STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide, Version 5, Release 1, Benchmark Date: 23 Oct 2020

The application must enforce organization-defined discretionary access control policies over defined subjects and objects.

DISA Rule

SV-222426r508029_rule

Vulnerability Number

V-222426

Group Title

SRG-APP-000328

Rule Version

APSC-DV-000470

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Design and configure the application to enforce discretionary access control policies.

Check Contents

Review the application documentation and interview the application administrator.

Review application data protection requirements and application integrated access control methods.

Identify whether the application implements discretionary access control over application resources. Discretionary Access Control (DAC) allows application users to determine and set permissions on the application data and application objects they control. The result is that a user is able to control who has access to the data they own.

If the application does not implement discretionary access controls, this requirement is not applicable.

Resources can be a URL, a folder, a file, a process, a database record, or any other application asset that warrants sharing or authorization permission reassignment.

Create 3 test accounts.

Using test account 1, set protection controls on a resource controlled by test user 1.

Grant access to test user 2 and only test user 2.

Authenticate as test user 3 and attempt to access the application resource where test user 1 and test user 2 are granted access. Access should be denied.

If the enforcement of configured access restrictions is not performed, this is a finding.
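The three-account procedure above, modelled as code. This is an added example, not STIGQter's or DISA's code: it assumes a minimal application-side DAC reference monitor (`DacEnforcer`, with constructed account and resource names) where the resource owner alone may grant access, and a deliberately broken variant (`NonEnforcingDac`) that records the owner's grants but never evaluates them. `run_stig_check` walks the check steps against either implementation and reports whether the result would be a finding.

```python
# Added example (not STIGQter's or DISA's code): a minimal discretionary
# access control (DAC) model plus the three-account test from the check text.
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when a subject attempts an operation the ACL does not permit."""


@dataclass
class Resource:
    """An application object under DAC: its owner decides who may access it."""
    name: str
    owner: str
    acl: set = field(default_factory=set)  # subjects the owner has granted access to


class DacEnforcer:
    """Reference monitor that evaluates owner-set permissions on every access."""

    def __init__(self):
        self.resources = {}

    def create(self, owner, name):
        self.resources[name] = Resource(name=name, owner=owner)

    def grant(self, actor, name, grantee):
        res = self.resources[name]
        # Only the controlling user may change permissions on the resource.
        if actor != res.owner:
            raise AccessDenied(f"{actor} may not change permissions on {name}")
        res.acl.add(grantee)

    def can_access(self, subject, name):
        res = self.resources[name]
        return subject == res.owner or subject in res.acl

    def read(self, subject, name):
        # Every access path goes through the same ACL evaluation.
        if not self.can_access(subject, name):
            raise AccessDenied(f"{subject} denied access to {name}")
        return f"contents of {name}"


class NonEnforcingDac(DacEnforcer):
    """Broken variant: stores the ACL but never consults it (what the check detects)."""

    def can_access(self, subject, name):
        return name in self.resources


def run_stig_check(enforcer):
    """Walk the check steps: owner restricts a resource to user 2; user 3 must be denied."""
    user1, user2, user3 = "testuser1", "testuser2", "testuser3"  # constructed accounts
    resource = "testuser1-report"  # constructed resource name
    enforcer.create(user1, resource)        # test user 1 controls the resource
    enforcer.grant(user1, resource, user2)  # grant test user 2 and only test user 2

    def attempt(subject):
        try:
            enforcer.read(subject, resource)
            return True
        except AccessDenied:
            return False

    result = {
        "user1_access": attempt(user1),
        "user2_access": attempt(user2),
        "user3_access": attempt(user3),
    }
    # Finding if the outsider gets in, or if the configured grant is not honoured.
    result["finding"] = result["user3_access"] or not result["user2_access"]
    return result


if __name__ == "__main__":
    for impl in (DacEnforcer(), NonEnforcingDac()):
        print(type(impl).__name__, run_stig_check(impl))
```

Running the script prints one result line per implementation: the enforcing monitor yields no finding (user 3 denied, user 2 admitted), while the non-enforcing variant admits user 3 and is therefore a finding. The separate `grant` check (only the owner may change permissions) is the other half of DAC that a reviewer should exercise, since an application that lets any authenticated user rewrite another user's ACL has not really placed control with the data owner.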

Documentable

False

Check Content Reference

M

Target Key

4093

Comments