Checked | Name | Title |
---|---|---|
☐ | SV-95907r1_rule | The WebSphere Application Server maximum in-memory session count must be set according to application requirements. |
☐ | SV-95909r1_rule | The WebSphere Application Server admin console session timeout must be configured. |
☐ | SV-95911r1_rule | The WebSphere Application Server automatic repository checkpoints must be enabled to track configuration changes. |
☐ | SV-95913r1_rule | The WebSphere Application Server administrative security must be enabled. |
☐ | SV-95915r1_rule | The WebSphere Application Server bus security must be enabled. |
☐ | SV-95917r1_rule | The WebSphere Application Server security auditing must be enabled. |
☐ | SV-95919r1_rule | The WebSphere Application Server groups in the user registry mapped to WebSphere auditor roles must be configured in accordance with the security plan. |
☐ | SV-95921r1_rule | The WebSphere Application Server users in the WebSphere auditor role must be configured in accordance with the System Security Plan. |
☐ | SV-95923r1_rule | The WebSphere Application Server audit event type filters must be configured. |
☐ | SV-95925r1_rule | The WebSphere Application Server audit service provider must be enabled. |
☐ | SV-95927r1_rule | The WebSphere Application Server users in a local user registry group must be authorized for that group. |
☐ | SV-95929r1_rule | The WebSphere Application Server Quality of Protection (QoP) must be set to use TLSv1.2 or higher. |
☐ | SV-95931r1_rule | The WebSphere Application Server global application security must be enabled. |
☐ | SV-95933r1_rule | The WebSphere Application Server Single Sign On (SSO) must have SSL enabled for Web and SIP Security. |
☐ | SV-95935r1_rule | The WebSphere Application Server security cookies must be set to HTTPOnly. |
☐ | SV-95937r1_rule | The WebSphere Application Server Java 2 security must be enabled. |
☐ | SV-95939r1_rule | The WebSphere Application Server Java 2 security must not be bypassed. |
☐ | SV-95941r1_rule | The WebSphere Application Server users in the admin role must be authorized. |
☐ | SV-95943r1_rule | The WebSphere Application Server LDAP groups must be authorized for the WebSphere role. |
☐ | SV-95945r1_rule | The WebSphere Application Server users in a LDAP user registry group must be authorized for that group. |
☐ | SV-95947r1_rule | The WebSphere Application Server management interface must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. |
☐ | SV-95949r1_rule | The WebSphere Application Server management interface must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. |
☐ | SV-95951r1_rule | The WebSphere Application Server must generate log records when successful/unsuccessful attempts to access subject privileges occur. |
☐ | SV-95953r1_rule | The WebSphere Application Server must allocate JVM log record storage capacity in accordance with organization-defined log record storage requirements. |
☐ | SV-95955r1_rule | The WebSphere Application Server must allocate audit log record storage capacity in accordance with organization-defined log record storage requirements. |
☐ | SV-95957r1_rule | The WebSphere Application Server must provide an immediate real-time alert to authorized users of all log failure events requiring real-time alerts. |
☐ | SV-95959r1_rule | The WebSphere Application Server must alert the SA and ISSO, at a minimum, in the event of a log processing failure. |
☐ | SV-95961r1_rule | The WebSphere Application Server audit subsystem failure action must be set to Log warning. |
☐ | SV-95963r1_rule | The WebSphere Application Server must shut down by default upon log failure (unless availability is an overriding concern). |
☐ | SV-95965r1_rule | The WebSphere Application Server high availability applications must be configured to fail over to another system in the event of log subsystem failure. |
☐ | SV-95967r1_rule | The WebSphere Application Server must be configured to protect log information from any type of unauthorized read access. |
☐ | SV-95969r1_rule | The WebSphere Application Server must protect log information from unauthorized modification. |
☐ | SV-95971r1_rule | The WebSphere Application Server must protect log information from unauthorized deletion. |
☐ | SV-95973r1_rule | The WebSphere Application Server wsadmin file must be protected from unauthorized access. |
☐ | SV-95975r1_rule | The WebSphere Application Server wsadmin file must be protected from unauthorized modification. |
☐ | SV-95977r1_rule | The WebSphere Application Server wsadmin file must be protected from unauthorized deletion. |
☐ | SV-95979r1_rule | The WebSphere Application Server must be configured to encrypt log information. |
☐ | SV-95981r1_rule | The WebSphere Application Server must be configured to sign log information. |
