Check: SRG-APP-000225-AS-000166
Application Server SRG:
SRG-APP-000225-AS-000166
(in versions v4 r2 through v2 r2)
Title
The application server must fail to a secure state if system initialization fails, shutdown fails, or aborts fail. (Cat II impact)
Discussion
Fail-secure is a condition achieved by the application server in order to ensure that in the event of an operational failure, the system does not enter into an unsecure state where intended security properties no longer hold. Preserving information system state information also facilitates system restart and return to the operational mode of the organization with less disruption of mission-essential processes.
Check Content
Review application server documentation and configuration to determine if the application server fails to a secure state if system initialization fails, shutdown fails, or aborts fail. If the application server cannot be configured to fail securely, this is a finding.
Fix Text
Configure the application server to fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
Additional Identifiers
Rule ID: SV-204769r961122_rule
Vulnerability ID: V-204769
Group Title: SRG-APP-000225
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001190 |
Fail to an organization-defined known-system state for the list of organization-defined types of system failures on organization-defined system components on the indicated components while preserving organization-defined system state information in failure. |
Controls
| Number | Title |
|---|---|
| SC-24 |
Fail in Known State |