kriterion 0.0.1

data/standards/stig_apache_site_2.2windows.json

@@ -0,0 +1,179 @@
+{
+  "name": "stig_apache_site_2.2windows",
+  "date": "2017-07-05",
+  "description": "All directives specified in this STIG must be specifically set (i.e. the server is not allowed to revert to programmed defaults for these directives).\n\nIncluded files should be reviewed if they are used.  Procedures for reviewing included files are included in the overview document.\n\nThe use of .htaccess files are not authorized for use according to the STIG.  However, if they are used, there are procedures for reviewing them in the overview document.\n\nThe Web Policy STIG should be used in addition to the Apache Site and Server STIGs in order to  do a comprehensive web server review.",
+  "title": "APACHE SITE 2.2 for Windows",
+  "version": "1",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-13686",
+      "title": "Web Administrators must only use encrypted connections for Document Root directory uploads.",
+      "description": "Logging in to a web server via an unencrypted protocol or service, to upload documents to the web site, is a risk if proper encryption is not utilized to protect the data being transmitted.  An encrypted protocol or service must be used for remote access to web administration tasks.",
+      "severity": "high"
+    },
+    {
+      "id": "V-13688",
+      "title": "Log file data must contain required data elements.",
+      "description": "The use of log files is a critical component of the operation of the Information Systems (IS) used within the DoD, and they can provide invaluable assistance with regard to damage assessment, causation, and the recovery of both affected components and data. They may be used to monitor accidental or intentional misuse of the (IS) and may be used by law enforcement for criminal prosecutions. The use of log files is a requirement within the DoD.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13689",
+      "title": "Access to the web server log files must be restricted to Administrators, the user assigned to run the web server software, Web Manager, and Auditors.",
+      "description": "A major tool in exploring the web site use, attempted use, unusual conditions and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and Web Manager with valuable information. Because of the information that is captured in the logs, it is critical that only authorized individuals have access to the logs.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13694",
+      "title": "Public web servers must use TLS if authentication is required.",
+      "description": "Transport Layer Security (TLS) is optional for a public web server.  However, if authentication is being performed, then the use of the TLS protocol is required.\n\nWithout the use of TLS, the authentication data would be transmitted unencrypted and would become vulnerable to disclosure.  Using TLS along with DoD PKI certificates for encryption of the authentication data protects the information from being accessed by all parties on the network.  To further protect the authentication data, the web server must use a FIPS 140-2 approved TLS version and all non-FIPS-approved SSL versions must be disabled.\n\nFIPS 140-2 approved TLS versions include TLS V1.0 or greater.  NIST SP 800-52 specifies the preferred configurations for government systems.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-15334",
+      "title": "Web sites must utilize ports, protocols, and services according to PPSM guidelines.",
+      "description": "Failure to comply with DoD ports, protocols, and services (PPS) requirements can result in compromise of enclave boundary protections and/or functionality of the automated information system (AIS).\n\nThe IAM will ensure web servers are configured to use only authorized PPS in accordance with the Network Infrastructure STIG, DoD Instruction 8551.1, Ports, Protocols, and Services Management (PPSM), and the associated Ports, Protocols, and Services (PPS) Assurance Category Assignments List.",
+      "severity": "low"
+    },
+    {
+      "id": "V-2226",
+      "title": "Web content directories must not be anonymously shared.",
+      "description": "Sharing of web server content is a security risk when a web server is involved. Users accessing the share anonymously could experience privileged access to the content of such directories. Network sharable directories expose those directories and their contents to unnecessary access. Any unnecessary exposure increases the risk that someone could exploit that access and either compromises the web content or cause web server performance problems.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2228",
+      "title": "All interactive programs must be placed in a designated directory with appropriate permissions.",
+      "description": "CGI scripts represents one of the most common and exploitable means of compromising a web server. By definition, CGI are executable by the operating system of the host server. While access control is provided via the web service, the execution of CGI programs is not otherwise limited unless the SA or Web Manager takes specific measures. CGI programs can access and alter data files, launch other programs and use the network. CGI programs can be written in any available programming language. C, PERL, PHP, Javascript, VBScript and shell (sh, ksh, bash) are popular choices.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2229",
+      "title": "Interactive scripts used on a web server must have proper access controls.",
