STIGQter: STIG Summary: IBM WebSphere Traditional V9.x Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date: 23 Aug 2018

The WebSphere Application Server memory session settings must be defined according to application load requirements.

DISA Rule

SV-96101r1_rule

Vulnerability Number

V-81387

Group Title

SRG-APP-000435-AS-000163

Rule Version

WBSP-AS-001580

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

From the admin console navigate to Servers >> all servers >> [web application server] >> Session management.

For every [web application server], set the "Maximum in-memory session count", "allow overflow", and "session timeout" values according to your organizational requirements.

Check Contents

Review System Security Plan documentation.

Identify the application load requirements defined by the system owner.

Regular application user session timeout values are defined at the DoD level at 20 minutes.

An ISSO risk acceptance is required to deviate from that value.

If session timeout values are not set to "20" and an ISSO risk acceptance is provided, this is not a finding.

From the admin console, navigate to Servers >> all servers >> [web application server] >> Session management.

For every [web application server], verify the "Maximum in-memory session count" value.

Verify "allow overflow" and "session timeout" are set according to application load requirements.

If they are not set according to application load requirements, this is a finding.
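The check above is a manual console review. The following script is an added example, not part of the STIG or of WebSphere, that applies the same decision logic offline: it parses a constructed, simplified fragment modelled on the session-manager tuningParams element of a traditional WebSphere server.xml (the attribute names maxInMemorySessionCount, allowOverflow and invalidationTimeout, the wrapping server elements, the load-requirement table and the risk-acceptance set are all assumptions for illustration) and reports a finding wherever a server's settings disagree with the documented load requirement, or the timeout deviates from the 20-minute DoD value without an ISSO risk acceptance.

```python
"""Offline evaluation of WBSP-AS-001580 session-management settings.

Added example, not STIG or WebSphere code. The XML layout below is a
constructed simplification of the tuningParams element found in a
traditional WebSphere server.xml; confirm attribute names against your own
configuration export before relying on it.
"""
import xml.etree.ElementTree as ET

# Session timeout mandated at the DoD level by the check text (minutes).
DOD_SESSION_TIMEOUT_MINUTES = 20

# Constructed sample: server1 matches its load requirement; server2 allows
# overflow and uses a 30-minute timeout.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<servers>
  <server name="server1">
    <tuningParams maxInMemorySessionCount="1000" allowOverflow="false"
                  invalidationTimeout="20"/>
  </server>
  <server name="server2">
    <tuningParams maxInMemorySessionCount="5000" allowOverflow="true"
                  invalidationTimeout="30"/>
  </server>
</servers>
"""

# Hypothetical load requirements as documented in the System Security Plan.
SAMPLE_LOAD_REQUIREMENTS = {
    "server1": {"max_sessions": 1000, "allow_overflow": False},
    "server2": {"max_sessions": 5000, "allow_overflow": False},
}


def parse_session_settings(xml_text):
    """Return {server_name: {max_sessions, allow_overflow, timeout}}."""
    root = ET.fromstring(xml_text)
    settings = {}
    for server in root.iter("server"):
        tp = server.find("tuningParams")
        if tp is None:
            continue  # no session tuning block: nothing to evaluate here
        settings[server.get("name")] = {
            "max_sessions": int(tp.get("maxInMemorySessionCount")),
            "allow_overflow": tp.get("allowOverflow", "false").lower() == "true",
            "timeout": int(tp.get("invalidationTimeout")),
        }
    return settings


def evaluate(settings, load_requirements, risk_acceptances=frozenset()):
    """Apply the check logic; return a list of (server, finding_code) tuples.

    risk_acceptances: names of servers with an ISSO risk acceptance on file
    for a non-20-minute session timeout.
    """
    findings = []
    for name, s in settings.items():
        req = load_requirements.get(name)
        if req is None:
            # The check cannot be performed without documented requirements.
            findings.append((name, "NO_REQUIREMENT"))
            continue
        if s["max_sessions"] != req["max_sessions"]:
            findings.append((name, "MAX_SESSIONS"))
        if s["allow_overflow"] != req["allow_overflow"]:
            findings.append((name, "ALLOW_OVERFLOW"))
        if (s["timeout"] != DOD_SESSION_TIMEOUT_MINUTES
                and name not in risk_acceptances):
            findings.append((name, "TIMEOUT"))
    return findings


if __name__ == "__main__":
    parsed = parse_session_settings(SAMPLE_SERVER_XML)
    for server, code in evaluate(parsed, SAMPLE_LOAD_REQUIREMENTS):
        print(f"FINDING {server}: {code}")
```

Run against an export of the real configuration, the loop reports one finding per mismatched setting and per server, so a single risk-accepted timeout does not mask an overflow setting that still contradicts the documented requirement.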

Documentable

False

Check Content Reference

M

Target Key

3399
