Checked | Name | Title |
---|---|---|
☐ | SV-235928r628562_rule | Oracle WebLogic must utilize cryptography to protect the confidentiality of remote access management sessions. |
☐ | SV-235929r628565_rule | Oracle WebLogic must use cryptography to protect the integrity of the remote access session. |
☐ | SV-235930r628568_rule | Oracle WebLogic must employ automated mechanisms to facilitate the monitoring and control of remote access methods. |
☐ | SV-235931r628571_rule | Oracle WebLogic must ensure remote sessions for accessing security functions and security-relevant information are audited. |
☐ | SV-235932r672375_rule | Oracle WebLogic must support the capability to disable network protocols deemed by the organization to be non-secure except for explicitly identified components in support of specific operational requirements. |
☐ | SV-235933r628577_rule | Oracle WebLogic must automatically audit account creation. |
☐ | SV-235934r628580_rule | Oracle WebLogic must automatically audit account modification. |
☐ | SV-235935r628583_rule | Oracle WebLogic must provide access logging that ensures users who are granted a privileged role (or roles) have their privileged activity logged. |
☐ | SV-235936r628586_rule | Oracle WebLogic must limit the number of failed login attempts to an organization-defined number of consecutive invalid attempts that occur within an organization-defined time period. |
☐ | SV-235937r628589_rule | Oracle WebLogic must enforce the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted. |
☐ | SV-235938r628592_rule | Oracle WebLogic must automatically lock accounts when the maximum number of unsuccessful login attempts is exceeded for an organization-defined time period or until the account is unlocked by an administrator. |
☐ | SV-235939r628595_rule | Oracle WebLogic must protect against an individual falsely denying having performed a particular action. |
☐ | SV-235940r628598_rule | Oracle WebLogic must compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within an organization-defined level of tolerance. |
☐ | SV-235941r628601_rule | Oracle WebLogic must generate audit records for the DoD-selected list of auditable events. |
☐ | SV-235942r628604_rule | Oracle WebLogic must produce process events and severity levels to establish what type of HTTPD-related events and severity levels occurred. |
☐ | SV-235943r628607_rule | Oracle WebLogic must produce audit records containing sufficient information to establish what type of JVM-related events and severity levels occurred. |
☐ | SV-235944r628610_rule | Oracle WebLogic must produce process events and security levels to establish what type of Oracle WebLogic process events and severity levels occurred. |
☐ | SV-235945r628613_rule | Oracle WebLogic must produce audit records containing sufficient information to establish when (date and time) the events occurred. |
☐ | SV-235946r628616_rule | Oracle WebLogic must produce audit records containing sufficient information to establish where the events occurred. |
☐ | SV-235947r628619_rule | Oracle WebLogic must produce audit records containing sufficient information to establish the sources of the events. |
☐ | SV-235948r628622_rule | Oracle WebLogic must produce audit records that contain sufficient information to establish the outcome (success or failure) of application server and application events. |
☐ | SV-235949r628625_rule | Oracle WebLogic must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event. |
☐ | SV-235950r628628_rule | Oracle WebLogic must provide the ability to write specified audit record content to an audit log server. |
☐ | SV-235951r628631_rule | Oracle WebLogic must provide a real-time alert when organization-defined audit failure events occur. |
☐ | SV-235952r628634_rule | Oracle WebLogic must alert designated individual organizational officials in the event of an audit processing failure. |
☐ | SV-235953r628637_rule | Oracle WebLogic must notify administrative personnel as a group in the event of audit processing failure. |
☐ | SV-235954r628640_rule | Oracle WebLogic must use internal system clocks to generate time stamps for audit records. |
☐ | SV-235955r628643_rule | Oracle WebLogic must synchronize with internal information system clocks which, in turn, are synchronized on an organization-defined frequency with an organization-defined authoritative time source. |
☐ | SV-235956r628646_rule | Oracle WebLogic must protect audit information from any type of unauthorized read access. |
☐ | SV-235957r628649_rule | Oracle WebLogic must protect audit tools from unauthorized access. |
☐ | SV-235958r628652_rule | Oracle WebLogic must protect audit tools from unauthorized modification. |
☐ | SV-235959r628655_rule | Oracle WebLogic must protect audit tools from unauthorized deletion. |
☐ | SV-235960r628658_rule | Oracle WebLogic must limit privileges to change the software resident within software libraries (including privileged programs). |
☐ | SV-235961r628661_rule | Oracle WebLogic must adhere to the principles of least functionality by providing only essential capabilities. |