+      "description": "The use of CGI scripts represent one of the most common and exploitable means of compromising a web server. By definition, CGI scripts are executable by the operating system of the host server. While access control is provided via the web service, the execution of CGI programs is not limited unless the SA or the Web Manager takes specific measures. CGI programs can access and alter data files, launch other programs, and use the network. CGI programs can be written in any available programming language. C, PERL, PHP, Javascript, VBScript, and shell programs (e.g., sh, ksh, bash, etc.) are popular choices. \n\nCGI is a standard for interfacing external applications with information servers, such as HTTP or web servers. The definition of CGI as web-based applications is not to be confused with the more specific .cgi file extension. ASP, JSP, JAVA, and PERL scripts are commonly found in these circumstances.\n\nClarification:\nThis vulnerability, which is related to VMS vulnerability V-2228, requires that appropriate access permissions are applied to CGI files.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2240",
+      "title": "The number of allowed simultaneous requests must be set.",
+      "description": "Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web site, facilitating a denial of service attack. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests per IP address and may include, where feasible, limiting parameter values associated with keepalive, (i.e., a parameter used to limit the amount of time a connection may be inactive).",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2245",
+      "title": "Each readable web document directory must contain either a default, home, index, or equivalent file.",
+      "description": "The goal is to completely control the web users experience in navigating any portion of the web document root directories. Ensuring all web content directories have indexing turned off or at least the equivalent of an index.html file is a significant factor to accomplish this end. Enumeration techniques, such as URL parameter manipulation, rely upon the ability to obtain information about the web server’s directory structure through locating directories without default pages.",
+      "severity": "low"
+    },
+    {
+      "id": "V-2249",
+      "title": "Web server administration must be performed over a secure path or at the local console.",
+      "description": "Logging into a web server remotely using an unencrypted protocol or service when performing updates and maintenance is a major risk.  Data, such as user account, is transmitted in plaintext and can easily be compromised.  When performing remote administrative tasks, a protocol or service that encrypts the communication channel must be used.\n \nAn alternative to remote administration of the web server is to perform web server administration locally at the console.  Local administration at the console implies physical access to the server.\n",
+      "severity": "high"
+    },
+    {
+      "id": "V-2250",
+      "title": "Logs of web server access and errors must be established and maintained.",
+      "description": "A major tool in exploring the web site use, attempted use, unusual conditions, and problems are reported in the access and error logs. In the event of a security incident, these logs can provide the SA and the web manager with valuable information. Without these log files, SAs and web managers are seriously hindered in their efforts to respond appropriately to suspicious or criminal actions targeted at the web site.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2252",
+      "title": "Log file access must be restricted to System Administrators, Web Administrators or Auditors.",
+      "description": "A major tool in exploring the web site use, attempted use, unusual conditions and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and Web\nManager with valuable information. To ensure the integrity of the log files and protect the SA and Web\nManager from a conflict of interest related to the maintenance of these files, only the members of the\nAuditors group will be granted permissions to move, copy and delete these files in the course of their\nduties related to the archiving of these files.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2254",
+      "title": "Only web sites that have been fully reviewed and tested must exist on a production web server.",
+      "description": "In the case of a production web server, areas for content development and testing will not exist, as this type of content is only permissible on a development web site. The process of developing on a functional production web site entails a degree of trial and error and repeated testing. This process is often accomplished in an environment where debugging, sequencing, and formatting of content are the main goals. The opportunity for a malicious user to obtain files that reveal business logic and login schemes is high in this situation. The existence of such immature content on a web server represents a significant security risk that is totally avoidable.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2258",
+      "title": "The web client account access to the content and scripts directories must be limited to read and execute.",
+      "description": "Excessive permissions for the anonymous web user account are one of the most common faults contributing to the compromise of a web server. If this user is able to upload and execute files on the web server, the organization or owner of the server will no longer have control of the asset.",
+      "severity": "high"
+    },
+    {
+      "id": "V-2260",
+      "title": "A web site must not contain a robots.txt file.",
