STIGQter: STIG Summary:| Checked | Name | Title |
|---|---|---|
| ☐ | SV-239652r679028_rule | The Security Token Service must limit the amount of time that each TCP connection is kept alive. |
| ☐ | SV-239653r679031_rule | The Security Token Service must limit the number of concurrent connections permitted. |
| ☐ | SV-239654r679034_rule | The Security Token Service must limit the maximum size of a POST request. |
| ☐ | SV-239655r679037_rule | The Security Token Service must protect cookies from XSS. |
| ☐ | SV-239656r679251_rule | The Security Token Service must record user access in a format that enables monitoring of remote access. |
| ☐ | SV-239657r679043_rule | The Security Token Service must generate log records during Java startup and shutdown. |
| ☐ | SV-239658r679046_rule | Security Token Service log files must only be modifiable by privileged users. |
| ☐ | SV-239659r679049_rule | The Security Token Service application files must be verified for their integrity. |
| ☐ | SV-239660r679052_rule | The Security Token Service must only run one web app. |
| ☐ | SV-239661r679055_rule | The Security Token Service must not be configured with unused realms. |
| ☐ | SV-239662r679058_rule | The Security Token Service must be configured to limit access to internal packages. |
| ☐ | SV-239663r679061_rule | The Security Token Service must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled. |
| ☐ | SV-239664r679064_rule | The Security Token Service must have mappings set for Java servlet pages. |
| ☐ | SV-239665r679067_rule | The Security Token Service must not have the Web Distributed Authoring (WebDAV) servlet installed. |
| ☐ | SV-239666r679070_rule | The Security Token Service must be configured with memory leak protection. |
| ☐ | SV-239667r679073_rule | The Security Token Service must not have any symbolic links in the web content directory tree. |
| ☐ | SV-239668r679076_rule | The Security Token Service directory tree must have permissions in an "out-of-the-box" state. |
| ☐ | SV-239669r679079_rule | The Security Token Service must fail to a known safe state if system initialization fails, shutdown fails, or aborts fail. |
| ☐ | SV-239670r679082_rule | The Security Token Service must limit the number of allowed connections. |
| ☐ | SV-239671r679085_rule | The Security Token Service must set "URIEncoding" to UTF-8. |
| ☐ | SV-239672r679088_rule | The Security Token Service must use the "setCharacterEncodingFilter" filter. |
| ☐ | SV-239673r679091_rule | The Security Token Service must set the welcome-file node to a default web page. |
| ☐ | SV-239674r679094_rule | The Security Token Service must not show directory listings. |
| ☐ | SV-239675r679097_rule | The Security Token Service must be configured to show error pages with minimal information. |
| ☐ | SV-239676r679100_rule | The Security Token Service must not enable support for TRACE requests. |
| ☐ | SV-239677r679103_rule | The Security Token Service must have the debug option disabled. |
| ☐ | SV-239678r679106_rule | Rsyslog must be configured to monitor and ship Security Token Service log files. |
| ☐ | SV-239679r679109_rule | The Security Token Service must be configured with the appropriate ports. |
| ☐ | SV-239680r679112_rule | The Security Token Service must disable the shutdown port. |
| ☐ | SV-239681r679115_rule | The Security Token Service must set the secure flag for cookies. |