Free DISA STIG and SRG Library | Vaulted

V-35426

The application server must employ cryptographic mechanisms to ensure confidentiality and integrity of all information at rest when stored off-line.

Finding ID
SRG-APP-000231-AS-000156
Rule ID
SV-46713r3_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000231-AS-000156
CCI
CCI-001199
Target Key
(None)
Documentable
No
Discussion

This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive) within an organizational information system. Application servers generate information throughout the course of their use, most notably, log data. If the data is not encrypted while at rest, the data used later for forensic investigation cannot be guaranteed to be unchanged and cannot be used for prosecution of an attacker. To accomplish a credible investigation and prosecution, the data integrity and information confidentiality must be guaranteed. Application servers must provide the capability to protect all data, especially log data, so as to ensure confidentiality and integrity.

Fix Text

Configure the application server to employ cryptographic mechanisms to ensure confidentiality and integrity of all application server data at rest when stored off-line.

Check Content

Review the application server configuration to ensure the system is protecting the confidentiality and integrity of all application server data at rest when stored off-line. If the application server is not configured to protect all application server data at rest when stored off-line, this is a finding.