+      "description": "Search engines are constantly at work on the Internet.  Search engines are augmented by agents, often referred to as spiders or bots, which endeavor to capture and catalog web-site content.  In turn, these search engines make the content they obtain and catalog available to any public web user. \n\nTo request that a well behaved search engine not crawl and catalog a site, the web site may contain a file called robots.txt.  This file contains directories and files that the web server SA desires not be crawled or cataloged, but this file can also be used, by an attacker or poorly coded search engine, as a directory and file index to a site.  This information may be used to reduce an attacker’s time searching and traversing the web site to find files that might be relevant.  If information on the web site needs to be protected from search engines and public view, other methods must be used.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2262",
+      "title": "A private web server must utilize an approved TLS version.",
+      "description": "Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2 approved TLS version, and all non-FIPS-approved SSL versions must be disabled.\nFIPS 140-2 approved TLS versions include TLS V1.0 or greater. NIST SP 800-52 specifies the preferred configurations for government systems.\nThe SSLProtocol directive enables or disables SSL/TLS protocols. “SSLProtocol ALL” is a shortcut for enabling SSLv3 and TLSv1 but does not disable lower versions of SSL. Since some Apache versions enable SSL by default, SSL needs to be explicitly disabled, while also enabling TLS. To disable specific SSL Protocols, the –SSLv3 –SSLv2 switches are used with the SSLProtocol directive.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2263",
+      "title": "A private web server must have a valid DoD server certificate.",
+      "description": "This check verifies that DoD is a hosted web site's CA. The certificate is actually a DoD-issued server certificate used by the organization being reviewed. This is used to verify the authenticity of the web site to the user. If the certificate is not for the server (Certificate belongs to), if the certificate is not issued by DoD (Certificate was issued by), or if the current date is not included in the valid date (Certificate is valid from), then there is no assurance that the use of the certificate is valid. The entire purpose of using a certificate is, therefore, compromised.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2265",
+      "title": "Java software on production web servers must be limited to class files and the JAVA virtual machine.",
+      "description": "From the source code in a .java or a .jpp file, the Java compiler produces a binary file with an extension of .class. The .java or .jpp file would, therefore, reveal sensitive information regarding an application’s logic and permissions to resources on the server. By contrast, the .class file, because it is intended to be machine independent, is referred to as bytecode. Bytecodes are run by the Java Virtual Machine (JVM), or the Java Runtime Environment (JRE), via a browser configured to permit Java code.",
+      "severity": "low"
+    },
+    {
+      "id": "V-2270",
+      "title": "Anonymous FTP user access to interactive scripts must be prohibited.",
+      "description": "The directories containing the CGI scripts, such as PERL, must not be accessible to anonymous users via FTP. This applies to all directories that contain scripts that can dynamically produce web pages in an interactive manner (i.e., scripts based upon user-provided input). Such scripts contain information that could be used to compromise a web service, access system resources, or deface a web site.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2272",
+      "title": "PERL scripts must use the TAINT option.",
+      "description": "PERL (Practical Extraction and Report Language) is an interpreted language optimized for scanning arbitrary text files, extracting information from those text files, and printing reports based on that information. The language is often used in shell scripting and is intended to be practical, easy to use, and efficient means of generating interactive web pages for the user. Unfortunately, many widely available freeware PERL programs (scripts) are extremely insecure. This is most readily accomplished by a malicious user substituting input to a PERL script during a POST or a GET operation.\n\nConsequently, the founders of PERL have developed a mechanism named TAINT that protects the system from malicious input sent from outside the program. When the data is tainted, it cannot be used in programs or functions such as eval(), system(), exec(), pipes, or popen(). The script will exit with a warning message.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26279",
+      "title": "Error logging must be enabled.",
+      "description": "The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as “not found” or “unauthorized” errors that may be an evidence of attack attempts.   Failure to enable error logging can significantly reduce the ability of Web Administrators to detect or remediate problems.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26280",
+      "title": "The sites error logs must log the correct format.",
+      "description": "The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation.  Log data can reveal anomalous behavior such as “not found” or “unauthorized” errors that may be an evidence of attack attempts.   Failure to enable error logging can significantly reduce the ability of Web Administrators to detect or remediate problems.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26281",
+      "title": "System logging must be enabled.",
+      "description": "The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as “not found” or “unauthorized” errors that may be an evidence of attack attempts.   Failure to enable error logging can significantly reduce the ability of Web Administrators to detect or remediate problems. The CustomLog directive specifies the log file, syslog facility, or piped logging utility.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26282",