☐ | SV-235962r672376_rule | Oracle WebLogic must prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services. |
☐ | SV-235963r628667_rule | Oracle WebLogic must utilize automated mechanisms to prevent program execution on the information system. |
☐ | SV-235964r628670_rule | Oracle WebLogic must uniquely identify and authenticate users (or processes acting on behalf of users). |
☐ | SV-235965r628673_rule | Oracle WebLogic must authenticate users individually prior to using a group authenticator. |
☐ | SV-235966r628676_rule | Oracle WebLogic must enforce minimum password length. |
☐ | SV-235967r628679_rule | Oracle WebLogic must enforce password complexity by the number of upper-case characters used. |
☐ | SV-235968r628682_rule | Oracle WebLogic must enforce password complexity by the number of lower-case characters used. |
☐ | SV-235969r628685_rule | Oracle WebLogic must enforce password complexity by the number of numeric characters used. |
☐ | SV-235970r628688_rule | Oracle WebLogic must enforce password complexity by the number of special characters used. |
☐ | SV-235971r628691_rule | Oracle WebLogic must encrypt passwords during transmission. |
☐ | SV-235972r628694_rule | Oracle WebLogic must utilize encryption when using LDAP for authentication. |
☐ | SV-235973r628697_rule | Oracle WebLogic, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor. |
☐ | SV-235974r628700_rule | Oracle WebLogic must map the PKI-based authentication identity to the user account. |
☐ | SV-235975r628703_rule | Oracle WebLogic must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data. |
☐ | SV-235976r628706_rule | Oracle WebLogic must utilize FIPS 140-2 approved encryption modules when authenticating users and processes. |
☐ | SV-235977r628709_rule | Oracle WebLogic must employ cryptographic encryption to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications. |
☐ | SV-235978r628712_rule | Oracle WebLogic must employ strong identification and authentication techniques when establishing nonlocal maintenance and diagnostic sessions. |
☐ | SV-235979r628715_rule | Oracle WebLogic must terminate the network connection associated with a communications session at the end of the session or after a DoD-defined time period of inactivity. |
☐ | SV-235980r628718_rule | Oracle WebLogic must establish a trusted communications path between the user and organization-defined security functions within the information system. |
☐ | SV-235981r628721_rule | Oracle WebLogic must utilize NSA-approved cryptography when protecting classified compartmentalized data. |
☐ | SV-235982r628724_rule | Oracle WebLogic must protect the integrity and availability of publicly available information and applications. |
☐ | SV-235983r628727_rule | Oracle WebLogic must separate hosted application functionality from Oracle WebLogic management functionality. |
☐ | SV-235984r628730_rule | Oracle WebLogic must ensure authentication of both client and server during the entire session. |
☐ | SV-235985r628733_rule | Oracle WebLogic must terminate user sessions upon user logout or any other organization- or policy-defined session termination events such as idle time limit exceeded. |
☐ | SV-235986r628736_rule | Oracle WebLogic must be configured to perform complete application deployments. |
☐ | SV-235987r628739_rule | Oracle WebLogic must protect the confidentiality of applications and leverage transmission protection mechanisms, such as TLS and SSL VPN, when deploying applications. |
☐ | SV-235988r628742_rule | Oracle WebLogic must protect the integrity of applications during the processes of data aggregation, packaging, and transformation in preparation for deployment. |
☐ | SV-235989r628745_rule | Oracle WebLogic must protect against or limit the effects of HTTP types of Denial of Service (DoS) attacks. |
☐ | SV-235990r628748_rule | Oracle WebLogic must limit the use of resources by priority and not impede the host from servicing processes designated as a higher-priority. |
☐ | SV-235991r628751_rule | Oracle WebLogic must fail securely in the event of an operational failure. |
☐ | SV-235992r628754_rule | Oracle WebLogic must employ approved cryptographic mechanisms when transmitting sensitive data. |
☐ | SV-235993r628757_rule | Oracle WebLogic must identify potentially security-relevant error conditions. |
☐ | SV-235994r628760_rule | Oracle WebLogic must only generate error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages. |
☐ | SV-235995r628763_rule | Oracle WebLogic must restrict error messages so only authorized personnel may view them. |
☐ | SV-235996r628766_rule | Oracle WebLogic must provide system notifications to a list of response personnel who are identified by name and/or role. |
☐ | SV-235997r628769_rule | Oracle WebLogic must be integrated with a tool to monitor audit subsystem failure notification information that is sent out (e.g., the recipients of the message and the nature of the failure). |
☐ | SV-235998r628772_rule | Oracle WebLogic must be managed through a centralized enterprise tool. |
☐ | SV-235999r628775_rule | Oracle WebLogic must be integrated with a tool to implement multi-factor user authentication. |