| Recommendation | Control Families |
|---|---|
| 1.1 Ensure root does not have ownership of WebSphere Liberty binaries | ACCESS CONTROL, MEDIA PROTECTION |
| 1.2 Ensure extraneous files and directories are removed | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.3 Ensure only defined users have access to the file system | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 1.4 Ensure that only one user ID has write access to the WebSphere Liberty configuration files | ACCESS CONTROL |
| 1.5 Ensure WebSphere Liberty Server Output is not set to the default value | ACCESS CONTROL |
| 1.6 Ensure automated configuration updates are disabled | CONFIGURATION MANAGEMENT |
| 1.7 Ensure the WebSphere Liberty Installation is Validated | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 1.8 Ensure WebSphere Liberty file system access is Restricted | ACCESS CONTROL, MEDIA PROTECTION |
| 1.9 Ensure that the 'onConflict' attribute is set to 'IGNORE' to restrict config file overwrites | ACCESS CONTROL, MEDIA PROTECTION |
| 2.1 Ensure 'displayAuthenticationRealm' is set to 'false' | ACCESS CONTROL |
| 2.2 Ensure Basic Registry and Quick Start Security Registry are Removed | ACCESS CONTROL, MEDIA PROTECTION |
| 2.3 Ensure that the LDAP connection uses TLS | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1 Ensure that automatic application updates are disabled | CONFIGURATION MANAGEMENT |
| 4.1.1.1 Ensure 'cookieSameSite' SameSite attribute is set to 'Strict' for session cookies | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.1.2 Ensure 'cookieHttpOnly' HttpOnly attribute is set to 'true' for session cookies | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.1.3 Ensure 'cookieDomain' cookie domain name attribute is set for the session cookies | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.1.4 Ensure 'cookieSecure' secure attribute is set to 'true' | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.2.1 Ensure 'sameSiteCookie' attribute is set to 'Strict' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.2.2 Ensure 'ssoDomainNames' attribute is configured for the authentication cookies | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.2.3 Ensure 'setCookieSecureFlag' secure attribute is set to 'true' for the `JWT` cookie | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.2.4 Ensure 'ssoRequiresSSL' secure attribute is set to 'true' for the LTPA Cookies | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.2.5 Ensure 'ssoCookieName' LTPA cookie name is set | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.2.6 Ensure 'httpOnlyCookies' HttpOnly attribute is set to 'True' for the authentication cookies | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.2.7 Ensure 'trackLoggedOutSSOCookies' is set to 'true' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.2.8 Ensure 'cookieName' JWT (JSON Web Token) cookie name is set | ACCESS CONTROL |
| 4.1.3.1 Ensure 'samesite' SameSite attribute is set to 'Strict' for additional cookies | CONFIGURATION MANAGEMENT |
| 4.2.2 Ensure 'sslProtocol' is set to the latest versions of TLS (Transport Layer Security) | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.2.3 Ensure HSTS (HTTP Strict Transport Security) is enabled | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.2.4 Ensure that outbound TLS configurations are specified | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.2.5 Ensure that secure cipher suites are configured | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.2.6 Ensure 'transport-guarantee' is set to 'CONFIDENTIAL' for all web applications | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.2.7 Ensure Hostname verification for TLS communication is enabled | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.2.8 Ensure that CA (Certificate Authority) certificates are used | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.2.9 Ensure 'ocsp.enable' certificate revocation is set to 'true' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.2.11 Ensure that strong algorithms are used for TLS certificates | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.2.12 Ensure the `httpPort` attribute is set to `-1` | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.3.1 Ensure 'signatureAlgorithm' asymmetric key algorithm is set for encrypting the JSON Web Tokens | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.3.3 Ensure 'tokenReuse' is set to 'false' | IDENTIFICATION AND AUTHENTICATION |
| 4.3.4 Ensure 'disableIssChecking' issuer claim is set to 'false' in the RP (Relying Party) | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.3.5 Ensure 'hostNameVerificationEnabled' is set to 'true' in OIDC Relying Party (RP) | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.3.6 Ensure 'signatureAlgorithm' is set to a secure algorithm in OIDC Relying Party (RP) | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.3.7 Ensure 'signatureAlgorithm' is set to a secure algorithm in OIDC Provider (OP) | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.3.8 Ensure 'httpsRequired' is set to 'true' in OIDC Relying Party (RP) | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.3.9 Ensure 'tokenEndpointAuthMethodsSupported' is set to a valid authentication method in OIDC Provider (OP) | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.3.10 Ensure 'accessTokenEncoding' is set to a strong hash algorithm in OAuth 2.0 | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.3.11 Ensure 'allowPublicClients' is set to 'false' in OAuth 2.0 | ACCESS CONTROL |
| 4.3.12 Ensure 'clientSecretEncoding' is set to a strong encoding type in OAuth 2.0 | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.3.13 Ensure 'httpsRequired' is set to 'true' in OAuth 2.0 | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.3.14 Ensure 'skipResourceOwnerValidation' is set to 'false' in OAuth 2.0 | IDENTIFICATION AND AUTHENTICATION |
| 4.3.15 Ensure 'httpsRequired' is set to 'true' in SAML | SYSTEM AND COMMUNICATIONS PROTECTION |