+      "title": "The LogLevel directive must be enabled.",
+      "description": "The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation.  Log data can reveal anomalous behavior such as  “not found” or “unauthorized” errors that may be an evidence of attack attempts.   Failure to enable error logging can significantly reduce the ability of Web Administrators to detect or remediate problems. While the ErrorLog directive configures the error log file name, the LogLevel directive is used to configure the severity level for the error logs. The log level values are the standard syslog levels: emerg, alert, crit, error, warn, notice, info and debug.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3333",
+      "title": "The web document (home) directory must be in a separate partition from the web server’s system files.",
+      "description": "Application partitioning enables an additional security measure by securing user traffic under one security context, while managing system and application files under another. Web content is accessible to an anonymous web user. For such an account to have access to system files of any type is a major security risk that is avoidable and desirable. Failure to partition the system files from the web site documents increases risk of attack via directory traversal, or impede web site availability due to drive space exhaustion.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6373",
+      "title": "The required DoD banner page must be displayed to authenticated users accessing a DoD private website.",
+      "description": "A consent banner will be in place to make prospective entrants aware that the website they are about to enter is a DoD web site and their activity is subject to monitoring. The document, DoDI 8500.01, establishes the policy on the use of DoD information systems. It requires the use of a standard Notice and Consent Banner and standard text to be included in user agreements. The requirement for the banner is for websites with security and access controls. These are restricted and not publicly accessible. If the website does not require authentication/authorization for use, then the banner does not need to be present. A manual check of the document root directory for a banner page file (such as banner.html) or navigation to the website via a browser can be used to confirm the information provided from interviewing the web staff.",
+      "severity": "low"
+    },
+    {
+      "id": "V-6531",
+      "title": "Private web servers must require certificates issued from a DoD-authorized Certificate Authority.",
+      "description": "Web sites requiring authentication within the DoD must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity must use the identity provided by certificate-based authentication to support access control decisions.",
+      "severity": "medium"
+    }
+  ]
+}

data/standards/stig_apple_ios6.json

@@ -0,0 +1,341 @@
+{
+  "name": "stig_apple_ios6",
+  "date": "2014-10-07",
+  "description": "Developed by DISA for use in the DoD. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.",
+  "title": "Apple iOS6 Security Technical Implementation Guide",
+  "version": "1",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-18627",
+      "title": "The VPN client on mobile devices used for remote access to DoD networks must be FIPS 140-2 validated. ",
+      "description": "DoD data could be compromised if transmitted data is not secured with a compliant VPN.  FIPS validation provides a level of assurance that the encryption of the device has been securely implemented.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19897",
+      "title": "All mobile device VPN clients used for remote access to DoD networks must support AES encryption. ",
+      "description": "DoD data could be compromised if transmitted data is not secured with a compliant VPN.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19898",
+      "title": "All mobile device VPN clients used for remote access to DoD networks must be configured to require CAC authentication. ",
+      "description": "DoD data could be compromised if transmitted data is not secured with a compliant VPN.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19899",
+      "title": "All mobile device VPN clients must have split tunneling disabled.  ",
+      "description": "DoD data could be compromised if transmitted data is not secured with a compliant VPN.  Split tunneling could allow connections from non-secure Internet sites to access data on the DoD network.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-24982",
+      "title": "Smart Card Readers (SCRs) used with CMDs must have required software version installed.",
+      "description": "Required security features are not available in earlier software versions. In addition, there may be known vulnerabilities in earlier versions.",
+      "severity": "low"
+    },
+    {
+      "id": "V-24983",
+      "title": "S/MIME must be installed on mobile device, so users can sign/encrypt email.",
+      "description": "S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is required by DoD policy.  Without S/MIME users will not be able to read encrypted email and will not be able to encrypt email with sensitive information.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-24984",
+      "title": "If mobile device email auto signatures are used, the signature message must not disclose the email originated from a CMD (e.g., Sent From My Wireless Handheld). ",
+      "description": "The disclaimer message may give information which may key an attacker in on the device. ",
+      "severity": "low"
+    },
+    {
+      "id": "V-24985",