☐ | SV-95983r1_rule | The WebSphere Application Server process must not be started from the command line with the -password option. |
☐ | SV-95985r1_rule | The WebSphere Application Server files must be owned by the non-root WebSphere user ID. |
☐ | SV-95987r1_rule | The WebSphere Application Server sample applications must be removed. |
☐ | SV-95989r1_rule | The WebSphere Application Server must remove JREs left by web server and plug-in installers for web servers and plugins running in the DMZ. |
☐ | SV-95991r1_rule | The WebSphere Application Server must be run as a non-admin user. |
☐ | SV-95993r1_rule | The WebSphere Application Server must disable JSP class reloading. |
☐ | SV-96007r1_rule | The WebSphere Application Server must prohibit or restrict the use of nonsecure ports, protocols, modules, and/or services as defined in the PPSM CAL and vulnerability assessments. |
☐ | SV-96013r1_rule | The WebSphere Application Server LDAP user registry must be used. |
☐ | SV-96019r1_rule | The WebSphere Application Server local file-based user registry must not be used. |
☐ | SV-96025r1_rule | The WebSphere Application Server multifactor authentication for network access to privileged accounts must be used. |
☐ | SV-96039r1_rule | The WebSphere Application Server must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data. |
☐ | SV-96043r1_rule | The WebSphere Application Server must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data. |
☐ | SV-96047r1_rule | The WebSphere Application Server must authenticate all network-connected endpoint devices before establishing any connection. |
☐ | SV-96055r1_rule | The WebSphere Application Server must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. |
☐ | SV-96057r1_rule | The WebSphere Application Server application security must be enabled for each security domain except for publicly available applications specified in the System Security Plan. |
☐ | SV-96061r1_rule | The WebSphere Application Server secure LDAP (LDAPS) must be used for authentication. |
☐ | SV-96065r1_rule | The WebSphere Application Server must prohibit the use of cached authenticators after an organization-defined time period. |
☐ | SV-96071r1_rule | The WebSphere Application Server default keystore passwords must be changed. |
☐ | SV-96075r1_rule | The WebSphere Application Server must use signer for DoD-issued certificates. |
☐ | SV-96079r1_rule | The WebSphere Application Server must utilize FIPS 140-2-approved encryption modules when authenticating users and processes. |
☐ | SV-96081r1_rule | The WebSphere Application Server must accept Personal Identity Verification (PIV) credentials from other federal agencies to access the management interface. |
☐ | SV-96083r1_rule | The WebSphere Application Server must use DoD-approved Signer Certificates. |
☐ | SV-96085r1_rule | The WebSphere Application Servers must not be in the DMZ. |
☐ | SV-96087r1_rule | The WebSphere Application Server DoD root CAs must be in the trust store. |
☐ | SV-96089r1_rule | The WebSphere Application Server personal certificates in all keystores must be issued by an approved DoD CA. |
☐ | SV-96091r1_rule | The WebSphere Application Server must be configured to perform complete application deployments when using A/B clusters. |
☐ | SV-96093r1_rule | The WebSphere Application servers with an RMF categorization of high must be in a high-availability (HA) cluster. |
☐ | SV-96095r1_rule | The WebSphere Application Server must not generate LTPA keys automatically. |
☐ | SV-96097r1_rule | The WebSphere Application Server must periodically regenerate LTPA keys. |
☐ | SV-96099r1_rule | The WebSphere Application Server high availability applications must be installed on a cluster. |
☐ | SV-96101r1_rule | The WebSphere Application Server memory session settings must be defined according to application load requirements. |
☐ | SV-96103r1_rule | The WebSphere Application Server thread pool size must be defined according to application load requirements. |
☐ | SV-96105r1_rule | The WebSphere Application Server must remove all export ciphers to protect the confidentiality and integrity of transmitted information. |
☐ | SV-96107r1_rule | The WebSphere Application Server distribution and consistency services (DCS) transport links must be encrypted. |
☐ | SV-96109r1_rule | The WebSphere Application Server plugin must be configured to use HTTPS only. |
☐ | SV-96111r1_rule | The WebSphere Application Server must remove organization-defined software components after updated versions have been installed. |
☐ | SV-96113r1_rule | The WebSphere Application Server must apply the latest security fixes. |
☐ | SV-96115r1_rule | The WebSphere Application Server must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVMs, CTOs, DTMs, and STIGs). |