├── README.md
├── convert
│   ├── NIST800.csv
│   ├── NIST800.ods
│   └── README.md
├── example
│   ├── Application
│   │   ├── Application_Security_and_Development.csv
│   │   └── Application_Security_and_Development.xml
│   ├── README.md
│   ├── RHEL6
│   │   ├── RHEL6.xml
│   │   ├── joined.csv
│   │   └── tmp.csv
│   └── RHEL7
│       └── RHEL7.xml
└── xccdf-xml2csv.py
/README.md:
--------------------------------------------------------------------------------
1 | # XCCDF to CSV
2 | Converts the XCCDF format (used by [DISA STIGs](http://iase.disa.mil/stigs/cci/Pages/index.aspx) and [OpenSCAP](https://github.com/openscap)) to a Comma Separated Value (CSV) table.
3 |
4 | ## Usage
5 | XCCDF-xml2csv converts XCCDF XML documents into easier-to-use Comma Separated Values (spreadsheet) files.
6 |
7 | Output files should open easily in Libreoffice or Excel.
8 |
9 | ```
10 | git clone https://github.com/opencontrol/xccdf2csv
11 | cd xccdf2csv
12 | python xccdf-xml2csv.py example/RHEL6/RHEL6.xml > tmp.csv
13 | ```
14 |
15 | To join/convert DISA CCIs to NIST 800-53 controls, use [csvkit](http://csvkit.readthedocs.io/en/latest/install.html), specifically [csvjoin](http://csvkit.readthedocs.io/en/0.9.1/tutorial/3_power_tools.html#csvjoin-merging-related-data):
16 |
17 | ```
18 | csvjoin -c CCI tmp.csv convert/NIST800.csv > joined.csv
19 | ```
20 |
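The two-step procedure above, extracting rows from the XCCDF Benchmark/Group/Rule tree and then joining each row's CCI onto the NIST 800-53 mapping, as an added Python example. This is not the project's `xccdf-xml2csv.py` and does not claim to reproduce its exact logic. It assumes the eight column names shown in `example/Application/Application_Security_and_Development.csv`, that the STIG ID is the Group id with its `V-` prefix removed, and a constructed mapping table whose second column name (`Control`) is an assumption, since `convert/NIST800.csv` itself is not shown here. The XCCDF benchmark embedded below is constructed with placeholder ids.

```python
import csv
import io
import xml.etree.ElementTree as ET

# The eight columns the repository's example CSVs carry, in this order.
COLUMNS = ["STIG ID", "Version", "Rule Title", "Title",
           "Severity", "Check Text", "Fix Text", "CCI"]
# Identifier system DISA uses for CCI references inside <ident>.
CCI_SYSTEM = "http://iase.disa.mil/cci"

# Constructed XCCDF 1.1 benchmark in the Group/Rule layout DISA SRGs use.
# Every id below is a placeholder, not a real STIG, rule or check identifier.
SAMPLE_XCCDF = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="EXAMPLE_BENCHMARK">
  <Group id="V-00001">
    <title>SRG-APP-000001-EX-000001</title>
    <Rule id="SV-00001r1_rule" severity="medium">
      <version>SRG-APP-000001-EX-000001</version>
      <title>The application server must limit concurrent sessions.</title>
      <ident system="http://iase.disa.mil/cci">CCI-000054</ident>
      <fixtext>Configure the server to limit concurrent sessions.</fixtext>
      <check system="C-00001r1_chk"><check-content>Review the configuration.
If no limit is set, this is a finding.</check-content></check>
    </Rule>
  </Group>
  <Group id="V-00002">
    <title>SRG-APP-000099-EX-000002</title>
    <Rule id="SV-00002r1_rule" severity="high">
      <version>SRG-APP-000099-EX-000002</version>
      <title>Log records must establish the outcome of events.</title>
      <ident system="http://iase.disa.mil/cci">CCI-000134</ident>
      <ident system="http://iase.disa.mil/cci">CCI-000172</ident>
      <fixtext>Configure logging to record the event outcome.</fixtext>
      <check system="C-00002r1_chk"><check-content>Review the logs for an outcome of "success" or "failure".</check-content></check>
    </Rule>
  </Group>
</Benchmark>
"""

# Constructed stand-in for convert/NIST800.csv. Only the CCI column name is
# known from the README's csvjoin command; "Control" is an assumed name.
SAMPLE_NIST800_CSV = """CCI,Control
CCI-000054,AC-10
CCI-000134,AU-3
"""


def _text(elem, path):
    child = elem.find(path)
    return (child.text or "").strip() if child is not None else ""


def xccdf_to_rows(xml_text):
    """Flatten Benchmark/Group/Rule into dicts, one per (Rule, CCI) pair.
    A rule with several CCI idents yields several rows so a later join on
    CCI sees each of them; a rule with none yields one row with CCI ""."""
    root = ET.fromstring(xml_text)
    # Take the namespace from the root tag so XCCDF 1.1 and 1.2 both parse.
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    q = (lambda tag: f"{{{ns}}}{tag}") if ns else (lambda tag: tag)
    rows = []
    for group in root.iter(q("Group")):
        gid = group.get("id", "")
        # Assumed convention: STIG ID is the Group id without its "V-" prefix.
        stig_id = gid[2:] if gid.startswith("V-") else gid
        for rule in group.findall(q("Rule")):
            ccis = [i.text.strip() for i in rule.findall(q("ident"))
                    if i.get("system") == CCI_SYSTEM and i.text] or [""]
            for cci in ccis:
                rows.append({
                    "STIG ID": stig_id,
                    "Version": _text(rule, q("version")),
                    "Rule Title": _text(rule, q("title")),
                    "Title": _text(group, q("title")),
                    "Severity": rule.get("severity", ""),
                    "Check Text": _text(rule, q("check") + "/" + q("check-content")),
                    "Fix Text": _text(rule, q("fixtext")),
                    "CCI": cci,
                })
    return rows


def rows_to_csv(rows, columns=None):
    """Serialise rows as CSV. The csv module quotes embedded newlines, commas
    and quotes, so multi-line check text stays a single record."""
    columns = columns or (list(rows[0]) if rows else COLUMNS)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def join_on_cci(rows, mapping_csv_text, key="CCI"):
    """Inner join on CCI, which is what `csvjoin -c CCI` does by default:
    rows whose CCI has no mapping are dropped, so compare the row counts
    before and after the join to spot CCIs missing from the mapping."""
    mapping = {m[key]: m for m in parse_csv(mapping_csv_text)}
    joined = []
    for row in rows:
        match = mapping.get(row[key])
        if match is not None:
            merged = dict(row)
            merged.update({k: v for k, v in match.items() if k != key})
            joined.append(merged)
    return joined


if __name__ == "__main__":
    extracted = xccdf_to_rows(SAMPLE_XCCDF)
    print(rows_to_csv(join_on_cci(extracted, SAMPLE_NIST800_CSV)), end="")
```

Two points worth carrying over to real data: the multi-line check text in the first rule round-trips as one CSV record, which is the same quoting that makes long banner text in the example CSVs span several physical lines, and the second rule's `CCI-000172` has no entry in the mapping, so it is silently dropped by the inner join exactly as `csvjoin` would drop it.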
21 | ## License
22 | XCCDF2TSV by Adam Crosby is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
23 |
24 | ### Other Information
25 |
26 | In no way are the patent or trademark rights of any person affected by CC0,
27 | nor are the rights that other persons may have in the work or in how the
28 | work is used, such as publicity or privacy rights.
29 |
30 | Unless expressly stated otherwise, the person who associated a work with
31 | this deed makes no warranties about the work, and disclaims liability for
32 | all uses of the work, to the fullest extent permitted by applicable law.
33 | When using or citing the work, you should not imply endorsement by the
34 | author or the affirmer.
35 |
--------------------------------------------------------------------------------
/convert/NIST800.ods:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/opencontrol/xccdf2csv/1f0ec43d796bb82d588569e24603ff448b9e5340/convert/NIST800.ods
--------------------------------------------------------------------------------
/convert/README.md:
--------------------------------------------------------------------------------
1 | ## DISA-STIG CCI to NIST 800-53 Controls
2 | NIST800.csv
3 | NIST800.ods
4 |
--------------------------------------------------------------------------------
/example/Application/Application_Security_and_Development.csv:
--------------------------------------------------------------------------------
1 | STIG ID,Version,Rule Title,Title,Severity,Check Text,Fix Text,CCI
2 | 35070,SRG-APP-000001-AS-000001,The application server must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.,SRG-APP-000001-AS-000001,medium,"Review the application server product documentation and configuration to determine if the number of concurrent sessions can be limited to the organization-defined number of sessions for all accounts and/or account types.If a feature to limit the number of concurrent sessions is not available, is not set, or is set to unlimited, this is a finding.",Configure the application server to limit the number of concurrent sessions for all accounts and/or account types to the organization-defined number.,CCI-000054
3 | 35089,SRG-APP-000014-AS-000009,The application server must use encryption strength in accordance with the categorization of the management data during remote access management sessions.,SRG-APP-000014-AS-000009,medium,"Check the application server configuration to ensure all management interfaces use encryption in accordance with the management data.If the application server is not configured to encrypt remote access management sessions in accordance with the categorization of the management data, this is a finding.",Configure the application server to use encryption strength in accordance with the categorization of the management data during remote access management sessions.,CCI-000068
4 | 35090,SRG-APP-000015-AS-000010,The application server must implement cryptography mechanisms to protect the integrity of the remote access session.,SRG-APP-000015-AS-000010,medium,"Review the application server documentation and configuration to ensure the application server is configured to use cryptography to protect the integrity of remote access sessions.If the application server is not configured to implement cryptography mechanisms to protect the integrity of remote access sessions, this is a finding.",Configure the application server to implement cryptography mechanisms to protect the integrity of the remote access session.,CCI-001453
5 | 35096,SRG-APP-000068-AS-000035,The application server management interface must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.,SRG-APP-000068-AS-000035,medium,"Review the application server management interface configuration to verify the application server is configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access.The banner must read:""You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.By using this IS (which includes any device attached to this IS), you consent to the following conditions:-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.-At any time, the USG may inspect and seize data stored on this IS.-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.""If the application server management interface does not display the banner or displays an unapproved banner, this is a finding.","Configure the application server management interface so it displays the Standard Mandatory DoD Notice and Consent Banner prior to allowing access.The banner must read:""You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.By using this IS (which includes any device attached to this IS), you consent to the following conditions:-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.-At any time, the USG may inspect and seize data stored on this IS.-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.""",CCI-000048
6 | 35098,SRG-APP-000069-AS-000036,The application server management interface must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.,SRG-APP-000069-AS-000036,medium,"Review application server management interface product documentation and configuration to determine that the logon banner can be displayed until the user takes action to acknowledge the agreement.If the banner screen allows continuation to the application server without user interaction, this is a finding.",Configure the application server management interface to retain the logon banner on the screen until the user takes explicit action to logon to the server.,CCI-000050
7 | 35135,SRG-APP-000080-AS-000045,The application server must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.,SRG-APP-000080-AS-000045,medium,"Review application server product documentation and server configuration to determine if the system does protect against an individual's (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.If the application does not meet this requirement, this is a finding.",Configure the application server to protect against an individual's (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.,CCI-000166
8 | 35139,SRG-APP-000086-AS-000048,"For application servers providing log record aggregation, the application server must compile log records from organization-defined information system components into a system-wide log trail that is time-correlated with an organization-defined level of tolerance for the relationship between time stamps of individual records in the log trail.",SRG-APP-000086-AS-000048,medium,"Review the application server log feature configuration to determine if the application server or an external logging tool in conjunction with the application server does compile log records from multiple components within the server into a system-wide log trail that is time-correlated with an organization-defined level of tolerance for the relationship between time stamps of individual records in the log trail.If the application server does not meet this requirement, this is a finding.",Configure the application server or an external logging tool supporting the application server to compile log records from multiple components within the server into a system-wide log trail that is time-correlated with an organization-defined level of tolerance for the relationship between time stamps of individual records in the log trail.,CCI-000174
9 | 35141,SRG-APP-000089-AS-000050,The application server must generate log records for access and authentication events.,SRG-APP-000089-AS-000050,medium,"Review the application server documentation and the deployed system configuration to determine if, at a minimum, system startup and shutdown, system access, and system authentication events are logged.If the logs do not include the minimum logable events, this is a finding.","Configure the application server to generate log records for system startup and shutdown, system access, and system authentication events.",CCI-000169
10 | 35142,SRG-APP-000090-AS-000051,The application server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which logable events are to be logged.,SRG-APP-000090-AS-000051,medium,"Review application server product documentation and configuration to determine if the system only allows the ISSM (or individuals or roles appointed by the ISSM) to change logable events.If the system is not configured to perform this function, this is a finding.",Configure the application server to only allow the ISSM (or individuals or roles appointed by the ISSM) to change logable events.,CCI-000171
11 | 35143,SRG-APP-000091-AS-000052,The application server must generate log records when successful/unsuccessful attempts to access subject privileges occur.,SRG-APP-000091-AS-000052,medium,"Review the application server documentation and the system configuration to determine if the application server generates log records when successful/unsuccessful attempts are made to access privileges.If log records are not generated, this is a finding.",Configure the application server to generate log records when privileges are successfully/unsuccessfully accessed.,CCI-000172
12 | 35148,SRG-APP-000092-AS-000053,The application server must initiate session logging upon startup.,SRG-APP-000092-AS-000053,medium,"Review the application server product documentation and server configuration to determine if the application server initiates session logging on application server startup.If the application server is not configured to meet this requirement, this is a finding.",Configure the application server to initiate session logging on application server startup.,CCI-001464
13 | 35150,SRG-APP-000093-AS-000054,"The application server must provide the capability for authorized users to capture, record, and log all content related to a user session.",SRG-APP-000093-AS-000054,medium,"Review the application server documentation to determine if the application server can be configured to capture/record and log all content related to a user session.If the application server does not have the capability to allow an authorized user to capture, record, and log all content related to a user session, this is a finding.","Configure the application server to provide the capability for authorized users to capture, record, and log all content related to a user session.",CCI-001462
14 | 35159,SRG-APP-000095-AS-000056,The application server must produce log records containing information to establish what type of events occurred.,SRG-APP-000095-AS-000056,medium,"Review the application server log configuration to determine if the application server produces log records showing what type of event occurred.If the log data does not show the type of event, this is a finding.",Configure the application server to include the event type in the log data.,CCI-000130
15 | 35165,SRG-APP-000096-AS-000059,The application server must produce log records containing sufficient information to establish when (date and time) the events occurred.,SRG-APP-000096-AS-000059,medium,"Review the logs on the application server to determine if the date and time are included in the log event data.If the date and time are not included, this is a finding.",Configure the application server logging system to log date and time with the event.,CCI-000131
16 | 35167,SRG-APP-000097-AS-000060,The application server must produce log records containing sufficient information to establish where the events occurred.,SRG-APP-000097-AS-000060,medium,"Review the logs on the application server to determine if the logs contain information that establishes where within the application server the event occurred. The data in the log file should establish the component, module, session identifier, filename, host name, and functionality within the application server where an event occurred.If the application server does not log where within the application server the event took place, this is a finding.",Configure the application server logging system to log where the event took place.,CCI-000132
17 | 35170,SRG-APP-000098-AS-000061,The application server must produce log records containing sufficient information to establish the sources of the events.,SRG-APP-000098-AS-000061,medium,"Review the application server documentation and deployment configuration to determine if the application server is configured to generate sufficient information to resolve the source, e.g., source IP, of the log event.Request a user access the application server and generate logable events, and then review the logs to determine if the source of the event can be established.If the source of the event cannot be determined, this is a finding.",Configure the application server to generate the source of each logable event.,CCI-000133
18 | 35176,SRG-APP-000099-AS-000062,The application server must produce log records that contain sufficient information to establish the outcome of events.,SRG-APP-000099-AS-000062,medium,"Review application server documentation and the log files on the application server to determine if the logs contain information that establishes the outcome of event data.If the application server is not configured to meet this requirement, this is a finding.",Configure the application server logging system to log the event outcome.,CCI-000134
19 | 35182,SRG-APP-000100-AS-000063,The application server must generate log records containing information that establishes the identity of any individual or process associated with the event.,SRG-APP-000100-AS-000063,medium,"Review application server documentation and the log files on the application server to determine if the logs contain information that establishes the identity of the user or process associated with log event data.If the application server does not produce logs that establish the identity of the user or process associated with log event data, this is a finding.",Configure the application server logging system to log the identity of the user or process related to the events.,CCI-001487
20 | 35186,SRG-APP-000108-AS-000067,"The application server must alert the SA and ISSO, at a minimum, in the event of a log processing failure.",SRG-APP-000108-AS-000067,medium,"Review application server log configuration. Verify the application server sends alerts to the SA and ISSO in the event of a log processing failure.If the application server is not configured to meet this requirement, this is a finding.",Configure the application server log feature to alert the SA and ISSO in the event of a log processing failure.,CCI-000139
21 | 35190,SRG-APP-000109-AS-000068,The application server must shut down by default upon log failure (unless availability is an overriding concern).,SRG-APP-000109-AS-000068,medium,"If the application server is a high availability system, this finding is NA.Review the application server configuration settings to determine if the application server is configured to shut down on a log failure.If the application server is not configured to shut down on a log failure, this is a finding.","If the application server is a high availability system, this finding is NA.Configure the application server to shut down on a log failure.",CCI-000140
22 | 35191,SRG-APP-000109-AS-000070,The application server must be configured to fail over to another system in the event of log subsystem failure.,SRG-APP-000109-AS-000070,medium,"If the system MAC level and availability do not require redundancy, this requirement is NA.Review the system's accreditation documentation to determine system MAC and confidentiality requirements. Review application server configuration settings to determine if the application server is configured to fail over operation to another system when the log subsystem fails to operate.If the system MAC level requires redundancy and the application server is not configured to fail over to another system which can handle application and log functions when a log subsystem failure occurs, this is a finding.","If the system MAC level and availability do not require redundancy, this requirement is NA.Configure the application server to fail over to another system which can handle log functions when the logging subsystem fails.",CCI-000140
23 | 35203,SRG-APP-000116-AS-000076,The application server must use internal system clocks to generate time stamps for log records.,SRG-APP-000116-AS-000076,medium,"Review the application server configuration files to determine if the internal system clock is used for time stamps. If this is not feasible, an alternative workaround is to take an action that generates an entry in the logs and then immediately query the operating system for the current time. A reasonable match between the two times will suffice as evidence that the system is using the internal clock for timestamps.If the application server does not use the internal system clock to generate time stamps, this is a finding.",Configure the application server to use internal system clocks to generate time stamps for log records.,CCI-000159
24 | 35205,SRG-APP-000118-AS-000078,The application server must protect log information from any type of unauthorized read access.,SRG-APP-000118-AS-000078,medium,"Review the configuration settings to determine if the application server log features protect log information from unauthorized access.Review file system settings to verify the application server sets secure file permissions on log files.If the application server does not protect log information from unauthorized read access, this is a finding.",Configure the application server to protect log information from unauthorized read access.,CCI-000162
25 | 35212,SRG-APP-000120-AS-000080,The application server must protect log information from unauthorized deletion.,SRG-APP-000120-AS-000080,medium,"Review the configuration settings to determine if the application server log features protect log information from unauthorized deletion.Review file system settings to verify the application server sets secure file permissions on log files to prevent unauthorized deletion.If the application server does not protect log information from unauthorized deletion, this is a finding.",Configure the application server to protect log information from unauthorized deletion.,CCI-000164
26 | 35213,SRG-APP-000121-AS-000081,The application server must protect log tools from unauthorized access.,SRG-APP-000121-AS-000081,medium,"Review the application server documentation and server configuration to determine if the application server protects log tools from unauthorized access.Request a system administrator attempt to access log tools while logged into the server in a role that does not have the requisite privileges.If the application server does not protect log tools from unauthorized access, this is a finding.",Configure the application server or OS to protect log tools from unauthorized access.,CCI-001493
27 | 35214,SRG-APP-000122-AS-000082,The application server must protect log tools from unauthorized modification.,SRG-APP-000122-AS-000082,medium,"Review the application server documentation and server configuration to determine if the application server protects log tools from unauthorized modification. Request a system administrator attempt to modify log tools while logged into the server in a role that does not have the requisite privileges.Locate binary copies of log tool executables that are located on the file system and attempt to modify using unprivileged credentials.If the application server does not protect log tools from unauthorized modification, this is a finding.",Configure the application server or the OS to protect log tools from unauthorized modification.,CCI-001494
28 | 35215,SRG-APP-000123-AS-000083,The application server must protect log tools from unauthorized deletion.,SRG-APP-000123-AS-000083,medium,"Review the application server documentation and server configuration to determine if the application server protects log tools from unauthorized deletion.Locate binary copies of log tool executables that are located on the file system and attempt to delete using unprivileged credentials.If the application server does not protect log tools from unauthorized deletion, this is a finding.",Configure the application server or the OS to protect log tools from unauthorized deletion.,CCI-001495
29 | 35216,SRG-APP-000125-AS-000084,The application server must back up log records at least every seven days onto a different system or system component than the system or component being logged.,SRG-APP-000125-AS-000084,medium,"Review the application server configuration to determine if the application server backs up log records every seven days onto a different system or media from the system being logged.If the application server does not back up log records every seven days onto a different system or media from the system being logged, this is a finding.",Configure the application server to back up log records every seven days onto a different system or media from the system being logged.,CCI-001348
30 | 35217,SRG-APP-000126-AS-000085,The application server must use cryptographic mechanisms to protect the integrity of log information.,SRG-APP-000126-AS-000085,medium,"Review the application server documentation and configuration to determine if the application server can protect log data using cryptographic means.If the application server is not configured to encrypt and sign logs, this is a finding.",Configure the application server to encrypt and sign logs.,CCI-001350
31 | 35224,SRG-APP-000133-AS-000092,The application server must limit privileges to change the software resident within software libraries.,SRG-APP-000133-AS-000092,medium,"Check the application server documentation and configuration to determine if the application server provides role-based access that limits the capability to change shared software libraries.Validate file permission settings to ensure library files are secured in relation to OS access.If the application server does not meet this requirement, this is a finding.",Configure the application server to limit privileges to change the software resident within software libraries through the use of defined user roles and file permissions.,CCI-001499
32 | 35234,SRG-APP-000141-AS-000095,The application server must adhere to the principles of least functionality by providing only essential capabilities.,SRG-APP-000141-AS-000095,medium,"Review the application server documentation and configuration to determine if the application server can disable non-essential features and capabilities.If the application server is not configured to meet this requirement, this is a finding.",Configure the application server to use only essential features and capabilities.,CCI-000381
33 | 35299,SRG-APP-000148-AS-000101,The application server must use an enterprise user management system to uniquely identify and authenticate users (or processes acting on behalf of organizational users).,SRG-APP-000148-AS-000101,medium,"Review application server documentation and configuration settings to determine if the application server is using an enterprise solution to authenticate organizational users and processes running on the users' behalf.If an enterprise solution is not being used, this is a finding.",Configure the application server to use an enterprise user management system to uniquely identify and authenticate users and processes acting on behalf of organizational users.,CCI-000764
34 | 35300,SRG-APP-000149-AS-000102,The application server must use multifactor authentication for network access to privileged accounts.,SRG-APP-000149-AS-000102,medium,"Review the application server configuration to ensure the system is authenticating via multifactor authentication for privileged users.If all aspects of application server web management interfaces are not authenticating privileged users via multifactor authentication methods, this is a finding.",Configure the application server to authenticate privileged users via multifactor authentication for network access to the management interface.,CCI-000765
35 | 35301,SRG-APP-000151-AS-000103,The application server must use multifactor authentication for local access to privileged accounts.,SRG-APP-000151-AS-000103,medium,"Review the application server configuration to ensure the system is authenticating via multifactor authentication for privileged users.If all aspects of application server command line management interfaces are not authenticating privileged users via multifactor authentication methods, this is a finding.",Configure the application server to authenticate privileged users via multifactor authentication for local access to the management interface.,CCI-000767
36 | 35302,SRG-APP-000153-AS-000104,The application server must authenticate users individually prior to using a group authenticator.,SRG-APP-000153-AS-000104,medium,"Review the application server documentation and configuration to determine if the application server individually authenticates users prior to authenticating via a role or group.Review application server logs to verify user accesses requiring authentication can be traced back to an individual account.If the application server does not authenticate users on an individual basis, this is a finding.",Configure the application server to authenticate users individually prior to allowing any group-based authentication.,CCI-000770
37 | 35304,SRG-APP-000156-AS-000106,The application server must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data.,SRG-APP-000156-AS-000106,medium,"Review application server documentation to ensure the application server provides extensions to the SOAP protocol that provide secure authentication. These protocols include, but are not limited to, WS_Security suite. Review policy and data owner protection requirements in order to identify sensitive data.If secure authentication protocols are not utilized to protect data identified by data owner as requiring protection, this is a finding.",Configure the application server to utilize secure authentication when SOAP web services are used to access sensitive data.,CCI-001941
38 | 35306,SRG-APP-000158-AS-000108,The application server must uniquely identify all network-connected endpoint devices before establishing any connection.,SRG-APP-000158-AS-000108,medium,"Review application server documentation and configuration to ensure the application server identifies devices before allowing connections.If the application server does not identify a device before connection, this is a finding.",Configure the application server to identify devices before allowing connections.,CCI-000778
39 | 35309,SRG-APP-000163-AS-000111,"The application server must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.",SRG-APP-000163-AS-000111,medium,"Review the application server documentation and configuration to ensure the application server disables identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.If the application server is not configured to disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity, this is a finding.","Configure the application server to disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.",CCI-000795
40 | 35317,SRG-APP-000171-AS-000119,The application server must store only encrypted representations of passwords.,SRG-APP-000171-AS-000119,medium,"Review application server documentation and configuration to determine if the application server enforces the requirement to only store encrypted representations of passwords.If the application server is not configured to meet this requirement, this is a finding.",Configure the application server to only store encrypted representations of passwords.,CCI-000196
41 | 35318,SRG-APP-000172-AS-000120,The application server must transmit only encrypted representations of passwords.,SRG-APP-000172-AS-000120,medium,"Review application server documentation and configuration to determine if the application server enforces the requirement to encrypt passwords when they are transmitted.If the application server is not configured to meet this requirement, this is a finding.",Configure the application server to transmit only encrypted representations of passwords.,CCI-000197
42 | 35319,SRG-APP-000172-AS-000121,The application server must utilize encryption when using LDAP for authentication.,SRG-APP-000172-AS-000121,medium,"Review application server documentation and configuration to determine if the application server enforces the requirement to encrypt LDAP traffic.If the application server is not configured to meet this requirement, this is a finding.",Configure the application server to encrypt LDAP traffic.,CCI-000197
43 | 35322,SRG-APP-000175-AS-000124,The application server must perform RFC 5280-compliant certification path validation.,SRG-APP-000175-AS-000124,medium,"Review the application server documentation and deployed configuration to determine whether the application server provides PKI functionality that validates certification paths in accordance with RFC 5280.If PKI is not being used, this is NA.If the application server is using PKI, but it does not perform this requirement, this is a finding.",Configure the application server to validate certificates in accordance with RFC 5280.,CCI-000185
44 | 35324,SRG-APP-000176-AS-000125,Only authenticated system administrators or the designated PKI Sponsor for the application server must have access to the web servers private key.,SRG-APP-000176-AS-000125,medium,"Review application server configuration and documentation to ensure the application server enforces authorized access to the corresponding private key.If the application server is not configured to enforce authorized access to the corresponding private key, this is a finding.",Configure the application server to enforce authorized access to the corresponding private key.,CCI-000186
45 | 35325,SRG-APP-000177-AS-000126,The application server must map the authenticated identity to the individual user or group account for PKI-based authentication.,SRG-APP-000177-AS-000126,medium,"Review application server documentation to ensure the application server provides a PKI integration capability that meets DoD PKI infrastructure requirements.If the application server is not configured to meet this requirement, this is a finding.",Configure the application server to utilize the DoD Enterprise PKI infrastructure.,CCI-000187
46 | 35328,SRG-APP-000178-AS-000127,The application server must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.,SRG-APP-000178-AS-000127,medium,"Review the application server documentation and configuration to determine if any interfaces which are provided for authentication purposes display the user's password when it is typed into the data entry field.If authentication information is not obfuscated when entered, this is a finding.",Configure the application server to obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.,CCI-000206
47 | 35329,SRG-APP-000179-AS-000129,The application server must utilize FIPS 140-2 approved encryption modules when authenticating users and processes.,SRG-APP-000179-AS-000129,medium,"Review the application server documentation and deployed configuration to determine which version of TLS is being used.If the application server is not using TLS when authenticating users or non-FIPS-approved SSL versions are enabled, this is a finding.",Configure the application server to use a FIPS-2 approved TLS version to authenticate users and to disable all non-FIPS-approved SSL versions.,CCI-000803
48 | 35376,SRG-APP-000211-AS-000146,The application server must separate hosted application functionality from application server management functionality.,SRG-APP-000211-AS-000146,medium,"Review the application server documentation and configuration to verify that the application server separates admin functionality from hosted application functionality.If the application server does not separate application server admin functionality from hosted application functionality, this is a finding.",Configure the application server so that admin management functionality and hosted applications are separated.,CCI-001082
49 | 35381,SRG-APP-000219-AS-000147,The application server must ensure authentication of both client and server during the entire session.,SRG-APP-000219-AS-000147,medium,"Review the application server configuration and documentation to ensure the application server provides mutual authentication capabilities.If the application server does not provide the ability for applications to utilize mutual authentication, this is a finding.",Configure the application server to mutually authenticate during the entire session as required by application design and policy.,CCI-001184
50 | 35415,SRG-APP-000220-AS-000148,The application server must invalidate session identifiers upon user logout or other session termination.,SRG-APP-000220-AS-000148,medium,"Review the application server configuration and organizational policy to determine if the system is configured to terminate administrator sessions upon administrator logout or any other organization- or policy-defined session termination events, such as idle time limit exceeded.If the configuration is not set to terminate administrator sessions per defined events, this is a finding.",Configure the application server to terminate administrative sessions upon logout or any other organization- or policy-defined session termination events.,CCI-001185
51 | 35421,SRG-APP-000223-AS-000151,The application server must recognize only system-generated session identifiers.,SRG-APP-000223-AS-000151,medium,"Review the application server configuration to determine if the application server recognizes only system-generated session identifiers.If the application server does not recognize only system-generated session identifiers, this is a finding.",Design the application server to recognize only system-generated session identifiers.,CCI-001664
52 | 35422,SRG-APP-000224-AS-000152,The application server must generate a unique session identifier using a FIPS 140-2 approved random number generator.,SRG-APP-000224-AS-000152,medium,"Review the application server configuration and documentation to determine if the application server uses a FIPS 140-2 approved random number generator to create unique session identifiers.Have a user log onto the application server to determine if the session IDs generated are random and unique.If the application server does not generate unique session identifiers and does not use a FIPS 140-2 random number generator to create the randomness of the session ID, this is a finding.",Configure the application server to generate unique session identifiers and to use a FIPS 140-2 random number generator to generate the randomness of the session identifiers.,CCI-001188
53 | 35423,SRG-APP-000225-AS-000153,The application server must be configured to perform complete application deployments.,SRG-APP-000225-AS-000153,medium,"Review the application server configuration and documentation to ensure the system is configured to perform complete application deployments.If the application server is not configured to ensure complete application deployments or provides no rollback functionality, this is a finding.",Configure the application server to detect errors that occur during application deployment and to prevent deployment if errors are encountered.,CCI-001190
54 | 35424,SRG-APP-000225-AS-000154,The application server must provide a clustering capability.,SRG-APP-000225-AS-000154,medium,"This requirement is dependent upon system MAC and confidentiality.If the system MAC and confidentiality levels do not specify redundancy requirements, this requirement is NA.Review the application server configuration and documentation to ensure the application server is configured to provide clustering functionality.If the application server is not configured to provide clustering or some form of failover functionality, this is a finding.","This requirement is dependent upon system MAC and confidentiality.If the system MAC and confidentiality levels do not specify redundancy requirements, this requirement is NA.Configure the application server to provide application failover or participate in an application cluster which provides failover.",CCI-001190
55 | 35426,SRG-APP-000231-AS-000156,The application server must employ cryptographic mechanisms to ensure confidentiality and integrity of all information at rest when stored off-line.,SRG-APP-000231-AS-000156,medium,"Review the application server configuration to ensure the system is protecting the confidentiality and integrity of all application server data at rest when stored off-line.If the application server is not configured to protect all application server data at rest when stored off-line, this is a finding.",Configure the application server to employ cryptographic mechanisms to ensure confidentiality and integrity of all application server data at rest when stored off-line.,CCI-001199
56 | 35436,SRG-APP-000251-AS-000165,"The application server must check the validity of all data inputs to the management interface, except those specifically identified by the organization.",SRG-APP-000251-AS-000165,medium,"Review the application server configuration to determine if the system checks the validity of information inputs to the management interface, except those specifically identified by the organization.If the management interface data inputs are not validated, this is a finding.",Configure the application server to check the validity of data inputs into the management interface except those specifically identified by the organization.,CCI-001310
57 | 35440,SRG-APP-000266-AS-000169,The application server must only generate error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages.,SRG-APP-000266-AS-000169,medium,"Review system documentation and logs to determine if the application server writes sensitive information such as passwords or private keys into the logs and administrative messages.If the application server writes sensitive or potentially harmful information into the logs and administrative messages, this is a finding.",Configure the application server to not write sensitive information into the logs and administrative messages.,CCI-001312
58 | 35441,SRG-APP-000267-AS-000170,The application server must restrict error messages only to authorized users.,SRG-APP-000267-AS-000170,medium,"Review the application server configuration and documentation to determine if the application server will restrict access to error messages so only authorized users may view or otherwise access them.If the application server cannot be configured to restrict access to error messages to only authorized users, this is a finding.",Configure the application server to restrict access to error messages so only authorized users may view or otherwise access them.,CCI-001314
59 | 35445,SRG-APP-000290-AS-000174,The application server must use cryptographic mechanisms to protect the integrity of log tools.,SRG-APP-000290-AS-000174,medium,"Review the application server configuration to determine if the application server log tools have been cryptographically signed to protect the integrity of the tools.If the application server log tools have not been cryptographically signed, this is a finding.",Configure the application server log tools to be cryptographically signed to protect the integrity of the tools.,CCI-001496
60 | 35738,SRG-APP-000033-AS-000024,The application server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.,SRG-APP-000033-AS-000024,medium,"Review application server product documentation and configuration to determine if the system enforces authorization requirements for logical access to the system in accordance with applicable policy.If the application server is not configured to utilize access controls or follow access control policies, this is a finding.",Configure the application server to enforce access control policies for logical access to the system in accordance with applicable policy.,CCI-000213
61 | 35772,SRG-APP-000119-AS-000079,The application server must protect log information from unauthorized modification.,SRG-APP-000119-AS-000079,medium,"Review the configuration settings to determine if the application server log features protect log information from unauthorized modification.Review file system settings to verify the application server sets secure file permissions on log files to prevent unauthorized modification.If the application server does not protect log information from unauthorized modification, this is a finding.",Configure the application server to protect log information from unauthorized modification.,CCI-000163
62 | 57397,SRG-APP-000343-AS-000030,The application server must provide access logging that ensures users who are granted a privileged role (or roles) have their privileged activity logged.,SRG-APP-000343-AS-000030,medium,"Review application server documentation and log configuration to verify the application server logs privileged activity.If the application server is not configured to log privileged activity, this is a finding.",Configure the application server to log privileged activity.,CCI-002234
63 | 57399,SRG-APP-000340-AS-000185,"The application server must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.",SRG-APP-000340-AS-000185,medium,"Review application server documentation and configuration to verify that non-privileged users cannot access or execute privileged functions.Have a user logon as a non-privileged user and attempt to execute privileged functions.If the user is capable of executing privileged functions, this is a finding.",Configure the application server to deny non-privileged users access to and execution of privileged functions.,CCI-002235
64 | 57401,SRG-APP-000295-AS-000263,The application server must automatically terminate a user session after organization-defined conditions or trigger events requiring a session disconnect.,SRG-APP-000295-AS-000263,medium,"Review application server documentation and configuration settings to determine if the application server is configured to close user sessions after defined conditions or trigger events are met.If the application server is not configured or cannot be configured to disconnect users after defined conditions and trigger events are met, this is a finding.",Configure the application server to terminate user sessions on defined conditions or trigger events.,CCI-002361
65 | 57403,SRG-APP-000296-AS-000201,The application server management interface must provide a logout capability for user-initiated communication session.,SRG-APP-000296-AS-000201,medium,"Review application server documentation and configuration settings to determine if the application server management interface provides a logout capability.If the application server management interface does not provide a logout capability, this is a finding.",Configure the application server management interface to provide a logout capability for the users.,CCI-002363
66 | 57405,SRG-APP-000297-AS-000188,The application server management interface must display an explicit logout message to users indicating the reliable termination of authenticated communications sessions.,SRG-APP-000297-AS-000188,medium,"Review application server documentation and configuration settings to determine if the application server management interface displays a logout message.If the application server management interface does not display a logout message, this is a finding.",Configure the application server management interface to display an explicit logout message to users.,CCI-002364
67 | 57407,SRG-APP-000313-AS-000003,The application server must associate organization-defined types of security attributes having organization-defined security attribute values with information in process.,SRG-APP-000313-AS-000003,medium,"Review the application server documentation to determine if the application associates organization-defined types of security attributes with organization-defined security attribute values to information in process.If the application server does not associate the security attributes to information in process or the feature is not implemented, this is a finding.",Configure the application server to associate organization-defined types of security attributes having organization-defined security attribute values with information in process.,CCI-002263
68 | 57409,SRG-APP-000314-AS-000005,The application server must associate organization-defined types of security attributes having organization-defined security attribute values with information in transmission.,SRG-APP-000314-AS-000005,medium,"Review the application server documentation to determine if the application associates organization-defined types of security attributes with organization-defined security attribute values to information in transmission.If the application server does not associate the security attributes to information in transmission or the feature is not implemented, this is a finding.",Configure the application server to associate organization-defined types of security attributes having organization-defined security attribute values with information in transmission.,CCI-002264
69 | 57411,SRG-APP-000016-AS-000013,The application server must ensure remote sessions for accessing security functions and security-relevant information are logged.,SRG-APP-000016-AS-000013,medium,"Review the application server product documentation to determine if the application server logs remote administrative sessions.If the application server does not log remote sessions for the admin user, then this is a finding.",Configure the application server to log an event for each instance when the administrator accesses the system remotely.,CCI-000067
70 | 57413,SRG-APP-000315-AS-000094,The application server must control remote access methods.,SRG-APP-000315-AS-000094,medium,"Review organization policy, application server product documentation and configuration to determine if the system enforces the organization's requirements for remote connections.If the system is not configured to enforce these requirements, or the remote connection settings are not in accordance with the requirements, this is a finding.",Configure the application server to enforce remote connection settings.,CCI-002314
71 | 57415,SRG-APP-000316-AS-000199,The application server must provide the capability to immediately disconnect or disable remote access to the management interface.,SRG-APP-000316-AS-000199,medium,"Review the application server product documentation and server configuration to ensure that there is a capability to immediately disconnect or disable remote access to the management interface.If there is no capability, this is a finding.",Configure the application server to have the capability to immediately disconnect or disable remote access to the management interface.,CCI-002322
72 | 57417,SRG-APP-000101-AS-000072,The application server must generate log records containing the full-text recording of privileged commands or the individual identities of group account users.,SRG-APP-000101-AS-000072,medium,"Review the application server documentation and deployment configuration to determine if the application server is configured to generate full-text recording of privileged commands or the individual identities of group users at a minimum.Have a user execute a privileged command and review the log data to validate that the full-text or identity of the individual is being logged.If the application server is not meeting this requirement, this is a finding.","Configure the application server to generate the full-text recording of privileged commands or the individual identities of group users, or both.",CCI-000135
73 | 57419,SRG-APP-000356-AS-000202,The application server must provide centralized management and configuration of the content to be captured in log records generated by all application components.,SRG-APP-000356-AS-000202,medium,"Review application server documentation and configuration to determine if the application server is part of a cluster.If the application server is not part of a cluster, this requirement is NA.If the application server is part of a cluster, verify that the log settings are managed and configured from a centralized management server.If the log settings are not centrally managed, this is a finding.",Configure the application server to allow centralized management and configuration of the content to be captured in log records.,CCI-001844
74 | 57421,SRG-APP-000357-AS-000038,The application server must allocate log record storage capacity in accordance with organization-defined log record storage requirements.,SRG-APP-000357-AS-000038,medium,"Review the application server documentation and configuration to determine if the application server creates log storage to buffer log data until offloading to a log data storage facility.If the application server does not allocate storage for log data, this is a finding.",Configure the application server to allocate storage for log data before offloading to a log data storage facility.,CCI-001849
75 | 57423,SRG-APP-000358-AS-000064,The application server must off-load log records onto a different system or media from the system being logged.,SRG-APP-000358-AS-000064,medium,"Verify the log records are being off-loaded to a separate system or transferred from the application server to a storage location other than the application server itself.The system administrator of the device may demonstrate this capability using a log management application, system configuration, or other means.If logs are not being off-loaded, this is a finding.",Configure the application server to off-load the logs to a remote log or management server.,CCI-001851
76 | 57425,SRG-APP-000515-AS-000203,"The application server must, at a minimum, transfer the logs of interconnected systems in real time, and transfer the logs of standalone systems weekly.",SRG-APP-000515-AS-000203,medium,"Verify the log records are being off-loaded, at a minimum of real time for interconnected systems and weekly for standalone systems.If the application server is not meeting these requirements, this is a finding.",Configure the application server to off-load interconnected systems in real time and standalone systems weekly.,CCI-001851
77 | 57427,SRG-APP-000359-AS-000065,"The application server must provide an immediate warning to the SA and ISSO, at a minimum, when allocated log record storage volume reaches 75% of maximum log record storage capacity.",SRG-APP-000359-AS-000065,medium,"Review the configuration settings to determine if the application server logging system provides a warning to the SA and ISSO when 75% of allocated log record storage volume is reached.If designated alerts are not sent, or the application server is not configured to use a dedicated logging tool that meets this requirement, this is a finding.",Configure the application server to provide an alert to the SA and ISSO when allocated log record storage volume reaches 75% of maximum log record storage capacity.,CCI-001855
78 | 57429,SRG-APP-000360-AS-000066,The application server must provide an immediate real-time alert to authorized users of all log failure events requiring real-time alerts.,SRG-APP-000360-AS-000066,medium,"Review the configuration settings to determine if the application server log system provides a real-time alert to authorized users when log failure events occur requiring real-time alerts.If designated alerts are not sent to authorized users, this is a finding.",Configure the application server to provide a real-time alert to authorized users when log failure events occur that require real-time alerts.,CCI-001858
79 | 57431,SRG-APP-000374-AS-000210,The application server must record time stamps for log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).,SRG-APP-000374-AS-000210,medium,"Review the application server documentation and configuration files to determine if time stamps for log records can be mapped to UTC or GMT.If the time stamp cannot be mapped to UTC or GMT, this is a finding.",Configure the application server to use time stamps for log records that can easily be mapped to UTC or GMT.,CCI-001890
80 | 57433,SRG-APP-000375-AS-000211,The application server must record time stamps for log records that meet a granularity of one second for a minimum degree of precision.,SRG-APP-000375-AS-000211,medium,"Review the application server documentation and configuration files to determine if time stamps for log records meet a granularity of one second.If the time stamp cannot generate to a one-second granularity, this is a finding.",Configure the application server to use time stamps for log records that can meet a granularity of one second.,CCI-001889
81 | 57435,SRG-APP-000371-AS-000077,The application server must compare internal application server clocks at least every 24 hours with an authoritative time source.,SRG-APP-000371-AS-000077,medium,"Review application server documentation and confirm that the application server compares internal application server clocks at least every 24 hours with an authoritative time source.If the application server does not compare internal application server clocks to an authoritative source or if the frequency is greater than every 24 hours, this is a finding.",Configure the application server to compare internal application server clocks at least every 24 hours with an authoritative time source.,CCI-001891
82 | 57437,SRG-APP-000372-AS-000212,The application server must synchronize internal application server clocks to an authoritative time source when the time difference is greater than the organization-defined time period.,SRG-APP-000372-AS-000212,medium,"Review application server documentation and configuration to determine if the application server is configured to reset internal information clocks when the difference is greater than a defined threshold with an authoritative time source.If the application server cannot synchronize internal application server clocks to the authoritative time source when the time difference is greater than the organization-defined time period, this is a finding.",Configure the application server to reset internal information system clocks when the time difference is greater than a defined time period with the authoritative time source.,CCI-002046
83 | 57439,SRG-APP-000495-AS-000220,The application server must generate log records when successful/unsuccessful attempts to modify privileges occur.,SRG-APP-000495-AS-000220,medium,"Review the application server documentation and the system configuration to determine if the application server generates log records when successful/unsuccessful attempts are made to modify privileges.If log records are not generated, this is a finding.",Configure the application server to generate log records when privileges are successfully or unsuccessfully modified.,CCI-000172
84 | 57441,SRG-APP-000499-AS-000224,The application server must generate log records when successful/unsuccessful attempts to delete privileges occur.,SRG-APP-000499-AS-000224,medium,"Review the application server documentation and the system configuration to determine if the application server generates log records when successful and unsuccessful attempts are made to delete privileges.If log records are not generated, this is a finding.",Configure the application server to generate log records when privileges are successfully or unsuccessfully deleted.,CCI-000172
85 | 57443,SRG-APP-000503-AS-000228,The application server must generate log records when successful/unsuccessful logon attempts occur.,SRG-APP-000503-AS-000228,medium,"Review product documentation and the system configuration to determine if the application server generates log records on successful and unsuccessful logon attempts by users.If logon attempts do not generate log records, this is a finding.",Configure the application server to generate log records when successful/unsuccessful logon attempts are made by users.,CCI-000172
86 | 57445,SRG-APP-000504-AS-000229,The application server must generate log records for privileged activities.,SRG-APP-000504-AS-000229,medium,"Review the application server documentation and the system configuration to determine if the application server generates log records for privileged activities.If log records are not generated for privileged activities, this is a finding.",Configure the application server to generate log records for privileged activities.,CCI-000172
87 | 57481,SRG-APP-000505-AS-000230,The application must generate log records showing starting and ending times for user access to the application server management interface.,SRG-APP-000505-AS-000230,medium,"Review the application server documentation and the system configuration to determine if the application server generates log records showing starting and ending times for user access to the management interface.If log records are not generated showing starting and ending times of user access to the management interface, this is a finding.",Configure the application server to generate log records showing starting and ending times of user access to the management interface.,CCI-000172
88 | 57483,SRG-APP-000506-AS-000231,The application server must generate log records when concurrent logons from different workstations occur to the application server management interface.,SRG-APP-000506-AS-000231,medium,"Review the application server documentation and the system configuration to determine if the application server generates log records showing concurrent logons from different workstations to the management interface.If concurrent logons from different workstations are not logged, this is a finding.",Configure the application server to generate log records showing concurrent logons from different workstations to the management interface.,CCI-000172
89 | 57485,SRG-APP-000509-AS-000234,"The application server must generate log records for all account creations, modifications, disabling, and termination events.",SRG-APP-000509-AS-000234,medium,"Review the application server documentation and the system configuration to determine if the application server generates log records when accounts are created, modified, disabled, or terminated.If the application server does not generate log records for account creation, modification, disabling, and termination, this is a finding.","Configure the application server to generate log records when accounts are created, modified, disabled, or terminated.",CCI-000172
90 | 57487,SRG-APP-000353-AS-000235,"The application server must provide the capability for organization-identified individuals or roles to change the logging to be performed on all application components, based on all selectable event criteria within organization-defined time thresholds.",SRG-APP-000353-AS-000235,medium,"Review the application server configuration to determine if the application server provides the capability for organization-identified individuals or roles to change the logging to be performed on all application components, based on all selectable event criteria within organization-defined time thresholds.If the application server cannot meet this requirement, this is a finding.","Configure the application server to provide the capability for organization-identified individuals or roles to change the logging to be performed on all application components, based on all selectable event criteria within organization-defined time thresholds.",CCI-001914
91 | 57489,SRG-APP-000355-AS-000055,"The application server must provide the capability for authorized users to remotely view/hear, in real time, all content related to an established user session.",SRG-APP-000355-AS-000055,medium,"Review the application server documentation to determine if the application server can be configured by authorized users to remotely view/hear, in real time, all content related to an established user session.If the application server does not have the capability to allow authorized users to remotely view/hear all content related to an established user session, this is a finding.","Configure the application server to provide the capability for authorized users to remotely view/hear, in real time, all content related to an established user session.",CCI-001920
92 | 57491,SRG-APP-000380-AS-000088,The application server must enforce access restrictions associated with changes to application server configuration.,SRG-APP-000380-AS-000088,medium,"Review the application server documentation and configuration to determine if the system employs mechanisms to enforce restrictions on application server configuration changes.Configuration changes include, but are not limited to, automatic code deployments, software library updates, and changes to configuration settings within the application server.If the application server does not enforce access restrictions for configuration changes, this is a finding.","Configure the application server to enforce access restrictions associated with changes to the application server configuration to include code deployment, library updates, and changes to application server configuration settings.",CCI-001813
93 | 57493,SRG-APP-000381-AS-000089,The application server must log the enforcement actions used to restrict access associated with changes to the application server.,SRG-APP-000381-AS-000089,medium,"Check the application server documentation and logs to determine if enforcement actions used to restrict access associated with changes to the application server are logged.If these actions are not logged, this is a finding.",Configure the application server to log the enforcement actions used to restrict access associated with changes to the application server.,CCI-001814
94 | 57495,SRG-APP-000131-AS-000002,"The application server must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.",SRG-APP-000131-AS-000002,medium,"Review system documentation to determine if the application server prevents the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.If the application server does not meet this requirement, this is a finding.","Configure the application server to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.",CCI-001749
95 | 57497,SRG-APP-000133-AS-000093,The application server must be capable of reverting to the last known good configuration in the event of failed installations and upgrades.,SRG-APP-000133-AS-000093,medium,"Check the application server documentation and configuration to determine if the application server provides an automated rollback capability to a known good configuration in the event of a failed installation and upgrade.If the application server is not configured to meet this requirement, this is a finding.",Configure the application server to automatically rollback to a known good configuration in the event of failed application installations and application server upgrades.,CCI-001499
96 | 57499,SRG-APP-000516-AS-000237,"The application server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.",SRG-APP-000516-AS-000237,medium,"Review the application server documentation and configuration to determine if the application server is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.If the application server is not configured in accordance with security configuration settings, this is a finding.","Configure the application server to be in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.",CCI-000366
97 | 57501,SRG-APP-000142-AS-000014,"The application server must prohibit or restrict the use of nonsecure ports, protocols, modules, and/or services as defined in the PPSM CAL and vulnerability assessments.",SRG-APP-000142-AS-000014,medium,"Review the application server documentation and deployment configuration to determine which ports and protocols are enabled.Verify that the ports and protocols being used are not prohibited and are necessary for the operation of the application server and the hosted applications.If any of the ports or protocols is prohibited or not necessary for the application server operation, this is a finding.",Configure the application server to disable any ports or protocols that are prohibited by the PPSM CAL and vulnerability assessments.,CCI-000382
98 | 57503,SRG-APP-000391-AS-000239,The application server must accept Personal Identity Verification (PIV) credentials to access the management interface.,SRG-APP-000391-AS-000239,medium,"Review application server documentation and configuration to ensure the application server accepts PIV credentials to the management interface.If PIV credentials are not accepted, this is a finding.",Configure the application server to accept PIV credentials to access the management interface.,CCI-001953
99 | 57505,SRG-APP-000392-AS-000240,The application server must electronically verify Personal Identity Verification (PIV) credentials for access to the management interface.,SRG-APP-000392-AS-000240,medium,"Review application server documentation and configuration to ensure the application server electronically verifies PIV credentials to the management interface.If PIV credentials are not electronically verified, this is a finding.",Configure the application server to electronically verify PIV credentials to access the management interface.,CCI-001954
100 | 57507,SRG-APP-000394-AS-000241,The application server must authenticate all network-connected endpoint devices before establishing any connection.,SRG-APP-000394-AS-000241,medium,"Review application server documentation, application data protection requirements, and configuration to ensure the application server provides an SSL mutual authentication capability and the authentication is completed before the connection is fully established.If data protection requirements require mutual authentication and the application server is not configured to meet this requirement, this is a finding.",Configure the application server to perform mutual authentication of network-connected endpoint devices before the connection is established.,CCI-001958
101 | 57509,SRG-APP-000395-AS-000109,"The application server must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.",SRG-APP-000395-AS-000109,medium,"If data protection requirements do not mandate the need to establish the identity of the connecting device before the connection is established, this requirement is NA.Review application server documentation and configuration to determine if the application server authenticates all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.If the application server does not meet this requirement, this is a finding.","If data protection requirements do not mandate the need to establish the identity of the connecting device before the connection is established, this requirement is NA.Configure the application server to authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.",CCI-001967
102 | 57511,SRG-APP-000401-AS-000243,"The application server, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.",SRG-APP-000401-AS-000243,medium,"Review application server documentation to ensure the application server provides a PKI integration capability that implements a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.If the application server is not configured to meet this requirement, this is a finding.",Configure the application server to implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.,CCI-001991
103 | 57513,SRG-APP-000400-AS-000246,The application server must prohibit the use of cached authenticators after an organization-defined time period.,SRG-APP-000400-AS-000246,medium,"Review application server documentation to ensure the application server prohibits the use of cached authenticators after an organization-defined timeframe.If the application server is not configured to meet this requirement, this is a finding.",Configure the application server to prohibit the use of cached authenticators after an organization-defined timeframe.,CCI-002007
104 | 57515,SRG-APP-000402-AS-000247,The application server must accept Personal Identity Verification (PIV) credentials from other federal agencies to access the management interface.,SRG-APP-000402-AS-000247,medium,"Review the application server documentation and configuration to determine if the application server accepts PIV credentials from other federal agencies to access the management interface.If the application server does not accept other federal agency PIV credentials to access the management interface, this is a finding.",Configure the application server to accept PIV credentials from other federal agencies to access the management interface.,CCI-002009
105 | 57517,SRG-APP-000403-AS-000248,The application server must electronically verify Personal Identity Verification (PIV) credentials from other federal agencies to access the management interface.,SRG-APP-000403-AS-000248,medium,"Review the application server documentation and configuration to determine if the application server electronically verifies PIV credentials from other federal agencies to access the management interface.If the application server does not electronically verify other federal agency PIV credentials to access the management interface, this is a finding.",Configure the unclassified application server to electronically verify PIV credentials from other federal agencies before granting access to the management interface.,CCI-002010
106 | 57519,SRG-APP-000404-AS-000249,The application server must accept FICAM-approved third-party credentials.,SRG-APP-000404-AS-000249,medium,"Review the application server documentation and configuration to determine if the application server accepts FICAM-approved third-party credentials.If the application server does not accept FICAM-approved third-party credentials, this is a finding.",Configure the application server to accept FICAM-approved third-party credentials.,CCI-002011
107 | 57521,SRG-APP-000405-AS-000250,The application server must conform to FICAM-issued profiles.,SRG-APP-000405-AS-000250,medium,"Review the application server documentation and configuration to determine if the application server conforms to FICAM-issued profiles.If the application server does not conform to FICAM-issued profiles, this is a finding.",Configure the application server to conform to FICAM-issued profiles.,CCI-002014
108 | 57523,SRG-APP-000389-AS-000253,The application server must require users to re-authenticate when organization-defined circumstances or situations require re-authentication.,SRG-APP-000389-AS-000253,medium,"Review the application server documentation and configuration to determine if the application server requires a user to re-authenticate when organization-defined circumstances or situations are met.If the application server does not require a user to re-authenticate when organization-defined circumstances or situations are met, this is a finding.",Configure the application server to require a user to re-authenticate when organization-defined circumstances or situations are met.,CCI-002038
109 | 57525,SRG-APP-000390-AS-000254,The application server must require devices to re-authenticate when organization-defined circumstances or situations require re-authentication.,SRG-APP-000390-AS-000254,medium,"Review the application server documentation and configuration to determine if the application server requires devices to re-authenticate when organization-defined circumstances or situations require re-authentication.If the application server does not require a device to re-authenticate, this is a finding.",Configure the application server to require devices to re-authenticate when organization-defined circumstances or situations require re-authentication.,CCI-002039
110 | 57527,SRG-APP-000181-AS-000255,The application server must provide a log reduction capability that supports on-demand reporting requirements.,SRG-APP-000181-AS-000255,medium,"Review application server product documentation and server configuration to determine if the application server provides a log reduction capability with on-demand report.If the application server does not provide log reduction with on-demand reporting, this is a finding.",Configure the application server to provide and utilize log reduction with on-demand reporting.,CCI-001876
111 | 57529,SRG-APP-000435-AS-000163,The application server must protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing organization-defined security safeguards.,SRG-APP-000435-AS-000163,medium,"Review application server documentation and configuration to determine if the application server can protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing defined security safeguards.If the application server cannot be configured to protect against or limit the effects of all types of DoS, this is a finding.",Configure the application server to protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing defined security safeguards.,CCI-002385
112 | 57531,SRG-APP-000435-AS-000069,"The application server, when a MAC I system, must be in a high-availability (HA) cluster.",SRG-APP-000435-AS-000069,medium,"If the application server is not a MAC I system, this requirement is NA.Review the application server documentation and configuration to determine if the application server is part of an HA cluster.If the application server is not part of an HA cluster, this is a finding.","If the application server is not a MAC I system, this requirement is NA.Configure the application server to be part of an HA cluster.",CCI-002385
113 | 57533,SRG-APP-000439-AS-000155,The application server must protect the confidentiality and integrity of transmitted information through the use of an approved TLS version.,SRG-APP-000439-AS-000155,medium,"Review the application server documentation and deployed configuration to determine which version of TLS is being used.If the application server is not using TLS to maintain the confidentiality and integrity of transmitted information or non-FIPS-approved SSL versions are enabled, this is a finding.",Configure the application server to use a FIPS-2 approved TLS version to maintain the confidentiality and integrity of transmitted information and to disable all non-FIPS-approved SSL versions.,CCI-002418
114 | 57535,SRG-APP-000440-AS-000167,The application server must employ approved cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission.,SRG-APP-000440-AS-000167,medium,"Review application server documentation and configuration to determine if the application server employs approved cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission.If the application server does not employ approved cryptographic mechanisms, this is a finding.",Configure the application server to use AES 128 or AES 256 encryption for data in transit.,CCI-002421
115 | 57537,SRG-APP-000441-AS-000258,The application server must maintain the confidentiality and integrity of information during preparation for transmission.,SRG-APP-000441-AS-000258,medium,"Review the application server documentation and deployed configuration to determine if the application server maintains the confidentiality and integrity of information during preparation before transmission.If the confidentiality and integrity is not maintained, this is a finding.",Configure the application server to maintain the confidentiality and integrity of information during preparation for transmission.,CCI-002420
116 | 57539,SRG-APP-000442-AS-000259,The application server must maintain the confidentiality and integrity of information during reception.,SRG-APP-000442-AS-000259,medium,"Review application server configuration to determine if the server is using a transmission method that maintains the confidentiality and integrity of information during reception.If a transmission method is not being used that maintains the confidentiality and integrity of the data during reception, this is a finding.",Configure the application server to utilize a transmission method that maintains the confidentiality and integrity of information during reception.,CCI-002422
117 | 57541,SRG-APP-000416-AS-000140,"The application server must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.",SRG-APP-000416-AS-000140,medium,"Review application server documentation to verify that the application server is using NSA-approved cryptography to protect classified data and applications resident on the device.If the application server is not using NSA-approved cryptography for classified data and applications, this is a finding.",Configure the application server to utilize NSA-approved cryptography to protect classified information.,CCI-002450
118 | 57543,SRG-APP-000514-AS-000136,Application servers must use NIST-approved or NSA-approved key management technology and processes.,SRG-APP-000514-AS-000136,medium,"Review application server configuration and the NIST FIPS certificate to validate the application server uses NIST-approved or NSA-approved key management technology and processes when producing, controlling or distributing symmetric and asymmetric keys.If the application server does not use this NIST-approved or NSA-approved key management technology and processes, this is a finding.","Configure the application server to utilize NIST-approved or NSA-approved key management technology when the application server produces, controls, and distributes symmetric and asymmetric cryptographic keys.",CCI-002450
119 | 57545,SRG-APP-000514-AS-000137,The application server must use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.,SRG-APP-000514-AS-000137,medium,"Review the application server configuration to determine if the application server utilizes approved PKI Class 3 or Class 4 certificates.If the application server is not configured to use approved DoD or CNS certificates, this is a finding.",Configure the application server to use DoD- or CNSS-approved Class 3 or Class 4 PKI certificates.,CCI-002450
120 | 57547,SRG-APP-000206-AS-000145,The application server must identify prohibited mobile code.,SRG-APP-000206-AS-000145,medium,"Review the application server configuration to determine if the application server is configured to identify prohibited mobile code.If the application server is not configured to identify prohibited mobile code, this is a finding.",Configure the application server to identify prohibited mobile code.,CCI-001166
121 | 57549,SRG-APP-000223-AS-000150,The application server must generate a unique session identifier for each session.,SRG-APP-000223-AS-000150,medium,"Review the application server configuration to determine if the application server generates a unique session identifier for each session.Request an administrator log onto the server and view the logs to verify a unique session identifier was assigned to the session.If the application server does not generate a unique session identifier for each session, this is a finding.",Configure the application server to generate a unique session identifier for each session.,CCI-001664
122 | 57551,SRG-APP-000427-AS-000264,The application server must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.,SRG-APP-000427-AS-000264,medium,"Review the application server documentation and configuration to determine if the application server only allows the use of DoD PKI-established certificate authorities.If the application server allows other certificate authorities for verification, this is a finding.",Configure the application server to allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.,CCI-002470
123 | 57553,SRG-APP-000225-AS-000166,"The application server must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.",SRG-APP-000225-AS-000166,medium,"Review application server documentation and configuration to determine if the application server fails to a secure state if system initialization fails, shutdown fails, or aborts fail.If the application server cannot be configured to fail securely, this is a finding.","Configure the application server to fail to a secure state if system initialization fails, shutdown fails, or aborts fail.",CCI-001190
124 | 57555,SRG-APP-000231-AS-000133,The application server must protect the confidentiality and integrity of all information at rest.,SRG-APP-000231-AS-000133,medium,"Review the application server documentation and configuration to ensure the application server is protecting the confidentiality and integrity of all information at rest.If the confidentiality and integrity of all information at rest is not protected, this is a finding.",Configure the application server to protect the confidentiality and integrity of all information at rest.,CCI-001199
125 | 57557,SRG-APP-000428-AS-000265,The application server must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components.,SRG-APP-000428-AS-000265,medium,"Review application server documentation and configuration to determine if the application server implements cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components.If the application server does not implement cryptographic mechanisms to prevent unauthorized modification, this is a finding.",Configure the application server to implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components.,CCI-002475
126 | 57559,SRG-APP-000429-AS-000157,The application must implement cryptographic mechanisms to prevent unauthorized disclosure of organization-defined information at rest on organization-defined information system components.,SRG-APP-000429-AS-000157,medium,"Review application server documentation and configuration to determine if the application server implements cryptographic mechanisms to prevent unauthorized disclosure of organization-defined information at rest on organization-defined information system components.If the application server does not implement cryptographic mechanisms to prevent unauthorized disclosure, this is a finding.",Configure the application server to implement cryptographic mechanisms to prevent unauthorized disclosure of organization-defined information at rest on organization-defined information system components.,CCI-002476
127 | 57561,SRG-APP-000456-AS-000266,"The application server must install security-relevant software updates within the time period directed by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs).",SRG-APP-000456-AS-000266,medium,"Review the application server documentation and configuration to determine if the application server checks with a patch management system to install security-relevant software updates within a timeframe directed by an authoritative source.If the application server does not install security-relevant patches within the time period directed by the authoritative source, this is a finding.",Configure the application server to use a patch management system to ensure security-relevant updates are installed within the time period directed by the authoritative source.,CCI-002605
128 | 57563,SRG-APP-000454-AS-000268,The application server must remove organization-defined software components after updated versions have been installed.,SRG-APP-000454-AS-000268,medium,"Review the application server documentation and configuration to determine if organization-defined software components are removed after updated versions have been installed.If organization-defined software components are not removed after updated versions have been installed, this is a finding.",Configure the application server to remove organization-defined software components after updated versions have been installed.,CCI-002617
129 | 57565,SRG-APP-000447-AS-000273,The application server must behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.,SRG-APP-000447-AS-000273,medium,"Review the application server configuration to determine if the management interface behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.If the application server does not meet this requirement, this is a finding.",Configure the application server management interface to behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.,CCI-002754
130 | 57567,SRG-APP-000266-AS-000168,The application server must identify potentially security-relevant error conditions.,SRG-APP-000266-AS-000168,medium,"Review the application server configuration to determine if the system identifies potentially security-relevant error conditions on the server.If this function is not performed, this is a finding.",Configure the application server to identify potentially security-relevant error conditions on the server.,CCI-001312
131 | 61351,SRG-APP-000439-AS-000274 ,The application server must remove all export ciphers to protect the confidentiality and integrity of transmitted information.,SRG-APP-000439-AS-000274 ,medium,"Review the application server documentation and deployed configuration to determine if export ciphers are removed.If the application server does not have the export ciphers removed, this is a finding.",Configure the application server to have export ciphers removed.,CCI-002418
132 |
--------------------------------------------------------------------------------
/example/README.md:
--------------------------------------------------------------------------------
1 | # Quick Examples
2 | >Create a new directory to test your own
3 |
4 | ## Application
5 | [DISA Application Server Security Requirements Guide](http://iase.disa.mil/stigs/cci/Pages/index.aspx)
6 |
7 | ## RHEL 7
8 | [U_Red_Hat_Enterprise_Linux_7_STIG_V1R0-2_Manual-xccdf.xml](https://github.com/openstack/openstack-ansible-security/blob/master/doc/metadata/U_Red_Hat_Enterprise_Linux_7_STIG_V1R0-2_Manual-xccdf.xml)
9 |
10 | ## RHEL 6
11 | [U_RedHat_6_V1R12_Manual-xccdf.xml](https://github.com/openstack/openstack-ansible-security/blob/master/doc/metadata/U_RedHat_6_V1R12_Manual-xccdf.xml)
12 |
--------------------------------------------------------------------------------
/xccdf-xml2csv.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3

###
# (C) 2010 Adam Crosby
# Licensed under:
# http://creativecommons.org/licenses/by-nc-sa/3.0/
##
import csv
import sys
import xml.etree.ElementTree as ET

# XCCDF 1.1 namespace used by DISA manual STIG benchmarks.
xmlns = "http://checklists.nist.gov/xccdf/1.1"

if len(sys.argv) != 2:
    print(" XCCDF-xml2csv converts XCCDF XML documents (such as DISA STIGs)")
    print(" into easier to use Comma-Separated Values documents.")
    print(" Please run as '%s' and redirect output as needed." % sys.argv[0])
    print(" Files should open easily in Excel.")
    print(" E.g.:\n\t %s U_Perimeter_Router_v8R2_manual.xccdf.xml > output.csv" % sys.argv[0])
    sys.exit(0)
try:
    xml = ET.parse(sys.argv[1])
except Exception as e:
    print("Error, unable to parse XML document. Are you sure that's XCCDF? (%s)" % e, file=sys.stderr)
    sys.exit(-1)


def text_of(element, path):
    """Return the text of the first child matching path, or '' if it is absent."""
    found = element.find(path)
    if found is None or found.text is None:
        return ''
    return found.text


benchmark = xml.getroot()

# Only rules selected by this profile are exported; if the benchmark has no
# profile with this id, nothing but the header row is written.
check_list = set()
profile_name = "MAC-1_Classified"
profiles = benchmark.findall("{%s}Profile" % xmlns)
for profile in profiles:
    if profile.get("id") == profile_name:
        selects = profile.findall("{%s}select" % xmlns)
        for select_tag in selects:
            if select_tag.get("selected") == "true":
                check_list.add(select_tag.get('idref'))
if not check_list:
    print("Warning: no profile '%s' with selected rules found; output will be empty." % profile_name,
          file=sys.stderr)

groups = benchmark.findall("{%s}Group" % xmlns)

# Write to stdout so the caller can redirect the output, as the usage text says.
output = csv.writer(sys.stdout, dialect='excel')
output.writerow(('STIG ID', 'Version', 'Rule Title', 'Title', 'Severity', 'Check Text', 'Fix Text', 'CCI'))
for group in groups:
    group_id = group.get("id")
    if group_id not in check_list:
        continue
    rule = group.find("{%s}Rule" % xmlns)
    if rule is None:
        continue
    title = text_of(group, "{%s}title" % xmlns)
    severity = rule.get("severity", '')
    version = text_of(rule, "{%s}version" % xmlns)
    rule_title = text_of(rule, "{%s}title" % xmlns)
    fixtext = text_of(rule, "{%s}fixtext" % xmlns)
    # Manual STIGs carry the check procedure in check/check-content and the
    # CCI reference in ident; OVAL benchmarks and older STIGs may lack them.
    check = text_of(rule, "{%s}check/{%s}check-content" % (xmlns, xmlns))
    if not check:
        check = "(Missing - did you use an OVAL benchmark instead of a Manual XCCDF?)"
    cci = text_of(rule, "{%s}ident" % xmlns)
    if not cci:
        cci = "(Missing CCI Number may be an older STIG)"

    # The Rule description holds an escaped XML fragment (<VulnDiscussion>,
    # <IAControls>, ...). ElementTree has already unescaped one level; undo
    # any remaining escaping, wrap the fragment in a root element and parse it.
    descriptiontext = text_of(rule, "{%s}description" % xmlns)
    encodedDesc = descriptiontext.replace("&gt;", ">").replace("&lt;", "<").replace("&amp;", "&")
    innerXML = "<root>%s</root>" % encodedDesc
    try:
        desc_root = ET.XML(innerXML)
        iacontrols = text_of(desc_root, "IAControls")
        vulndisc = text_of(desc_root, "VulnDiscussion")
    except ET.ParseError:
        # Fall back to the raw description if the fragment is not well-formed.
        iacontrols = ''
        vulndisc = descriptiontext
    # iacontrols and vulndisc are parsed but not (yet) written to the CSV.

    output.writerow((group_id.replace('\n', '##').replace('V-', ''),
                     version.replace('\n', '##'),
                     rule_title.replace('\n', '##'),
                     title.replace('\n', '##'),
                     severity.replace('\n', '##'),
                     check, fixtext, cci))
70 |
--------------------------------------------------------------------------------