+      "title": "The browser must direct all traffic to a DoD Internet proxy gateway.\n",
+      "description": "When using the DoD Internet proxy for iOS device Internet connections, enclave Internet security controls will filter and monitor iOS device Internet connections and reduce the risk that malware could be downloaded on the mobile device.\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-25003",
+      "title": "Mobile devices must have the required operating system software version installed. ",
+      "description": "Unapproved OS versions do not support required security features.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-25007",
+      "title": "Mobile devices must be configured to require a password/passcode for device unlock.\n",
+      "description": "Sensitive DoD data could be compromised if a device unlock passcode is not set up on a DoD iOS device.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-25008",
+      "title": "The iOS device password complexity must be set to the required value.\n",
+      "description": "iOS provides a security mechanism to prevent users from choosing simple passcodes (e.g., 1111). Implementation of this control is an appropriate defense-in-depth measure to mitigate unauthorized use of the device.",
+      "severity": "low"
+    },
+    {
+      "id": "V-25009",
+      "title": "Maximum passcode age must be set.",
+      "description": "Sensitive DoD data could be compromised if a strong device unlock passcode is not set up on a DoD iOS device and the passcode is not changed periodically.\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-25010",
+      "title": "The mobile device must be set to lock the device after a set period of user inactivity. ",
+      "description": "Sensitive DoD data could be compromised if the CMD does not automatically lock after 15 minutes of inactivity.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-25011",
+      "title": "Passcode maximum failed attempts must be set to required value.",
+      "description": "A hacker with unlimited attempts can determine the password of an iOS device within a few minutes using password hacking tools, which could lead to unauthorized access to the iOS device and exposure to sensitive DoD data.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-25012",
+      "title": "Access to public media stores must be disabled.",
+      "description": "Strong configuration management of all media installed on DoD devices is required to ensure the security baseline of the system is maintained. Therefore, the ability for the user to download unapproved applications must be disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-25013",
+      "title": "Users ability to download iOS applications must be disabled.",
+      "description": "Application download must be disabled so that unauthorized applications are not installed on DoD-managed  iOS devices. Unauthorized apps may contain malware or may modify the security baseline of the device. This could lead to the exposure of sensitive DoD data. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-25014",
+      "title": "Mobile device cameras must be used only if documented approval is in the site physical security policy.\n",
+      "description": "This is an operational security issue.   DoD sensitive information could be compromised if cameras are allowed in areas not authorized by the site physical security plan.",
+      "severity": "low"
+    },
+    {
+      "id": "V-25015",
+      "title": "Mobile device screen capture must not be allowed.\n",
+      "description": "Sensitive data, including FOUO data displayed on the screen, could be saved in unsecure memory on the device.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-25016",
+      "title": "The device minimum password/passcode length must be set. ",
+      "description": "Sensitive DoD data could be compromised if a device unlock password/passcode is not set to required length on DoD CMDs. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-25017",
+      "title": "Apple iOS Auto-Lock must be set.",
+      "description": "The \"Auto-lock\" feature enforces an inactivity timeout when coupled with a password lock. Without an inactivity timeout, sensitive DoD data on the device could be easily disclosed to anyone who obtains physical possession of the device. The absence of auto-lock would also facilitate the ability of an adversary to install malware on the device. Finally, the \"Auto Lock\" feature mitigates the risk of denial of service from battery depletion because less power is needed to light the display when the device automatically locks.",
+      "severity": "low"
+    },
+    {
+      "id": "V-25018",
+      "title": "The mobile device passcode/password history setting must be set.",
+      "description": "The passcode would be more susceptible to compromise if the user can select frequently used passcodes.",
+      "severity": "low"
+    },
+    {
+      "id": "V-25019",
+      "title": "The mobile device Bluetooth radio must only connect to authorized Bluetooth peripherals.",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the iOS device without the knowledge of the user.  Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-25022",
+      "title": "All mobile devices must display the required banner during device unlock/logon.\n",
+      "description": " DoD CIO memo requires all CMDs to have a consent banner displayed during logon/device unlock to ensure users understand their responsibilities to safeguard DoD data. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-25033",
+      "title": "iOS Safari must be disabled.\n",
+      "description": "The Safari browser does not support FIPS 140-2 validated encryption and CAC authentication to DoD websites. FIPS validation provides a level of assurance that encrypted sensitive data will not be compromised.",
