]}]]}]

Application Security and Development Security Technical Implementation Guide

Checks (286)