Ax-OS must protect the authenticity of communications sessions.

Severity: high
Group ID: V-276013
Group Title: SRG-APP-000219
Version: AXOS-00-000065
Rule ID: SV-276013r1122689_rule
Date: 2025-07-22
STIG Version: 1
Description
Authenticity protection provides protection against man-in-the-middle attacks, session hijacking, and the insertion of false information into sessions. Application communication sessions are protected using transport encryption protocols such as Transport Layer Security (TLS). TLS gives web applications a means to authenticate user sessions and encrypt application traffic. Session authentication can be single (one-way) or mutual (two-way): single authentication authenticates the server to the client, whereas mutual authentication lets the client and server authenticate each other.

This requirement applies to applications that use communications sessions, including but not limited to web-based applications and service-oriented architectures (SOAs). It addresses communications protection at the application session rather than at the network packet, and it establishes grounds for confidence at both ends of a session about the ongoing identities of the other parties and the validity of the information transmitted. Depending on the required degree of confidentiality and integrity, web services/SOA will require TLS mutual authentication (two-way/bidirectional).

Satisfies: SRG-APP-000219, SRG-APP-000910
ℹ️ Check
Select the gear icon (System Settings) >> Privacy and Security >> Certificate and Encryption.

Under SSL Certificate, if the certificate has not been changed from the self-signed default certificate, this is a finding unless otherwise approved by the authorizing official (AO).

Under Certificate Verifications Settings, if "Use OCSP" is not selected, this is a finding.

Under SSL Trust & CA Settings, if "Use custom certificate" is not selected and configured for a DOD PKI (or other AO-approved) certificate, this is a finding.

Under Mutual TLS Settings, if the "Enable mutual TLS" slide bar is not enabled, or the "Enforce client certificate validation" box is unchecked, this is a finding.

Under Encryption Settings, if the "Allow legacy SSL cipher suites for adapters" box is checked, this is a finding.
✔️ Fix
Select the gear icon (System Settings) >> Privacy and Security >> Certificate and Encryption.

Under Certificate Verifications Settings, select "Use OCSP".

Under SSL Trust & CA Settings, select "Use custom certificate" and configure it for a DOD PKI (or other AO-approved) certificate.

Under Mutual TLS Settings, enable the "Enable mutual TLS" slide bar and check the "Enforce client certificate validation" box.

Under Encryption Settings, ensure the "Allow legacy SSL cipher suites for adapters" box is unchecked.
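The Check and Fix above are performed in the Ax-OS console. An external probe of the HTTPS listener is a useful cross-check that the settings actually took effect. The script below is an added example, not part of the STIG text and not Ax-OS code: it runs `openssl s_client` against the listener (or reads a saved transcript) and reports whether the server certificate is self-signed, whether an OCSP response is stapled, whether the server requests a client certificate, and whether a legacy protocol was negotiated. It observes only the server side of the connection: it cannot see the "Allow legacy SSL cipher suites for adapters" setting, and it cannot by itself prove "Enforce client certificate validation" is on (for that, run the probe with no client certificate and confirm the server refuses to complete the handshake). The host name, CA and certificate names, and the two embedded transcripts are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the STIG or of Ax-OS: assess a TLS listener's
# session-authenticity posture from an `openssl s_client` transcript.
# Live use:  probe_tls axos.example.mil 443 > /tmp/axos.txt; assess_tls /tmp/axos.txt
# Offline:   the two constructed transcripts below stand in for real probes.
# Host name, CA names and certificate subjects are illustrative assumptions.

probe_tls() {  # $1 = host, $2 = port; writes the s_client transcript to stdout
    # -status requests a stapled OCSP response. No client certificate is offered,
    # so a server that enforces client certificate validation aborts the handshake.
    openssl s_client -connect "$1:$2" -servername "$1" -status -showcerts </dev/null 2>&1
}

self_signed() {  # true when the leaf certificate's subject equals its issuer
    subj=$(sed -n 's/^subject=//p' "$1" | head -n 1)
    iss=$(sed -n 's/^issuer=//p' "$1" | head -n 1)
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

ocsp_stapled() {  # true when the server stapled a successful OCSP response
    grep -q 'OCSP Response Status: successful' "$1"
}

client_cert_requested() {  # true when the server sent a CertificateRequest
    # s_client lists the CA names from the request; a request without CA names
    # still shows the "Requested Signature Algorithms" line.
    grep -Eq '^(Acceptable client certificate CA names|Requested Signature Algorithms)' "$1"
}

legacy_protocol() {  # true when the session negotiated SSLv3, TLS 1.0 or TLS 1.1
    grep -Eq '^ *Protocol *: *(SSLv3|TLSv1|TLSv1\.1) *$' "$1"
}

assess_tls() {  # $1 = transcript; prints one line per check, returns the number of findings
    n=0
    if self_signed "$1"; then echo "FINDING: server certificate is self-signed"; n=$((n + 1))
    else echo "ok: server certificate is CA-issued"; fi
    if ocsp_stapled "$1"; then echo "ok: OCSP response stapled"
    else echo "FINDING: no OCSP response stapled"; n=$((n + 1)); fi
    if client_cert_requested "$1"; then echo "ok: server requests a client certificate (mutual TLS)"
    else echo "FINDING: server never asks for a client certificate"; n=$((n + 1)); fi
    if legacy_protocol "$1"; then echo "FINDING: legacy protocol negotiated"; n=$((n + 1))
    else echo "ok: no legacy protocol negotiated"; fi
    return $n
}

# Constructed transcripts (abbreviated s_client output), not captured from a real system.
GOOD=$(mktemp); BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
cat > "$GOOD" <<'EOF'
CONNECTED(00000003)
---
Server certificate
subject=C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = axos.example.mil
issuer=C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DOD EXAMPLE CA-1
---
Acceptable client certificate CA names
C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DOD EXAMPLE CA-1
---
OCSP Response Data:
    OCSP Response Status: successful (0x0)
---
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
EOF
cat > "$BAD" <<'EOF'
CONNECTED(00000003)
---
Server certificate
subject=CN = ax-os-default
issuer=CN = ax-os-default
---
No client certificate CA names sent
---
OCSP response: no response sent
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
EOF

echo "== compliant transcript ==";     assess_tls "$GOOD" || true
echo "== non-compliant transcript =="; assess_tls "$BAD" || echo "$? finding(s)"
```

Replace the heredoc transcripts with `probe_tls HOST PORT > FILE` output to assess a real listener. A self-signed leaf, a missing staple, or no CertificateRequest each corresponds to one of the console settings in the Check; treat the protocol check as a related indicator only, since the "adapters" cipher setting is not visible from the listener.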