+      "severity": "low"
+    },
+    {
+      "id": "V-25051",
+      "title": "Location services must be turned off unless authorized for use for particular applications, in which case, location services must only be available to the authorized applications.",
+      "description": "Mobile device location services allow applications to gather information about the location of the handheld device and possibly forward it to servers located on the Internet. This is an operational security issue for DoD mobile devices.",
+      "severity": "low"
+    },
+    {
+      "id": "V-25092",
+      "title": "The iOS device Wi-Fi setting Ask to Join Networks must be set to Off at all times (User Based Enforcement (UBE)).\n",
+      "description": "When “Ask to Join Networks” is set to on, the user is alerted whenever they are in the vicinity of a Wi-Fi hotspot and could be tempted to connect to an unauthorized public hotspot, which could be managed by a hacker. Although the risk of exposing sensitive DoD data is low, setting this configuration as specified is a security best practice. ",
+      "severity": "low"
+    },
+    {
+      "id": "V-25755",
+      "title": "Access to online application purchases must be disabled.",
+      "description": "Strong configuration management of all applications installed on DoD devices is required to ensure the security baseline of the system is maintained. Otherwise, sensitive DoD data could be compromised. Therefore, the ability for the user to download unapproved applications must be disabled.",
+      "severity": "low"
+    },
+    {
+      "id": "V-27635",
+      "title": "Remote full device wipe must be enabled.",
+      "description": "Sensitive DoD data could be compromised if mobile OS device data could not be wiped when directed by the system administrator.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-32686",
+      "title": "iOS Siri application must be disabled.\n",
+      "description": "The Siri application connects to Apple servers and stores information about the device and user inquiries on those servers. The use of Siri could lead to the compromise of sensitive DoD information.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-32688",
+      "title": "iOS Multiplayer Gaming must be disabled.\n",
+      "description": "The game function connects to Apple servers and allows the transfer of device data to other iOS devices. The use of the game function could lead to the compromise of sensitive DoD information.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-32689",
+      "title": "Adding Game Center Friends must be disabled.\n",
+      "description": "The game function connects to Apple servers and allows the transfer of device data to other iOS devices. The use of the game function could lead to the compromise of sensitive DoD information.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-32690",
+      "title": "iCloud Backup must be disabled. ",
+      "description": "The iCloud feature (and associated iCloud setting in iOS) stores iOS device data on Apple controlled servers. Sensitive DoD data saved on the iOS device could be compromised when it is stored on the Apple servers.  Acceptable backup methods include backup to the MDM server or backup to a DoD PC via a USB connection.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-32691",
+      "title": "Document Syncing must be disabled. ",
+      "description": "The iCloud feature (and associated iCloud setting in iOS) stores iOS device data on Apple controlled servers. Sensitive DoD data saved on the iOS device could be compromised when it is stored on the Apple servers.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-32693",
+      "title": "Photo Stream must be disabled.\n",
+      "description": "The iCloud feature (and associated iCloud setting in iOS) stores iOS device data on Apple controlled servers. Sensitive DoD data saved on the iOS device could be compromised when it is stored on the Apple servers.",
+      "severity": "low"
+    },
+    {
+      "id": "V-32695",
+      "title": "Diagnostic Data must not be sent to Apple or other unauthorized entity.",
+      "description": "Sensitive DoD information could be compromised if this setting is not implemented. DoD mobile device diagnostic data could be considered sensitive data and should not be sent to Apple and reside on Apple servers.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-32696",
+      "title": "All mobile device VPN clients must timeout after a set period of inactivity. \n",
+      "description": "DoD data and the DoD network could be compromised if transmitted data is not secured with a compliant VPN.  A VPN provides an open connection to the DoD network.  If the VPN client does not timeout after the required period of inactivity, and a hacker is able to bypass the device password controls, they would have access to the DoD network.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-32697",
+      "title": "The mobile operating system must not cache smart card or certificate store passwords used by the VPN client for more than two hours.\n",
+      "description": "DoD data could be compromised if transmitted data is not secured with a compliant VPN. User authentication credentials (CAC PIN) may be compromised if a hacker credential cache is not wiped on a periodic basis.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-32698",
+      "title": "MDM, MAM, and integrity validation agent(s) must be installed on the mobile OS device. ",
+      "description": "The MDM, MAM, and integrity scanning agents all perform various security management functions on the iOS devices (some products integrate all three functions into one agent).  If these agents are not on the mobile device, key security controls may not be enforced, which could lead to the compromise of sensitive DoD data.\n",
