Free DISA STIG and SRG Library | Vaulted

V-35441

The application server must restrict error messages only to authorized users.

Finding ID
SRG-APP-000267-AS-000170
Rule ID
SV-46728r3_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000267-AS-000170
CCI
CCI-001314
Target Key
(None)
Documentable
No
Discussion

If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Application servers must protect the error messages that are created by the application server. All application server users' accounts are used for the management of the server and the applications residing on the application server. All accounts are assigned to a certain role with corresponding access rights. The application server must restrict access to error messages so only authorized users may view them. Error messages are usually written to logs contained on the file system. The application server will usually create new log files as needed and must take steps to ensure that the proper file permissions are utilized when the log files are created.

Fix Text

Configure the application server to restrict access to error messages so only authorized users may view or otherwise access them.

Check Content

Review the application server configuration and documentation to determine if the application server will restrict access to error messages so only authorized users may view or otherwise access them. If the application server cannot be configured to restrict access to error messages to only authorized users, this is a finding.