STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

The application must utilize mutual authentication when endpoint device non-repudiation protections are required by DoD policy or by the data owner.

DISA Rule

SV-222532r508029_rule

Vulnerability Number

V-222532

Group Title

SRG-APP-000158

Rule Version

APSC-DV-001640

Severity

CAT II

CCI(s)

• CCI-000778 - The information system uniquely identifies an organization-defined list of specific and/or types of devices before establishing a local, remote, or network connection.

Weight

10

Fix Recommendation

Configure the application to utilize mutual authentication when specified by data protection requirements.

Check Contents

Review the application documentation and interview the application administrator.

Determine if mutual authentication is mandated by the data owner or by mission data protection objectives and data type.

Review application architecture and design documents.

Identify endpoint devices that interact with the application. These can be SOA gateways, VOIP phones, or other devices that are used to connect to and exchange data with the application.

If the design documentation specifies, this could potentially also include remote client workstations.

In order for two way SSL/mutual authentication to work properly, the server must be configured to request client certificates.

Access the applications management console.

Navigate to the SSL management utility or web page that is used to configure two way mutual authentication.

Verify endpoints are configured for client authentication (mutual authentication).

Some application architectures such as Java configure their settings in text/xml formatted files; in that case, have the application administrator identify the configuration files used by the application.
E.g., web.xml stored in WEB-INF/ sub directory of the application root folder.

Open the web.xml file using a text editor.

Verify the application deployment descriptor for the application and the resource requiring protection under the "login-config" element is set to CLIENT-CERT.

If SSL mutual authentication is required and is not being utilized, this is a finding.

Vulnerability Number

V-222532

Documentable

False

Rule Version

APSC-DV-001640

Severity Override Guidance

Review the application documentation and interview the application administrator.

Determine if mutual authentication is mandated by the data owner or by mission data protection objectives and data type.

Review application architecture and design documents.

Identify endpoint devices that interact with the application. These can be SOA gateways, VOIP phones, or other devices that are used to connect to and exchange data with the application.

If the design documentation specifies, this could potentially also include remote client workstations.

In order for two way SSL/mutual authentication to work properly, the server must be configured to request client certificates.

Access the applications management console.

Navigate to the SSL management utility or web page that is used to configure two way mutual authentication.

Verify endpoints are configured for client authentication (mutual authentication).

Some application architectures such as Java configure their settings in text/xml formatted files; in that case, have the application administrator identify the configuration files used by the application.
E.g., web.xml stored in WEB-INF/ sub directory of the application root folder.

Open the web.xml file using a text editor.

Verify the application deployment descriptor for the application and the resource requiring protection under the "login-config" element is set to CLIENT-CERT.

If SSL mutual authentication is required and is not being utilized, this is a finding.

Check Content Reference

M

Target Key

4093

Comments