+      "severity": "high"
+    },
+    {
+      "id": "V-32699",
+      "title": "The mobile operating system must not permit a user to disable or modify the security policy or enforcement mechanisms on the device.\n",
+      "description": "The integrity of the security policy and enforcement mechanisms is critical to the IA posture of the operating system.  If a user can modify a device's security policy or enforcement mechanisms, then a wide range of subsequent attacks are possible, including unauthorized access to information and networks.  Access controls that prevent a user from making modifications such as these mitigate the risk of operating system compromise.\n",
+      "severity": "high"
+    },
+    {
+      "id": "V-32700",
+      "title": "The mobile operating system must provide mutual authentication between the provisioning server and the provisioned device during a trusted over-the-air (OTA) provisioning session.\n",
+      "description": "When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system can potentially have significant effects on the overall security of the system.  Mutual authentication ensures both that the device is authorized for provisioning and that a rogue provisioning server is not used to obtain software.\n",
+      "severity": "high"
+    },
+    {
+      "id": "V-32701",
+      "title": "The mobile operating system must protect the confidentiality of the provisioning data downloaded to the handheld device during a trusted over-the-air (OTA) provisioning session.\n",
+      "description": "Provisioning data may be sensitive and therefore must be adequately protected.  An adversary within the general proximity of the mobile device can eavesdrop on OTA transactions, making them particularly vulnerable to attack if confidentiality protections are not in place.  Proper use of cryptography provides strong assurance that provisioning data is protected against confidentiality attacks.  \n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-32702",
+      "title": "The mobile operating system must protect the integrity of the provisioning data downloaded to the handheld device during a trusted over-the-air (OTA) provisioning session.\n",
+      "description": "Provisioning data may be sensitive and therefore must be adequately protected.  It may be possible for an adversary within the general proximity of the mobile device to hijack provisioning sessions and modify data transmitted during the provisioning process.  Proper use of cryptography provides strong assurance that provisioning data is protected against integrity attacks.   \n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-32703",
+      "title": "The mobile operating system must support the capability for the system administrator to disable over-the-air (OTA) provisioning. \n",
+      "description": "In some environments, the risk of OTA provisioning may outweigh any convenience benefit it offers. In addition, some OTA mechanisms do not provide appropriate authentication and cryptographic integrity measures. In such cases, the administrator should have the ability to disable OTA provisioning to ensure secure breaches do not occur from use of this technique.\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-32706",
+      "title": "The cryptographic module supporting encryption of data in transit (including email and attachments) must be FIPS 140-2 validated.\n",
+      "description": "The most common vulnerabilities with cryptographic modules are those associated with poor implementation.   FIPS 140 validation provides assurance that the relevant cryptography has been implemented correctly.  FIPS validation is also a strict requirement for use of cryptography in the Federal Government.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-32711",
+      "title": "The mobile operating system must prevent a user from using a browser that does not direct its traffic to a DoD proxy server. \n",
+      "description": "Proxy servers can inspect traffic for malware and other signs of a security attack.  Allowing a mobile device to access the public Internet without proxy server inspection forgoes the protection that the proxy server would otherwise provide.  Malware downloaded onto the device could have a wide variety of malicious consequences, including loss of sensitive DoD information.  Forcing traffic to flow through a proxy server greatly mitigates the risk of access to public Internet resources.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-32716",
+      "title": "The mobile operating system must employ a DoD-approved anti-malware protections.",
+      "description": "In order to minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. Malicious code includes viruses, worms, Trojan horses, and spyware.  Malicious code can result in the disclosure of sensitive information or cause a denial of service.  Anti-virus applications are not common on mobile operating systems but one or more methods to mitigate the risk of malware must be in place to protect DoD information and networks.\n",
+      "severity": "high"
+    },
+    {
+      "id": "V-34172",
+      "title": "Shared Photo Stream must be disabled. ",
+      "description": "The iCloud feature (and associated iCloud setting in iOS) stores iOS device data on Apple controlled servers. Sensitive DoD data saved on the iOS device could be compromised when it is stored on the Apple servers.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-34173",
+      "title": "Access to iOS Passbook applications must be disabled.",
