IBM WebSphere Liberty Server STIG Version Comparison
IBM WebSphere Liberty Server Security Technical Implementation Guide
Comparison
There are 3 differences between versions v1 r2 (Oct. 27, 2022) (the "left" version) and v2 r2 (April 2, 2025) (the "right" version).
Check IBMW-LS-000040 was changed between these two versions. Green, underlined text was added; red, struck-out text was removed.
Text Differences
Title
The WebSphere Liberty Server must log remote session and security activity.
Check Content
Review the ${server.config.dir}/server.xml file and ensure audit-1.0 and appSecurity-2.0 are defined within the <featureManager> setting in the server.xml file. If audit-1.0 and appSecurity-2.0 are not defined within the <featureManager> setting in the server.xml file, this is a finding.
EXAMPLE (left version, removed):
<featureManager>
  <feature>audit-1.0</feature>
  <feature>appSecurity-3.0</feature>
  <feature>servlet-3.1</feature>
  <feature>ejbLite-3.1</feature>
</featureManager>
EXAMPLE (right version, added):
<featureManager>
  <feature>audit-1.0</feature>
  <feature>appSecurity-3.0</feature>
</featureManager>
Discussion
Security auditing must be configured in order to log remote session activity. Security auditing will not be performed unless the audit feature (audit-1.0) has been enabled. The security feature (appSecurity-2.0) must be enabled for the security auditing to capture security transactions. The servlet (servlet-3.1) feature must be enabled to generate web-based security events. The ejb (ejbLite-3.1) feature must be enabled to generate ejb-based security events. Remote session activity will then be logged, regardless of the user attempting that activity.
Satisfies: SRG-APP-000016-AS-000013, SRG-APP-000080-AS-000045, SRG-APP-000089-AS-000050, SRG-APP-000091-AS-000052, SRG-APP-000095-AS-000056, SRG-APP-000096-AS-000059, SRG-APP-000097-AS-000060, SRG-APP-000098-AS-000061, SRG-APP-000099-AS-000062, SRG-APP-000100-AS-000063, SRG-APP-000101-AS-000072, SRG-APP-000266-AS-000168, SRG-APP-000343-AS-000030, SRG-APP-000172-AS-000121
Fix
To log remote access events, the featureManager setting in the ${server.config.dir}/server.xml must contain the audit and appSecurity features (the left version read "the audit, appSecurity, and ejbLite features").
<featureManager>
  <feature>audit-1.0</feature>
  <feature>appSecurity-2.0</feature>
</featureManager>
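One way to automate this check against a server.xml, as an added example that is not part of the STIG or any IBM tooling. The function names, the `strict` switch and the sample documents are assumptions made for illustration; the check text names appSecurity-2.0 while its EXAMPLE shows appSecurity-3.0, so the example reports both readings.

```python
import re
import xml.etree.ElementTree as ET

# Feature names taken from the check text; everything else here is hypothetical.
AUDIT = "audit-1.0"
APPSEC_EXACT = "appSecurity-2.0"
APPSEC_ANY = re.compile(r"^appSecurity-\d+\.\d+$")

def enabled_features(server_xml):
    """Return the feature names listed under every <featureManager> element."""
    root = ET.fromstring(server_xml)  # server.xml is local, admin-owned config
    names = set()
    for fm in root.iter("featureManager"):
        for feat in fm.findall("feature"):
            if feat.text and feat.text.strip():
                names.add(feat.text.strip())
    return names

def check_ibmw_ls_000040(server_xml, strict=True):
    """Return a list of findings; an empty list means the check passes.

    strict=True  -> require appSecurity-2.0 exactly, as the check text reads.
    strict=False -> accept any appSecurity-N.N (assumption based on the
                    page's EXAMPLE, which lists appSecurity-3.0).
    """
    feats = enabled_features(server_xml)
    findings = []
    if AUDIT not in feats:
        findings.append("audit-1.0 is not defined in <featureManager>")
    appsec = sorted(f for f in feats if APPSEC_ANY.match(f))
    if strict and APPSEC_EXACT not in feats:
        seen = ", ".join(appsec) if appsec else "no appSecurity feature"
        findings.append("appSecurity-2.0 is not defined (found: %s)" % seen)
    elif not strict and not appsec:
        findings.append("no appSecurity feature is defined")
    return findings

# Constructed samples: the page's XML fragments wrapped in a <server> root.
FIX_SAMPLE = ("<server><featureManager><feature>audit-1.0</feature>"
              "<feature>appSecurity-2.0</feature></featureManager></server>")
CHECK_EXAMPLE = ("<server><featureManager><feature>audit-1.0</feature>"
                 "<feature>appSecurity-3.0</feature></featureManager></server>")
NO_AUDIT = ("<server><featureManager>"
            "<feature>appSecurity-2.0</feature></featureManager></server>")

if __name__ == "__main__":
    for name in ("FIX_SAMPLE", "CHECK_EXAMPLE", "NO_AUDIT"):
        print(name, check_ibmw_ls_000040(globals()[name]))
```

The script reads only the document it is given; features enabled through included files or configuration drop-ins are outside what it inspects.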