SV-222441r508029_rule
V-222441
SRG-APP-000089
APSC-DV-000620
CAT II
10
Enable session ID creation event auditing.
Access the management interface for the application or configuration file and evaluate the log/audit management settings.
Determine if the setting that enables session ID creation event auditing is activated.
Create a new user session by logging in to the application.
Review the logs to ensure the session creation event was recorded.
If the application is not configured to log session ID creation events, or if no creation event was recorded, this is a finding.
If a web-based application delegates session ID creation to an application server, this is not a finding.
If the application generates session ID creation event logs by default, and that behavior cannot be disabled, this is not a finding.
V-222441
False
APSC-DV-000620
M
4093