+      "description": "iOS Passbook allows applications to be accessed after the iOS device is locked.  The icons for passbook enabled apps are shown on the device screen after the device is locked.  Any sensitive data stored in the available application would be available if the iOS device is lost or stolen.  Therefore, sensitive DoD data could be exposed. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-34174",
+      "title": "The iOS device user must not allow applications to share data between iOS devices via Bluetooth.",
+      "description": "The iOS device Bluetooth sharing feature allows applications to share data saved on the iOS device with other iOS devices via Bluetooth connections between the devices.  This feature allows the wireless transmission of sensitive DoD data without using FIPS 140-2 validated encryption as required by DoD policy and could expose sensitive DoD data to unauthorized individuals.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-34316",
+      "title": "A Wi-Fi profile must be set up on managed iOS devices to disable access to any public Wi-Fi network that iOS may otherwise auto-join. ",
+      "description": "iOS has the capability to “auto-join” public Wi-Fi networks that are pre-configured in iOS. This feature is available in iOS to improve a user’s experience when connecting to the Internet. The “attwifi” public network has been found to be monitored by hackers and easily spoofed, so users do not know if they are connecting to the real network or the hacker-controlled network. Sensitive DoD data could be exposed if a DoD user’s iOS device is connected to a hacker-controlled Wi-Fi network. An iOS GSM device from ATT  will attempt to auto-join any attwifi network in the vicinity of the device. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-34322",
+      "title": "The ability to wipe a DoD iOS device via an iCloud account must be disabled.",
+      "description": "If a DoD iOS device is associated with an iCloud account, a user of that iCloud account, or anyone who gains access to that iCloud account, can send a device wipe command to the iOS device and the device will wipe itself. This will cause a Denial-Of-Service (DOS) attack on the device. There are two possible mitigations for this vulnerability: \n\n1. Disable all personal email on the iOS device via an iOS Restriction. This is the recommended method. The use of personal email on iOS devices could cause sensitive DoD data to be saved on the device outside the security container if a DoD email message with sensitive data is forwarded to a personal email account and that email message is viewed on the device. Disabling all personal email also disables \"Find My iPhone\" which, if functional, would have the capability of wiping a DoD iOS device from an iCloud account, which is configured to a personal email address.\n\n2. Disable \"Find My iPhone\" via an iOS Restriction. This method should only be used if there is a mission need for a user to have personal email accounts set up on their DoD iOS device and use of personal email has been approved by the DAA.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-35006",
+      "title": "The iOS device iMessage service must be set to Off at all times (User Based Enforcement (UBE)). ",
+      "description": "iOS iMessage service provides the potential for the exposure of private and possibly sensitive DoD information.  When a DoD iOS device is transferred to a new user or disposed of, the device may still receive iMessages sent to the previous DoD user. iMessage phone numbers on a specific iOS device can persist after a SIM has been removed from the phone.  For example, SIM A is placed in phone, activated on iMessage, and then swapped out for SIM B.  That phone will receive iMessages bound for the phone numbers on both SIM A and B until the iMessage service on the phone has been turned off and then back on again. This vulnerability exists for GSM devices but not for CDMA devices.  When the original device user receives messages via their iMessage account, the message will be displayed on their old iOS device. The wipe procedure for the iOS device must include specific procedures (outlined in the STIG Overview) to mitigate this risk.\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-37769",
+      "title": "The iOS Passcode must contain at least one alphabetic and one numeric character.",
+      "description": "Sensitive DoD data could be compromised if a device unlock password/passcode is not set to the required complexity on DoD CMDs. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-37770",
+      "title": "The iOS Passcode must contain at least one complex (non-alphanumeric) character.",
+      "description": "Sensitive DoD data could be compromised if a device unlock password/passcode is not set to the required complexity on DoD CMDs. The DoD CMD password requirements for protecting sensitive data are that the password must be at least 8 characters in length and contain at least one lowercase letter, one uppercase letter, and one number. In addition, sequential characters/numbers may not be used in the password. It is not currently possible to require both an uppercase letter and lowercase letter for the iOS passcode, or to enforce the sequential character restriction, so the iOS passcode must contain a special character to approximate the same password strength as the DoD-specified password complexity rules.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54983",
+      "title": "Apple iOS operating systems that are no longer supported by the vendor for security updates must not be installed on a system.",
+      "description": "Apple iOS operating systems that are no longer supported by Apple for security updates are not evaluated or updated for vulnerabilities, leaving them open to potential attack.  Organizations must transition to a supported operating system to ensure continued support.",
+      "severity": "high"
+    }
+  ]
+}