STIGQter: STIG Summary: IBM WebSphere Traditional V9.x Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 23 Aug 2018:

The WebSphere Application Server must be configured to encrypt log information.

DISA Rule

SV-95979r1_rule

Vulnerability Number

V-81265

Group Title

SRG-APP-000126-AS-000085

Rule Version

WBSP-AS-000810

Severity

CAT II

CCI(s)

• CCI-001350 - The information system implements cryptographic mechanisms to protect the integrity of audit information.

Weight

10

Fix Recommendation

From the administrative console, click Security >> Security Auditing >> Audit record encryption configuration.

Select the "Enable encryption" checkbox.

Select the keystore that contains the encrypting certificate from the drop-down menu or click "New" to create a new keystore.

If you are using an existing certificate to encrypt your audit records, ensure the Certificate in the keystore is selected and specify the intended certificate in the "Certificate alias" drop-down menu.

If you are generating a new certificate to encrypt your audit records, do NOT use the "Create a new certificate in the selected keystore" option, this will generate a SHA-1 signed certificate, which is not allowed.

Instead, select Security >> SSL Certificate and key management >> KeyStores and Certificates.

Select the keystore that is associated with the server hosting the audit logs.

Select "Personal Certificates".

Select "Create".

Select either a CA-Signed or Chained Certificate based on your requirements.

Fill in the information required to generate the certificate.

Restart the DMGR and all the JVMs.

Check Contents

Review System Security Plan documentation.

If the System Security Plan does not specify the encryption of audit records, this requirement is NA.

From the administrative console, click Security >> Security Auditing >> Audit record encryption configuration.

If the "Enable encryption" check box is not selected, this is a finding.

Vulnerability Number

V-81265

Documentable

False

Rule Version

WBSP-AS-000810

Severity Override Guidance

Review System Security Plan documentation.

If the System Security Plan does not specify the encryption of audit records, this requirement is NA.

From the administrative console, click Security >> Security Auditing >> Audit record encryption configuration.

If the "Enable encryption" check box is not selected, this is a finding.

Check Content Reference

M

Target Key

3399

Comments