IIS: Application Host Config

Description

The IIS: Application Host Config test evaluates global configuration settings used by the Windows Process Activation Service (WAS) in Internet Information Services (IIS). This element defines many of the server-level configuration settings in the IIS 7 ApplicationHost.config file. Most importantly, the Application Host Configuration Item contains the configuration settings for the Application Pools and Sites, which respectively define the collection of application pools and Web sites on an IIS server. Note: Unlike the settings found in system.webServer, settings in the Application Host Configuration Item element cannot be delegated.

The applicationhost_object element is used by an applicationhost_test to define the name of the Application Host to be evaluated.

The applicationhost_state element defines various information about the Application Host configuration settings under evaluation.

Technical Details

Artifact Parameters

iis.applicationhostconfig

Name | Type | Description
N/A (this artifact type takes no parameters)

Supported Test Types

  • IIS: Application Host Config

Test Type Parameters

iis.applicationhostconfig

Name                   | Type   | Description
operator               | string | Comparison operation.
configuration_setting  | string | The applicationHost.config setting to evaluate (see the allowed values below).
data_type              | string | The data type of the applicationHost.config setting.
value                  | string | The value to compare to the collected applicationHost.config setting.

NOTE: The operator parameter is governed by a constraint allowing only the following values:
  • bitwise and

  • bitwise or

  • case insensitive equals

  • case insensitive not equal

  • equals

  • greater than

  • greater than or equal

  • less than

  • less than or equal

  • pattern match

  • not equal

  • set white list

  • set is empty

NOTE: The configuration_setting parameter is governed by a constraint allowing only the following values:
  • allow_unlisted_isapis

  • allow_unlisted_cgis

  • advanced_logging_enabled

  • default_web_log_directory

NOTE: The data_type parameter is governed by a constraint allowing only the following values:
  • boolean

  • float

  • int

  • string

  • version

  • set
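As an added example (not part of the CIS documentation above), the following Python models how one applicationhostconfig_test evaluates a recommendation: it enforces the three parameter constraints listed above and applies the operator to a value collected from the server. The COLLECTED values are constructed sample data; how each configuration_setting is read from applicationHost.config is outside this example, and the bitwise and set operators are omitted.

```python
import re

# Constraints copied from the parameter tables above.
CONSTRAINTS = {
    "operator": {"bitwise and", "bitwise or", "case insensitive equals",
                 "case insensitive not equal", "equals", "greater than",
                 "greater than or equal", "less than", "less than or equal",
                 "pattern match", "not equal", "set white list", "set is empty"},
    "configuration_setting": {"allow_unlisted_isapis", "allow_unlisted_cgis",
                              "advanced_logging_enabled", "default_web_log_directory"},
    "data_type": {"boolean", "float", "int", "string", "version", "set"},
}

def validate_parameters(**params):
    """Reject any parameter value outside what the test type allows."""
    for name, value in params.items():
        if value not in CONSTRAINTS[name]:
            raise ValueError(f"{name}={value!r} is not an allowed value")

def _coerce(data_type, raw):
    """Convert a string to the OVAL datatype before comparing."""
    if data_type == "boolean":
        return raw.strip().lower() in ("true", "1")
    if data_type in ("int", "float"):
        return float(raw)
    return tuple(int(p) for p in raw.split(".")) if data_type == "version" else raw

def evaluate(operator, data_type, collected, expected):
    """Apply the state's operation to one collected value (bitwise/set operators omitted)."""
    if operator == "pattern match":
        return re.search(expected, collected) is not None
    if operator.startswith("case insensitive"):  # fold case, then reuse the plain operator
        collected, expected = collected.casefold(), expected.casefold()
        operator = "equals" if operator.endswith("equals") else "not equal"
    a, b = _coerce(data_type, collected), _coerce(data_type, expected)
    return {"equals": a == b, "not equal": a != b,
            "greater than": a > b, "greater than or equal": a >= b,
            "less than": a < b, "less than or equal": a <= b}[operator]

# Constructed sample of values as collected from a server (not real data).
COLLECTED = {"allow_unlisted_isapis": "false", "allow_unlisted_cgis": "true",
             "default_web_log_directory": r"%SystemDrive%\inetpub\logs\LogFiles"}

def check(configuration_setting, operator, data_type, value):
    """One recommendation: the four test parameters applied to one collected setting."""
    validate_parameters(operator=operator, configuration_setting=configuration_setting,
                        data_type=data_type)
    return evaluate(operator, data_type, COLLECTED[configuration_setting], value)

if __name__ == "__main__":
    print(check("allow_unlisted_isapis", "equals", "boolean", "false"))  # True: compliant
    print(check("allow_unlisted_cgis", "equals", "boolean", "false"))    # False: unlisted CGIs allowed
    print(check("default_web_log_directory", "pattern match", "string",
                r"^(?!%SystemDrive%)"))  # False: logs still in the default location
```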

Generated Content

iis.applicationhostconfig

XCCDF+AE

This is what the AE check looks like, inside a Rule, in the XCCDF.

<xccdf:complex-check operator="AND">
  <xccdf:check system="https://benchmarks.cisecurity.org/ae/0.5">
    <xccdf:check-content>
      <ae:artifact_expression id="xccdf_org.cisecurity.benchmarks_ae_[SECTION-NUMBER]">
        <ae:artifact_oval_id>[ARTIFACT-OVAL-ID]</ae:artifact_oval_id>
        <ae:title>[ARTIFACT-TITLE]</ae:title>
        <ae:artifact type="[ARTIFACT-TYPE-NAME]" />
        <ae:test type="[TEST-TYPE-NAME]">
          <ae:parameters>
            <ae:parameter dt="string" name="operator">[operator.value]</ae:parameter>
            <ae:parameter dt="string" name="configuration_setting">[configuration_setting.value]</ae:parameter>
            <ae:parameter dt="string" name="data_type">[data_type.value]</ae:parameter>
            <ae:parameter dt="string" name="value">[value.value]</ae:parameter>
          </ae:parameters>
        </ae:test>
        <ae:profiles>
          <ae:profile idref="xccdf_org.cisecurity.benchmarks_profile_Level_1" />
        </ae:profiles>
      </ae:artifact_expression>
    </xccdf:check-content>
  </xccdf:check>
</xccdf:complex-check>

SCAP

XCCDF

For iis.applicationhostconfig artifacts, an XCCDF Value element is generated.

<Value
  id="xccdf_org.cisecurity.benchmarks_value_[ARTIFACT-OVAL-ID]_var"
  type="[data_type.value]"
  operator="[operator.value]">
  <title>[RECOMMENDATION-TITLE]</title>
  <description>This value is used in Rule: [RECOMMENDATION-TITLE]</description>
  <value>[value.value]</value>
</Value>

For iis.applicationhostconfig artifacts, the XCCDF check looks like this.

<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <check-export
    export-name="oval:org.cisecurity.benchmarks.[PLATFORM]:var:[ARTIFACT-OVAL-ID]"
    value-id="xccdf_org.cisecurity.benchmarks_value_[ARTIFACT-OVAL-ID]_var" />
  <check-content-ref
    href="[BENCHMARK-TITLE]-oval.xml"
    name="oval:org.cisecurity.benchmarks.[PLATFORM]:def:[ARTIFACT-OVAL-ID]" />
</check>

OVAL

Test

<applicationhostconfig_test
  xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#iis"
  id="oval:org.cisecurity.benchmarks.[PLATFORM]:tst:[ARTIFACT-OVAL-ID]"
  check_existence="any_exist"
  check="all"
  comment="[ARTIFACT-TITLE]"
  version="1">
  <object object_ref="oval:org.cisecurity.benchmarks.[PLATFORM]:obj:[ARTIFACT-OVAL-ID]" />
  <state state_ref="oval:org.cisecurity.benchmarks.[PLATFORM]:ste:[ARTIFACT-OVAL-ID]" />
</applicationhostconfig_test>

Object

<applicationhostconfig_object
  xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#iis"
  id="oval:org.cisecurity.benchmarks.[PLATFORM]:obj:[ARTIFACT-OVAL-ID]"
  comment="[ARTIFACT-TITLE]"
  version="1" />

State

<applicationhostconfig_state
  xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#iis"
  id="oval:org.cisecurity.benchmarks.[PLATFORM]:ste:[ARTIFACT-OVAL-ID]"
  comment="[ARTIFACT-TITLE]"
  version="1">
  <[configuration_setting.value]
    datatype="[data_type.value]"
    operation="[operator.value]"
    var_ref="oval:org.cisecurity.benchmarks.[PLATFORM]:var:[ARTIFACT-OVAL-ID]" />
</applicationhostconfig_state>

Variable

<external_variable
  id="oval:org.cisecurity.benchmarks.[PLATFORM]:var:[ARTIFACT-OVAL-ID]"
  datatype="[data_type.value]"
  comment="This value is used in [RECOMMENDATION-TITLE]"
  version="1" />
<!-- The variable's datatype must match the datatype of the state entity that references it. -->

YAML

artifact-expression:
  artifact-unique-id: "[ARTIFACT-OVAL-ID]"
  artifact-title: "[ARTIFACT-TITLE]"
  artifact:
    type: "[ARTIFACT-TYPE-NAME]"
    parameters:
  test:
    type: "[TEST-TYPE-NAME]"
    parameters:
      - parameter:
          name: "operator"
          dt: "string"
          value: "[operator.value]"
      - parameter:
          name: "configuration_setting"
          dt: "string"
          value: "[configuration_setting.value]"
      - parameter:
          name: "data_type"
          dt: "string"
          value: "[data_type.value]"
      - parameter:
          name: "value"
          dt: "string"
          value: "[value.value]"

JSON

{
  "artifact-expression": {
    "artifact-unique-id": "[ARTIFACT-OVAL-ID]",
    "artifact-title": "[ARTIFACT-TITLE]",
    "artifact": {
      "type": "[ARTIFACT-TYPE-NAME]",
      "parameters": []
    },
    "test": {
      "type": "[TEST-TYPE-NAME]",
      "parameters": [
        {
          "parameter": {
            "name": "operator",
            "type": "string",
            "value": "[operator.value]"
          }
        },
        {
          "parameter": {
            "name": "configuration_setting",
            "type": "string",
            "value": "[configuration_setting.value]"
          }
        },
        {
          "parameter": {
            "name": "data_type",
            "type": "string",
            "value": "[data_type.value]"
          }
        },
        {
          "parameter": {
            "name": "value",
            "type": "string",
            "value": "[value.value]"
          }
        }
      ]
    }
  }
}